Cannot ping inside the vpn client hosts. It's a NAT problem

Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.

AAA new-model

AAA authentication login default local

radius of group AAA authentication login userauthen

AAA authorization exec default local

AAA authorization groupauthor LAN

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

ISAKMP crypto client configuration group businessVPN

key xxxxxx

DNS 192.168.10.2

business.local field

pool vpnpool

ACL 108

Crypto isakmp VPNclient profile

businessVPN group identity match

client authentication list userauthen

ISAKMP authorization list groupauthor

client configuration address respond

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

Define VPNclient isakmp-profile

market arriere-route

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

interface Loopback0

IP 10.1.10.2 255.255.255.252

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

Null0 interface

no ip unreachable

interface FastEthernet0/0

IP 111.111.111.138 255.255.255.252

IP access-group outside_in in

no ip redirection

no ip unreachable

no ip proxy-arp

NAT outside IP

inspect the outgoing IP outside

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

the integrated-Service-Engine0/0 interface

description Locator is initialized with default IMAP group

IP unnumbered Loopback0

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

ip address of service-module 10.1.10.1 255.255.255.252

Service-module ip default gateway - 10.1.10.2

interface BVI1

IP 192.168.10.1 255.255.255.0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

IP virtual-reassembly

IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25

IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443

IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389

IP nat inside source map route nat interface FastEthernet0/0 overload

nat extended IP access list

deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 any

permit ip 192.168.10.0 0.0.0.255 any

sheep extended IP access list

permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255

outside_in extended IP access list

permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp

permit any any eq 443 tcp

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22

allow any host 111.111.111.138 esp

allow any host 111.111.111.138 eq isakmp udp

allow any host 111.111.111.138 eq non500-isakmp udp

allow any host 111.111.111.138 ahp

allow accord any host 111.111.111.138

access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

route nat allowed 10 map

match ip address nat

1 channel ip bridge

In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.

To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.

Kind regards

Tags: Cisco Security

Similar Questions

Cannot ping via the VPN client host when static NAT translations are used

Hello, I have a SRI 3825 configured for Cisco VPN client access.

There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

Any help would be appreciated.

Concerning

!

session of crypto consignment

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group vpnclient

key S3Cu4Ke!

DNS 192.168.1.1 192.168.1.2

domain domain.com

pool dhcppool

ACL 198

Save-password

PFS

netmask 255.255.255.0

!

!

Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

!

Crypto-map dynamic dynmap 10

86400 seconds, life of security association set

game of transformation-3DES-SECURE

market arriere-route

!

card crypto client cryptomap of authentication list drauthen

card crypto isakmp authorization list drauthor cryptomap

client configuration address card crypto cryptomap answer

map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

!

interface GigabitEthernet0/0

NAT outside IP

IP 1.2.3.4 255.255.255.240

cryptomap card crypto

!

interface GigabitEthernet0/1

IP 192.168.1.254 255.255.255.0

IP nat inside

!

IP local pool dhcppool 192.168.2.50 192.168.2.100

!

Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

!

Sheep allowed 10 route map
corresponds to the IP 199

!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload

!

IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6

The problem seems to be that static NAT take your nat exemption.

The solution would be:

IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

HTH

Herbert

ASA 5540 - cannot ping inside the interface

Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

In the ASDM, I see messages like this:

ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

interface Vlanx

IP x.x.x.x 255.255.255.0

IP broadcast directed to 199

IP accounting output-packets

IP pim sparse - dense mode

route IP cache flow

load-interval 30

Has anyone experiences the problem like this before? Thanks in advance for any help.

Can you post the output of the following on the ASA:-

display the route

And the output of your base layer diverter: -.

show ip route<>

HTH >

ASA problem inside the VPN client routing

Hello

I have a problem where I can't reach the VPN clients with their vpn IP pool from the inside or the asa itself. Connect VPN clients can access internal network very well. I have no nat configured for the pool of vpn and packet trace crypt packages and puts it into the tunnel. I'm not sure what's wrong.

Here are a few relevant config:

network object obj - 192.168.245.0

192.168.245.0 subnet 255.255.255.0

192.168.245.1 - 192.168.245.50 vpn IP local pool

NAT (inside, outside) static source any any destination static obj - 192.168.245.0 obj - 192.168.245.0 no-proxy-arp-search to itinerary

Out of Packet trace:

Firewall # entry packet - trace inside the x.x.x.x icmp 8 0 192.168.245.33

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit rule

Additional information:

MAC access list

Phase: 2

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 192.168.245.33 255.255.255.255 outside

Phase: 3

Type: ACCESS-LIST

Subtype: Journal

Result: ALLOW

Config:

Access-group acl-Interior interface inside

access list acl-Interior extended icmp permitted an echo

Additional information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 5

Type: INSPECT

Subtype: np - inspect

Result: ALLOW

Config:

Additional information:

Phase: 6

Type:

Subtype:

Result: ALLOW

Config:

Additional information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (inside, outside) static source any any destination static obj - 192.168.245.0

obj - 192.168.245.0 no-proxy-arp-search to itinerary

Additional information:

Definition of static 0/x.x.x.x-x.x.x.x/0

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional information:

Phase: 9

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 277723432 id, package sent to the next module

Result:

input interface: inside

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

There is no route to the address pool of vpn. Maybe that's the problem? I don't know than that used to work before we went to 8.4.

Check if the firewall is enabled on your host from the client ravpn and blocking your pings.

Remote access VPN client to connect but cannot ping inside the host, after that split tunnel is activated (config-joint)

Hello

I don't know what could be held, vpn users can ping to the outside and inside of the Cisco ASA interface but can not connect to servers or servers within the LAN ping.

is hell config please kindly and I would like to know what might happen.

hostname horse

domain evergreen.com

activate 2KFQnbNIdI.2KYOU encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

ins-guard

!

interface GigabitEthernet0/0

LAN description

nameif inside

security-level 100

192.168.200.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description CONNECTION_TO_FREEMAN

nameif outside

security-level 0

IP 196.1.1.1 255.255.255.248

!

interface GigabitEthernet0/2

Description CONNECTION_TO_TIGHTMAN

nameif backup

security-level 0

IP 197.1.1.1 255.255.255.248

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

Shutdown

No nameif

no level of security

no ip address

management only

!

boot system Disk0: / asa844-1 - k8.bin

boot system Disk0: / asa707 - k8.bin

passive FTP mode

clock timezone WAT 1

DNS server-group DefaultDNS

domain green.com

network of the NETWORK_OBJ_192.168.2.0_25 object

Subnet 192.168.2.0 255.255.255.128

network of the NETWORK_OBJ_192.168.202.0_24 object

192.168.202.0 subnet 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

the DM_INLINE_NETWORK_2 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

Access extensive list permits all ip a OUTSIDE_IN

gbnlvpntunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

gbnlvpntunnell_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnell_splitTunnelAcl allow 192.168.202.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

backup of MTU 1500

mask of local pool VPNPOOL 192.168.2.0 - 192.168.2.100 IP 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-645 - 206.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

!

network obj_any object

dynamic NAT interface (inside, backup)

Access-group interface inside INSIDE_OUT

Access-group OUTSIDE_IN in interface outside

Route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10

Route outside 0.0.0.0 0.0.0.0 197.1.1.2 254

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

monitor SLA 100

type echo protocol ipIcmpEcho 212.58.244.71 interface outside

Timeout 3000

frequency 5

monitor als 100 calendar life never start-time now

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

backup_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

backup of crypto backup_map interface card

Crypto ikev1 allow outside

Crypto ikev1 enable backup

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

!

track 10 rtr 100 accessibility

Telnet 192.168.200.0 255.255.255.0 inside

Telnet 192.168.202.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.202.0 255.255.255.0 inside

SSH 192.168.200.0 255.255.255.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH timeout 15

SSH group dh-Group1-sha1 key exchange

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group vpntunnel strategy

Group vpntunnel policy attributes

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpntunnel_splitTunnelAcl

field default value green.com

internal vpntunnell group policy

attributes of the strategy of group vpntunnell

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list gbnlvpntunnell_splitTunnelAcl

field default value green.com

Green user name encrypted BoEFKkDtbnX5Uy1Q privilege 15 password

attributes of user name THE

VPN-group-policy gbnlvpn

tunnel-group vpntunnel type remote access

tunnel-group vpntunnel General attributes

address VPNPOOL pool

strategy-group-by default vpntunnel

tunnel-group vpntunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group vpntunnell remote access

tunnel-group vpntunnell General-attributes

address VPNPOOL2 pool

Group Policy - by default-vpntunnell

vpntunnell group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

Hello

1 - Please run these commands:

"crypto isakmp nat-traversal 30.

"crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 Road opposite value.

The main issue here is that you have two roads floating and outside it has a better than backup metric, that's why I added the command 'reverse-road '.

Please let me know.

Thank you.

Cisco ASA 5515 - Anyconnect users can connect to ASA, but cannot ping inside the local IP address

Hello!

I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.

ASA Version 9.1 (1)

!

ASA host name

domain xxx.xx

names of

local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask

!

interface GigabitEthernet0/0

nameif inside

security-level 100

192.168.11.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description Interface_to_VPN

nameif outside

security-level 0

IP 111.222.333.444 255.255.255.240

!

interface GigabitEthernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

management only

nameif management

security-level 100

192.168.5.1 IP address 255.255.255.0

!

passive FTP mode

DNS server-group DefaultDNS

www.ww domain name

permit same-security-traffic intra-interface

the object of the LAN network

subnet 192.168.11.0 255.255.255.0

LAN description

network of the SSLVPN_POOL object

255.255.255.0 subnet 192.168.12.0

VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

management of MTU 1500

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 711.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN

Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

list of URLS no

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

LOCAL AAA authorization exec

Enable http server

http 192.168.5.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec pmtu aging infinite - the security association

Crypto ca trustpoint ASDM_TrustPoint5

Terminal registration

E-mail [email protected] / * /

name of the object CN = ASA

address-IP 111.222.333.444

Configure CRL

Crypto ca trustpoint ASDM_TrustPoint6

Terminal registration

domain name full vpn.domain.com

E-mail [email protected] / * /

name of the object CN = vpn.domain.com

address-IP 111.222.333.444

pair of keys sslvpn

Configure CRL

trustpool crypto ca policy

string encryption ca ASDM_TrustPoint6 certificates

Telnet timeout 5

SSH 192.168.11.0 255.255.255.0 inside

SSH timeout 30

Console timeout 0

No ipv6-vpn-addr-assign aaa

no local ipv6-vpn-addr-assign

192.168.5.2 management - dhcpd addresses 192.168.5.254

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

SSL-trust outside ASDM_TrustPoint6 point

WebVPN

allow outside

CSD image disk0:/csd_3.5.2008-k9.pkg

AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1

AnyConnect enable

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

internal VPN_CLIENT_POLICY group policy

VPN_CLIENT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - 5 concurrent connections

VPN-session-timeout 480

client ssl-VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

myComp.local value by default-field

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

time to generate a new key 30 AnyConnect ssl

AnyConnect ssl generate a new method ssl key

AnyConnect client of dpd-interval 30

dpd-interval gateway AnyConnect 30

AnyConnect dtls lzs compression

AnyConnect modules value vpngina

value of customization DfltCustomization

internal IT_POLICY group policy

IT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - connections 3

VPN-session-timeout 120

Protocol-tunnel-VPN-client ssl clientless ssl

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

field default value societe.com

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

AnyConnect dtls lzs compression

value of customization DfltCustomization

username vpnuser password PA$ encrypted $WORD

vpnuser username attributes

VPN-group-policy VPN_CLIENT_POLICY

type of remote access service

Username vpnuser2 password PA$ encrypted $W

username vpnuser2 attributes

type of remote access service

username admin password ADMINPA$ $ encrypted privilege 15

VPN Tunnel-group type remote access

General-attributes of VPN Tunnel-group

address VPN_CLIENT_POOL pool

Group Policy - by default-VPN_CLIENT_POLICY

VPN Tunnel-group webvpn-attributes

the aaa authentication certificate

enable VPN_to_R group-alias

type tunnel-group IT_PROFILE remote access

attributes global-tunnel-group IT_PROFILE

address VPN_CLIENT_POOL pool

Group Policy - by default-IT_POLICY

tunnel-group IT_PROFILE webvpn-attributes

the aaa authentication certificate

enable IT Group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

: end

Help me please! Thank you!

Hello

Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

Thank you

swap

Cannot ping inside the ASA from the inside interface

Don't know what I did wrong... appreciate any help

Here is the page layout

laptop--> cisco 3750 switch--> ASA5505 firewall--> future VPN tunnel

Laptop, switch interface VLAN and inside the ASA are all in the same subnet

Switch and ASA have all interfaces local network VIRTUAL 52 (the subnet in question), except for the external interface

-----------------

This is the problem

laptop getting ip addressing and def GW via DHCP from the firewall

switch and FW can ping each other without problem

FW can't ping, still gets the DHCP scope.

Thank you

Dave

Hello

How did you setup?

The laptop is connected to a port of the 3750 (VLAN 52).

The connection between the 3750 and the SAA is a chest or a link L3?

If the 3750 has a SVI belonging to VLAN52, you can ping from the correct PC? As well as the ASA?

Federico.

Cannot Ping across the VPN remote access

Hello world

I hope I posted this in the right place!

I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!

We have a firewall of 515E PIX 6.3 (4) on which I used the VPN Wizard to set up a remote access VPN the Cisco VPN client on the external interface.

When I connect to home on my laptop Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C) I seem to be able to connect to most of the network resources (IE file shares, I can RDP into servers, etc.) but I can't seem to be able to ping anything : I just request times out.

I'm sure it's something stupid I've done (or not done).

I have attached my config and would be grateful if someone could take a look and point me in the right direction.

Thanks in advance for your help,

Peter.

Hi Peter,.

You must add a line to the inside_access_in access list:

Enable

conf t

access-list inside_access_in allow icmp a whole

output

write members

Kind regards

Cathy

The VPN Clients cannot Ping hosts

I'll include a post my config. I have clients that connect through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the main network for the office.

I can connect to the VPN, and I received a correct address assignment. I belive tunneling can be configured correctly in the aspect that I can always connect to the internet then on the VPN, but I can't ping all hosts on the 192.168.1.0 network. In the journal of the ASDM debugging, I see pings to the ASA, but no response is received on the client.

February 21, 2013

21:54:26

180.0.0.1

53508

192.168.1.1

Built of ICMP incoming connections for faddr gaddr laddr 192.168.1.1/0 (christopher) 192.168.1.1/0 180.0.0.1/53508

Any help would be greatly appreciated, I'm currently presuring my CCNP so I would get a deeper understanding of how to resolve these issues.

-Chris

hostname RegencyRE - ASA

domain regencyrealestate.info

activate 2/VA7dRFkv6fjd1X of encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

name 180.0.0.0 Regency

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

link to the description of REGENCYSERVER

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

link to the description of RegencyRE-AP

interface Vlan1

nameif inside

security-level 100

192.168.1.120 IP address 255.255.255.0

interface Vlan2

nameif outside

security-level 0

IP x.x.x.x 255.255.255.248

passive FTP mode

clock timezone PST - 8

clock summer-time recurring PDT

DNS lookup field inside

DNS domain-lookup outside

DNS server-group DefaultDNS

Server name 208.67.220.220

name-server 208.67.222.222

domain regencyrealestate.info

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 Regency 255.255.255.224

RegencyRE_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

outside_access_in list extended access permit icmp any one

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask Regency 180.0.0.1 - 180.0.0.20 255.255.255.0 IP local pool

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow all outside

ASDM 255.255.255.0 inside Regency location

ASDM location 192.168.0.0 255.255.0.0 inside

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 12.186.110.2 1

Route inside 192.0.0.0 255.0.0.0 192.168.1.102 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

LOCAL AAA authentication serial console

http server enable 8443

http 0.0.0.0 0.0.0.0 outdoors

http 0.0.0.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 0.0.0.0 0.0.0.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH timeout 15

SSH version 2

Console timeout 0

dhcprelay Server 192.168.1.102 inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP server 69.25.96.13 prefer external source

NTP server 216.171.124.36 prefer external source

WebVPN

internal RegencyRE group strategy

attributes of Group Policy RegencyRE

value of server DNS 208.67.220.220 208.67.222.222

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list RegencyRE_splitTunnelAcl

username password encrypted adriana privilege 0

christopher encrypted privilege 15 password username

irene encrypted password privilege 0 username

type tunnel-group RegencyRE remote access

attributes global-tunnel-group RegencyRE

Regency address pool

Group Policy - by default-RegencyRE

IPSec-attributes tunnel-group RegencyRE

pre-shared key R3 & eNcY1.

class-map inspection_default

match default-inspection-traffic

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

Review the ip options

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d

: end

Hello

-be sure that the destination host 192.168.1.x has a route towards 180.0.0.0 by the ASA gateway.

-Configure the following figure:

capture capin interface inside match icmp 192.168.1.x host 180.0.0.x

capture ASP asp type - drop all

then make a continuous ping and get 'show capin cap' and 'asp cap.

-then check the ping, the 'encrypted' counter is increasing in the VPN client statistics

I would like to know about it, hope this helps

----

Mashal

Client VPN cannot get inside the network

The VPN client connects to the 2600 on the serial interface, should be able to get to the 10.10.0.0 network beyond 192.168.1.14. The customer ping responds failure of external serial interface address.

If you still have problems... can you check that there is a static route BOF 192.168.100.0/24 on router 192.168.1.14 and initiate a tracert to a host on the network of 10.10.x.x at 192.168.100.7 and see where it goes... your tests show that the VPN client knows how to get to this subnet, but it seems that there is a problem of routing between 10.X.X.X going 192.168.100.0

I hope that helps!

try VPN remote ping inside the network

I use this Setup

http://www.Cisco.com/image/gif/en/us/guest/tech/TK372/c1492/ccmigration_09186a008009442e.gif

I cannot ping inside user from the remote client?

do you know why?

Add...

management-access inside

Please evaluate the useful messages.

The VPN Clients need access to the subnet on another router

Hello

We have a pix 515e PIX Version 8.0 (2)

We have two subnet 10.1.x.x/16 and 10.2.x.x/16

The firewall is on 10.1.x.x and vpn clients can access this subnet.

The firewall can ping 10.2.x.y where x is a server in the other subnet.

On the 10.2.x.x customers out the firewall.

The problem is that vpn clients cannot access the server of 10.2.x.y even if the pix can ping 10.2.x.y and the road for him.

What I need to check that the vpn rules are correct in the pix 515e?

I think it is a rule of exemption nat or something like that not exactly sure.

Everything would be a great help.

Thank you

Hello

For clients VPN access to these subnets, check the following:

1 NAT exemption include these subnets (if not using NAT)... it's the NAT0 ACL command

2. these subnets is included in the split tunneling

3. these subnets have a route to the PIX to send traffic to the VPN client pool.

4. There are no ACLs not applied to the inside interface of the PIX deny this communication.

Federico.

Routing problem between the VPN Client and the router's Ethernet device

Hello

I have a Cisco 1721 in a test environment.

A net 172.16.0.0/19 simulates the Internet and a net 192.168.1.0/24 simulates the net, the VPN tunnel must go to (intranet).

The net 172.16.0.0 depends on the router 0 FastEthernet, Intranet (VPN) hangs on Ethernet 0.

The configuration was inspired form the sample Configuration

"Configuring the Client VPN Cisco 3.x for Windows to IOS using Local extended authentication"

and the output of the ConfigMaker configuration.

Authentication and logon works. Client receives an IP address from the pool. But there's a routing problem

side of routers. Ping client-side - do not work (the VPN client statistics that count encrypt them packets, but not to decrypt).

Ping the router works too, but decrypt and encrypt customer statistics in VPN packets count progressive

(customer has a correct route and return ICMP packets to the router).

The question now is:

How to route packets between the Tunnel and an Ethernet device (Ethernet 0)?

conf of the router is attached - hope that's not too...

Thanks & cordially

Thomas Schmidt

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

!

version 12.2

horodateurs service debug uptime

Log service timestamps uptime

encryption password service

!

!

host name * moderator edit *.

!

enable secret 5 * moderator edit *.

!

!

AAA new-model

AAA authentication login userauthen local

AAA authorization groupauthor LAN

!

! only for the test...

!

username cisco password 0 * moderator edit *.

!

IP subnet zero

!

audit of IP notify Journal

Max-events of po verification IP 100

!

crypto ISAKMP policy 3

3des encryption

preshared authentication

Group 2

!

ISAKMP crypto client configuration group 3000client

key cisco123

pool ippool

!

! We do not want to divide the tunnel

! ACL 108

!

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

!

map clientmap client to authenticate crypto list userauthen

card crypto clientmap isakmp authorization list groupauthor

client configuration address map clientmap crypto answer

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

!

interface Ethernet0

no downtime

Description connected to VPN

IP 192.168.1.1 255.255.255.0

full-duplex

IP access-group 101 in

IP access-group 101 out

KeepAlive 10

No cdp enable

!

interface Ethernet1

no downtime

address 192.168.3.1 IP 255.255.255.0

IP access-group 101 in

IP access-group 101 out

full-duplex

KeepAlive 10

No cdp enable

!

interface FastEthernet0

no downtime

Description connected to the Internet

IP 172.16.12.20 255.255.224.0

automatic speed

KeepAlive 10

No cdp enable

!

! This access group is also only for test cases!

!

no access list 101

access list 101 ip allow a whole

!

local pool IP 192.168.10.1 ippool 192.168.10.10

IP classless

IP route 0.0.0.0 0.0.0.0 172.16.12.20

enable IP pim Bennett

!

Line con 0

exec-timeout 0 0

password 7 * edit from moderator *.

line to 0

line vty 0 4

!

end

^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-

Thomas,

Can't wait to show something that might be there, but I don't see here. You do not have the card encryption applied to one of the interfaces, perhaps it was not copied. Assuming your description you do it, or should it be, applied to the fa0 and you are connected. Try how you ping? Since the router or a device located on E0? If you ping the router, you will need to do an extended ping of E0 to the ip address of the client has been assigned. If your just ping the router without the extension, you will get sales and decrypts that you declare on the client. Have you tried to ping from the client to interface E0? Your default route on the router is pointing to fa0? You have a next hop to affect? You have several NIC on the client pc? Turn off your other network cards to check that you don't have a problem with routing on the client if you have more than one.

Kurtis Durrett

The VPN client VPN connection behind other PIX PIX

I have the following problem:

I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).

So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5

I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.

Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.

If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:

305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x

194.x.x.x is our customer s address IP PIX

I understand that somewhere access list is missing, but I can not understand.

Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.

Can you please help me?

Thank you in advan

The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.

I've cut and pasted here for you to read, I think that the problem mentioned below:

Question:

Hi Glenn,.

Following is possible?

I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.

The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?

My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.

Thank you very much for any help provided in advance.

Response from Glenn:

First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:

fixup protocol esp-ike

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:

ISAKMP nat-traversal

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.

ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.

NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.

Hope that helps.

Terminating the VPN client on 871W

Hello

I tried to install EasyVPN on a cisco 871W by SDM. The goal is to finish the VPN client with authentication with an external RADIUS/advertising (on a local subnet). I implemented the IAS on a win2003 Server advertising and checked the accounts.

SDM was missing the 'crypto map' piece of config. After you add this in the CLI it still didn't work. Thus, EasyVPN is not as easy at is sounds...

Could someone with some knowledge of VPN and IPsec and so forth please look at this config? Maybe it gives me an idea of what I did wrong (which, without a doubt, must be the case).

Thank you

Erik

==

AAA new-model
!
AAA rad_eap radius server group
auth-port 1645 10.128.7.5 Server acct-port 1646
!
AAA rad_mac radius server group
!
AAA rad_acct radius server group
!
AAA rad_admin radius server group
!
AAA server Ganymede group + tac_admin
!
AAA rad_pmip radius server group
!
RADIUS server AAA dummy group
!
AAA authentication login default local
AAA authentication login eap_methods group rad_eap
AAA authentication login mac_methods local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ipmobile default group rad_pmip
AAA authorization sdm_vpn_group_ml_1 LAN
AAA accounting network acct_methods
action-type market / stop
Group rad_acct
!
!
!
AAA - the id of the joint session
clock timezone MET 1
clock to DST DST PUTS recurring last Sun Mar 02:00 last Sun Oct 02:00
!
Crypto pki trustpoint TP-self-signed-1278336536
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1278336536
revocation checking no
rsakeypair TP-self-signed-1278336536
!
!
TP-self-signed-1278336536 crypto pki certificate chain
certificate self-signed 01
3082024A 308201B 3 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31323738 33333635 6174652D 3336301E 170 3039 31303237 32313237
32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 32373833 65642D
33363533 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
81008B 56 5902F5DF FCE1A56E 3A63350E 45956514 1767EF73 FEC6CD16 7E982A82
B0AF8546 ABB3D35A B7C3A7E3 3ACCB34A 8B655C97 F103DBD5 9AAEFEFC 37A 02103
4EFC398B 0C8B6BE5 AD3E568E 6CB69F87 CBCA0785 EAED0A28 726F2F0A B0B0453E
32E6B3B7 861F87FA 222197DD 3410D8A9 35939E9B CBF95F20 B8DA6ADE BF460F5C
BF8F0203 010001A 3 72307030 130101 1 FF040530 030101FF 301D 0603 0F060355
551 1104 16301482 12444341 4E495430 302E6361 6E2D6974 2E657530 1F060355
1 230418 30168014 84C9223E 661B2EB4 5BAB0B0E 1BE3A27A 64B3AEB0 301D 0603
551D0E04 16041484 C9111E66 1B2EB45B AB0B0E1B E3A27A64 B3AEB030 0D06092A
010104 05000381 8693B 599 70EC1F1A D2995276 F3E4AF9D 81002F4A 0D 864886F7
17E3583A 46C749F9 38743E6F F5E60478 5B9B5091 E944C689 7BA6DCA2 94D2FBD3
AFDE4500 A0A3644E 603A852D 55ED7A87 93501D5C 1662DAED 3FFFEC5A F1C38ED4
E0787561 BA5C14A3 6D065FCF 7DBDEBB6 9186C2D9 AA253FBF A9E38BC3 342C3AC9
2BEF6821 E4C50277 493AD5B6 2AFE
quit smoking
dot11 syslog
!
IP source-route
!
!
DHCP excluded-address IP 10.128.1.250 10.128.1.254
DHCP excluded-address IP 10.128.150.250 10.128.150.254
DHCP excluded-address IP 10.128.7.0 10.128.7.100
DHCP excluded-address IP 10.128.7.250 10.128.7.254
!
pool IP dhcp VLAN30-COMMENTS
import all
Network 10.128.1.0 255.255.255.0
router by default - 10.128.1.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
IP dhcp VLAN20-STAFF pool
import all
Network 10.128.150.0 255.255.255.0
router by default - 10.128.150.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
IP dhcp SERVERS VLAN10 pool
import all
Network 10.128.7.0 255.255.255.0
router by default - 10.128.7.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
!
IP cef
no ip domain search
IP domain name aaa.com
inspect the tcp IP MYFW name
inspect the IP udp MYFW name
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
VPDN enable
!
!
!
username privilege 15 secret 5 xxxx xxxx
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpn
key xxxx
pool SDM_POOL_1
netmask 255.255.255.0
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
market arriere-route
!
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
client configuration address map SDM_CMAP_1 crypto answer
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
Crypto ctcp port 10000
Archives
The config log
hidekeys
!
!
!
Bridge IRB
!
!
interface Loopback0
10.128.201.1 the IP 255.255.255.255
map SDM_CMAP_1 crypto
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 20
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 30
!
interface FastEthernet4
no ip address
Speed 100
full-duplex
PPPoE enable global group
PPPoE-client dial-pool-number 1
No cdp enable
!
interface Dot11Radio0
no ip address
Shutdown
No dot11 extensions aironet
!
interface Vlan1
address IP AAA. BBB. CCC.177 255.255.255.240
no ip redirection
no ip proxy-arp
NAT outside IP
no ip virtual-reassembly
No autostate
Hold-queue 100 on
!
interface Vlan10
SERVER description
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 10
Bridge-group of 10 disabled spanning
!
interface Vlan20
Description of the STAFF
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 20
Bridge-group 20 covering people with reduced mobility
!
Vlan30 interface
Description COMMENTS
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 30
Bridge-group 30 covering people with reduced mobility
!
interface Dialer1
MTU 1492
IP unnumbered Vlan1
no ip redirection
no ip proxy-arp
NAT outside IP
inspect the MYFW over IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication pap callin
PPP pap sent-name of user password 7 xxxx xxxxx
!
interface BVI10
Description the server network bridge
IP 10.128.7.254 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface BVI20
Description personal network bridge
IP 10.128.150.254 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface BVI30
Bridge network invited description
IP 10.128.1.254 255.255.255.0
IP access-group Guest-ACL in
IP nat inside
IP virtual-reassembly
!
pool of local SDM_POOL_1 192.168.2.1 IP 192.168.2.100
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer1
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
IP http secure ciphersuite 3des-ede-cbc-sha
IP http secure-client-auth
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
overload of IP nat inside source list 101 interface Vlan1
IP nat inside source static tcp 10.128.7.1 25 AAA. BBB. Expandable 25 CCC.178
IP nat inside source static tcp 10.128.7.1 80 AAA. BBB. CCC.178 extensible 80
IP nat inside source static tcp 10.128.7.1 443 AAA. BBB. CCC.178 extensible 443
IP nat inside source static tcp 10.128.7.1 8333 AAA. BBB. CCC.178 extensible 8333
IP nat inside source static tcp 10.128.7.2 25 AAA. BBB. Expandable 25 CCC.179
IP nat inside source static tcp 10.128.7.2 80 AAA. BBB. CCC.179 extensible 80
IP nat inside source static tcp 10.128.7.2 443 AAA. BBB. CCC.179 extensible 443
IP nat inside source static tcp 10.128.7.2 8333 AAA. BBB. CCC.179 extensible 8333
IP nat inside source static tcp 10.128.7.3 25 AAA. BBB. Expandable 25 CCC.180
IP nat inside source static tcp 10.128.7.3 80 AAA. BBB. CCC.180 extensible 80
IP nat inside source static tcp 10.128.7.3 443 AAA. BBB. CCC.180 extensible 443
IP nat inside source static tcp 10.128.7.3 8333 AAA. BBB. CCC.180 extensible 8333
IP nat inside source static tcp 10.128.7.4 25 AAA. BBB. Expandable 25 CCC.181
IP nat inside source static tcp 10.128.7.4 80 AAA. BBB. CCC.181 extensible 80
IP nat inside source static tcp 10.128.7.4 443 AAA. BBB. CCC.181 extensible 443
IP nat inside source static tcp 10.128.7.4 8333 AAA. BBB. CCC.181 extensible 8333
IP nat inside source static tcp 10.128.7.5 25 AAA. BBB. Expandable 25 CCC.182
IP nat inside source static tcp 10.128.7.5 80 AAA. BBB. CCC.182 extensible 80
IP nat inside source static tcp 10.128.7.5 443 AAA. BBB. CCC.182 extensible 443
IP nat inside source static tcp 10.128.7.5 8333 AAA. BBB. CCC.182 extensible 8333
IP nat inside source static tcp 10.128.7.6 25 AAA. BBB. Expandable 25 CCC.183
IP nat inside source static tcp 10.128.7.6 80 AAA. BBB. CCC.183 extensible 80
IP nat inside source static tcp 10.128.7.6 443 AAA. BBB. CCC.183 extensible 443
IP nat inside source static tcp 10.128.7.6 8333 AAA. BBB. CCC.183 extensible 8333
IP nat inside source static tcp 10.128.7.7 25 AAA. BBB. Expandable 25 CCC.184
IP nat inside source static tcp 10.128.7.7 80 AAA. BBB. CCC.184 extensible 80
IP nat inside source static tcp 10.128.7.7 443 AAA. BBB. CCC.184 extensible 443
IP nat inside source static tcp 10.128.7.7 8333 AAA. BBB. CCC.184 extensible 8333
IP nat inside source static tcp 10.128.7.8 25 AAA. BBB. Expandable 25 CCC.185
IP nat inside source static tcp 10.128.7.8 80 AAA. BBB. CCC.185 extensible 80
IP nat inside source static tcp 10.128.7.8 443 AAA. BBB. CCC.185 extensible 443
IP nat inside source static tcp 10.128.7.8 8333 AAA. BBB. CCC.185 extensible 8333
IP nat inside source static tcp 10.128.7.9 25 AAA. BBB. Expandable 25 CCC.186
IP nat inside source static tcp 10.128.7.9 80 AAA. BBB. CCC.186 extensible 80
IP nat inside source static tcp 10.128.7.9 443 AAA. BBB. CCC.186 extensible 443
IP nat inside source static tcp 10.128.7.9 8333 AAA. BBB. CCC.186 extensible 8333
IP nat inside source static tcp 10.128.7.10 25 AAA. BBB. Expandable 25 CCC.187
IP nat inside source static tcp 10.128.7.10 80 AAA. BBB. CCC.187 extensible 80
IP nat inside source static tcp 10.128.7.10 443 AAA. BBB. CCC.187 extensible 443
IP nat inside source static tcp 10.128.7.10 8333 AAA. BBB. CCC.187 extensible 8333
IP nat inside source static tcp 10.128.7.11 25 AAA. BBB. Expandable 25 CCC.188
IP nat inside source static tcp 10.128.7.11 80 AAA. BBB. CCC.188 extensible 80
IP nat inside source static tcp 10.128.7.11 443 AAA. BBB. CCC.188 extensible 443
IP nat inside source static tcp 10.128.7.11 8333 AAA. BBB. CCC.188 extensible 8333
IP nat inside source static tcp 10.128.7.12 25 AAA. BBB. Expandable 25 CCC.189
IP nat inside source static tcp 10.128.7.12 80 AAA. BBB. CCC.189 extensible 80
IP nat inside source static tcp 10.128.7.12 443 AAA. BBB. CCC.189 extensible 443
IP nat inside source static tcp 10.128.7.12 8333 AAA. BBB. CCC.189 extensible 8333
!
Guest-ACL extended IP access list
deny ip any 10.128.7.0 0.0.0.255
deny ip any 10.128.150.0 0.0.0.255
allow an ip
IP Internet traffic inbound-ACL extended access list
allow udp any eq bootps any eq bootpc
permit any any icmp echo
permit any any icmp echo response
permit icmp any any traceroute
allow a gre
allow an esp
!
access-list 1 permit 10.128.7.0 0.0.0.255
access-list 1 permit 10.128.150.0 0.0.0.255
access-list 1 permit 10.128.1.0 0.0.0.255
access-list 2 allow 10.0.0.0 0.255.255.255
access-list 2 refuse any
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
access-list 101 permit ip 10.128.150.0 0.0.0.255 any
access-list 101 permit ip 10.128.1.0 0.0.0.255 any
Dialer-list 1 ip Protocol 1
!
!
!
!
format of server RADIUS attribute 32 include-in-access-req hour
RADIUS-server host 10.128.7.5 auth-port 1645 acct-port 1646 borders 7 xxxxx
RADIUS vsa server send accounting
!
control plan
!
IP route 10 bridge
IP road bridge 20
IP road bridge 30
Banner motd ^.
Unauthorized access prohibited. *
All access attempts are logged! ***************

^
!
Line con 0
password 7 xxxx
no activation of the modem
line to 0
line vty 0 4
access-class 2
privilege level 15
transport input telnet ssh
!
max-task-time 5000 Planner
AAA.BBB.CCC.ddd NTP server
end

Erik,

The address pool you are talking about is to assign to the customer or the public router interface? If you want to set up your vpn client software point a full domain name instead of an IP address that you can do it too long you can ensure the use of the name is resolved by a DNS SERVER.

The range of addresses that you can be asigned to your Dialer interface will depend on your ISP.

-Butterfly

Cannot ping inside the vpn client hosts. It's a NAT problem

Similar Questions

Maybe you are looking for