Cannot ping internal VPN network.

Similar Questions

• Cannot ping client VPN

  I have a problem with the software client blocking VPN traffic, for example if the client software is installed I can not ping the client or push installs the client, almost acting like Windows Firewall. On a 50 clients that I have 3 that are affected in this way, they are Windows 2000 Pro, all have the latest service packs and security patches, all are configured identically. It doesn't matter where the client is or even if they are VPN in. If they are physically on the local network the problem is the same. As soon as the software is uninstalled the problem disappears. I have tried 3 different versions of the client and it does not change the situation. Anyone had this happen before or been to a resolution?

  Thank you

  Matt

  I solved an exact problem by:

  1. If the PC is on the directly connected network, run the Client VPN software (but do not start a VPN connection), click on the meny Options and uncheck the 'Stateful Firewall '. In this way, you should be able to ping the computer. If not, then you will have to investigate the parameters of local PC Firewall (such as the personal FW, fw XP)

  2. If the PC is VPN in and you want to ping, then you will need to allow icmp traffic from the internal network to the VPN clients.

  Hope this work for you.

• Cisco ASA 5520 cannot ping between VPN Tunnels

  I have the main site and sites A and B.  A to connect to the hand and B connects to the main.  I can ping from A hand and has for main.  I can ping from main to B and B to main.  However, I can not ping from A to B.  A and B are sonicwall 2040 and main is a 5520.  The question should not be with the 5520 none allowing traffic between the two VPN Tunnels, but I can't understand why it does not work.  Can someone give an idea on that?  Thanks in advance.

  Hello

  I see that you use ASDM. Always makes my eyes bleed when I need to look at the DM_INLINE of named objects and try to make sense the CLI format

  Seems to me that there are problems with the NAT.

  If you don't mind a small break between the main Site and remote locations, I'd say changing some follows the NAT configuration

  Remove old

  no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 non-proxy-arp-search of route static destination

  no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 non-proxy-arp-search of route static destination

  Add a new

  object-group network NETWORK-2790

  object-network 10.217.0.0 255.255.255.0

  object-network 10.217.1.0 255.255.255.0

  object-group network NETWORK-3820

  object-network 10.216.0.0 255.255.255.0

  object-network 10.216.1.0 255.255.255.0

  object-group network NETWORK-COLO

  object-net 10.8.0.0 255.255.255.0

  destination of NETWORK of NETWORK-2790-2790 static NAT (outside, outside) static source NETWORK - 3820 - 3820

  NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 2790 - 2790

  NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 3820 - 3820

  The first new line of configuring NAT manages the NAT0 configuration for traffic between SiteA and SiteB. The following configurations of NAT 2 manage the NAT0 for traffic between the main Site - hand Site SiteA - SiteB

  -Jouni

• Once the VPN connection is established, cannot ping or you connect other IP devices

  Try to get a RV016 installed and work so that people can work from home.  You will need to charge customers remote both WIN XP and MAC OS X.

  Have the configured router and works fine with the VPN Linksys client for WIN XP users.  Can connect, ping, mount the shared disks, print to printers to intellectual property, etc.

  Can connect to the router fine with two VPN clients third 3 for Mac: VPN Tracker and IPSecuritas.  However, once the connection is established, cannot ping the VPN LinkSYS router or any other IP address on the LAN Office.  Turn the firewall on or off makes no difference.

  Is there documentation anywhere that describes how the LinksysVPN for Windows Client communicates so these can be replicated in 3rd VPN clients from third parties for the Mac in OS X?

  The connection with IPSecuritas and VPN Tracker is performed using a shared key and a domain name.  It is not a conflict of IP address network between the client and the VPN 192.168.0.0/24 network.

  VPN Tracker and IPSecuritas are able to connect to the routers CISCO easy VPN with no poblem.

  Any ideas on how to get the RV016 to work for non-Windows users?

  We found and fixed the problem, so using VPN Tracker or current IPSecuritas on OS X people have access to the LAN via the RV016 machines. The "remote networks" in the screen BASE in VPN Tracker has been set on the entire subnet: 192.168.0.0/255.255.255.0 the in the RV016 has been set to the IP of 192.168.0.1 to 192.168.0.254 range. Even if the addresses are essentially the same, without specifying the full subnet in the RV016 has allowed the connection to do but prevented the VPN client machine to connect because the RV016 would pass all traffic to the Remote LAN. Change the setting of 'local group' in RV016 settings in the screen "VPN/summary/GroupVPN', 'Local Group Zone' for the subnet 192.168.0.0/24 full solved the problem.

• ASA 5510 - cannot access or ping internal networks

  Hello

  I can't ping of an internal network (10.1.1.0/24) to another internal network (10.1.2.0/24 and 10.1.3.0/24 and so on).

  The static route is in place and his works fine. I can ping these ASA network but not workstations.

  The error I get on ASA is: refuse packet dropped due to the implicit access list.

  Here is the configuration file:

  :

  ASA Version 8.0 (2)

  !

  host name asa

  test.com domain name

  activate the encrypted password of YLmDtv0bLkbX2VFy

  names of

  DNS-guard

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  IP address 20x.20x.16.xxx 255.255.255.224

  !

  interface Ethernet0/1

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/2

  nameif dmz

  security-level 50

  IP 172.16.0.254 255.255.255.0

  !

  interface Ethernet0/3

  nameif inside

  security-level 100

  IP 10.1.1.2 255.255.255.0

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 172.16.200.1 255.255.255.248

  management only

  !

  access-list acl_outside note allows outdoor ping (need to enable internal rule of ICMP n ° 3)

  acl_outside list extended access permit icmp any one

  acl_outside list extended access permit tcp any any eq idle ftp

  acl_outside list extended access permit tcp any any object-group inactive DM_INLINE_TCP_1

  Comment from inside_access_in-access list internal nodes access to the outside world (all ports)

  inside_access_in list extended access allowed object-group TCPUDP any object-group everything

  access-list inside_access_in note allows ping within the network to the external network (internet).

  inside_access_in access list extended icmp permitted any any inactive echo

  access-list inside_access_in note allow ping respond both ways - from the inside to the outside and

  Note to inside_access_in list to access the outside inside (nat sound knots)

  inside_access_in list extended access allow DM_INLINE_SERVICE_1 of object-group a

  access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192

  access-list sheep extended permits all ip 172.16.100.0 255.255.255.192

  standard access list group1_splitTunnelAcl allow a

  pager lines 24

  Within 1500 MTU

  management of MTU 1500

  mask IP local VPN-pool 172.16.100.0 - 172.16.100.62 255.255.255.192

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow all outside

  ICMP allow any inside

  ASDM image disk0: / asdm - 602.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 20x.20x.16.xxx (outside)

  NAT (inside) 0 access-list sheep

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group acl_outside in interface outside

  inside_access_in access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 20x.20x.16.xxx 1

  Route inside 10.1.2.0 255.255.255.0 10.1.1.248 1

  Route inside 10.1.3.0 255.255.255.0 10.1.1.248 1

  Route inside 10.1.4.0 255.255.255.0 10.1.1.248 1

  Route inside 10.1.7.0 255.255.255.0 10.1.1.248 1

  Route inside 10.1.9.0 255.255.255.0 10.1.1.248 1

  Route inside 10.1.14.0 255.255.255.0 10.1.1.248 1

  Route inside 10.1.15.0 255.255.255.0 10.1.1.247 1

  Route inside 192.168.1.0 255.255.255.0 10.1.1.248 1

  Route inside 192.168.20.0 255.255.255.240 10.1.1.248 1

  Route inside 192.168.30.0 255.255.255.240 10.1.1.248 1

  Route inside 192.168.40.0 255.255.255.240 10.1.1.248 1

  Route inside 192.168.50.0 255.255.255.240 10.1.1.248 1

  Route inside 192.168.70.0 255.255.255.240 10.1.1.248 1

  Route inside 192.168.80.0 255.255.255.240 10.1.1.248 1

  -------------------------------------

  Any help or advice will be appreciated.

  Thank you

  You need two or three statements

  permit same-security-traffic intra-interface

  access-list sheep extended ip 10.1.2.0 allow 255.255.255.0 10.1.1.0 255.255.255.0

  10.1.3.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.1.0 255.255.255.0

  10.1.4.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.1.0 255.255.255.0

  10.1.7.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.1.0 255.255.255.0

  10.1.9.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.1.0 255.255.255.0

  10.1.14.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.1.0 255.255.255.0

  and so on...

  apply sheep except for inside the interface which you already have (inside) nat 0 access-list sheep

  Concerning

• cannot ping between remote vpn site?

  vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well.  I can ping from central office for two remote sites, but I cannot ping between these two vpn sites?  Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next?  Help, please...

  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  !
  object-group network SITE-a.
  object-network 192.168.42.0 255.255.255.0
  !
  object-group network SITE-B
  object-network 192.168.46.0 255.255.255.0
  !
  extended OUTSIDE allowed a whole icmp access list
  HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
  !
  destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
  !
  address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
  card crypto VPN-card 50 peers set *. *.56.250
  card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
  VPN-card interface card crypto outside
  !
  internal strategy group to DISTANCE-NETEXTENSION
  Remote CONTROL-NETEXTENSION group policy attributes
  value of DNS server *. *. *. *
  VPN-idle-timeout no
  Ikev1 VPN-tunnel-Protocol
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value REMOTE-NET2
  value by default-field *.org
  allow to NEM
  !
  remote access of type tunnel-group to DISTANCE-NETEXTENSION
  Global DISTANCE-NETEXTENSION-attributes tunnel-group
  authentication-server-group (inside) LOCAL
  Group Policy - by default-remote CONTROL-NETEXTENSION
  IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
  IKEv1 pre-shared-key *.
  tunnel-group *. *.56.250 type ipsec-l2l
  tunnel-group *. *.56.250 ipsec-attributes
  IKEv1 pre-shared-key *.
  !

  !

  ASA - 5510 # display route. include the 192.168.42
  S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
  ASA - 5510 # display route. include the 192.168.46
  S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
  ASA-5510.

  !
  Username: Laporte-don't Index: 10
  Assigned IP: 192.168.46.0 public IP address: *. *.65.201
  Protocol: IKEv1 IPsecOverNatT
  License: Another VPN
  Encryption: 3DES hash: SHA1
  TX Bytes: bytes 11667685 Rx: 1604235
  Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
  Opening time: 08:19:12 IS Thursday, February 12, 2015
  Duration: 6 h: 53 m: 29 s
  Inactivity: 0 h: 00 m: 00s
  Result of the NAC: unknown
  Map VLANS: VLAN n/a: no
  !
  ASA - 5510 # display l2l vpn-sessiondb

  Session type: LAN-to-LAN

  Connection: *. *.56.250
  Index: 6 IP Addr: *. *.56.250
  Protocol: IPsec IKEv1
  Encryption: AES256 3DES hash: SHA1
  TX Bytes: bytes 2931026707 Rx: 256715895
  Connect time: 02:00:41 GMT Thursday, February 12, 2015
  Duration: 13: 00: 10:00

  Hi Rico,

  You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.

  example:

  Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.

  object-group network SITE-a.
  object-network 192.168.42.0 255.255.255.0
  !
  object-group network SITE-B
  object-network 192.168.46.0 255.255.255.0

  dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
  public static SITE SITE-B-B

  destination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
  SITE static-SITE a

  Hope this helps

  Thank you

  Rizwan James

• Peer AnyConnect VPN cannot ping, RDP each other

  I have an ASA5505 running ASA 8.3 (1) and ASDM 7.1 (1).  I have a remote access VPN set up and remote access users are able to connect and access to network resources.   I can ping the VPN peers between the Remote LAN.    My problem counterparts VPN cannot ping (RDP, CDR) between them.   Ping a VPN peer of reveals another the following error in the log of the SAA.

  Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp outside CBC: 10.10.10.8 outside dst: 10.10.10.9 (type 8, code 0) rejected due to the failure of reverse NAT.

  Here's my ASA running-config:

  ASA Version 8.3 (1)

  !

  ciscoasa hostname

  domain dental.local

  activate 9ddwXcOYB3k84G8Q encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address dhcp setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  clock timezone CST - 6

  clock to summer time recurring CDT

  DNS lookup field inside

  DNS server-group DefaultDNS

  192.168.1.128 server name

  domain dental.local

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  network obj_any object

  subnet 0.0.0.0 0.0.0.0

  network of the RAVPN object

  10.10.10.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_10.10.10.0_28 object

  subnet 10.10.10.0 255.255.255.240

  network of the NETWORK_OBJ_192.168.1.0_24 object

  subnet 192.168.1.0 255.255.255.0

  access-list Local_LAN_Access note VPN Customer local LAN access

  Local_LAN_Access list standard access allowed host 0.0.0.0

  DefaultRAGroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

  Note VpnPeers access list allow peer vpn ping on the other

  permit access list extended ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28 VpnPeers

  pager lines 24

  Enable logging

  asdm of logging of information

  logging of information letter

  address record [email protected] / * /

  exploitation forest-address recipient [email protected] / * / level of information

  record level of 1 600 6 rate-limit

  Outside 1500 MTU

  Within 1500 MTU

  mask 10.10.10.5 - 10.10.10.10 255.255.255.0 IP local pool VPNPool

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 711.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, all) static source all electricity static destination RAVPN RAVPN

  NAT (inside, outside) static static source NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28

  NAT (inside, outside) static source all all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination

  !

  network obj_any object

  NAT dynamic interface (indoor, outdoor)

  network of the RAVPN object

  dynamic NAT (all, outside) interface

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Community SNMP-server

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transit

  Crypto ipsec transform-set ESP-DES-SHA-TRANS esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-SHA-TRANS mode transit

  Crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transit

  Crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transit

  Crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transit

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP ESP-AES-128-SHA ESP - AES - 192 - SHA ESP - AES - 256 - SHA ESP - 3DES - SHA - OF - SHA ESP - AES - 128 - SHA - TRANS ESP - AES - 192 - SHA - TRANS ESP - AES - 256 - SHA - ESP ESP - 3DES - SHA - TRANS TRANS-DES - SHA - TRANS

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  trustpoint crypto ca-CA-SERVER ROOM

  LOCAL-CA-SERVER key pair

  Configure CRL

  Crypto ca trustpoint ASDM_TrustPoint0

  registration auto

  name of the object CN = ciscoasa

  billvpnkey key pair

  Proxy-loc-transmitter

  Configure CRL

  crypto ca server

  CDP - url http://ciscoasa/+CSCOCA+/asa_ca.crl

  name of the issuer CN = ciscoasa

  SMTP address [email protected] / * /

  crypto certificate chain ca-CA-SERVER ROOM

  certificate ca 01

  * hidden *.

  quit smoking

  string encryption ca ASDM_TrustPoint0 certificates

  certificate 10bdec50

  * hidden *.

  quit smoking

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  authentication crack

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 20

  authentication rsa - sig

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 40

  authentication crack

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 50

  authentication rsa - sig

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 60

  preshared authentication

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 70

  authentication crack

  aes encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 80

  authentication rsa - sig

  aes encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 90

  preshared authentication

  aes encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 100

  authentication crack

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 110

  authentication rsa - sig

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 120

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 130

  authentication crack

  the Encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 140

  authentication rsa - sig

  the Encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 150

  preshared authentication

  the Encryption

  sha hash

  Group 2

  life 86400

  enable client-implementation to date

  Telnet 192.168.1.1 255.255.255.255 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management-access inside

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.50 - 192.168.1.99 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  threat detection statistics

  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

  SSL-trust outside ASDM_TrustPoint0 point

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image

  SVC profiles DellStudioClientProfile disk0: / dellstudioclientprofile.xml

  enable SVC

  tunnel-group-list activate

  internal-password enable

  chip-tunnel list SmartTunnelList RDP mstsc.exe windows platform

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  Server DNS 192.168.1.128 value

  Protocol-tunnel-VPN l2tp ipsec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl

  Dental.local value by default-field

  WebVPN

  SVC value vpngina modules

  internal DefaultRAGroup_1 group strategy

  attributes of Group Policy DefaultRAGroup_1

  Server DNS 192.168.1.128 value

  Protocol-tunnel-VPN l2tp ipsec

  Dental.local value by default-field

  attributes of Group Policy DfltGrpPolicy

  Server DNS 192.168.1.128 value

  VPN - 4 concurrent connections

  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

  value of group-lock RAVPN

  value of Split-tunnel-network-list Local_LAN_Access

  Dental.local value by default-field

  WebVPN

  the value of the URL - list DentalMarks

  SVC value vpngina modules

  SVC value dellstudio type user profiles

  SVC request to enable default webvpn

  chip-tunnel enable SmartTunnelList

  wketchel1 5c5OoeNtCiX6lGih encrypted password username

  username wketchel1 attributes

  VPN-group-policy DfltGrpPolicy

  WebVPN

  SVC value DellStudioClientProfile type user profiles

  username privilege 15 encrypted password 5c5OoeNtCiX6lGih wketchel

  username wketchel attributes

  VPN-group-policy DfltGrpPolicy

  WebVPN

  modules of SVC no

  SVC value DellStudioClientProfile type user profiles

  jenniferk 5.TcqIFN/4yw0Vq1 of encrypted password privilege 0 username

  jenniferk username attributes

  VPN-group-policy DfltGrpPolicy

  WebVPN

  SVC value DellStudioClientProfile type user profiles

  attributes global-tunnel-group DefaultRAGroup

  address pool VPNPool

  LOCAL authority-server-group

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared key *.

  tunnel-group DefaultRAGroup ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  eap-proxy authentication

  type tunnel-group RAVPN remote access

  attributes global-tunnel-group RAVPN

  address pool VPNPool

  LOCAL authority-server-group

  tunnel-group RAVPN webvpn-attributes

  enable RAVPN group-alias

  IPSec-attributes tunnel-group RAVPN

  pre-shared key *.

  tunnel-group RAVPN ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  eap-proxy authentication

  type tunnel-group WebSSLVPN remote access

  tunnel-group WebSSLVPN webvpn-attributes

  enable WebSSLVPN group-alias

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  173.194.64.108 SMTP server

  context of prompt hostname

  HPM topN enable

  Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8

  : end

  Hello

  Seems to me that you can clean the current NAT configuration a bit and make it a little clearer.

  I suggest the following changes

  network of the VPN-POOL object

  10.10.10.0 subnet 255.255.255.0

  the object of the LAN network

  subnet 192.168.1.0 255.255.255.0

  PAT-SOURCE network object-group

  object-network 192.168.1.0 255.255.255.0

  object-network 10.10.10.0 255.255.255.0

  NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

  destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL

  NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

  The above should allow

  • Dynamic PAT for LAN and VPN users
  • NAT0 for traffic between the VPN and LAN
  • NAT0 for traffic between the VPN users

  You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, if you want to revert to the original configuration.

  no static source nat (inside, everything) all electricity static destination RAVPN RAVPN

  No source (indoor, outdoor) nat static static NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28

  No source (indoor, outdoor) nat static everything all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination

  No network obj_any object

  No network object RAVPN

  In case you do not want to change the settings a lot you might be right by adding this

  network of the VPN-POOL object

  10.10.10.0 subnet 255.255.255.0

  destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL

  But the other above configurations changes would make NAT configurations currently simpler and clearer to see every goal of "nat" configurations.

  -Jouni

• Cannot ping via the VPN client host when static NAT translations are used

  Hello, I have a SRI 3825 configured for Cisco VPN client access.

  There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

  Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

  For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

  Any help would be appreciated.

  Concerning

  !

  session of crypto consignment

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group vpnclient

  key S3Cu4Ke!

  DNS 192.168.1.1 192.168.1.2

  domain domain.com

  pool dhcppool

  ACL 198

  Save-password

  PFS

  netmask 255.255.255.0

  !

  !

  Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

  !

  Crypto-map dynamic dynmap 10

  86400 seconds, life of security association set

  game of transformation-3DES-SECURE

  market arriere-route

  !

  card crypto client cryptomap of authentication list drauthen

  card crypto isakmp authorization list drauthor cryptomap

  client configuration address card crypto cryptomap answer

  map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

  !

  interface GigabitEthernet0/0

  NAT outside IP

  IP 1.2.3.4 255.255.255.240

  cryptomap card crypto

  !

  interface GigabitEthernet0/1

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  !

  IP local pool dhcppool 192.168.2.50 192.168.2.100

  !

  Note access-list 198 * Split Tunnel encrypted traffic *.
  access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

  !
  Note access-list 199 * NAT0 ACL *.
  access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  access-list 199 permit ip 192.168.1.0 0.0.0.255 any

  !

  Sheep allowed 10 route map
  corresponds to the IP 199

  !
  IP nat inside source map route sheep interface GigabitEthernet0/0 overload

  !

  IP nat inside source static 192.168.1.1 1.2.3.5
  IP nat inside source static 192.168.1.2 1.2.3.6

  The problem seems to be that static NAT take your nat exemption.

  The solution would be:

  IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
  IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

  HTH

  Herbert

• VPN - cannot ping the next hop

  Then some advice... I have configured a server VPN - pptp on my router, create a vpn for the customer at the site. For the moment, the client computer can connect and a connection to the router. I can ping from client to the router (192.168.5.1) but cannot ping 192.168.5.2 (switch) or 192.168.10.X (workstations)

  What I try to achieve is to access the internal network (192.168.10.X), which is the end of the layer 3 switch. Any help/extra eyes would be good.

  Here is my design of the network and the config below:

  Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)

  Router Cisco 881

  AAA new-model

  !

  AAA of authentication ppp default local

  !

  VPDN enable

  !

  !

  VPDN-group VPDN PPTP

  !

  accept-dialin

  Pptp Protocol

  virtual-model 1

  !

  interface FastEthernet0

  Description link to switch

  switchport access vlan 5

  !

  interface FastEthernet1

  no ip address

  !

  interface FastEthernet2

  no ip address

  !

  interface FastEthernet3

  switchport access vlan 70

  no ip address

  !

  interface FastEthernet4

  Description INTERNET WAN PORT

  IP [IP EXTERNAL address]

  NAT outside IP

  IP virtual-reassembly in

  full duplex

  Speed 100

  card crypto VPN1

  !

  interface Vlan1

  no ip address

  !

  interface Vlan5

  Description $ES_LAN$

  IP 192.168.5.1 255.255.255.248

  no ip redirection

  no ip unreachable

  IP nat inside

  IP virtual-reassembly in

  !

  interface Vlan70

  IP [IP EXTERNAL address]

  IP virtual-reassembly in

  IP tcp adjust-mss 1452

  !

  !

  !

  interface virtual-Template1

  IP unnumbered FastEthernet4

  encapsulation ppp

  peer default ip address pool defaultpool

  Ms-chap PPP chap authentication protocol

  !

  IP local pool defaultpool 192.168.10.200 192.168.10.210

  IP forward-Protocol ND

  IP http server

  23 class IP http access

  local IP http authentication

  IP http secure server

  IP http timeout policy inactive 600 life 86400 request 10000

  !

  overload of IP nat inside source list no. - NAT interface FastEthernet4

  IP route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]

  Route IP 192.168.0.0 255.255.0.0 192.168.5.2

  !

  No. - NAT extended IP access list

  deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255

  IP 192.168.0.0 allow 0.0.255.255 everything

  VLAN70 extended IP access list

  ip [IP EXTERNAL] 0.0.0.15 permit 192.168.10.0 0.0.1.255

  permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp

  permit tcp [IP EXTERNAL] 0.0.0.15 any eq www

  permit any eq 443 tcp [IP EXTERNAL] 0.0.0.15

  permit tcp [IP EXTERNAL] 0.0.0.15 any eq field

  permits any udp [IP EXTERNAL] 0.0.0.15 eq field

  list of IP - VPN access scope

  IP 192.168.10.0 allow 0.0.1.255 10.1.0.0 0.0.1.255

  Licensing ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255

  WAN extended IP access list

  !

  Layer 3 switch - Dell Powerconnect 6224

  !

  IP routing

  IP route 0.0.0.0 0.0.0.0 192.168.5.1

  interface vlan 5

  name "to connect to the Cisco router.

  Routing

  IP 192.168.5.2 255.255.255.248

  output

  !

  interface vlan 10

  "internal network" name

  Routing

  IP 192.168.10.1 255.255.255.0

  output

  !

  interface ethernet 1/g12

  switchport mode acesss vlan 5

  output

  !

  interface ethernet 1/g29

  switchport mode access vlan 10

  output

  !

  Hi Samuel,.

  I went through your configuration and picked up a few problematic lines...

  First of all, you can't have your vpn-pool to be in the range of 192.168.10.x/24, because you already have this subnet used behind the switch (this would be possible if you had 192.168.10.x range connected directly to the router). In addition, you may not link your virtual model to the WAN ip address, it must be bound to an interface with a subnet that includes your IP vpn-pool range.

  The cleaner for this is,

  Create a new interface of back of loop with a new subnet

  !

  loopback interface 0
  

  192.168.99.1 IP address 255.255.255.0

  !

  New vpn set up, pool

  !

  IP local pool defaultpool 192.168.99.200 192.168.99.210

  !

  Change your template to point the new loopback interface,

  !

  interface virtual-Template1

  IP unnumbered loopback0

  encapsulation ppp

  peer default ip address pool defaultpool

  Ms-chap PPP chap authentication protocol

  !

  All vpn clients will get an IP address of 192.168.99.200 192.168.99.210 range. And they will be able to get the router and up to the desired range 192.168.10.x/24 behind the router. Packages get the switch, then to the host. Host will respond through the gateway (switch)-> router-> Client.

  PS: Sooner, even if your packages arrive at the host, the host will never try to send the response back through the gateway (switch) packets because STI (hosts) point of view, the package came from the same local network, so the host will simply try to "arp" for shippers MAC and eventually will expire)

  I hope this helps.

  Please don't forget to rate/brand of useful messages
  

  Shamal

• Site to Site VPN - cannot ping remote subnet

  Hi all.

  I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

  Any suggestions?

  I'm also an instant learn the ASAs, so I'm not an expert.  I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

  Thanks in advance.

  5505 lack the command:

  management-access inside

  Federico.

• Customer remote VPN cannot ping certain IP

  My Cisco VPN client can establish the tunnel with my successful ASA5505 Office vpn but cannot ping some IP such as an internal server (10.100.194.6).

  FIREWALL-1 # ping 10.100.194.6
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 10.100.194.6, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 ms

  Why I can't ping certain IP?

  Help, please.

  Thank you.

  Hey Kevin,

  Check out the capture, it is obvious that there is a problem of internal routing as we can see packets from the VPN client requests, but there is no response from the server package.

  Please ensure that the server has pointing on the Firewall VPN subnet route.
  HTH.

  Kind regards

  Dinesh Moudgil

  PS: Please check the useful messages.

• Site to site between ASA 8.2 VPN, cannot ping

  Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

  

  Here is my setup for both.

  Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

  When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  ...
  

  Each attempt to ping responds with "Request timed out" on the computer of ping.

  Why clients cannot mutually ping on the VPN tunnel?

  Hello

  Create a NAT0 ACL at both ends.

  ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

  NAT (inside) 0 access-list SHEEP

  THX

  MS

  Edit: at the beginning, I mentioned ACL #, it may not work.

• ASA VPN cannot ping ip local pool

  Hello

  We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

  Thanks in advance

  Keith

  Hi Keith,

  I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

  Can you add "same-security-traffic intra-interface permits" and try again?

  Federico.

• Cannot ping computers on the subnet remote site vpn while to set up

  Hi all

  I encountered a problem of site to site vpn for ping answered nothing of machines of remote subnet.

  the ipsec tunnel is ok but I can ping the ASA distance inside the interface ip

  Here is my scenario:

  LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant

  LAN1: 192.168.x.0/24

  LAN2: 172.25.88.0/24

  remote_machine_ip: 172.25.87.30

  LAN1 can ping to ASA5505 inside interface (172.25.88.1)

  but cannot ping ordinateur_distant (172.25.87.30)

  Inside of the interface ASA5505 can ping ordinateur_distant

  LAN2 can ASA5510 ping inside the machines on LAN1 and interface

  Is there something I missed?

  Thanks much for the reply

  I don't think it's something you really want to do.

  If you PAT the whole subnet to LAN1 ip (192.168.1.0/24) to 172.25.249.1, then LAN2, will not be able to reach the specific host on LAN1, cause now, you represent the LAN1 network, with a single ip address.

  So traffic will become a way from LAN1 can reach LAN2 and get the response of LAN2 through the PAT on 172.25.249.1

  But LAN2, is no longer specific hosts LAN1 ip traffic, since you only have 172.25.249.1, to represent the subnet to LAN1.

  If you still want to PAT the whole subnet to LAN1 (192.168.1.0/24) ip to 172.25.249.1, then you have to do outside the NAT.

  http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858

  Kind regards

• DLR Uplink and GSS internal transit same VXLAN cannot ping each other.

  Start with, I run NSX 6.2.2 firewall rules on 'allow all' to 'all' to 'all' "all protocols", in other words disabled...

  I have a VXLAN 5000 transit, with an uplink DLR interface attached to it, and an internal interface GSS in the appendix in which neither of the parties can ping to another. So for troubleshooting, I added 2 VM Windows attached to the same transit VXLAN 5000, a virtual machine is on ESXi host 1 and the other is on host ESXi 4. They can fine ping each other, and two virtual machines can ping both the uplink of DLR and internal interfaces of the GSS.

  This question has puzzled me because it makes no sense, why the DLR and the GSS cannot ping each other but 2 virtual machines that VXLAN can ping all adjacent devices. I can even put bridges on those virtual machines with a rule NAT on the GSS and those virtual machines can get internet through the GSS, but no matter what I try, the DLR cannot ping the GSS, and the GSS cannot ping DLR...

  I need to define a static route between the GSS DLR <>- but if I can't even answer ping interfaces I'm dead in the water.

  If I install virtual machines in a network LAN DLR interface such as WebApp and test for example database, I can ping throughout the DLR together until the IP DLR Uplink, but then he cannot ping the GSS internal.

  Does anyone have suggestions for troubleshooting? Test commands that I can run? I tried many things and then lots of websites with the troubleshooting steps. Everything seems fine, all green checks in the installation steps... All roads, MACs, ARP tables appear as expected when I run test on host computers commands and controllers. I don't know what is the cause except for a bug in the code...

  All ideas are welcome... Thank you

  UPDATE:

  Yes, so it has need of a static NAT rule on the GSS...

  In my environment, I added a SNAT rule on adapter: ESG_Uplink with 0.0.0.0/24 CBC-translation dst: 1.1.1.101 (my lab ESG IP Uplink).

  It works now... VM tenant box connected to WebApp portgroup (192.168.13.115) can now ping gateway DLR, through routing OSPF to the GSS and ping on physical bridge of...

  I learned a lot on this one... I'm not going to worry about why the static route, I tried first post didn't work, since I was the OSPF running instead (which is more appropriate for my laboratory for realistic scenario anyway), and the Foundation will now suffice to build the rest of this POC vRA / vRO lab...

  Thank you in any case, sometimes it's just nice to have someone to listen.