Cannot ping via the VPN client host when static NAT translations are used
Hello, I have a SRI 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network of the static NAT translations have a services facing outwards.
Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.
For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.
Any help would be appreciated.
Concerning
!
session of crypto consignment
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpnclient
key S3Cu4Ke!
DNS 192.168.1.1 192.168.1.2
domain domain.com
pool dhcppool
ACL 198
Save-password
PFS
netmask 255.255.255.0
!
!
Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac
!
Crypto-map dynamic dynmap 10
86400 seconds, life of security association set
game of transformation-3DES-SECURE
market arriere-route
!
card crypto client cryptomap of authentication list drauthen
card crypto isakmp authorization list drauthor cryptomap
client configuration address card crypto cryptomap answer
map cryptomap 65535-isakmp ipsec crypto dynamic dynmap
!
interface GigabitEthernet0/0
NAT outside IP
IP 1.2.3.4 255.255.255.240
cryptomap card crypto
!
interface GigabitEthernet0/1
IP 192.168.1.254 255.255.255.0
IP nat inside
!
IP local pool dhcppool 192.168.2.50 192.168.2.100
!
Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
Sheep allowed 10 route map
corresponds to the IP 199
!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload
!
IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6
The problem seems to be that static NAT take your nat exemption.
The solution would be:
IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route
HTH
Herbert
Tags: Cisco Security
Similar Questions
-
Cannot ping inside the vpn client hosts. It's a NAT problem
Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.
AAA new-model
!
!
AAA authentication login default local
radius of group AAA authentication login userauthen
AAA authorization exec default local
AAA authorization groupauthor LAN
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group businessVPN
key xxxxxx
DNS 192.168.10.2
business.local field
pool vpnpool
ACL 108
Crypto isakmp VPNclient profile
businessVPN group identity match
client authentication list userauthen
ISAKMP authorization list groupauthor
client configuration address respond
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Define VPNclient isakmp-profile
market arriere-route
!
!
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
interface Loopback0
IP 10.1.10.2 255.255.255.252
no ip redirection
no ip unreachable
no ip proxy-arp
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0/0
IP 111.111.111.138 255.255.255.252
IP access-group outside_in in
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the outgoing IP outside
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
the integrated-Service-Engine0/0 interface
description Locator is initialized with default IMAP group
IP unnumbered Loopback0
no ip redirection
no ip unreachable
no ip proxy-arp
IP virtual-reassembly
ip address of service-module 10.1.10.1 255.255.255.252
Service-module ip default gateway - 10.1.10.2
interface BVI1
IP 192.168.10.1 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
IP nat inside source map route nat interface FastEthernet0/0 overload
nat extended IP access list
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255
ip licensing 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
sheep extended IP access list
permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
outside_in extended IP access list
permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
permit any any eq 443 tcp
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
allow any host 111.111.111.138 esp
allow any host 111.111.111.138 eq isakmp udp
allow any host 111.111.111.138 eq non500-isakmp udp
allow any host 111.111.111.138 ahp
allow accord any host 111.111.111.138
access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
!
!
!
!
route nat allowed 10 map
match ip address nat
1 channel ip bridge
In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.
To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.
Kind regards
-
VPN client and contradictory static NAT entries
Hello, we have a VPN IPSEC implemented on a router for remote access. It works very well, for the most part. We have also a few PAT static entries to allow access to a web server, etc. from the outside. We deny NATting from the range of IP addresses for the range of VPN client and it works except for entries that also have PAT configurations.
So, for example, we have web server 10.0.0.1 and a PAT redirection port 10.0.0.1: 80 to the IP WAN port 80. If a VPN client tries to connect to 10.0.0.1: 80, the syn - ack packet back to the customer WAN IP VPN on the router! If the VPN client connects to the RDP server 10.0.0.2:3389, it works very well that this server is not a static entry PAT.
Is there a way to get around this?
Thank you!
There is a way to get around, use the same settings you have for your dynamic nat in your nat staitc entries, something like this:
Currently, it should show as:
IP nat inside source static XXXXX XXXX 80 80
you need to take it
IP nat inside source static 80 XXXX XXXX 80 map route AAAA
When your itinerary map YYY refers to something with an acl that you refuse traffic from inside your router for the pool of vpn
IP Access-list ext nonat
deny ip 10.0.0.0 0.0.0.255
Licensing ip 10.0.0.0 0.0.0.255 any
route allowed AAAA 10 map
match ip address sheep
You even need all the static PAT
HTH
Ivan
-
Connected to the ASA via the "VPN Client" software, but cannot ping devices.
I have a network that looks like this:
I successfully connected inside the ASA via a software "Client VPN" tunnel network and got an IP address of 10.45.99.100/16.
I am trying to ping the 10.45.99.100 outside 10.45.7.2, but the ping fails (request timed out).
On the SAA, including the "logging console notifications" value, I notice the following message is displayed:
"% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; "Connection for icmp src, dst outside: 10.45.99.100 inside: 10.45.7.2 (type 8, code 0) rejected due to the failure of reverse path of NAT.
I have a vague feeling that I'm missing a NAT rule of course, but not all. What did I miss?
Here is my configuration of ASA: http://pastebin.com/raw.php?i=ad6p1Zac
Hello
You seem to have a configured ACL NAT0 but is not actually in use with a command "nat"
You would probably need
NAT (inside) 0-list of access inside_nat0_outside
He must manage the NAT0
Personally, I would avoid using large subnets/networks. You probably won't ever have host behind ASA who would fill / 16 subnet mask.
I would also keep the pool VPN as a separate network from LANs behind ASA. The LAN 10.45.0.0/16 and 10.45.99.100 - 200 are on the same network.
-Jouni
-
Hi all
I have a client who uses a 506e with the cleint 4.02 for the remote VPN Cisco. The pix is multiple inside roads. The first network inside is 192.168.1.X and E1 of the 506 is 192.168.1.1. The second network is 10.71.56.X.
The problem is as soon as the VPN is connected I can ping any host on the 192.168.1.X, but not anything on the 10.71.56.X network. Without netbios or the other. From the PIX, I can ping hosts on two internal networks.
Here is the config below. Thank you!
6.2 (2) version PIX
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password xxxxx
passwd xxxxxxx
hostname GNB - PIX
cisco.com-domain name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol 2000 skinny
names of
QUBEADMIN tcp service object-group
Beach of port-object 444 444
outside_access_in list access permit tcp any host 12.X.X.X eq pop3
outside_access_in list access permit tcp any host 12.X.X.X eq smtp
outside_access_in list access permit tcp any host 12.X.X.X EQ field
outside_access_in list access permit tcp any host 12.X.X.X eq www
outside_access_in list access permit tcp any host 12.X.X.X QUBEADMIN object-group
outside_access_in list access permit icmp any any echo response
access-list outside_access_in allow icmp all once exceed
outside_access_in list access permit tcp any host 12.169.2.21 eq ssh
GNB_splitTunnelAcl ip 10.71.56.0 access list allow 255.255.255.0 any
outside_cryptomap_dyn_20 ip access list allow any 10.71.56.32 255.255.255.224
pager lines 24
opening of session
timestamp of the record
logging paused
logging buffered stored notifications
Logging trap errors
notifications to the history of logging
the logging queue 0
host of logging inside the 10.71.55.10
logging out of the 192.104.109.91 host
interface ethernet0 car
Auto interface ethernet1
ICMP allow any inside
Outside 1500 MTU
Within 1500 MTU
IP address outside 12.X.X.X 255.255.254.0
IP address inside 192.168.1.254 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
local IP VPNPOOL 10.71.56.40 pool - 10.71.56.50
history of PDM activate
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 10 0.0.0.0 0.0.0.0 0 0
public static 12.X.X.X (Interior, exterior) 192.168.1.1 mask subnet 255.255.255.255 0 0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 12.X.X.X 1
Route inside 10.71.55.0 255.255.255.0 192.168.1.1 1
Route inside 10.71.56.0 255.255.255.0 192.168.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
the ssh LOCAL console AAA authentication
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
ISAKMP allows outside
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 chopping sha
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
vpngroup address VPNPOOL pool GUARD
vpngroup dns-server 10.71.56.10 GNB 10.71.56.10
GNB GNB_splitTunnelAcl vpngroup split tunnel
vpngroup GNB 1800 idle time
GNB vpngroup password *.
Telnet timeout 5
SSH timeout 60
Terminal width 80
Cryptochecksum:XXXXX
: end
[OK]
GNB - PIX #.
You use 10.71.56.0 255.255.255.0 in two places
you route to it via 192.168.1.1, but you're also allocation of addresses for vpn clients. Guests who are on the segment 10.71.56.0/24, if they manage to get the connected vpn client package (which is assigned a 10.71.56.x) address, would not send the response packet to this request on the local subnet, the router that has the 192.168.1.1 interface, which is what would be needed to make it work.
You must use a different network for your vpn clients block - you cannot use the same ip through two different networks space.
-
Cannot Ping across the VPN remote access
Hello world
I hope I posted this in the right place!
I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!
We have a firewall of 515E PIX 6.3 (4) on which I used the VPN Wizard to set up a remote access VPN the Cisco VPN client on the external interface.
When I connect to home on my laptop Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C) I seem to be able to connect to most of the network resources (IE file shares, I can RDP into servers, etc.) but I can't seem to be able to ping anything : I just request times out.
I'm sure it's something stupid I've done (or not done).
I have attached my config and would be grateful if someone could take a look and point me in the right direction.
Thanks in advance for your help,
Peter.
Hi Peter,.
You must add a line to the inside_access_in access list:
Enable
conf t
access-list inside_access_in allow icmp a whole
output
write members
Kind regards
Cathy
-
VPN site to site access via a VPN client
Hi all
From our headquarters, we use a vpn site-to-site to connect to another site and it works great.
We have just configured the VPN client on our headquarters, remote VPN user can access the LAN in the seat.
We need the remote user can also access the LAN on the other site, but it does not work.
The site to site VPN and VPN client are configured on the same device, using even outside the interface.
Vpn client address pool is already included in the address that is allowed to go through the site to site VPN.
We would like to know if it is possible to access the site to site VPN, connecting to the VPN client and when the architecture is as above?
in the case where we use different devices and different internet connection for client VPN and site to site VPN, we can access the other site by the remote user VPN LAN?
Kind regards
Since you already have 10.13.0.0/16 in your site to site crypto ACL, which already includes the pool vpn so you need not configure it specifically.
You are missing the following command:
permit same-security-traffic intra-interface
ACL split tunnel should be standard ACL as follows:
access list ACL-CL-VPN allow 10.13.0.0 255.255.0.0
access list ACL-CL-VPN allow 10.14.0.0 255.255.248.0
-
The VPN Clients cannot Ping hosts
I'll include a post my config. I have clients that connect through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the main network for the office.
I can connect to the VPN, and I received a correct address assignment. I belive tunneling can be configured correctly in the aspect that I can always connect to the internet then on the VPN, but I can't ping all hosts on the 192.168.1.0 network. In the journal of the ASDM debugging, I see pings to the ASA, but no response is received on the client.
6 February 21, 2013 21:54:26 180.0.0.1 53508 192.168.1.1 0 Built of ICMP incoming connections for faddr gaddr laddr 192.168.1.1/0 (christopher) 192.168.1.1/0 180.0.0.1/53508 Any help would be greatly appreciated, I'm currently presuring my CCNP so I would get a deeper understanding of how to resolve these issues.
-Chris
hostname RegencyRE - ASA
domain regencyrealestate.info
activate 2/VA7dRFkv6fjd1X of encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name 180.0.0.0 Regency
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
link to the description of REGENCYSERVER
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
link to the description of RegencyRE-AP
!
interface Vlan1
nameif inside
security-level 100
192.168.1.120 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP x.x.x.x 255.255.255.248
!
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 208.67.220.220
name-server 208.67.222.222
domain regencyrealestate.info
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 Regency 255.255.255.224
RegencyRE_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
outside_access_in list extended access permit icmp any one
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask Regency 180.0.0.1 - 180.0.0.20 255.255.255.0 IP local pool
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM 255.255.255.0 inside Regency location
ASDM location 192.168.0.0 255.255.0.0 inside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
Route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
LOCAL AAA authentication serial console
http server enable 8443
http 0.0.0.0 0.0.0.0 outdoors
http 0.0.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 15
SSH version 2
Console timeout 0
dhcprelay Server 192.168.1.102 inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 69.25.96.13 prefer external source
NTP server 216.171.124.36 prefer external source
WebVPN
internal RegencyRE group strategy
attributes of Group Policy RegencyRE
value of server DNS 208.67.220.220 208.67.222.222
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list RegencyRE_splitTunnelAcl
username password encrypted adriana privilege 0
christopher encrypted privilege 15 password username
irene encrypted password privilege 0 username
type tunnel-group RegencyRE remote access
attributes global-tunnel-group RegencyRE
Regency address pool
Group Policy - by default-RegencyRE
IPSec-attributes tunnel-group RegencyRE
pre-shared key R3 & eNcY1.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
: end
Hello
-be sure that the destination host 192.168.1.x has a route towards 180.0.0.0 by the ASA gateway.
-Configure the following figure:
capture capin interface inside match icmp 192.168.1.x host 180.0.0.x
capture ASP asp type - drop all
then make a continuous ping and get 'show capin cap' and 'asp cap.
-then check the ping, the 'encrypted' counter is increasing in the VPN client statistics
I would like to know about it, hope this helps
----
Mashal
-
My creative cloud cannot happen on the adobe servers and when I tried to repair the host file using the creative cloud cleaning tool, it displays Error occurred while setting entries HF: 5
Please let us know your operating system.
Concerning
Megha Rawat
-
Itineraries other nets will be lost when using the vpn client?
I have a very general question. I intend to implement a security solution for the extranet partners to connect to our intranet using VPN client. IPSec will close on the external interface of the Cisco PIX firewall v6.3.
Now, my consirn is, I downloaded the vpn client to test but I saw no advance settings to define what network traffic will pass through the IPSec tunnel and which will be routed normally. Is it by default all traffic passing through VPN? Is that what it means if there are other networks using their default route, they will not be able to achieve? (i.e. the Internet).
Thank you.
That would depend on how you set up the PIX. You can allow the VPN to your site and access to the Internet at the same time. This is called the split tunneling. It is configurable on the PIX, not the customer.
This link might help you get started, but I'm sure that there stronger links.
-
ASA Anyconnect VPN do not work or download the VPN client
I have a Cisco ASA 5505 that I try to configure anyconnect VPN and thought, I've changed my setup several times but trying to access my static public IP address of the external IP address to download the image, I am not able to. Also when I do a package tracer I see he has been ignored through the acl when the packets from side to the ASA via port 443, it drops because of the ACL. My DMZ so will he look like something trying to access the ASA via the VPN's going to port 443. Here is my config
XXXX # sh run
: Saved
:
ASA Version 8.4 (3)
!
hostname XXXX
search for domain name
activate pFTzVNrKdD9x5rhT encrypted password
zPBAmb8krxlXh.CH encrypted passwd
names of
!
interface Ethernet0/0
Outside-interface description
switchport access vlan 20
!
interface Ethernet0/1
Uplink DMZ description
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
Ganymede + ID description
switchport access vlan 10
switchport monitor Ethernet0/0
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
Description Wireless_AP_Loft
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
IP address x.x.x.249 255.255.255.248
!
Vlan30 interface
no interface before Vlan10
nameif dmz
security-level 50
IP 172.16.30.1 255.255.255.0
!
boot system Disk0: / asa843 - k8.bin
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
search for domain name
network obj_any1 object
subnet 0.0.0.0 0.0.0.0
network of the Webserver_DMZ object
Home 172.16.30.8
network of the Mailserver_DMZ object
Home 172.16.30.7
the object DMZ network
172.16.30.0 subnet 255.255.255.0
network of the FTPserver_DMZ object
Home 172.16.30.9
network of the Public-IP-subnet object
subnet x.x.x.248 255.255.255.248
network of the FTPserver object
Home 172.16.30.8
network of the object inside
192.168.10.0 subnet 255.255.255.0
network of the VPN_SSL object
10.101.4.0 subnet 255.255.255.0
outside_in list extended access permit tcp any newspaper object Mailserver_DMZ eq www
outside_in list extended access permit tcp any newspaper EQ 587 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper SMTP object Mailserver_DMZ eq
outside_in list extended access permit tcp any newspaper of the Mailserver_DMZ eq pop3 object
outside_in list extended access permit tcp any newspaper EQ 2525 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper of the Mailserver_DMZ eq imap4 object
outside_in list extended access permit tcp any newspaper EQ 465 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper EQ 993 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper EQ 995 object Mailserver_DMZ
outside_in list extended access permit tcp any newspaper EQ 5901 Mailserver_DMZ object
outside_in list extended access permit tcp any newspaper Mailserver_DMZ eq https object
Note access list ACL for VPN Tunnel from Split vpn_SplitTunnel
vpn_SplitTunnel list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer to 8192
logging trap warnings
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
local pool VPN_SSL 10.101.4.1 - 10.101.4.4 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 647.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source inside inside static destination VPN_SSL VPN_SSL
NAT (exterior, Interior) static source VPN_SSL VPN_SSL
!
network obj_any1 object
NAT static interface (indoor, outdoor)
network of the Webserver_DMZ object
NAT (dmz, outside) static x.x.x.250
network of the Mailserver_DMZ object
NAT (dmz, outside) static x.x.x.. 251
the object DMZ network
NAT (dmz, outside) static interface
Access-group outside_in in external interface
Route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol Ganymede HNIC +.
AAA-server host 192.168.10.2 HNIC (inside)
Timeout 60
key *.
identity of the user by default-domain LOCAL
Console HTTP authentication AAA HNIC
AAA console HNIC ssh authentication
Console AAA authentication telnet HNIC
AAA authentication secure-http-client
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ca trustpoint localtrust
registration auto
Configure CRL
Crypto ca trustpoint VPN_Articulate2day
registration auto
name of the object CN = vpn.articulate2day.com
sslvpnkey key pair
Configure CRL
Telnet 192.168.10.0 255.255.255.0 inside
Telnet timeout 30
SSH 192.168.10.0 255.255.255.0 inside
SSH timeout 15
SSH version 2
Console timeout 0
No vpn-addr-assign aaaDHCP-client update dns
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd outside auto_config
!
dhcpd address 192.168.10.100 - 192.168.10.150 inside
dhcpd allow inside
!
dhcpd address dmz 172.16.30.20 - 172.16.30.23
dhcpd enable dmz
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
authenticate the NTP
NTP server 192.168.10.2
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-linux-64-3.1.06079-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
internal VPN_SSL group policy
VPN_SSL group policy attributes
value of server DNS 8.8.8.8
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpn_SplitTunnel
the address value VPN_SSL pools
WebVPN
activate AnyConnect ssl dtls
AnyConnect Dungeon-Installer installed
AnyConnect ssl keepalive 15
AnyConnect ssl deflate compression
AnyConnect ask enable
ronmitch50 spn1SehCw8TvCzu7 encrypted password username
username ronmitch50 attributes
type of remote access service
type tunnel-group VPN_SSL_Clients remote access
attributes global-tunnel-group VPN_SSL_Clients
address VPN_SSL pool
Group Policy - by default-VPN_SSL
tunnel-group VPN_SSL_Clients webvpn-attributes
enable VPNSSL_GNS3 group-alias
type tunnel-group VPN_SSL remote access
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect esmtp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: endXXXX #.
You do not have this configuration:
object network DMZ nat (dmz,outside) static interface
Try and take (or delete):
object network DMZ nat (dmz,outside) dynamic interface
-
Routing problem between the VPN Client and the router's Ethernet device
Hello
I have a Cisco 1721 in a test environment.
A net 172.16.0.0/19 simulates the Internet and a net 192.168.1.0/24 simulates the net, the VPN tunnel must go to (intranet).
The net 172.16.0.0 depends on the router 0 FastEthernet, Intranet (VPN) hangs on Ethernet 0.
The configuration was inspired form the sample Configuration
"Configuring the Client VPN Cisco 3.x for Windows to IOS using Local extended authentication"
and the output of the ConfigMaker configuration.
Authentication and logon works. Client receives an IP address from the pool. But there's a routing problem
side of routers. Ping client-side - do not work (the VPN client statistics that count encrypt them packets, but not to decrypt).
Ping the router works too, but decrypt and encrypt customer statistics in VPN packets count progressive
(customer has a correct route and return ICMP packets to the router).
The question now is:
How to route packets between the Tunnel and an Ethernet device (Ethernet 0)?
conf of the router is attached - hope that's not too...
Thanks & cordially
Thomas Schmidt
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
!
version 12.2
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
!
host name * moderator edit *.
!
enable secret 5 * moderator edit *.
!
!
AAA new-model
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
! only for the test...
!
username cisco password 0 * moderator edit *.
!
IP subnet zero
!
audit of IP notify Journal
Max-events of po verification IP 100
!
crypto ISAKMP policy 3
3des encryption
preshared authentication
Group 2
!
ISAKMP crypto client configuration group 3000client
key cisco123
pool ippool
!
! We do not want to divide the tunnel
! ACL 108
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
interface Ethernet0
no downtime
Description connected to VPN
IP 192.168.1.1 255.255.255.0
full-duplex
IP access-group 101 in
IP access-group 101 out
KeepAlive 10
No cdp enable
!
interface Ethernet1
no downtime
address 192.168.3.1 IP 255.255.255.0
IP access-group 101 in
IP access-group 101 out
full-duplex
KeepAlive 10
No cdp enable
!
interface FastEthernet0
no downtime
Description connected to the Internet
IP 172.16.12.20 255.255.224.0
automatic speed
KeepAlive 10
No cdp enable
!
! This access group is also only for test cases!
!
no access list 101
access list 101 ip allow a whole
!
local pool IP 192.168.10.1 ippool 192.168.10.10
IP classless
IP route 0.0.0.0 0.0.0.0 172.16.12.20
enable IP pim Bennett
!
Line con 0
exec-timeout 0 0
password 7 * edit from moderator *.
line to 0
line vty 0 4
!
end
^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-
Thomas,
Can't wait to show something that might be there, but I don't see here. You do not have the card encryption applied to one of the interfaces, perhaps it was not copied. Assuming your description you do it, or should it be, applied to the fa0 and you are connected. Try how you ping? Since the router or a device located on E0? If you ping the router, you will need to do an extended ping of E0 to the ip address of the client has been assigned. If your just ping the router without the extension, you will get sales and decrypts that you declare on the client. Have you tried to ping from the client to interface E0? Your default route on the router is pointing to fa0? You have a next hop to affect? You have several NIC on the client pc? Turn off your other network cards to check that you don't have a problem with routing on the client if you have more than one.
Kurtis Durrett
-
The VPN client VPN connection behind other PIX PIX
I have the following problem:
I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).
So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5
I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.
Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.
If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:
305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x
194.x.x.x is our customer s address IP PIX
I understand that somewhere access list is missing, but I can not understand.
Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.
Can you please help me?
Thank you in advan
The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.
I've cut and pasted here for you to read, I think that the problem mentioned below:
Question:
Hi Glenn,.
Following is possible?
I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.
The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?
My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.
Thank you very much for any help provided in advance.
Response from Glenn:
First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:
fixup protocol esp-ike
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.
If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:
ISAKMP nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.
NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.
ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.
A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.
NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.
Hope that helps.
-
The VPN client user authentication
When users connect to our network remotely via VPN user name field is already filled with the last person who logged. I know that they just delete the username and enter their own, but is there a way the client can be configured to where the username field will be always empty for all those who want access to the network via VPN? We have an ASA 5510 with version 7.0 (8) and a windows 2003 with IAS server for windows authentication. Thank you!
Hello
In FCP, you can configure a single line is not editable by the user (or the vpn client).
Simply insert an attack! Like this
! Username =
! SaveUserPassword = 0
! UserPassword =
! enc_UserPassword =
Subsequently the vpn client will not save registrations for these settings more.
-
Between the VPN Client and VPN from Site to Site
Looking for an example of ASA 8.0 configuration allowing traffic between a Cisco VPN client host and destination of remote access connected via LAN/Site-to-Site tunnel. The remote access client and the tunnel site-to-site terminate on the same device of the SAA.
Thanks in advance.
-Rey
Hi Rey,
Here is an example of a config for what you are looking for.
I hope this helps.
PS: This uses GANYMEDE + for authentication, you can replace it with your authentication method.
Kind regards
Assia
Maybe you are looking for
-
How to shrink a webpage on my monitor?
Unable to see the entire web page without moving the page to the right.
-
Message no longer works on my Air Office
MacBook Air (11 inch, mid 2013) DDR3 4 GB 1600 MHz Yosemite 10.10.5 (14F1605) Just "upgraded" to an iPhone 6 and 9.3 iOS. Message on the desktop of my computer, does more to send instant messages to my contacts. I have AOL, Yahoo and Google accounts
-
Take the real component of the logarithms of negative numbers
I'm taking the log of a number, and I need the real component. For example: log(-5) = 0.698970004 + 1.36437635 i I have to be able to take the 0.698970004 and use it, while just Labview says his NAN. I just figured as a CPD, I can throw the entries,
-
Start from the Port of FCoE storage
If I directly attach an array of NetApp fabric using new storage interconnection FCoE ports, the blades allows SAN boot in this scenario?
-
Hello I am not able to send datagrams using a BIS connection. I tried to add to the url 'ConnectionType = mds - public', but it does not work. Documentation of BB said: "to use the transport of BlackBerry Internet Service, you must register for the S