Cannot ping vpn client of 1721 cli on the tunnel endpoint

Similar Questions

• VPN Client connection - Hong Kong to the United States.

  We have a PIX 515E with active VPN. In the United States, users have no problem connecting with the VPN client.

  However, we have a user in Hong Kong, who has problems. It can connect to the external interface and the connection. The user is assigned an IP address from the pool of reserve, but cannot connect to our server here in the States or internal ping even one of the ip addresses.

  Is there another config that needs to be done?

  Yes, the do config mode:

  ISAKMP nat-traversal

  Save with: write mem - and your done.

  Download now your username in Hong KONG to establish the connection of the VPN client and try and ping a server in-house on your side. And make sure that the MS XP firewall is disabled.

  Let me know how you go and if this does not solve your problem please rate another post could seek the same solution!

  Jay

• Cisco AnyConnect VPN Client (connection attempt failed because the network or pc problem cisco)

  Hi all

  I am trying to connect to my Cisco AnyConnect VPN Client but everytime I try, I get an error (connection attempt failed because the network or pc problem cisco)

  Can anyone help me please with this.

  Thank you

  Zia

  What is the local firewall on your computer?

• Internet access with VPN Client to ASA and full effect tunnel

  I'm trying to migrate our concentrator at our new 5520 s ASA. The concentrator has been used only for VPN Client connections, and I have not the easiest road. However, I, for some reason, can't access to internet through our business network when I've got profiles with lots of tunneling.

  I've included the configuration file, with many public IP information and omitted site-to-site tunnels. I left all the relevant stuff on tunnel-groups and group strategies concerning connectivity of VPN clients. The range of addresses that I use for VPN clients is 172.16.254.0/24. The group, with what I'm trying to access the internet "adsmgt" and the complete tunnel to our network part is fine.

  As always, any help is appreciated. Thank you!

  Hüseyin... good to see you come back.. bud, yes try these Hüseyin sugesstiong... If we looked to be ok, we'll try a different approach...

  IM thinking too, because complete tunnel is (no separation) Jim ASA has to go back for the outbound traffic from the internet, a permit same-security-traffic intra-interface, instruction should be able to do it... but Jim start by Hüseyin suggestions.

  Rgds

  Jorge

• Failover of VPN client for remote access with the .pcf file

  Hi all

  It is possible to give 2 remote peer ip address to connect customer VPN cisco in FCP file, is possible to achieve failover.

  I have my firewall HO and DR configured for VPN remoteaccess. I need to specify two firewall ips in FCP file in PC client, incase HO firewall is not a customer VPN avialable will automatically connect to the firewall DR. I tried like below his does not work I think

  appreicaite any help...

  [main]

  Description =

  Host = 172.18.4.22

  Host = 172.18.4.10

  AuthType = 1

  GroupName = xxxxxx

  GroupPwd =

  enc_GroupPwd = DDBC400B7B3D1AEA1A5E6DEB5874CC057F759A6EED78B281F28D68F6A65380506D7E6CBA173B854C6ADC53FC49C1595B

  EnableISPConnect = 0

  ISPConnectType = 0 [main]
  Description =
  Host = 172.18.4.22
  Host = 172.18.4.10
  AuthType = 1
  GroupName = xxxxxx
  GroupPwd =
  enc_GroupPwd = DDBC400B7B3D1AEA1A5E6DEB5874CC057F759A6EED78B281F28D68F6A65380506D7E6CBA173B854C6ADC53FC49C1595B
  EnableISPConnect = 0
  ISPConnectType = 0

  Thanks in advance

  Mikael

  You must configure the server "backup":
  http://www.Cisco.com/en/us/docs/security/vpn_client/cisco_vpn_client/VPN...

  The easiest way is to do it with the GUI.

  Sent by Cisco Support technique iPad App

• Return VPN traffic flows do not on the tunnel

  Hello.

  I tried to find something on the internet for this problem, but am fails miserably. I guess I don't really understand how the cisco decides on the road.

  In any case, I have a Cisco 837 which I use for internet access and to which I would like to be able to complete a VPN on. When I vpn (using vpnc in a Solaris box as it happens which is connected to the cisco ethernet interface), I can establish a VPN and when I ping a host on the inside, I see this package ping happen, however, the return package, the cisco 837 is trying to send via the public internet facing interface Dialer1 without encryption. I can't work for the life of me why.

  (Also note: I can also establish a tunnel to the public internet, but again, I don't can not all traffic through the tunnel.) I guess I'm having the same problem, IE back of packages are not going where it should be, but I do know that for some, on the host being ping well, I can see the ping arriving packets and the host responds with a response to ICMP echo).

  Here is the version of cisco:

  version ADSL #show
  Cisco IOS software, software C850 (C850-ADVSECURITYK9-M), Version 12.4 (15) T5, VERSION of the SOFTWARE (fc4)
  Technical support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2008 by Cisco Systems, Inc.
  Updated Friday 1 May 08 02:07 by prod_rel_team

  ROM: System Bootstrap, Version 12.3 (8r) YI4, VERSION of the SOFTWARE

  ADSL availability is 1 day, 19 hours, 27 minutes
  System to regain the power ROM
  System restarted at 17:20:56 CEST Sunday, October 10, 2010
  System image file is "flash: c850-advsecurityk9 - mz.124 - 15.T5.bin".

  Cisco 857 (MPC8272) processor (revision 0 x 300) with 59392K / 6144K bytes of memory.
  Card processor ID FCZ122391F5
  MPC8272 CPU Rev: Part Number 0xC, mask number 0 x 10
  4 interfaces FastEthernet
  1 ATM interface
  128 KB of non-volatile configuration memory.
  20480 bytes K of on board flash system (Intel Strataflash) processor

  Configuration register is 0 x 2102

  And here is the cisco configuration (IP address, etc. changed of course):

  Current configuration: 7782 bytes
  !
  ! Last configuration change at 11:57:21 CEST Monday, October 11, 2010 by bautsche
  ! NVRAM config updated at 11:57:22 CEST Monday, October 11, 2010 by bautsche
  !
  version 12.4
  no service button
  tcp KeepAlive-component snap-in service
  a tcp-KeepAlive-quick service
  horodateurs service debug datetime localtime show-timezone msec
  Log service timestamps datetime localtime show-timezone msec
  encryption password service
  sequence numbers service
  !
  hostname adsl
  !
  boot-start-marker
  boot-end-marker
  !
  logging buffered 4096
  enable secret 5
  !
  AAA new-model
  !
  !
  AAA authentication login local_authen local
  AAA authentication login sdm_vpn_xauth_ml_1 local
  AAA authorization exec local local_author
  AAA authorization sdm_vpn_group_ml_1 LAN
  !
  !
  AAA - the id of the joint session
  clock timezone gmt 0
  clock daylight saving time UTC recurring last Sun Mar 01:00 last Sun Oct 01:00
  !
  !
  dot11 syslog
  no ip source route
  dhcp IP database dhcpinternal
  No dhcp use connected vrf ip
  DHCP excluded-address IP 10.10.7.1 10.10.7.99
  DHCP excluded-address IP 10.10.7.151 10.10.7.255
  !
  IP dhcp pool dhcpinternal
  import all
  Network 10.10.7.0 255.255.255.0
  router by default - 10.10.7.1
  Server DNS 212.159.6.9 212.159.6.10 212.159.13.49 212.159.13.50
  !
  !
  IP cef
  property intellectual auth-proxy max-nodata-& 3
  property intellectual admission max-nodata-& 3
  no ip bootp Server
  nfs1 host IP 10.10.140.207
  name of the IP-server 212.159.11.150
  name of the IP-server 212.159.13.150
  !
  !
  !
  username password cable 7
  username password bautsche 7
  vpnuser password username 7
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 2
  BA aes 256
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 3
  BA 3des
  Prior authentication group part 2
  the local address SDM_POOL_1 pool-crypto isakmp client configuration
  !
  ISAKMP crypto client configuration group groupname2
  key
  DNS 10.10.140.201 10.10.140.202
  swangage.co.uk field
  pool SDM_POOL_1
  users of max - 3
  netmask 255.255.255.0
  !
  ISAKMP crypto client configuration group groupname1
  key
  DNS 10.10.140.201 10.10.140.202
  swangage.co.uk field
  pool SDM_POOL_1
  users of max - 3
  netmask 255.255.255.0
  ISAKMP crypto sdm-ike-profile-1 profile
  groupname2 group identity match
  client authentication list sdm_vpn_xauth_ml_1
  ISAKMP authorization list sdm_vpn_group_ml_1
  client configuration address respond
  ISAKMP crypto profile sdm-ike-profile-2
  groupname1 group identity match
  ISAKMP authorization list sdm_vpn_group_ml_1
  client configuration address respond
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set esp-3des esp-md5-hmac ESP_MD5_3DES
  Crypto ipsec transform-set ESP-AES-256-SHA aes - esp esp-sha-hmac
  !
  crypto dynamic-map SDM_DYNMAP_1 1
  Set the security association idle time 3600
  game of transformation-ESP-AES-256-SHA
  market arriere-route
  crypto dynamic-map SDM_DYNMAP_1 2
  Set the security association idle time 3600
  game of transformation-ESP-AES-256-SHA
  market arriere-route
  !
  !
  card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
  map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
  map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
  !
  Crypto ctcp port 10000
  Archives
  The config log
  hidekeys
  !
  !
  synwait-time of tcp IP 10
  !
  !
  !
  Null0 interface
  no ip unreachable
  !
  ATM0 interface
  no ip address
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  route IP cache flow
  No atm ilmi-keepalive
  PVC 0/38
  aal5mux encapsulation ppp Dialer
  Dialer pool-member 1
  !
  DSL-automatic operation mode
  waiting-224 in
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface Vlan1
  Description $FW_INSIDE$
  10.10.7.1 IP address 255.255.255.0
  IP access-group 121 to
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  IP nat inside
  IP virtual-reassembly
  route IP cache flow
  map SDM_CMAP_1 crypto
  Hold-queue 100 on
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP access-group 121 to
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  route IP cache flow
  No cutting of the ip horizon
  Dialer pool 1
  Dialer idle-timeout 0
  persistent Dialer
  Dialer-Group 1
  No cdp enable
  Authentication callin PPP chap Protocol
  PPP chap hostname
  PPP chap password 7
  map SDM_CMAP_1 crypto
  !
  local IP SDM_POOL_1 10.10.148.11 pool 10.10.148.20
  IP local pool public_184 123.12.12.184
  IP local pool public_186 123.12.12.186
  IP local pool public_187 123.12.12.187
  IP local pool internal_9 10.10.7.9
  IP local pool internal_8 10.10.7.8
  IP local pool internal_223 10.10.7.223
  IP local pool internal_47 10.10.7.47
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 Dialer1
  IP route 10.10.140.0 255.255.255.0 10.10.7.2
  !
  no ip address of the http server
  no ip http secure server
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source static 10.10.7.9 123.12.12.184
  IP nat inside source static tcp 10.10.7.8 22 123.12.12.185 22 Expandable
  IP nat inside source static tcp 10.10.7.8 25 123.12.12.185 25 expandable
  IP nat inside source static tcp 10.10.7.8 80 123.12.12.185 80 extensible
  IP nat inside source static tcp 10.10.7.8 443 123.12.12.185 443 extensible
  IP nat inside source static tcp 10.10.7.8 993 123.12.12.185 993 extensible
  IP nat inside source static tcp 10.10.7.8 123.12.12.185 1587 1587 extensible
  IP nat inside source static tcp 10.10.7.8 8443 123.12.12.185 8443 extensible
  IP nat inside source static 10.10.7.223 123.12.12.186
  IP nat inside source static 10.10.7.47 123.12.12.187
  !
  record 10.10.140.213
  access-list 18 allow one
  access-list 23 permit 10.10.140.0 0.0.0.255
  access-list 23 permit 10.10.7.0 0.0.0.255
  Access-list 100 category SDM_ACL = 2 Note
  access-list 100 deny ip any 10.10.148.0 0.0.0.255
  access ip-list 100 permit a whole
  Note access-list 121 SDM_ACL category = 17
  access-list 121 deny udp any eq netbios-dgm all
  access-list 121 deny udp any eq netbios-ns everything
  access-list 121 deny udp any eq netbios-ss all
  access-list 121 tcp refuse any eq 137 everything
  access-list 121 tcp refuse any eq 138 everything
  access-list 121 tcp refuse any eq 139 all
  access ip-list 121 allow a whole
  access-list 125 permit tcp any any eq www
  access-list 125 permit udp any eq isakmp everything
  access-list 125 permit udp any any eq isakmp
  access-list 194 deny udp any eq isakmp everything
  access-list 194 deny udp any any eq isakmp
  access-list 194 allow the host ip 123.12.12.184 all
  IP access-list 194 allow any host 123.12.12.184
  access-list 194 allow the host ip 10.10.7.9 all
  IP access-list 194 allow any host 10.10.7.9
  access-list 195 deny udp any eq isakmp everything
  access-list 195 deny udp any any eq isakmp
  access-list 195 allow the host ip 123.12.12.185 all
  IP access-list 195 allow any host 123.12.12.185
  access-list 195 allow the host ip 10.10.7.8 all
  IP access-list 195 allow any host 10.10.7.8
  not run cdp
  public_185 allowed 10 route map
  corresponds to the IP 195
  !
  public_184 allowed 10 route map
  corresponds to the IP 194
  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 100
  !
  !
  control plan
  !
  !
  Line con 0
  connection of authentication local_authen
  no activation of the modem
  preferred no transport
  telnet output transport
  StopBits 1
  line to 0
  connection of authentication local_authen
  telnet output transport
  StopBits 1
  line vty 0 4
  access-class 23 in
  privilege level 15
  authorization exec local_author
  connection of authentication local_authen
  length 0
  preferred no transport
  transport input telnet ssh
  !
  max-task-time 5000 Planner
  Scheduler allocate 4000 1000
  Scheduler interval 500
  130.88.202.49 SNTP server
  130.88.200.98 SNTP server
  130.88.200.6 SNTP server
  130.88.203.64 SNTP server
  end

  Any help would be appreciated.

  Thank you very much.

  Ciao,.

  Eric

  Hi Eric,.

  (Sorry for the late reply - needed some holidays)

  So I see that you have a few steps away now. I think that there are 2 things we can try:

  1)

  I guess you have provided that:

  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1

  Since the routemap refers to ACL 100 to define the traffic to be translated, we can exclude traffic that initiates the router:

  Access-list 100 category SDM_ACL = 2 Note

  access-list 100 deny ip 123.12.12.185 host everything
  access-list 100 deny ip any 10.10.148.0 0.0.0.255
  access ip-list 100 permit a whole

  Which should prevent the source udp 4500 to 1029 changing port

  OR

  2)

  If you prefer to use a different ip address for VPN,

  Then, you can use a loop like this:

  loopback interface 0

  123.12.12.187 the IP 255.255.255.255

  No tap

  map SDM_CMAP_1 crypto local-address loopback 0

  I don't think you should apply card encryption to the loopback interface, but it's been a while since I have configured something like that, so if you have problems first try and if still does not get the crypto debugs new (isakmp + ipsec on the vpn, nat router on the router of the client package).

  HTH

  Herbert

• Site VPN to IPsec with PAT through the tunnel configuration example

  Hello

  as I read a lot about vpn connections site-2-site
  and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.

  now, I got suite facility with two locations A and B.

  192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
  172.16.16.0/24 Site has

  ---------------------------------------------------------------------------

  Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

  Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

  ---------------------------------------------------------------------------

  Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
  witch need to access a server terminal server on the SITE b.

  As I have no influence on where and when guests pop up in my Site.
  I would like to hide them behind a single ip address to SITE B.

  If in the event that a new hosts need access, or old hosts can be deleted,
  its as simple as the ACL or conviniently inlet remove the object from the network.

  so I guess that the acl looks like this:

  ---------------------------------------------------------------------------

  access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
  access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20

  ---------------------------------------------------------------------------

  But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
  address for the translation of PAT?

  something like this he will say, it must be treated according to the policy:

  NAT (1-access VPN INVOLVED-HOST internal list)

  Now how do I do that?
  The rest of the config, I guess that will be quite normal as follows:

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set of AA peers. ABM CC. DD
  card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
  outside_map card crypto 1 lifetime of security set association, 3600 seconds

  permit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20

  ---------------------------------------------------------------------------

  On SITE B

  the config is pretty simple:

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set of peer SITE has IP
  card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
  outside_map card crypto 1 lifetime of security set association, 3600 seconds

  outside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3

  inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3

  ---------------------------------------------------------------------------

  Thank you for you're extra eyes and precious time!

  Colin

  You want to PAT the traffic that goes through the tunnel?

  list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

  PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0

  NAT (inside) 1 access list PAT

  Global (outside) 1 192.168.0.3 255.255.255.255

  Then, the VPN ACL applied to the card encryption:

  list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0

  Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24

  The interesting thing is that traffic can only be activated from your end.

  The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.

  Is that what you are looking for?

  Federico.

• Tunnel of Split VPN Setup ASA to force inside the tunnel for single address

  Hi all

  We have an ASA with IPSec VPN facility to addresses Internet of Tunnel from Split.  We have an Internet address that must come from the external interface of the ASA.  I have added this address to the list of split tunnel and confirmed on the client that is the road to the tunnel, but I'm not able to get to this address via the VPN.

  How the ASA to allow this unique Internet address to come via the VPN and route back on the same interface to the Internet and the return traffic to back up in the client VPN tunnel.

  I need to get to the address is 213.92.42.118. Here's the config relavent (let me know if I left anything):

  interface GigabitEthernet0/0
  nameif outside
  IP 1.1.1.1 255.255.255.0
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  name 10.80.177.0 VPN_Pool
  Outbound_Ports tcp service object-group
  port-object eq www
  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  access-list extended users allow icmp a whole
  access-list extended users enable a tcp
  access-list extended users allow udp a whole
  users_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
  standard access list users_splitTunnelAcl allow 192.168.43.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed 192.168.40.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed host 213.92.42.118

  FWOB list extended access permit tcp any any Outbound_Ports object-group

  Global (LUXCVGASA01e) 2 1.1.1.1

  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0
  NAT 0 access-list sheep (LUXCVGASA01i)

  Any help is appreciated.

  -Jeff

  Hi Jeff,

  Just had a chance to look through the Setup and I guess that configured nat is incorrect.

  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  NAT 0 access-list sheep (LUXCVGASA01i)
  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0

  Global (LUXCVGASA01e) 2 1.1.1.1

  The access-list says sheep that ALL traffic goes to the pool of the VPN to go UN-natted. So, when you try to access the public ip address via the tunnel VPN, the traffic the ASA, ASA then performs a search destination NAT and matches the nat command "nat (LUXCVGASA01i) 0 access-list sheep." If the ASA detects a destination NAT translation, it will bypass route search and uses the destination NAT translation to determine the output interface (in this scenario, the output interface is LUXCVGASA01i.

  So, to resolve this problem, change the acl sheep from "any to VPN_Pool 255.255.255.0" inside"to the network VPN_Pool 255.255.255.0.

  clear xlate and re-initialization of the tunnel, and this should solve the problem.

  Let me know if that answers your query.

  Kind regards

  Manisha masseur

• Cannot ping static IP to other network on the Internet.

  I'm having a problem with Vista who don't get my XP boxes.  When I ping the network public static IP address, it does not work on Vista home, but not on XP pro.  I have all the network sharing on and I can ping other IP on the internet from Vista without problem.  How can I solve this problem?  Thanks in advance for you help.

  Hello
   
  1. are you able to go online on the Vista machine?
  2 you get an error message when trying to ping IP address on the Vista computer?
   
  We recommend that you reset TCP/IP on the Vista computer and check the result. To do this, see the following article, download and run Microsoft fix:http://support.microsoft.com/kb/299357
   
  Try the steps and post back results.
   
  Kind regards
  Syed
  Answers from Microsoft supports the engineer.

• ASA in ASA VPN-encrypted packets "get lost" in the tunnel

  Hello

  We have a VPN site-to site between ASAs. Both on the v9.1.6 code. On distance ASA, it also has to do NAT source and destination. We see the traffic 'interesting' made from the results of the remote side in ipsec SA. Late has ITS correspondent. Corresponding spinnakers. However, the remote end HIS watch packets encrypted, decrypted none. Late ASA shows no packets encrypted/decrypted. So, how can I "lose" packages in my VPN tunnel if both ends have matching SAs/SPIs?

  Best regards

  Richard

  Hello

  Could be incorrect rules NAT or an access list refusing ESP packets somewhere in the path between the two ASAs.

• Inside the server can't ping remote vpn client

  My simple vpn client can accumulate the tunnel vpn with my Office ASA5510 success and my vpn client can ping the internal server. But my internal server cannot ping the remote vpn client. Even the firewall vpn client windows is disable.

  1. in-house server can ping Internet through ASA.

  2 internal server cannot ping vpn client.

  3 Vpn client can ping the internal server.

  Why interal Server ping vpn client? ASA only does support vpn in direction to go?

  Thank you.

  Hello

  Enable inspect ICMP, this should work for you.

  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the icmp
  inspect the icmp error

  inspect the icmp

  

  To configure the ICMP inspection engine, use the command of icmp inspection in class configuration mode. Class configuration mode is accessible from policy map configuration mode.

  inspect the icmp

  HTH

  Sandy

• Once the VPN connection is established, cannot ping or you connect other IP devices

  Try to get a RV016 installed and work so that people can work from home.  You will need to charge customers remote both WIN XP and MAC OS X.

  Have the configured router and works fine with the VPN Linksys client for WIN XP users.  Can connect, ping, mount the shared disks, print to printers to intellectual property, etc.

  Can connect to the router fine with two VPN clients third 3 for Mac: VPN Tracker and IPSecuritas.  However, once the connection is established, cannot ping the VPN LinkSYS router or any other IP address on the LAN Office.  Turn the firewall on or off makes no difference.

  Is there documentation anywhere that describes how the LinksysVPN for Windows Client communicates so these can be replicated in 3rd VPN clients from third parties for the Mac in OS X?

  The connection with IPSecuritas and VPN Tracker is performed using a shared key and a domain name.  It is not a conflict of IP address network between the client and the VPN 192.168.0.0/24 network.

  VPN Tracker and IPSecuritas are able to connect to the routers CISCO easy VPN with no poblem.

  Any ideas on how to get the RV016 to work for non-Windows users?

  We found and fixed the problem, so using VPN Tracker or current IPSecuritas on OS X people have access to the LAN via the RV016 machines. The "remote networks" in the screen BASE in VPN Tracker has been set on the entire subnet: 192.168.0.0/255.255.255.0 the in the RV016 has been set to the IP of 192.168.0.1 to 192.168.0.254 range. Even if the addresses are essentially the same, without specifying the full subnet in the RV016 has allowed the connection to do but prevented the VPN client machine to connect because the RV016 would pass all traffic to the Remote LAN. Change the setting of 'local group' in RV016 settings in the screen "VPN/summary/GroupVPN', 'Local Group Zone' for the subnet 192.168.0.0/24 full solved the problem.

• WAG320N - LAN clients cannot ping clients WLAN.

  Hi all

  I wonder if you can help. I currently have a router WAG320N, which seems to work out for a small problem.

  However, the problem I am facing is that my LAN clients cannot ping my clients wireless and vice versa.

  I googled this problem which has recommended that the AP isolation is off which is was by default.

  Any other ideas?

  Thanking in advance.

  Sprite

  As you are not able to ping customers wireless to wireline customers. Turn on the isolation of the AP.

  See if that helps you.

• VPN clients cannot access remote sites - PIX, routing problem?

  I have a problem with routing to remote from our company websites when users connect via their VPN client remotely (i.e. for home workers)

  Our headquarters contains a PIX 515E firewall. A number of remote sites to connect (via ADSL) to head office using IPSEC tunnels, ending the PIX.

  Behind the PIX is a router 7206 with connections to the seat of LANs and connections to a number of ISDN connected remote sites. The default route on 7206 points to the PIX from traffic firewall which sits to ADSL connected remote sites through the PIX. Internal traffic for LAN and ISDN connected sites is done via the 7206.

  Very good and works very well.

  When a user connects remotely using their VPN client (connection is interrupted on the PIX) so that they get an IP address from the pool configured on the PIX and they can access resources located on local networks to the office with no problems.

  However, the problem arises when a remote user wants access to a server located in one of the remote sites ADSL connected - it is impossible to access all these sites.

  On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.

  Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?

  (Note: I suggested a workaround, users can use a server on LAN headquarters as a "jump point" to connect to remote servers from there)

  with pix v6, no traffic is allowed to redirect to the same interface.

  for example, a remote user initiates an rdp session for one of the barns adsl. PIX decrypts the packet coming from the external interface and looks at the destination. because the destination is one of adsl sites, pix will have to return traffic to the external interface. Unfortunately, pix v6.x has a limitation that would force the pix to drop the packet.

  with the v7, this restriction has been removed with the "same-security-traffic control intra-interface permits".

  http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• Win 7 VPN client cannot access remote resources beyond the VPN server

  I have a Win 7 laptop with work and customer Win 7 VPN set up, and through it that I can access everything allowed resources on the remote network.

  I built a new computer, set up the Win 7 client with the exact same parameters everywhere, connected to the VPN with success, but can not access any of the resources on the remote network that I can on my laptop.

  Win 7 64 bit SP 1

  I did research online and suggestions have already had reason of my new set up.  In addition, I have a second computer that I've set up the VPN client, and I'm having the same problem.  VPN connects successfully, but is unable to access the resources.

  Tested with firewall off the coast.

  Troubleshooting Diagnostic reports: your computer seems to be configured correctly, distance resources detected, but not answered do not.

  I created another VPN client on the new computer to another remote network and everything works perfectly.

  Remember the old VPN connection to the remote network that does not work on the new computer works perfectly on Win 7 64 bit laptop computer.

  So, what do I find also different between identical configurations "should be" where we work and two new machines is not?

  It must be something stupid.

  Hello

  This question is more suited for a TechNet audience. I suggest you send the query to the Microsoft TechNet forum. See the link below to do so:
  https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking

  Please let us know if you have more queries on Windows.