circumstances for reverse road injection

Hello

Pretty well, I wonder under what circumstances an ASA installs static routes due to the command 'set reverse-road' in a static encryption card.

We have several tunnels where the road is not installed, while others appear. It seems that the route is displayed only if the local side of the tunnel

is directly connected.

So my questions are:

(a) is the local side must be directly connected

(b) is it enough to have the local side in the local routing table

Thanks for your help!

See you soon,.

Heri

Hello

Thank you for the update.

I tried to look at all situations where the behavior you're seeing would normally happen but couldn't find a (or think the same).

-Jouni

Tags: Cisco Security

Similar Questions

Reverse road injection for remote VPN Clients

Hello world

you will need to confirm if reverse road injection is used only for Site to site VPN?

Also to say that we have two sites using site-to-site vpn

Site A Site B

Private private IP IP

172.16.x.x 172.20.x.x

Now, as we VPN site to site, we can either activate the NAT - T option which will allow 172.16 IP reach site B as 172.16 only.

Do not change the IP address.

Option 2

IF we don't allow NAT - T and if we allow injection road Revese and we use say Protocol ospf on ASAs in site A and B.

In this case, we allow IPPS so that we can announce the private road 172.16. on the internet right of site B?

Concerning

MAhesh

Hello Mahesh,

"Reverse road injection (RRI) is used to fill in the routing table of an internal router that is running OSPF Open Shortest Path First () protocol or the RIP (Routing Information) protocol for Remote Clients VPN sessions or a local area network LAN."

Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

As a result, allowed RRI ASA learn routing information for connected peers and advertising via RIP or OSPF.

NAT - T is automatically detected and used when the local or the remote peer is behind NAT.

To answer your question:

If NAT - T is required and enabled, then it will automatically be used peer VPN. Then, with IPP in place, remote network will be added to the routing as static routes table, so they can be advertised by OSPF.

HTH.

Please note all useful messages.

Reverse Route injection

My PIX firewall's VPN headend device. It is located behind the router C1721. I customize remote access VPN split tunnel network. It's working OK if I try to connect to VPN client located between PIX and C1721. If I try to connect to external VPN client before C1721 then it work without access to internal resources. But it works OK if I use the option to split the tunnel network. I passed on the opportunity to reverse the Injection of the road. Help to locate an error, please. What's wrong?

If you're talking about access to internal LAN behind PIX of customers, there is no way it will NOT work without a split tunnel, if it works with split tunnel.

Could you please paste a n/w diagram and the relevant part of PIX and router config.

Disable authentication for reverse Telnet over Async lines

I have a 2811 which behaves as a server terminal server with several line async being used to access the console. Whenever I open a telnet reversed on one lines always make me touching up for my credentials. Is there a way to eliminate the requirement of authentication, but only on the async for telnet lines reversed? I can disable in the world (which is not good) and I tried to enter "no authentication connection" under the respective lines async - but still, I wonder. Any thoughts? My current global and line config:

AAA new-model
AAA authentication login default local-case
authorization AAA console
AAA authorization exec default local
!

line 1/0 1 / 15
session-timeout 30
exec-timeout 30 0
No exec
transport telnet entry

I have not tried, but try something like below (which requires the aaa new-model):
```
aaa authentication login no-auth noneline 1/0 1/15  login authentication no-auth 
```

Brief differences entre-cartes, prefix lists, distribution and all that is similar? For the road-handling? Help

Can someone explain to me the differences brief-maps, prefix-lists, distribution lists and everything what is similar is used. I can't get my head around the difference and when I have that list used for my review of Route 301... ..

Thank you in advance.

Take a look at the following link and let us know if you still have questions / need for clarification:

http://www.InformIT.com/library/content.aspx?b=CCIE_Practical_Studies_II&seqNum=102

Thank you for evaluating useful messages!

What is the best format for scanning for reverse images n & B?

I have a few very old 2¼ "X 3¼" B & W negatives, and I want to make of the positive results from them. My question: where should I start? I have a scanner - I guess I'm scanning a negative like any other image, but what is the best format: TIFF, JPEG, PNG...? What resolution - 100 dpi? 300? 600... more?

Take a look through these:

Google

Bad VPN ASA injection road on OSPF when using remote access

Has anyone ever seen the ASA by inserting a bad road in a connection that has been set up with it? I'll explain more below:

I'm using a reverse road Injection. When access remotely with IPSEC (CLIENT) connects to the camera ASA, ASA create a static route to the remote access to the closest router for the SAA to come to this remote access. This itinerary is distributed on OSPF. OK, it may be a normal situation. But, the problem is when I ask another participant of this OSPF area, which is the road to this remote access (CLIENT), the answer is the router closer to the ASA and don't have to ASA. Does anyone have a solution for this? I tried to create a roadmap but that you did not.

If I understand your question, my question for you is whether the OSPF route to the remote VPN client is source by ASA or another device?

Is the IP address in the space I wrote ASA_ROUTER_ID ASA router ID or it is the router from another device ID? What I've listed below are an example of the output of "show ip route. The value in bold must be ASA router ID, if she is from the road to the VPN client. Other OSPF routers will forward packets destined to VPN to ASA client.

#sh ip route 1.1.1.0
Routing for 1.1.1.0/24 entry
Known through the "ospf 1", metric 110, distance 310, type intra zone
Last updated on GigabitEthernet0 1.2.2.2, 2w there
Routing descriptor blocks:
* 1.2.2.2, ASA_ROUTER_ID, there is, through GigabitEthernet0 2w
Path metric is 310, number of shares of traffic 1

Branch 5505, 1 circuit ISP, Dual - peer VPN Configuration for Data Center & Track Options

Hi all

I have a data center with two lines of ISP redundancy and two ASA 5520 for redundancy VPN to my branches. Each of my branches has 1 ASA 5505 with a base license and 1 ISP circuit. Currently all my VPN tunnels are built for data center main circuit ISP only, so if one goes down, I'm toast. I need to fix this. Problem is, I don't know how I can control failover on 5505 with 1 single line branch. Please see my picture for an example of how he looks at it right now.

So the problem is that the data center LAN my branch has to go to is identical regardless of which circuit of data center is in the. And I know the ASA rules say only 1 VPN tunnel can be active at a time if flow are the same. So in this case, I know you usually do:

card crypto outside_map 1 set 12.x.xxx.20 50.xxx.xx.190 counterpart

and then configure route followed to control when cut down the primary counterpart and turn back up by peers. But where I have only 1 ISP on the side of the branch, I'll only have 1 default route: route outside 0.0.0.0 0.0.0.0 3.3.3.2 1, will be used that the active end counterpart is the primary or the secondary data center. Also, since I did not have a second track, I can't configure followed on the main road with an SLA that defines the trigger conditions, because there is nothing to ensure the follow-up of the routing.

How is - a would handle a situation like this? Are there other features that can be taken off the roads? I really need to be able to define "num-package 5 ' in ALS so my sites are not beat all day, but once again, without something to follow, I can't really set up a meaningful SLAS. Any help is appreciated.

Thanks for the additional explanation. It helps to clarify your environment. EIGRP running on the Remote would be a nice option, but I'm not sure that it is supported on the SAA. I ran EIGRP to remote peers using IOS routers (using the two ACCORD with IPsec and VTI tunnels tunnels) and it was very effective. But on the SAA, I believe that we must seek an alternative.

It seems to me that using reverse road Injection as part of your VPN site-to-site should work. With IPP the ASA inserts a static route to remote resources when the VPN tunnel is negotiated and traffic can flow. If you redistribute the static in EIGRP EIGRP then must learn the ways of any ASA a currently active tunnel. And who should provide the dynamic rollover you need.

HTH

Rick

Why no implicit route for traffic from IPSec-L2L tunnel?

In a hub-and-spoke IPSec environment, it is not difficult to implement routing by spoke to the hub.

But on the side of the hub of a tunnel, where the gateway of last resort for traffic by spoke it, it seems almost counterintuitive than the ACL instructions and even cryptographic doesn't implicitly create a route for the traffic of the station in the tunnel at the end (talk). It could always be replaced with a static if necessary.

There is probably a good reason for this, but I can't think of it. Or am I the only person who thinks it is strange... or maybe an opportunity to feature?

Hello

This feature exists and is called reverse road injection. The route is created dynamically (based on ACL Cryptography) and is only available when the SA is up.

http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gt_rrie.html

HTH

Laurent.

VPN 3000 RRI

Hi guys,.

I'm working on the creation of a vpn between a vpn 3000 and a

point of control, the problem I have on the vpn3000 is that if I do not have

Select "reverse road injection" it won't establish the vpn.

I thought she might have because the roads of local lan did not exist

on the vpn 3000, so I added static to match the list of the network, but it

still wouldn't go out, as soon as I activate the reverse road injection it

works very well.

any ideas?

Thank you

Adam Baxter.

Adam,

Take out the static routes and also injection Road opposite say-able.

Activate the logs on the hub of gravity 1-13 for IPSEC & IPSECDBG, IKE, AUTH, IKEDBG, AUTHDBG.

Try to send a ping to the interesting traffic. Capture logs and send them to this post, let me take a look and see if there is a question that jumps.

See you soon

Gilbert

Rays LAN2LAN remote access

I have a portion of the SAA for most as a data center firewall and remote user access. I recently added a LAN2LAN IPsec tunnel to a temporary office. But I noticed that the remote IPsec tunnel cannot achieve speak it LAN.

So imagine a home user with laptop 192.168.1.100 and it creates a split in the ASA IPsec tunnel by which 10.0.0.0/8 is encrypted / tunnel.

Not out of the ASA is a tunnel from LAN to LAN to an office with IP Block 10.10.70.0/24. How the home user could reach a device on the remote site on the 10.10.70.0 network? Is this possible?

There are even several examples on the forums here.

First of all, you must allow back on the same interface of ASA (if you cancel crypto on an interface only).

same level of perm intra-interface security

As a result, you will need access remote subnet go to the lan-to-lan of remote subnets.

I also suggest to add reverse road injection to avoid problems of routing on the SAA.

Don't forget that also this device remote l2l should be adjusted (possibly adjustments of nat, routing and access-list).

Example of doc:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

OSPF on VPN GREoIPSec.

Hello.

I have a network where some spoke of routers (branch offices, all routers are 2811) to connect with the IPSec VPN on adsl lines to my office and an ASA 5540. There is also a central backup with an another ASA 5540 site where VPN end in the case of primary failure asa.

So at each router spoke there is a card encryption with these two counterparts. A default primary and the other as secondary. Primary and secondary offices communicate with each other via a line of metro ethernet.

I want to do is put a router behind accessible of these two ASA to two of them, and then create the GRE tunnels since spoke to the hub router routers and run the Protocol ospf or eigrp on them. You can see the configuration that I am creating in the attached jpeg.

My question is if it will work. It's going to be able to detect whether some were talking about lost the connection to the primary and correctly connected to the secondary and before traffic site? He really care what site connects the router speaks, or what he wants is connectivity from tunnel to tunnel only? And you prefer ospf or eigrp? All equipment is cisco.

Any help would be much appreciated. Thanks in advance.

Hello!

First of all the forums is probably not the best place to ask questions about the design, I would typically tell people to run their Cisco SE ;-)

That being said, here goes. My two cents.

The concept is not without it's charm, even if it looks like instead of using two hub routers DMVPN you really want IPsec for ASAs unloading.

That's ok.

Standard IPsec, several counterparts etc while in in theory ensure the traffic is on the Hub...

How did you change between ASA and hub failure on the path of routing?

I mean say tunnels to ASA elementary school go down because of the failure of the ISP, how does the hub know not to send traffic to the primary and send it to the backup?

I can see reverse road injection + dynamic redistribution in PR as a possibility, not without its flaws.

Possibilibity another would be to run OSPF (via neighbor) across the Board (SAA can run OSPF on IPsec when you use nearby, because we avoid multicast).

It also seems that GRE tunnel(s?) must be from a loopback interface, which means the need for the ASAs where it is ;-)

If you don't mind a suggestion.

Why not have two tunnels WILL, of each spoke to two "hubs" (a hub behind each ASA)...

Two tunnels of all time might mean actually you can try to load sharing, balance the traffic on two location.

Just thinking aloud I don't know about the context and requirements.

Versus EIGRP OSPF. I don't want to start a flame war, so I would say it depends :-)

Especially on what you have in the network, that the final goal is etc etc...

Hope this helps,
Marcin

RRI and Client Mode

Hello

I'm reading the "Cisco VPN Config complete Guide" by Richard Deal and without a doubt it's a good book. I am confronted with a difficulty to understand something here.

In my opinion, reverse road Injection is more useful in the Mode of Extension of LAN in Client mode, because the connections must be made from the company to the SOHO network network. And to do this, the corporate network must know the SOHO network. IPP is used in this case, install a static route inside the company and then VPN gateway redistribute it in the corporate network.

In client mode, the reverse is true: connections are initiated from the client software or the SOHO network to the corporate network ONLY. So why do I care all to reach the SOHO network or client software from the company network? The author does not specify that. That's what the author said:

"The Cisco IPP provides the best approach to remote access clients. IPP is a further development of Cisco-owners for IPsec. At the end of ISAKMP/IKE Phase 1, the remote access client does the following:
- If in client mode, the client is assigned an internal address of the gateway VPN; the VPN gateway this will add as a static route to the local routing table. ---- > WHY?
- If in network extension mode, the client sends the network number of the Interior of the interface of the VPN gateway using an ISAKMP/IKE Phase 1 message. "---> MAKE SENSE
Please clarify why should I the IPP solution for the client mode. IPP for mode LAN Extension makes more sense.

Kind regards

AM

Hello

As I mentioned in the first answer,

Consider a situation where you have a central office VPN device that IS NOT the device that crosses all traffic internal to the external network. In other words in your internal network the default route redirects traffic to another device, for example the perimeter firewall.

Now for all traffic to flow between the 2 different networks you must naturally the routing tables on the device between the networks to have a route to each network or traffic not correctly between them.

So consider a situation where your hardware client Mode Client connects to the central VPN device (which is not the gateway for all external traffic) which is running OSPF with all internal routers and the IPP is NOT used. The IP of PAT address used by the hardware Client Mode Client is never adverticed to the rest of the network and traffic flows incorrectly for the perimeter firewall to which the default route points to. If IPP has been activated (and other settings) internal routers could properly bringing traffic back to the PAT IP address to the VPN device rather than the perimeter firewall.

Naturally, the situation described above applies to a LAN Extender mode also, but in this case the VPN device is naturally adverticing a whole network/subnet instead of an IP address of the host used as IP address of the PAT customer.

If the remote Client Mode or LAN Extension Mode hardware Client connects to the central site, the central site must have a route to the remote network or the IP of PAT address for traffic to flow between the 2 end points of the network.

If the central VPN device does not install a route to the address IP of PAT to the central network and then naturally the traffic won't be a way. Customer address IP PAT mode traffic will reach the central site, but the return to the address IP of PAT traffic will not flow properly without IPP.

-Jouni

VPN is not talk for the subnet behind a remote router

Hi all

I was hitting my head on the wall for a few days everything that is wrong with my configuration ASA...

That's what I got:

AnyConnect vpn (10.10.70.0/24)-online tunnel => ASA5505 performer v9.1.2 (10.10.20.1)-online (10.10.20.2) router (10.10.50.1) 1841-online my environment tour (10.10.50.0/24)

VPN is allowed to authenticate, get an address, ping 10.10.20.0/24 but unable to pass traffic (ping, ftp, etc.) 10.10.50.0 network at all.

Using EIGRP between ASA and 1841, tried static set time 'network' then 'redisturbute' and the ' redisturbute static route-map ", still no luck.

Found several docs, tried, doesn't seem to help...

https://supportforums.Cisco.com/thread/2206416

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00809d07de.shtml

Help, please...

Attach the configs for the ASA and router

Thank you in advance!

Keith S.

Hi Keith,

You are using IKEv1 or IKEV2.

It comes to your configuration:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF

Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

Crypto-map dynamic outside_dyn_map 20 the value reverse-road

test of dynamic-map 10 crypto-card, the value reverse-road

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

The dynamic map that is applied to the interface is SYSTEM_DEFAULT_CRYPTO_MAP which is an ikev2.

But the question is not the one. Depending on your configuration, there is a runnning between the ASA and the router EIGRP and according to your router table routing does not know where is 10.10.70.0/24 subnet is. To inject the subnet pool VPN in the routing table that we need an arriere-route control that you configured on a card which is not in use. Try this:

Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 Road opposite value.

And let me know if it helps.

Thank you

Jeet Kumar

ASA Version 9.0 (1) - Ping works both inside and outside, WWW does not work for remote VPN

I am at a loss, I can connect VIA VPN and Ping inside the IPs (192.168.1.2) and outside (4.2.2.2) IPs of the remote VPN client, but can't surf WWW. Inside the network, all users have WWW access and the network is fine. I'm new on the revisions to ver 8.3 and don't see what I'm missing?

Info:

ASA-A # sh xl
in use, the most used 12 4
Flags: D - DNS, e - extended, I - identity, i - dynamics, r - portmap,
s - static, T - twice, N - net-to-net
NAT inside:192.168.1.0/24 to outside:24.180.x.x/24
flags s idle 0:10:46 timeout 0:00:00
NAT outside:192.168.2.0/24 to outside:24.180.x./24
flags s idle 0:00:59 timeout 0:00:00
NAT inside:192.168.1.0/24 to any:192.168.1.0/24
sitting inactive flags 0:11:51 timeout 0:00:00
NAT any:192.168.2.0/24 to inside:192.168.2.0/24
sitting inactive flags 0:11:51 timeout 0:00:00
ASA-A #.

ASA-A # sh nat
Manual NAT policies (Section 1)
1 (inside) to destination of (all) Inside_Net Inside_Net the VPN-NET VPN static static
translate_hits = 3, untranslate_hits = 3

Auto NAT policies (Section 2)
1 (inside) (outside) static source Inside_Net 24.180.x.x
translate_hits = 3, untranslate_hits = 184
2 (outdoor) (outdoor) static source VPN-net 24.180.x.x
translate_hits 97, untranslate_hits = 91 =
ASA-A #.

Journal of the Sho:

% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; Connection for udp src outside:192.168.2.10/137(LOCAL\User) dst outside:192.168.2.255/137 refused due to path failure reverse that of NAT
% ASA-609002 7: duration of outside local host: 192.168.2.255 disassembly 0:00:00
% ASA-609001 7: built outside local host: 192.168.2.255

% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; Connection for udp src outside:192.168.2.10/137(LOCAL\User) dst outside:192.168.2.255/137 refused due to path failure reverse that of NAT
% ASA-609002 7: duration of outside local host: 192.168.2.255 disassembly 0:00:00

Current config:

ASA Version 9.0 (1)
!
ASA-A host name
domain a.local
enable the encrypted password xxxxx
XXXXX encrypted passwd
names of
IP local pool vpnpool 192.168.2.10 - 192.168.2.20
!
interface Ethernet0/0
Inet connection description
switchport access vlan 2
!
interface Ethernet0/1
LAN connection description
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP address 24.180.x.x 255.255.255.248
!
interface Vlan3
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
banner exec   ********************************************
banner exec   *                                          *
exec banner * ASA-A *.
banner exec   *                                          *
exec banner * CISCO ASA5505 *.
banner exec   *                                          *
exec banner * A Services Inc.              *
exec banner * xxx in car Street N. *.
exec banner * city, ST # *.
banner exec   *                                          *
banner exec   ********************************************
exec banner ^
passive FTP mode
DNS server-group DefaultDNS
domain a.local
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the Inside_Net object
subnet 192.168.1.0 255.255.255.0
network of the VPN-net object
Subnet 192.168.2.0 255.255.255.0
access-list extended sheep permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
allowed incoming access extended gre a whole list
inbound udp allowed extended access list any host 24.180.x.x eq 1723
list of allowed inbound tcp extended access any host 24.180.x.x eq pptp
list of allowed inbound tcp extended access any host 24.180.x.x eq smtp
list of allowed inbound tcp extended access any host 24.180.x.x eq www
list of allowed inbound tcp extended access any host 24.180.x.x eq https
list of allowed inbound tcp extended access any host 24.180.x.x eq 987
inbound udp allowed extended access list any host 24.180.x.x eq 25
inbound udp allowed extended access list any host 24.180.x.x eq 443
inbound udp allowed extended access list any host 24.180.x.x eq www
inbound udp allowed extended access list any host 24.180.x.x eq 987
pager lines 24
Enable logging
debug logging in buffered memory
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
public static Inside_Net Inside_Net destination NAT (inside, all) static source VPN-NET VPN
!
network of the Inside_Net object
NAT static 24.180.x.x (indoor, outdoor)
network of the VPN-net object
24.180.x.x static NAT (outdoors, outdoor)
Access-group interface incoming outside
Route outside 0.0.0.0 0.0.0.0 24.180.x.x 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 VPN remote esp-3des esp-md5-hmac
Crypto ipsec ikev2 VPN ipsec-proposal-remotetest
Protocol esp encryption aes - 256, aes - 192, aes, 3des and
Esp integrity sha-1 protocol
Crypto ipsec pmtu aging infinite - the security association
Crypto-map dynamic dyn1 1jeu ikev1 transform-set remote VPN
Crypto-map dynamic dyn1 1jeu reverse-road
map VPN - map 1-isakmp ipsec crypto dynamic dyn1
VPN-card interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
trustpool crypto ca policy
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
Telnet timeout 5
SSH timeout 5
Console timeout 0

dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
user name UName encrypted password privilege 15 xxxxxxxxx
type tunnel-group remote VPN remote access
attributes global-tunnel-group VPN-remote controls
address vpnpool pool
tunnel-group, ipsec VPN-remote controls-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:43db9ab2d3427289fb9a0fdb22b551fa
: end

Hello

Its propably because you do not have a DNS server configured for VPN users. Try this command:
```
 group-policy DfltGrpPolicy attributes dns-server value 8.8.8.8
```

circumstances for reverse road injection

Similar Questions

Maybe you are looking for