Cisco ipsec Vpn connects but cannot communicate with lan

Similar Questions

• Ipad Cisco ipsec VPN connects but not access to the local network

  Hi guys,.

  I am trying to connect our ipads to vpn to access network resources. IPSec cisco ipad connects but not lan access and cannot ping anything not even not the interfaces of the router.

  If I configure the vpn from cisco on a laptop, it works perfectly, I can ping all and can access resources on the local network if my guess is that the traffic is not going in the tunnel vpn between ipad and desktop.

  Cisco 877.

  My config is attached.

  Any ideas?

  Thank you

  Build-in iPad-client is not useful to your configuration.

  You have three options:

  (1) remove the ACL of your vpn group. Without split tunneling client will work.

  2) migrate legacy config crypto-map style. Here, you can use split tunneling

  3) migrate AnyConnect.

  The root of the problem is that the iPad Gets the split tunneling-information. But instead of control with routing traffic should pass through the window / the tunnel and which traffic is allowed without the VPN of the iPad tries to build a set of SAs for each line in your split-tunnel-ACL. But with the model-virtual, SA only is allowed.

• ASA 5505 IPSEC VPN connected but cannot access the local network

  ASA: 8.2.5

  ASDM: 6.4.5

  LAN: 10.1.0.0/22

  Pool VPN: 172.16.10.0/24

  Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

  I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

  Here is my setup, wrong set up anything?

  ASA Version 8.2 (5)

  !

  hostname asatest

  domain XXX.com

  activate 8Fw1QFqthX2n4uD3 encrypted password

  g9NiG6oUPjkYrHNt encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 10.1.1.253 255.255.252.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  address IP XXX.XXX.XXX.XXX 255.255.255.240

  !

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS server-group DefaultDNS

  domain vff.com

  vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

  access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

  pager lines 24

  Enable logging

  timestamp of the record

  logging trap warnings

  asdm of logging of information

  logging - the id of the device hostname

  host of logging inside the 10.1.1.230

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA-server protocol nt AD

  AAA-server host 10.1.1.108 AD (inside)

  NT-auth-domain controller 10.1.1.108

  Enable http server

  http 10.1.0.0 255.255.252.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 10.1.0.0 255.255.252.0 inside

  SSH timeout 20

  Console timeout 0

  dhcpd outside auto_config

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal group vpntest strategy

  Group vpntest policy attributes

  value of 10.1.1.108 WINS server

  Server DNS 10.1.1.108 value

  Protocol-tunnel-VPN IPSec l2tp ipsec

  disable the password-storage

  disable the IP-comp

  Re-xauth disable

  disable the PFS

  IPSec-udp disable

  IPSec-udp-port 10000

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list vpntest_splitTunnelAcl

  value by default-domain XXX.com

  disable the split-tunnel-all dns

  Dungeon-client-config backup servers

  the address value vpnpool pools

  admin WeiepwREwT66BhE9 encrypted privilege 15 password username

  username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

  the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

  tunnel-group vpntest type remote access

  tunnel-group vpntest General attributes

  address vpnpool pool

  authentication-server-group AD

  authentication-server-group (inside) AD

  Group Policy - by default-vpntest

  band-Kingdom

  vpntest group tunnel ipsec-attributes

  pre-shared-key BEKey123456

  NOCHECK Peer-id-validate

  !

  !

  privilege level 3 mode exec cmd command perfmon

  privilege level 3 mode exec cmd ping command

  mode privileged exec command cmd level 3

  logging of the privilege level 3 mode exec cmd commands

  privilege level 3 exec command failover mode cmd

  privilege level 3 mode exec command packet cmd - draw

  privilege show import at the level 5 exec mode command

  privilege level 5 see fashion exec running-config command

  order of privilege show level 3 exec mode reload

  privilege level 3 exec mode control fashion show

  privilege see the level 3 exec firewall command mode

  privilege see the level 3 exec mode command ASP.

  processor mode privileged exec command to see the level 3

  privilege command shell see the level 3 exec mode

  privilege show level 3 exec command clock mode

  privilege exec mode level 3 dns-hosts command show

  privilege see the level 3 exec command access-list mode

  logging of orders privilege see the level 3 exec mode

  privilege, level 3 see the exec command mode vlan

  privilege show level 3 exec command ip mode

  privilege, level 3 see fashion exec command ipv6

  privilege, level 3 see the exec command failover mode

  privilege, level 3 see fashion exec command asdm

  exec mode privilege see the level 3 command arp

  command routing privilege see the level 3 exec mode

  privilege, level 3 see fashion exec command ospf

  privilege, level 3 see the exec command in aaa-server mode

  AAA mode privileged exec command to see the level 3

  privilege, level 3 see fashion exec command eigrp

  privilege see the level 3 exec mode command crypto

  privilege, level 3 see fashion exec command vpn-sessiondb

  privilege level 3 exec mode command ssh show

  privilege, level 3 see fashion exec command dhcpd

  privilege, level 3 see the vpnclient command exec mode

  privilege, level 3 see fashion exec command vpn

  privilege level see the 3 blocks from exec mode command

  privilege, level 3 see fashion exec command wccp

  privilege see the level 3 exec command mode dynamic filters

  privilege, level 3 see the exec command in webvpn mode

  privilege control module see the level 3 exec mode

  privilege, level 3 see fashion exec command uauth

  privilege see the level 3 exec command compression mode

  level 3 for the show privilege mode configure the command interface

  level 3 for the show privilege mode set clock command

  level 3 for the show privilege mode configure the access-list command

  level 3 for the show privilege mode set up the registration of the order

  level 3 for the show privilege mode configure ip command

  level 3 for the show privilege mode configure command failover

  level 5 mode see the privilege set up command asdm

  level 3 for the show privilege mode configure arp command

  level 3 for the show privilege mode configure the command routing

  level 3 for the show privilege mode configure aaa-order server

  level mode 3 privilege see the command configure aaa

  level 3 for the show privilege mode configure command crypto

  level 3 for the show privilege mode configure ssh command

  level 3 for the show privilege mode configure command dhcpd

  level 5 mode see the privilege set privilege to command

  privilege level clear 3 mode exec command dns host

  logging of the privilege clear level 3 exec mode commands

  clear level 3 arp command mode privileged exec

  AAA-server of privilege clear level 3 exec mode command

  privilege clear level 3 exec mode command crypto

  privilege clear level 3 exec command mode dynamic filters

  level 3 for the privilege cmd mode configure command failover

  clear level 3 privilege mode set the logging of command

  privilege mode clear level 3 Configure arp command

  clear level 3 privilege mode configure command crypto

  clear level 3 privilege mode configure aaa-order server

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

  : end

  Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

  The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

  On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

• Urgent! Users of remote access VPN connects but cannot access remote LAN (ping, folder,...)

  Hello

  I am setting up a VPN on a Cisco ASA 5510 version 8.4 remote access (4) 1.

  When I try to connect via the Cisco VPN client software, I am able to connect however I am unable to access network resources.

  However, I can ping the servers in the other site that is connected through the VPN site-to site to the main site!

  VPN client--> main site (ping times on)--> Site connected with the main site with VPN S2S (successful ping)

  Please help me I need to find a solution as soon as POSSIBLE!

  Thank you in advance.

  Hello

  Please remove the NAT exemption and the re - issue the command but with #1, so it will place the NAT as first line:

  No nat (SERVERS, external) static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

  NAT (SERVERS, external) 1 static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

  After re-configured this way, make sure that this command is also available:

  Sysopt connection permit VPN

  This sysopt will allow traffic regardles any ACL a fall, just in case. Please continue to run a package tracer and post it here,

  Packet-trace entry Server icmp XXXXXX 8 0 detailed YYYYY

  XXXX--> server IP

  AAAA--> VPN IP of the user

  Don't forget to do the two steps and a just in case, capture Please note and mark it as correct the useful message!

  Thank you

  David Castro,

• My HP 5510 is connected to the wireless network, but cannot communicate with the printer?

  I connect a HP all in one Photosmart 5510 to an ATT Uverse wireless network. It says printer is connected and printer tests are all good.., but still when I try to print, I get an error message saying that cannot communicate with the printer, make sure that it is attached to the network?

  I restarted services, restarted..., still the same case. It says its connected, but do not connect or print. Very frustrating...

  What operating system?

  If Windows, download and run this utility: http://h20180.www2.hp.com/apps/Nav?h_pagetype=s-926&h_lang=en&h_client=s-h-e17-1&h_keyword=dg-NDU&jumpid=ex_r4155/en/hho/ipg/forum/network_diag/

  What did he say?

• Establish a IPsec VPN connection, but remote site can't ping main office

  Hi, I set up connection from site to site IPsec VPN between cisco 892 (main site) router and linksys router wrv210 (remote site). My problem is that I can ping network router wrv210 lan of my main office where is cisco 892 router, but I cannot ping the main site of linksys wrv210 lan (my remote site).

  My configuration on the cisco 892 router:

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-1

  game group-access 103

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-3

  game group-access 106

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-2

  game group-access 105

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-5

  game group-access 108

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-4

  game group-access 107

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-7

  group-access 110 match

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-6

  game group-access 109

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-9

  game group-access 112

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-8

  game group-access 111

  type of class-card inspect entire game SDM_AH

  match the name of group-access SDM_AH

  type of class-card inspect entire game SDM_ESP

  match the name of group-access SDM_ESP

  type of class-card inspect entire game SDM_VPN_TRAFFIC

  match Protocol isakmp

  match Protocol ipsec-msft

  corresponds to the SDM_AH class-map

  corresponds to the SDM_ESP class-map

  type of class-card inspect the correspondence SDM_VPN_PT

  game group-access 102

  corresponds to the SDM_VPN_TRAFFIC class-map

  type of class-card inspect entire game PAC-cls-insp-traffic

  match Protocol cuseeme

  dns protocol game

  ftp protocol game

  h323 Protocol game

  https protocol game

  match icmp Protocol

  match the imap Protocol

  pop3 Protocol game

  netshow Protocol game

  Protocol shell game

  match Protocol realmedia

  match rtsp Protocol

  smtp Protocol game

  sql-net Protocol game

  streamworks Protocol game

  tftp Protocol game

  vdolive Protocol game

  tcp protocol match

  udp Protocol game

  inspect the class-map match PAC-insp-traffic type

  corresponds to the class-map PAC-cls-insp-traffic

  type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-10

  game group-access 113

  type of class-card inspect all sdm-service-ccp-inspect-1 game

  http protocol game

  https protocol game

  type of class-card inspect entire game PAC-cls-icmp-access

  match icmp Protocol

  tcp protocol match

  udp Protocol game

  type of class-card inspect correspondence ccp-invalid-src

  game group-access 100

  type of class-card inspect correspondence ccp-icmp-access

  corresponds to the class-ccp-cls-icmp-access card

  type of class-card inspect correspondence ccp-Protocol-http

  match class-map sdm-service-ccp-inspect-1

  !

  !

  type of policy-card inspect PCB-permits-icmpreply

  class type inspect PCB-icmp-access

  inspect

  class class by default

  Pass

  type of policy-card inspect sdm-pol-VPNOutsideToInside-1

  class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

  class type inspect sdm-cls-VPNOutsideToInside-2

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-3

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-4

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-5

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-6

  inspect

  class type inspect sdm-cls-VPNOutsideToInside-7

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-8

  Pass

  class type inspect sdm-cls-VPNOutsideToInside-9

  inspect

  class type inspect sdm-cls-VPNOutsideToInside-10

  Pass

  class class by default

  drop

  type of policy-map inspect PCB - inspect

  class type inspect PCB-invalid-src

  Drop newspaper

  class type inspect PCB-Protocol-http

  inspect

  class type inspect PCB-insp-traffic

  inspect

  class class by default

  drop

  type of policy-card inspect PCB-enabled

  class type inspect SDM_VPN_PT

  Pass

  class class by default

  drop

  !

  security of the area outside the area

  safety zone-to-zone

  zone-pair security PAC-zp-self-out source destination outside zone auto

  type of service-strategy inspect PCB-permits-icmpreply

  zone-pair security PAC-zp-in-out source in the area of destination outside the area

  type of service-strategy inspect PCB - inspect

  source of PAC-zp-out-auto security area outside zone destination auto pair

  type of service-strategy inspect PCB-enabled

  sdm-zp-VPNOutsideToInside-1 zone-pair security source outside the area of destination in the area

  type of service-strategy inspect sdm-pol-VPNOutsideToInside-1

  !

  !

  crypto ISAKMP policy 1

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  ISAKMP crypto key address 83.xx.xx.50 xxxxxxxxxxx

  !

  !

  Crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac

  !

  map SDM_CMAP_1 1 ipsec-isakmp crypto

  Description NY_NJ

  the value of 83.xx.xx.50 peer

  game of transformation-ESP-3DES

  match address 101

  !

  !

  !

  !

  !

  interface BRI0

  no ip address

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  encapsulation hdlc

  Shutdown

  Multidrop ISDN endpoint

  !

  !

  interface FastEthernet0

  !

  !

  interface FastEthernet1

  !

  !

  interface FastEthernet2

  !

  !

  interface FastEthernet3

  !

  !

  interface FastEthernet4

  !

  !

  interface FastEthernet5

  !

  !

  FastEthernet6 interface

  !

  !

  interface FastEthernet7

  !

  !

  interface FastEthernet8

  no ip address

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  automatic duplex

  automatic speed

  !

  !

  interface GigabitEthernet0

  Description $ES_WAN$ $FW_OUTSIDE$

  IP address 89.xx.xx.4 255.255.255.xx

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  NAT outside IP

  IP virtual-reassembly

  outside the area of security of Member's area

  automatic duplex

  automatic speed

  map SDM_CMAP_1 crypto

  !

  !

  interface Vlan1

  Description $ETH - SW - LAUNCH INTF-INFO-FE 1 to $$$ $ES_LAN$ $FW_INSIDE$

  IP 192.168.0.253 255.255.255.0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  penetration of the IP stream

  IP nat inside

  IP virtual-reassembly

  Security members in the box area

  IP tcp adjust-mss 1452

  !

  !

  IP forward-Protocol ND

  IP http server

  local IP http authentication

  IP http secure server

  IP http timeout policy slowed down 60 life 86400 request 10000

  !

  !

  IP nat inside source overload map route SDM_RMAP_1 interface GigabitEthernet0

  IP route 0.0.0.0 0.0.0.0 89.xx.xx.1

  !

  SDM_AH extended IP access list

  Note the category CCP_ACL = 1

  allow a whole ahp

  SDM_ESP extended IP access list

  Note the category CCP_ACL = 1

  allow an esp

  !

  recording of debug trap

  Note access-list 1 INSIDE_IF = Vlan1

  Note category of access list 1 = 2 CCP_ACL

  access-list 1 permit 192.168.0.0 0.0.0.255

  Access-list 100 category CCP_ACL = 128 note

  access-list 100 permit ip 255.255.255.255 host everything

  access-list 100 permit ip 127.0.0.0 0.255.255.255 everything

  access-list 100 permit ip 89.xx.xx.0 0.0.0.7 everything

  Note access-list 101 category CCP_ACL = 4

  Note access-list 101 IPSec rule

  access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

  Note access-list 102 CCP_ACL category = 128

  access-list 102 permit ip host 83.xx.xx.50 all

  Note access-list 103 CCP_ACL category = 0

  Note access-list 103 IPSec rule

  access-list 103 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 104 CCP_ACL category = 2

  Note access-list 104 IPSec rule

  access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

  access-list 104. allow ip 192.168.0.0 0.0.0.255 any

  Note access-list 105 CCP_ACL category = 0

  Note access-list 105 IPSec rule

  access-list 105 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 106 CCP_ACL category = 0

  Note access-list 106 IPSec rule

  access-list 106 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 107 CCP_ACL category = 0

  Note access-list 107 IPSec rule

  access-list 107 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 108 CCP_ACL category = 0

  Note access-list 108 IPSec rule

  access-list 108 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 109 CCP_ACL category = 0

  Note access-list 109 IPSec rule

  access-list 109 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 110 CCP_ACL category = 0

  Note access-list 110 IPSec rule

  access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 111 CCP_ACL category = 0

  Note access-list 111 IPSec rule

  access-list 111 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 112 CCP_ACL category = 0

  Note access-list 112 IPSec rule

  access-list 112 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  Note access-list 113 CCP_ACL category = 0

  Note access-list 113 IPSec rule

  access-list 113 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

  not run cdp

  !

  !

  !

  !

  allowed SDM_RMAP_1 1 route map

  corresponds to the IP 104

  --------------------------------------------------------

  I only give your router cisco 892 because there is nothnig much to change on linksys wrv210 router.

  Hope someone can help me. See you soon

  You can run a "ip inspect log drop-pkt" and see if get you any what FW-DROP session corresponding to the traffic you send Linksys to the main site. Zone based firewall could be blocking traffic initiated from outside to inside.

• established - VPN connection, but cannot connect to the server?

  vpn connection AnyConnect is implemented - but cannot connect to the server? The server IP is 192.168.0.4

  Thank you

  ASA Version 8.2 (1)

  !

  hostname ciscoasa5505

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.0.3 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 208.0.0.162 255.255.255.248

  !

  interface Vlan5

  Shutdown

  prior to interface Vlan1

  nameif dmz

  security-level 50

  IP address dhcp setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS lookup field inside

  DNS server-group DefaultDNS

  192.168.0.4 server name

  Server name 208.0.0.11

  permit same-security-traffic intra-interface

  object-group Protocol TCPUDP

  object-protocol udp

  object-tcp protocol

  object-group service TS-780-tcp - udp

  port-object eq 780

  object-group service Graphon tcp - udp

  port-object eq 491

  Allworx-2088 udp service object-group

  port-object eq 2088

  object-group service allworx-15000 udp

  15000 15511 object-port Beach

  object-group service udp allworx-2088

  port-object eq 2088

  object-group service allworx-5060 udp

  port-object eq sip

  object-group service allworx-8081 tcp

  EQ port 8081 object

  object-group service web-allworx tcp

  EQ object of port 8080

  allworx udp service object-group

  16001 16010 object-port Beach

  object-group service allworx-udp

  object-port range 16384-16393

  object-group service remote tcp - udp

  port-object eq 779

  object-group service billing1 tcp - udp

  EQ object of port 8080

  object-group service billing-1521 tcp - udp

  port-object eq 1521

  object-group service billing-6233 tcp - udp

  6233 6234 object-port Beach

  object-group service billing2-3389 tcp - udp

  EQ port 3389 object

  object-group service olivia-3389 tcp - udp

  EQ port 3389 object

  object-group service olivia-777-tcp - udp

  port-object eq 777

  netgroup group of objects

  network-object host 192.168.0.15

  network-object host 192.168.0.4

  object-group service allworx1 tcp - udp

  8080 description

  EQ object of port 8080

  allworx_15000 udp service object-group

  15000 15511 object-port Beach

  allworx_16384 udp service object-group

  object-port range 16384-16393

  DM_INLINE_UDP_1 udp service object-group

  purpose of group allworx_16384

  object-port range 16384 16403

  object-group service allworx-5061 udp

  range of object-port 5061 5062

  object-group service ananit tcp - udp

  port-object eq 880

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-6233

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-1521

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing2-3389

  outside_access_in list extended access permit tcp any host 208.0.0.164 eq https

  outside_access_in list extended access permit tcp any host 208.0.0.164 eq www

  outside_access_in list extended access permit tcp any host 208.0.0.164 eq ftp

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing1

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 EQ field

  outside_access_in list extended access permit tcp any host 208.0.0.162 eq www

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 remote object-group

  outside_access_in list extended access permit tcp any host 208.0.0.162 eq smtp

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 object-group olivia-777

  outside_access_in list extended access permit udp any host 208.0.0.162 - group Allworx-2088 idle object

  outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5060

  outside_access_in list extended access permit tcp any host 208.0.0.162 object-group web-allworx inactive

  outside_access_in list extended access permit tcp any host 208.0.0.162 object-group inactive allworx-8081

  outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-15000

  outside_access_in list extended access permit udp any host 208.0.0.162 DM_INLINE_UDP_1 idle object-group

  outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5061

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 inactive ananit object-group

  outside_access_in list extended access deny ip host 151.1.68.194 208.0.0.164

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

  permit access ip 192.168.0.0 scope list outside_20_cryptomap 255.255.255.0 172.16.0.0 255.255.0.0

  Ping list extended access permit icmp any any echo response

  inside_access_in of access allowed any ip an extended list

  permit access ip 192.168.0.0 scope list outside_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0

  access-list 1 standard allow 192.168.0.0 255.255.255.0

  pager lines 24

  Enable logging

  logging buffered stored notifications

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  MTU 1500 dmz

  IP local pool 192.168.100.30 - 192.168.100.60 mask 255.255.255.0 remote_pool

  192.168.0.20 mask - distance local pool 255.255.255.0 IP 192.168.0.50

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT (outside) 1 192.168.0.0 255.255.255.0

  alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255

  public static tcp (indoor, outdoor) interface 192.168.0.4 smtp smtp netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface field 192.168.0.4 netmask 255.255.255.255 area

  public static tcp (indoor, outdoor) interface 192.168.0.4 www www netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface 777 192.168.0.15 777 netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface 779 192.168.0.4 779 netmask 255.255.255.255

  public static (inside, outside) udp interface field 192.168.0.4 netmask 255.255.255.255 area

  public static tcp (indoor, outdoor) interface 880 192.168.0.16 880 netmask 255.255.255.255

  static (inside, outside) 208.0.0.164 tcp 3389 192.168.0.185 3389 netmask 255.255.255.255

  inside_access_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 208.0.0.161 1

  Route inside 192.168.50.0 255.255.255.0 192.168.0.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.0.0 255.255.255.0 inside

  http 192.168.0.3 255.255.255.255 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Sysopt noproxyarp inside

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_cryptomap

  card crypto outside_map 1 set pfs

  peer set card crypto outside_map 1 108.0.0.97

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  card crypto outside_map 20 match address outside_20_cryptomap

  card crypto outside_map 20 set pfs

  peer set card crypto outside_map 20 69.0.0.54

  outside_map crypto 20 card value transform-set ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life no

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 1

  life no

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  identifying client DHCP-client interface dmz

  dhcpd outside auto_config

  !

  dhcpd address 192.168.0.20 - 192.168.0.50 inside

  dhcpd dns 192.168.0.4 208.0.0.11 interface inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

  enable SVC

  tunnel-group-list activate

  attributes of Group Policy DfltGrpPolicy

  internal group anyconnect strategy

  attributes of the strategy group anyconnect

  VPN-tunnel-Protocol svc webvpn

  WebVPN

  list of URLS no

  SVC request enable

  encrypted olivia Zta1M8bCsJst9NAs password username

  username of graciela CdnZ0hm9o72q6Ddj encrypted password

  tunnel-group 69.0.0.54 type ipsec-l2l

  IPSec-attributes tunnel-group 69.0.0.54

  pre-shared-key *.

  tunnel-group 108.0.0.97 type ipsec-l2l

  IPSec-attributes tunnel-group 108.0.0.97

  pre-shared-key *.

  tunnel-group anyconnect type remote access

  tunnel-group anyconnect General attributes

  remote address pool

  strategy-group-by default anyconnect

  tunnel-group anyconnect webvpn-attributes

  Group-alias anyconnect enable

  !

  Global class-card class

  match default-inspection-traffic

  !

  !

  World-Policy policy-map

  Global category

  inspect the icmp

  !

  service-policy-international policy global

  : end

  ASDM location 208.0.0.164 255.255.255.255 inside

  ASDM location 192.168.0.15 255.255.255.255 inside

  ASDM location 192.168.50.0 255.255.255.0 inside

  ASDM location 192.168.1.0 255.255.255.0 inside

  don't allow no asdm history

  Right now your nat 0 (NAT exemption) follows the access list:

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

  Traffic back from your server to 192.168.0.4 in the pool of VPN (192.168.0.20 - 50) not correspond to this access list and thus be NATted. The TCP connection will not develop due to the failure of the Reverse Path Forwarding (RPF) - traffic is asymmetric NATted.

  Then try to add an entry to the list of access as:

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.0.0 255.255.255.0

  It's a bit paradoxical but necessary that your VPN pool is cut out in your interior space network. You could also do like André offers below and use a separate network, but you would still have to add an access list entry to exempt outgoing NAT traffic.

• VPN connects but cannot ping or access resources

  I hope this is an easy fix and it's something that I am missing.  I've been looking at this for several hours.

  Scenario:

  I Anyconnect Essentials so I use the SSL connection

  I changed my domain name and external IP in my setup, I write.

  My VPN connection seems to work very well.  In fact, I was able to connect to 3 locations with 3 different external IP address.

  1 location, I get IP address 192.168.30.10, as it should.  I can ping 192.168.1.1, but not the 192.168.1.6 which is my temporary resource, the firewall is disabled on 192.168.1.6.

  2 location, I get an IP of 192.168.30.11, as it should.  I was able to ping 192.168.30.10, could not sue 192.168.1.1 as the place closed.

  Any help would be appreciated, it's getting late so I hope I gave enough details.  I feel so close but yet so far.

  See the ciscoasa # running

  : Saved

  :

  ASA Version 8.2 (1)

  !

  ciscoasa hostname

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 22.22.22.246 255.255.255.252

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  clock timezone CST - 6

  clock to summer time recurring CDT

  DNS lookup field inside

  DNS domain-lookup outside

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  ICMP-type of object-group ALLOWPING

  echo ICMP-object

  ICMP-object has exceeded the time

  response to echo ICMP-object

  Object-ICMP traceroute

  Object-ICMP source-quench

  ICMP-unreachable object

  access-list 10 scope ip allow a whole

  10 extended access-list allow icmp a whole

  pager lines 24

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask 192.168.30.10 - 192.168.30.25 255.255.255.0 IP local pool SSLClientPoolNew

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 1 192.168.1.0 255.255.255.0

  Route outside 0.0.0.0 0.0.0.0 22.22.22.245 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  network-acl 10

  WebVPN

  SVC request no svc default

  AAA authentication LOCAL telnet console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Telnet 0.0.0.0 0.0.0.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management-access inside

  dhcpd dns 8.8.8.8

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.5 - 192.168.1.36 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow inside

  allow outside

  AnyConnect essentials

  SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 image

  SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 2 image

  enable SVC

  tunnel-group-list activate

  internal SSLClientPolicy group strategy

  attributes of Group Policy SSLClientPolicy

  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

  field default value mondomaine.fr

  the address value SSLClientPoolNew pools

  WebVPN

  SVC Dungeon-Installer installed

  time to generate a new key of SVC 180

  SVC generate a new method ssl key

  SVC value vpngina modules

  attributes of Group Policy DfltGrpPolicy

  VPN-tunnel-Protocol webvpn

  username test encrypted password privilege 15 xxxxxxxxxxxxxx

  username ljb1 password encrypted xxxxxxxxxxxxxx

  type tunnel-group SSLClientProfile remote access

  attributes global-tunnel-group SSLClientProfile

  Group Policy - by default-SSLClientPolicy

  tunnel-group SSLClientProfile webvpn-attributes

  enable SSLVPNClient group-alias

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:ed683c7f1b86066d1d8c4fff6b08c592

  : end

  Patrick,

  'Re missing you the excemption NAT. Please add the following and try again:

  access-list allowed sheep ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0

  NAT (inside) 0 access-list sheep

  Let us know if you still have problems after that.

  Raga

• Windows Vista machines can see XP machines but cannot communicate with them.

  original title: VISTA machine can see XP machines in local network, cannot connect

  I have a 3 computer home network that has worked very well for many years, but it is usually just used by 3 machines to access the Internet.  Very rarely a computer does enter a file out of one of the other machines, but this feature has certainly worked in the past.

  Machine 1: Desktop/VISTA/setting up a connection to the router

  Machine 2: Desktop/XP/setting up a connection to the router

  Machine 3: Computer connection laptop/XP/wireless to the router

  All the machines, automatic update of Windows and all the computers are running Norton Security Suite, which is also updated automatically.  Norton Security Suite is a relatively new introduction to the network.

  2 XP machines see that all 3 computers in the network each has access to the other.  2 XP machines can not "reach" the VISTA ("the network path was not found") which could be correct, because machine that I never shared something on this machine, although sharing file and printer sharing * are * on.

  On the VISTA machine click on network and sharing Center and then see the full plan shows 3 machines in the group.  But, then clicking on view computers and devices results in the network window, which shows that the VISTA as a computer machine and a media device.  No XP computer to connect to.

  The VISTA machine can ping machines (Machine 2 ping or ping Machine 3) XP, but XP machines can't ping the VISTA.  In fact, it's quite strange; If I 'ping Machine 1' of one of the machines XP ping command reports "Pinging Machine 1. (Name of working group) "[208.68.143.50] with 32 bytes of data", then he received 4 requests, responses has expired.  I have no idea where this name - the name of my PC added on behalf of the Working Group - and the IP address belongs to a computer somewhere in Massachusetts!  (I'm in California).

  Rattling of the VISTA machine using its IP internal, as reported by the router just translates into 4 requests, responses has expired.

  I worked on it for hours now, after trying all of the 'standard' patches with no improvement.  Given the Windows error message when one of the XP machines trying to access the VISTA - "the path not found network" machine as opposed to they access denied response - and the ping odd response when you use the name of the machine, I have the feeling that the things in the list of standard control is not the problem.

  Any thoughts?

  Tom Young

  I finally reduced to the Norton Security Suite firewall.  Don't think that was the issue that the 2 XP machines are also running Norton Security Suite and is working very well.  Penetrating machines XP 2 'Total confidence' confidence level - which doesn't seem to be necessary according to the news 'aid' to Norton that I read over and over again - cured the problem.

  Tom Young

• Client VPN connects but cannot ping all hosts

  Here is the configuration of a PIX 501, which I want to accept connections from the VPN software clients.  I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client and I can ping the PIX to 192.168.5.1, but I can't ping or you connect to all hosts behind the PIX.  Can someone tell me what Miss me in my setup?

  Thanks for your help.

  Chi - pix # sh conf
  : Saved
  : Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
  6.3 (3) version PIX
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate the encrypted password
  encrypted passwd
  hostname chi - pix
  .com domain name
  fixup protocol dns-length maximum 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol they 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  list-access internet-traffic ip 192.168.5.0 allow 255.255.255.0 any
  Allow Access-list allowed a whole icmp ping
  access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
  access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
  pager lines 24
  opening of session
  debug logging in buffered memory
  ICMP deny everything outside
  Outside 1500 MTU
  Within 1500 MTU
  IP address outside pppoe setroute
  IP address inside 192.168.5.1 255.255.255.0
  alarm action IP verification of information
  alarm action attack IP audit
  IP local pool ippool 10.10.11.1 - 10.10.11.254
  PDM logging 100 information
  history of PDM activate
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) - 0 102 access list
  NAT (inside) 1 list-access internet-traffic 0 0
  group-access allowed to ping in external interface
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  RADIUS Protocol RADIUS AAA server
  AAA-server local LOCAL Protocol
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  Permitted connection ipsec sysopt
  Crypto ipsec transform-set esp - esp-md5-hmac GvnPix-series
  Crypto-map dynamic dynmap 10 GvnPix-set transform-set
  toGvnPix 10 card crypto ipsec-isakmp dynamic dynmap
  toGvnPix interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
  ISAKMP keepalive 60
  ISAKMP nat-traversal 20
  part of pre authentication ISAKMP policy 9
  encryption of ISAKMP policy 9
  ISAKMP policy 9 md5 hash
  9 2 ISAKMP policy group
  ISAKMP policy 9 life 86400
  vpngroup address ippool pool chiclient
  vpngroup dns 192.168.5.1 Server chiclient
  vpngroup wins 192.168.5.1 chiclient-Server
  vpngroup chiclient com default domain
  vpngroup split tunnel 101 chiclient
  vpngroup idle 1800 chiclient-time
  vpngroup password chiclient *.
  Telnet 0.0.0.0 0.0.0.0 inside
  Telnet timeout 30
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 30
  management-access inside
  Console timeout 0
  VPDN group chi request dialout pppoe
  VPDN group chi net localname
  VPDN group chi ppp authentication pap
  VPDN username password net *.
  dhcpd address 192.168.5.2 - 192.168.5.33 inside
  dhcpd dns xx
  dhcpd rental 86400
  dhcpd ping_timeout 750
  dhcpd outside auto_config
  dhcpd allow inside
  Terminal width 100
  Cryptochecksum:
  Chi - pix #.

  On the PIX configuration seems correct.

  I guess you try to access hosts in 192.168.5.0/24, and these default hosts is the PIX inside interface 192.168.5.1?

  How you try to access these internal hosts? If you try to ping the hosts, please please make sure there is no personal firewall enabled inside welcomes as personal firewall normally doesn't allow incoming connections from different subnet ip address.

• VPN works, but cannot access the LAN...

  I have cisco vpn client connection to a 1721 at the office. the client connects and I can access the office LAN but but not the local network. I have the box checked in client vpn to allow access to the local network. Help, please!

  Thank you!

  Matt

  Here is the config:

  Current configuration: 3901 bytes

  !

  version 12.2

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  Cerberus hostname

  !

  start the system flash c1700-k9o3sy7 - mz.122 - 11.T10.bin

  AAA new-model

  !

  !

  RADIUS AAA server group SERVERS RADIUS

  auth-port 1645 192.168.69.1 Server acct-port 1646

  !

  AAA authentication login LOGIN group SERVERS RADIUS local

  local NETGROUPAUTH AAA authorization network

  AAA - the id of the joint session

  !

  username mattheff password xxx

  username mikeheff password xxx

  clock timezone CST - 6

  clock to summer time recurring CDT 2 Sun Mar 2:00 1 Sun Nov 02:00

  IP subnet zero

  !

  !

  IP domain name heffnet.net

  name of the IP-server 68.94.156.1

  name of the IP-server 68.94.157.1

  DHCP excluded-address IP 192.168.69.1 192.168.69.99

  DHCP excluded-address IP 192.168.69.111 192.168.69.254

  !

  dhcp HEFFNET_LAN_POOL_1 IP pool

  network 192.168.69.0 255.255.255.0

  router by default - 192.168.69.254

  Server DNS 68.x.x.1 68.94.157.1

  !

  audit of IP notify Journal

  Max-events of po verification IP 100

  VPDN enable

  !

  VPDN-group pppoe

  demand dial

  Protocol pppoe

  !

  !

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  Configuration group VPNGROUP crypto isakmp client

  8mathef8 key

  68.x.x.1 DNS 68.94.157.1

  heffnet.net field

  pool VPN_CLIENT_POOL

  ACL 102

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac VPNSET1

  !

  crypto dynamic-map 10 DYNMAP

  game of transformation-VPNSET1

  !

  !

  list of authentication of card crypto VPNCLIENTMAP customer LOGIN

  list of crypto isakmp NETGROUPAUTH VPNCLIENTMAP card authorization

  crypto card for the VPNCLIENTMAP client configuration address respond

  card crypto VPNCLIENTMAP 10-isakmp dynamic ipsec DYNMAP

  !

  !

  !

  !

  interface Loopback0

  IP address 1.1.x.x.255.255.252

  !

  ATM0 interface

  Heffnet WAN/SBC DSL Interface Description

  no ip address

  No atm ilmi-keepalive

  PVC 0/35

  PPPoE-client dial-pool-number 69

  !

  DSL-automatic operation mode

  no fair queue

  !

  interface FastEthernet0

  Heffnet LAN Interface Description

  IP 192.168.69.254 255.255.255.0

  IP nat inside

  IP tcp adjust-mss 1452

  route VPN_ROUTE_MAP card intellectual property policy

  automatic speed

  !

  interface Dialer69

  MTU 1492

  the negotiated IP address

  NAT outside IP

  encapsulation ppp

  Dialer pool 69

  PPP chap hostname cerberus

  PPP chap password xxx

  PPP pap sent-username [email protected] / * / password xxx

  card crypto VPNCLIENTMAP

  !

  local IP VPN_CLIENT_POOL 192.168.70.200 pool 192.168.70.253

  IP nat inside source list interface INTERNALLY Dialer69 overload

  !

  IP classless

  IP route 0.0.0.0 0.0.0.0 Dialer69

  no ip address of the http server

  !

  !

  INTERNAL extended IP access list

  deny ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255

  IP 192.168.69.0 allow 0.0.0.255 any

  !

  record 192.168.69.1

  access-list 101 permit ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255

  access-list 102 permit ip 192.168.69.0 0.0.0.255 any

  !

  VPN_ROUTE_MAP allowed 10 route map

  corresponds to the IP 101

  set ip next-hop 1.1.1.2

  !

  alias exec s show ip interface brief

  alias exec sr show running-config

  !

  Line con 0

  privilege level 15

  Synchronous recording

  line to 0

  privilege level 15

  Synchronous recording

  line vty 0 4

  privilege level 15

  Synchronous recording

  line vty 5 15

  privilege level 15

  Synchronous recording

  !

  Scheduler allocate 4000 1000

  end

  Hi Matt,

  The config looks good. Please make sure that you get a route to 192.168.69.0 255.255.255.0 network only after the connection to the VPN client. Please also correspond to the exit "route print" before and after the connection. One last thing, I hope that the local network is not 192.168.69.0.

  HTH,

  Please rate if this helps,

  Kind regards

  Kamal

• Printers HP B110a cannot communicate with the laptop, but both will be connected to the router?

  OK, here's an interesting problem that has been banging my brain for hours, one of my friends has a HP Photosmart all in one printer B110a. Now I can get the printer to connect to the wireless router, no problem. Can I also have the phone to connect to the router, the problem is that the printer cannot communicate with the laptop. The router brand and model is the Linksys wrt54g

  Now, I took my friends laptop home and tried to see if she could detect my wireless printer model different on my router which is a TP WR340GD I went in devices and printers, and went to Add a printer and Add Printer wireless, it instantly detected my printer via the wireless network. There is no problem on the side of the laptop. I am sure that any firewall on the laptop was turned off when I tried the connected printer.

  So now I have my friends printer here with me and decided to try and see if I could detect the HP Photosmart printer All In One Printer on my laptop on my TP WR340GDwireless router. Yet once, it worked perfectly and it has detected the printer and works wireless without fault.

  I'm down now to the conclusion that the problem is with my friends router Linksys wrt54g I'm gone in the settings of the router, change the wireless channels, changed security between WEP and WPA/WPA2 and AES AND TKIP wireless and this does not solve the problem.

  I can access to the Photosmart B110a: the Web server integrated in a browser ONLY if I have the laptop to the router physically connected by Ethernet cable when trying to access my router from a friend, but I can access through wireless on my router. The problem is probably something very simple that I forgot, but I was more all I can think that I tried to reset harder than the printer cleaned the network settings on the printer as well from the display of the printer menu.

  I'm really lost now, someone at - it suggestions?

  Hey pcwizard, ok, I checked the router settings and Mac filtering turned on, so I decided to reset the router, it restored to factory settings. Re-Setup wireless and once again I tried, still had no luck with the laptop to communicate with the printer.

  in any case, I decided to connect the cable from the printer to the laptop and took the USB to wireless Assistant. As I reinstalled it the printer using the wired method.

  He told me that the rules of traffic incoming and outgoing firewall stopped communication between devices and assign port numbers 427-9000 etc.. However, I had turned off all firewall, Windows and Norton 360, which since then, I've replaced with a better anti-virus software.

  I went into the settings of the router, port forwarded the application numbers, tried again and is again no luck. I'm usually pretty good with computers, but it was really annoying me. So I went and had a coffee and a brainwave came and I decided to see if my laptop could detect and connect the printer to the router. As soon as I tried it, he finds and the printer has detected immediately.

  Then I thought there must be something on my laptop to friends who may be at the origin of the problem, when I looked, I noticed that my friend had the old software Vodafone Mobile Broadband running in the background which was connected to the router.

  So I closed and turn it off and tried again adding printer. SUCCESS now detects it and the printer is now communicate and respond with the laptop. I'm guessing that the Vodafone Mobile Broadband have a built-in firewall blocking the communication. However it is strange because it worked without problem on my printer at home, so I wonder if some how blacklisted broadband Vodafone IP address of the printer at a time on their router.

  I'm so happy, it's finally done, a lot of hours and work, and after all this time it was * beep * Vodafone.

  in any case Pcwizard I thank very much for trying to help, no doubt has given me a few ideas.

  Thanks again!

• BlackBerry Z10 Z10 suddenly stopped synchronization of calendar and contact - link gives BB cannot communicate with connected mssg but displays device

  I think that BB link updated the software in March 2015.  I had been very good sync with my laptop Windows 8 with the Outlook calendar and contacts, but this week it stopped.  BB link watch Z0 connected, but says cannot communicate with the device.  I tried the solution of knowledge base - leave plugged phone with a USB cable, power phone off, then back on donkey wait 3-5 minutes for the pilots to complete loading - but none help.  I rebooted the computer and the Z10 several times, but no luck with the synchronization.  Any help is appreciated!

  Try the following steps, which will completely remove all traces of BlackBerry-link device driver entries and may solve your problem:

  1. Uninstall the BlackBerry link.
  2. Open the Device Manager by pressing the Windows key + R on your keyboard type devmgmt.msc , and then click OK.
  3. Click view , and then click Show hidden devices on the menu that appears.
  4. Expand the BlackBerry section by clicking on the + symbol next to it.
  5. Right-click on the following, and then click Uninstall. In the dialog box that appears, select delete the driver for this device. If more than one of each of the following entries appear, remove them as well.
     • BlackBerry smartphone
     • BlackBerry smart phone
  6. Expand the network adapters section by clicking on the + symbol next to it.
  7. Right-click on the following, and then click Uninstall. In the dialog box that appears, select delete the driver for this device. If more than one of each of the following entries appear, remove them as well.
     • BlackBerry smartphone
     • Tethering BlackBerry smartphone
     • Virtual private network of blackBerry
  8. Restart the computer.
  9. Reinstall the latest version of BlackBerry link.
  10. Try to reconnect your BlackBerry Z10 to the computer and see if she is able to communicate with the BlackBerry link.

  After back and let us know if it works for you.

• VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

  I tried to set up a simple customer vpn using this document

  http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

  VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

  6.3 (5) PIX version

  interface ethernet0 car

  Auto interface ethernet1

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the encrypted password of VmHKIhnF4Gs5AWk3

  VmHKIhnF4Gs5AWk3 encrypted passwd

  hostname VOIPLABPIX

  domain voicelab.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside 208.x.x.11 255.255.255.0

  IP address inside 172.10.2.2 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool voicelabpool 172.10.3.100 - 172.10.3.254

  history of PDM activate

  ARP timeout 14400

  NAT (inside) - 0 102 access list

  Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1

  Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 172.0.0.0 255.0.0.0 inside

  http 0.0.0.0 0.0.0.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac

  Crypto-map dynamic map2 10 set transform-set trmset1

  map map1 10 ipsec-isakmp crypto dynamic map2

  client authentication card crypto LOCAL map1

  map1 outside crypto map interface

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 encryption aes-256

  ISAKMP policy 10 sha hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup address voicelabpool pool cuclab

  vpngroup dns 204.x.x.10 Server cuclab

  vpngroup cuclab by default-field voicelab.com

  vpngroup split tunnel 101 cuclab

  vpngroup idle 1800 cuclab-time

  vpngroup password cuclab *.

  Telnet timeout 5

  SSH 208.x.x.11 255.255.255.255 outside

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH 172.10.1.2 255.255.255.255 inside

  SSH timeout 60

  Console timeout 0

  username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2

  Terminal width 80

  Cryptochecksum:b03a349e1ac9e6022432523bbb54504b

  : end

  Try to turn on NAT - T

  PIX (config) #isakmp nat-traversal 20

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

  HTH

• Unable to connect to the wireless network, Windows error cannot communicate with the device or the reaource (primary DNS server)

  Original title: internet connection problem

  Hey,.

  I use a wireless connection at home, it works very well in my android and apple gadget, but it does not work for my laptop. It is said:

  1. Windows cannot communicate with the device or the reaource (primary DNS server)

  2. the connection between the Internet and your access point, router or cable modem is broken

  3 problem with access point or wireless adapter

  I think it's an effects of virus or something?  Because yesterday it works really well. How can I fix? Thank you very much

  Hello Hildegard Lydia,

  You may experience this problem for a number of reasons. Some common problems that can cause these problems are: drivers damaged or incompatible, updates missing, network connection settings, hardware problems or software or TCP/IP can sometimes be damaged or corrupted.

  What is the brand and model of your computer?

  Please follow the steps mentioned below:

  Method 1: a component of the Internet connection on your computer is a package of instructions called TCP/IP. TCP/IP can sometimes become damaged or altered. If you can't connect to the Internet and you have tried all other methods to solve the problem, TCP/IP can be causing it.
  I suggest you try to reset the TCP/IP stack.
  http://support.Microsoft.com/kb/299357

  Method 2:

  I suggest that you refer to the following link:

  Why can't I find a wireless network?

  http://Windows.Microsoft.com/en-CA/Windows/cant-find-wireless-network#1TC=Windows-7

  Method 3:

  See the steps in the following link and check:

  Wireless and wired network problems

  http://Windows.Microsoft.com/en-CA/Windows/network-connection-problem-help#network-problems=Windows-7&V1H=win81tab1&V2H=win7tab1&V3H=winvistatab1&v4h=winxptab1

  Please an update on the status of the issue to help you further.