Cisco VPN Client cannot access anything through VPN on an ASA5505 8.4
Hello
Completely new to Cisco ASA, and I need to get this working ASAP.
The 8.4(1) ASA 5505 is the secondary FW and I need to allow everything out and block everything coming in, except for the VPN clients. Being a Cisco newbie, I used the ASDM and its wizards to make this work, which may explain my situation.
192.168.101.0/24 is the local network
192.168.101.5 is the IP of ASA
192.168.101.2 is the primary FW (and the default gateway for the servers I have to access through the VPN)
10.10.101.0/24 is the VPN IP range (this can be whatever you want, I'm not married to it in any way)
My Cisco VPN Client connects to the ASA and receives the IP address 10.10.101.1, but I get no connectivity to the ASA or to any other 192.168.101.x host or server service (tried RDP, telnet, ping, etc.)
Configuration file is attached.
Help pretty please!
Thank you.
Did you add a route for the VPN Pool on the main firewall to the ASA?
Best regards
Peer
Sent from Cisco Technical Support iPad App
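As an added illustration of the two configuration pieces involved here (this is not the poster's attached configuration and not part of Peer's reply), the following ASA 8.4 fragment uses the addresses given above; the object names INSIDE_LAN and VPN_POOL and the interface names inside/outside are assumptions:

```cisco
! Added example, not the poster's config: identity (twice) NAT on ASA 8.4 so that
! traffic between the inside LAN and the VPN client pool is neither translated
! nor caught by the dynamic PAT used for Internet access.
! Assumed names: INSIDE_LAN, VPN_POOL, nameifs "inside" and "outside".
object network INSIDE_LAN
 subnet 192.168.101.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.101.0 255.255.255.0
!
! route-lookup makes the ASA choose the egress interface from the routing table
! instead of from the NAT rule, so decrypted VPN traffic cannot be sent out the
! wrong interface; no-proxy-arp stops the ASA answering ARP for the LAN hosts.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Lets a VPN client reach the ASA's own inside address (ping, ASDM, SSH) over the tunnel;
! without it the inside interface is unreachable from the outside-terminated session.
management-access inside
!
! Return path: the servers' default gateway is the primary FW (192.168.101.2), not this
! ASA, so the primary FW needs a static route for 10.10.101.0/24 via the ASA's inside
! address 192.168.101.5 (its syntax depends on that firewall's vendor, which the
! thread does not state). Without that route the servers' replies never reach the ASA,
! which is exactly the "client gets an address but nothing answers" symptom.
```

The NAT rule alone is not sufficient when hosts use a different default gateway: the ASA forwards the decrypted packet to the server, but the server replies towards 192.168.101.2, which has no idea where 10.10.101.0/24 lives. Either add the route on the primary FW or give the servers a host route for the pool pointing at 192.168.101.5.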
Tags: Cisco Security
Similar Questions
-
We have Creative Cloud for businesses.
Our Creative Cloud for teams client company (= users) cannot access the Typekit Portfolio plan, only the free fonts.
Best regards
Matti Makijarvi
We got it working: first off, we removed the user's CC and Typekit user accounts, deleted this user from the dashboard, created a new email account for the user, and invited them through this e-mail as a new user.
Now she has access to the Typekit Portfolio plan.
/Matti
-
VPN client on ASA cannot access the Internet.
VPN clients can get to the internal/DMZ servers but not the Internet. This is the partial config of the ASA. TIA
VPN pool 10.17.70.0
DMZ 192.168.100.0
Internal 172.0.0.0
-------------------------------------
access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
access-list splittunnel standard permit 172.0.0.0 255.0.0.0
global (outside) 10 interface
global (Businesspartner) 10 interface
nat (inside) 0 access-list nonatdmz
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
Vinnie, glad that you found it here.
To telnet to the ASA over the VPN session, you need to add this statement:
management-access inside
In this same link, see split tunnel vs. tunnel-all vs. allow local LAN access only; you can learn the differences and you will better understand your ASA configuration related to RA VPN.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080702999.shtml
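The two designs the reply points at, shown as an added example for an 8.2-style configuration like the partial one above (this is not Vinnie's config and not part of the reply). It reuses the pool 10.17.70.0/24, NAT id 10 and the splittunnel ACL from the partial config; the group-policy name RAVPN_GP is an assumption:

```cisco
! Added example, not the original poster's config. Two alternative ways to give
! remote-access VPN clients Internet access on ASA 8.2.
! Assumed: group-policy name RAVPN_GP. Pool, NAT id 10 and ACL splittunnel come
! from the partial config posted above.
!
! Option 1 - tunnel-all with hairpinning. Client Internet traffic is decrypted on
! "outside" and must leave on "outside" again. The ASA drops same-interface
! traffic unless it is explicitly permitted:
same-security-traffic permit intra-interface
! ...and the pool has to be PATed behind the outside address like an inside host,
! matching the existing "global (outside) 10 interface":
nat (outside) 10 10.17.70.0 255.255.255.0
!
! Option 2 - split tunnel. Only the networks in the ACL are sent through the
! tunnel; everything else leaves the client's own Internet connection, so no
! hairpin and no extra NAT is needed. Local LAN access and the exposure of the
! client to its local network are the trade-off the reply's link discusses.
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
```

With Option 1 the nonatdmz exemption still carries internal traffic untranslated, while everything else from 10.17.70.0/24 hits the nat (outside) 10 rule and is PATed out. Option 2 avoids routing client Internet traffic through the ASA at all.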
-
Cisco linksys router and cannot access the wireless network
We have a Cisco Linksys wireless router. When we first installed everything, we could connect our wireless laptops to the network. Now, however, the network is detected, but there is no access to the internet. We even had a guy from ATT out and he said that the wireless router had been installed backwards? He installed a DSL fast access icon on our laptop, and now we can access the wireless network but only if we connect through that first. We can also connect an iPod to the wireless network. They detect the network, but when we enter the password they cannot connect.
Hi JC_3094,
Welcome to the Microsoft Community and thanks for posting the question.
According to the description, it looks like you aren't able to access the Internet.
The likely cause of this problem is that the router is not configured properly.
Here are some steps that should help you to solve this problem.
Method 1:
Check if the router is configured properly to get access to the Internet.
Method 2:
Try the steps mentioned in this link and check:
This tutorial is designed to help you identify and solve problems with wired (Ethernet) and wireless (Wi-Fi) network connections in Windows.
Wireless and wired network problems
Method 3:
If there are frequent disconnections, try to update the firmware on the router and check.
In addition, visit these links for more information:
Why can't I connect to the Internet?
Hope this information helps. Reply to us if you have any questions with Windows and we will be happy to help.
-
Cannot access through its name WD my cloud
Hi, I am using OSX Sierra. I try to connect to my WD My Cloud device by using the name of the device via its app, but cannot access it. But when I use the IP address of My Cloud, I can access it easily. It also shows perfectly in Finder.
Can someone tell me why I cannot use it by name?
Ignore it. When I rebooted the WD My Cloud device, it worked fine. Don't know why this happened.
-
Hi all
I ran into a strange problem during the installation of an MD3600f. I connected a laptop to the MD and assigned 192.168.128.102 to my laptop. I could ping 192.168.128.101 (cont0) but could not access it via a browser. I want to access the controller to edit its IP address. Pls advise.
Rufat
Download the latest version of the Resource DVD.
The Dell page to look at for all this is en.community.dell.com/.../4234.dell-powervault-md-downloads.aspx. You will want to get Resource DVD 4.1.0.88.
-
Cannot access through desktop remote after replacing the hard drive
After replacing the hard drive, I can't access the computer via Remote Desktop. It is running Windows 7. The remote desktop access settings are in place. The firewall is disabled.
Hello
I appreciate the effort you put into posting the query on this forum.
I suggest that you post the question on the Microsoft TechNet forum because we have experts working on these issues. You can use this link to post the same query on TechNet:
http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro
Please do not hesitate to contact us if you have other questions related to Windows.
-
I have a home network with 4 PCs - one of them running Windows 7 Home Premium (with HomeGroup disabled) and the others running XP Pro. One XP machine is called 'Server' and has the Server and Computer Browser services running and set to automatic. The two other computers, called "Notebook" and "Dell", as well as the Windows 7 machine, do not have file and printer sharing enabled and specifically have the Server service disabled.
My problem is that one of the two XP client machines cannot access the workgroup. Let me be clear about this: I open Windows Explorer and click on "My Network Places" -> "Entire Network" -> "Microsoft Windows Network"; there is then a 5-10 second pause and then my workgroup name is displayed. When I click on the name of the workgroup, there is another ~10 second pause and then I get an error message that says "
is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have permissions. A device attached to the system is not functioning.", where the blank is the name of my workgroup. On other days, after some of the computers are restarted, I find that this XP client has absolutely no problem with it; but the other one now has the same problem. In other words, the problem moves back and forth between the two XP clients. Let's analyze: I have the Windows firewall on all PCs and no other firewall program. I tried disabling the Windows Firewall and my anti-virus program (temporarily), without effect. This may not be a problem with the way I've set up my shares, because the error occurs when I click on the workgroup rather than on a shared resource. This cannot be a problem with a specific XP client because at different times, each of the two PCs has worked perfectly without any configuration changes made between the two. It could be a problem with the server settings; but I don't see what it could be. I tried editing
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters and changing
IRPStackSize from 21 to 45, then 50. I also tried changing the Size from 2 to 3. I restarted the server and the XP client and it had no effect.
I don't have the same user account configured on all three machines. However, this cannot be the issue because the problem occurs when I click on the workgroup, before the server name is even displayed. In addition, each of these two XP clients has connected with its existing user account at times.
I tried running the Network Setup Wizard on all four machines, without effect. I tried a lot of things, most of which I can't remember. I'm at my wits' end. Help, please.
JW,
Thanks for the continued support.
Following the IPCONFIG advice, I looked in the registry on all computers and found EnableProxy wasn't there. According to the documentation it defaults to 0, which is what we want. However, I added it to all the computers, left it set to 0 and restarted the computers. The Node Type still said 'unknown'.
Thanks for the info on the master browser.
The "Network location cannot be reached" when you access shares
article talks about Windows 2003 Server and none of the symptoms mentioned relate to this situation. The "network adapter advanced troubleshooting for Windows workstations" article is about hardware troubleshooting. I think that's probably not the problem because the computer has no trouble accessing the internet, which would not be possible if the network card were not working.
I went through the Fix It entry to reset the TCP/IP stack, even though the article describes symptoms such as difficulty accessing the internet... And... THIS WORKED!
After rebooting, the PC that was in trouble can now access the workgroup. All the other PCs still can too (have not tried restarting them all over again). AWESOME! I can't thank you enough!
I'll re-post if the symptoms happen again; but for now, we can consider this issue RESOLVED.
Thank you 1 million,
Adam
-
Cannot access the AIP SSM via ASDM
CISCO recommendations below:
Cannot access the AIP SSM via ASDM
Problem:
This error message appears on the GUI.
Error connecting to sensor. Error Loading Sensor error
Solution:
Make sure that the IPS SSM management interface is up and check its configured IP address, default gateway and subnet mask. It is the interface used to access the software from Cisco Adaptive Security Device Manager (ASDM) on the local computer. Try to ping the management IP address of the IPS SSM interface from the local computer from which you want to access the ASDM. If the ping fails, check the ACLs on the sensor.
----------------------------------------------------------------------------------------------------------------------------------------------
I've tried everything recommended above. I can ping the ASDM host from the FW and from the SSM-10 module. Likewise, I can ping the host machine and the SSM from the ASDM. I opened the ACL as wide as possible. I changed the IP addresses and masks several times. The management port of the ASA, the SSM and the PC are all on the same subnet.
A packet trace from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened it wide. I've seen this kind of problem before and it was solved by applying a double static NAT, but I don't know how to do that if all the IP addresses are on the same subnet.
Tried everything, need help from a higher level.
The IDM software that comes with ASDM does not support Java 1.7. The ASA portion of ASDM supports 1.7, but launching the IPS part works only with 1.6. The TAC engineer suggested that I use IME (IPS Manager Express), which is available for free on Cisco's web site (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).
I've been playing with it today, and so far it seems to work pretty well.
-
Client VPN cannot access anything at the main Site
I am sure that this problem has been resolved a million times before, but I can't get this to work. Can someone take a look at this quick config and tell me what the problem is?
The Cisco VPN client connects without problems, but I can't access anything whatsoever.
ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 15
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.43.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.248
!
interface Vlan15
 forward interface Vlan1
 nameif IPOffice
 security-level 100
 ip address 192.168.42.254 255.255.255.0
!
boot system disk0:/asa844-k8.bin
ftp mode passive
object network obj-192.168.43.0
 subnet 192.168.43.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.11.12.0_24
 subnet 10.11.12.0 255.255.255.0
object network NETWORK_OBJ_192.168.43.160_28
 subnet 192.168.43.160 255.255.255.240
object network IPOffice
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit icmp any 192.168.42.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for Split Tunnel VPN
access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu IPOffice 1500
ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network IPOffice
 nat (IPOffice,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.43.0 255.255.255.0 inside
http 192.168.42.0 255.255.255.0 IPOffice
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set encrypt method 1 IKEv1 esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dynmap 30 set pfs group1
crypto dynamic-map dynmap 30 set ikev1 transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map rpVPN 65535 ipsec-isakmp dynamic dynmap
crypto map rpVPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.43.5-192.168.43.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy RPVPN internal
group-policy RPVPN attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1
username admin password gP3lHsTOEfvj7Z3g encrypted privilege 15
username mark password blPoPZBKFYhjYewF encrypted privilege 0
tunnel-group RPVPN type remote-access
tunnel-group RPVPN general-attributes
 address-pool newvpnpool
 default-group-policy RPVPN
tunnel-group RPVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
: end
Well yes, you are quite right on that!
Asymmetric routing is not supported on the firewall: traffic in and out should go via the same interfaces; otherwise it thinks it's an attack and drops the packet.
The default gateway of the devices on the IPOffice subnet should be the ASA's IPOffice interface (192.168.42.254), not the switch, if it is a switch shared with your home network. Similarly, for devices on the inside subnet, the default gateway must be the ASA's 192.168.43.254.
As for the switch, you can give it a default gateway of either the ASA inside or the ASA IPOffice interface IP, and the return traffic needs to route through the same path.
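To confirm which direction of the flow is failing before changing gateways, here is an added set of ASA 8.4 verification commands for the configuration posted above (these are not part of the reply). 192.168.42.10 is a constructed address for a host on the IPOffice subnet; 10.11.12.100 is the first address of the posted newvpnpool:

```cisco
! Added example: verification commands against the posted 8.4(4) configuration.
! 192.168.42.10 is a constructed IPOffice host; 10.11.12.100 is from newvpnpool.
!
! 1. Is the client's IPsec SA up, and is traffic flowing both ways?
!    #pkts decaps rising while #pkts encaps stays at 0 means the ASA decrypts the
!    client's packets but never receives a reply to encrypt: a return-path problem.
show crypto ipsec sa
!
! 2. Which NAT rules exist and which ones are being hit. The "source static any any
!    destination static NETWORK_OBJ_10.11.12.0_24 ..." rule should show translate
!    hits for client traffic; if the obj_any dynamic PAT is hit instead, the
!    exemption is not matching.
show nat detail
!
! 3. Simulate the *return* packet: an IPOffice host replying to the VPN client.
!    If the host's real default gateway is another device, this packet never
!    reaches the ASA at all, which packet-tracer cannot show but the capture below can.
packet-tracer input IPOffice tcp 192.168.42.10 3389 10.11.12.100 40000
!
! 4. Drop counters: asymmetric or mis-ordered return traffic shows up here
!    (for example tcp-not-syn or no-route reasons) when hosts use the wrong gateway.
show asp drop
!
! 5. Capture the decrypted flow on the IPOffice side and see whether replies arrive.
capture vpnin interface IPOffice match ip host 192.168.42.10 10.11.12.0 255.255.255.0
show capture vpnin
no capture vpnin
```

Seeing the client's SYN leave towards 192.168.42.10 in the capture with no SYN/ACK coming back is the signature of the gateway problem the reply describes: the host answers via the shared switch's other gateway, not via the ASA.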
-
I have problems accessing resources on the inside network when connecting with the Cisco VPN client to a Cisco ASA 5510 running version 8.4(3). I tried all the new 8.4 NAT commands but cannot access the inside network. I can see traffic in the logs when I ping. I can only assume I have the NAT wrong, or is it because the inside interface of the ASA is on the same /24 subnet as the inside network? Please see the config below; any suggestion would be appreciated. I configured a site-to-site VPN on this same 5510 and it works well.
Thank you
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.88.10.254 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT_to_Outside_ClassA
 subnet 10.88.0.0 255.255.0.0
object network PAT_to_Outside_ClassB
 subnet 172.16.0.0 255.240.0.0
object network PAT_to_Outside_ClassC
 subnet 192.168.0.0 255.255.240.0
object network LocalNetwork
 subnet 10.88.0.0 255.255.0.0
object network RemoteNetwork1
 subnet 192.168.0.0 255.255.0.0
object network RemoteNetwork2
 subnet 172.16.10.0 255.255.255.0
object network RemoteNetwork3
 subnet 10.86.0.0 255.255.0.0
object network RemoteNetwork4
 subnet 10.250.1.0 255.255.255.0
object network NatExempt
 subnet 10.88.10.0 255.255.255.0
object-group network Site_to_SiteVPN1
 network-object 192.168.4.0 255.255.254.0
 network-object 172.16.10.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list 11 extended permit ip 10.250.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 10.88.0.0 255.255.0.0 object-group Site_to_SiteVPN1
ip local pool Admin_Pool 10.250.1.1-10.250.1.254 mask 255.255.255.0
nat (inside,outside) source static NatExempt NatExempt
nat (inside,outside) source static any any destination static RemoteNetwork4 RemoteNetwork4 route-lookup
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork1 RemoteNetwork1
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork2 RemoteNetwork2
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork3 RemoteNetwork3
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
!
object network PAT_to_Outside_ClassA
 nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassB
 nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassC
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dynamic-access-policy-record DfltAccessPolicy
sysopt connection timewait
service resetoutside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set bh-set esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set ikev1 transform-set bh-set
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer x.x.x.x
crypto map mymap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 1 set security-association lifetime seconds 86400
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy BACKDOORVPN internal
group-policy BACKDOORVPN attributes
 vpn-filter value 11
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 default-domain value BH.UK
tunnel-group BACKDOORVPN type remote-access
tunnel-group BACKDOORVPN general-attributes
 address-pool Admin_Pool
 default-group-policy BACKDOORVPN
tunnel-group BACKDOORVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
Excellent.
Please rate helpful posts.
Thank you
Rizwan James
-
Cannot access remote resources - Cisco VPN Client
I'm having a problem with my Cisco VPN Client. I am new to VPN configuration, so this is probably something easy I'm missing. I have a 2611XM router as the internet gateway for my LAN and as my VPN server. I do all my tests from a company laptop with a mobile broadband card. The VPN connects, but any time I ping anything in the office network, it comes back with the public IP address of the external interface. I have NAT overload configured so that the inside network can access the internet, which looks like it may be causing my problem. I don't know how to fix it. My running config is attached. Does anyone know what might be happening?
Oh, almost forgot to add: when I remove the NAT overload from my interface fa0/1, the VPN can connect to any resource on the inside.
Your NAT configuration seems to be the origin of the problem. If you are using an ACL to match the source for NAT, then you will need to add a deny line for the local IP pool of your VPN clients as the first entry. Try that and see how it goes.
Sent from Cisco Technical Support iPhone App
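The change the reply describes, as an added IOS example (this is not the poster's attached running-config). The thread gives no addresses, so 192.168.10.0/24 for the LAN and 10.20.30.0/24 for the client pool are placeholders, and FastEthernet0/0 as the inside interface is an assumption; FastEthernet0/1 as the NAT outside interface comes from the poster's own words:

```cisco
! Added example, not the poster's running-config. On an IOS router doing NAT
! overload, the NAT ACL must exclude LAN -> VPN-pool traffic *before* the permit,
! otherwise replies to VPN clients are translated to Fa0/1's public address and
! the client sees its pings answered from that address instead of the inside host.
! Placeholders: 192.168.10.0/24 = LAN, 10.20.30.0/24 = client pool, Fa0/0 = inside.
ip local pool VPNPOOL 10.20.30.1 10.20.30.50
!
ip access-list extended NAT_INSIDE
 remark VPN client pool must never be NATed (deny is evaluated first)
 deny   ip 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
! The overload rule itself stays; only the ACL feeding it changes.
ip nat inside source list NAT_INSIDE interface FastEthernet0/1 overload
```

Order matters: IOS evaluates the ACL top-down, so a permit-any placed before the deny would still translate the traffic, which is the behaviour the poster observed when the overload was in place and the symptom that disappeared when it was removed.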
-
Cannot access network resources - Cisco VPN client
Please see attached the network topology.
I can connect using the Cisco VPN client and access all resources on the 192.168.3.0 network.
I can't ping or access any hosts on the 192.168.5.0 network.
Any ideas?
Thanks for the help in advance
AD
Quite correct.
Please add this to the access list:
access-list CPA standard permit 192.168.5.0 255.255.255.0
-
Cisco vpn client 5.0.07 no internet access
I am trying to configure remote access VPN on the ASA 5505 in my office.
The config is set up on my ASA, and I have Cisco VPN client 5.0.07 installed on my Windows 7 (64-bit) laptop. I can start the VPN, put in my credentials and it seems that everything goes through, but once I'm connected, I lose access to the internet, and I cannot ping anything (4.2.2.2, 192.168.1.1 (gateway), etc...)
I keep seeing something about unchecking "Use default gateway on remote network", but this option is not available in the TCP/IP properties. Any suggestions?
Eric,
This should be the last change. Looks like you don't have the inside network in the split tunnel.
Here is the entry you need to add:
access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
Disconnect and reconnect. It should work like a charm.
Thank you
Bad Boy
-
Why can't my VPN clients access network drives and resources?
I have a Cisco ASA 5505 configured as a VPN gateway. I can dial in using the AnyConnect VPN client. The remote user is assigned an IP address according to my specifications. However... the remote user cannot access network resources such as network drives or the fax server. I've done everything I can to set the right NAT settings and ACLs, but in vain. I'm posting my config... if someone can track down the problem, it would be appreciated!
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name cisco
enable password xxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
names
name 68.191.xxx.xxx outside
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.201.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outside 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.201.1
 domain-name cisco
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network obj-192.168.201.0
access-list NAT-FREE extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list NAT-FREE extended permit ip any 192.168.202.0 255.255.255.0
access-list NAT-FREE extended permit ip 192.168.202.0 255.255.255.0 any
access-list NAT-FREE extended permit icmp any any
access-list scope extended permit ip any any
access-list scope extended permit object-group TCPUDP any any
access-list scope extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_access_in extended permit icmp any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit icmp any any
access-list inside_nat0_outbound_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.201.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
route inside 0.0.0.0 255.255.255.255 outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.201.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair xxx
 proxy-ldc-issuer
 crl configure
 XXXXXXXXXXXXXXXXXXXXXXXX
 quit
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
allow inside
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
enable SVC
tunnel-group-list activate
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Cisco by default field value
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
WebVPN
SVC request enable
internal KunduVPN group strategy
attributes of Group Policy KunduVPN
WINS server no
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Cisco by default field value
username xxxx
username xxxxx
VPN-group-policy DfltGrpPolicy
attributes global-tunnel-group DefaultRAGroup
address VPNIP pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
type tunnel-group KunduVPN remote access
attributes global-tunnel-group KunduVPN
address (inside) VPNIP pool
address pool KunduVPN
authentication-server-group (inside) LOCAL
Group Policy - by default-KunduVPN
tunnel-group KunduVPN webvpn-attributes
enable KunduVPN group-alias
allow group-url https://68.191.xxx.xxx/KunduVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
: end
Hello
What is the gateway IP address of the LAN hosts/servers?
If it is not the ASA "inside" interface IP address, then I assume the problem with the VPN is simply routing.
For example, if the gateway for your LAN hosts/servers is a wireless LAN router, then the following would happen to your VPN Client connections:
- VPN Client users log in through a static PAT (port forward) configured on the wireless router to the ASA "inside" interface
- The VPN Client sends traffic through the VPN to the ASA and on to the LAN host or server.
- The LAN host/server sees the connection coming from a network other than the LAN (192.168.202.0/24) and therefore forwards the return traffic to its default gateway, which would likely be the wireless router.
- The wireless router has no route to the 192.168.202.0/24 network (VPN pool) and therefore uses its default route to forward the traffic to the external network.
- The VPN Client host never receives the traffic back, since it was sent out onto the external network and dropped by the ISP.
So if the above assumption is correct, you would at least need a route configured on the wireless router that tells the device to forward traffic for the 192.168.202.0/24 network to the gateway IP address 192.168.201.200 (which is the ASA).
Let me know if the setup is as described above.
-Jouni
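The return-path problem described in the reply above, traced step by step as an added example (this is not code from the thread or from Cisco). It models each device's routing table as a longest-prefix-match lookup and follows a server's reply toward a VPN client, once without and once with the static route for the VPN pool on the wireless router. The LAN, ASA inside address, gateway address and pool are the values used in the reply; the device names, the client address 192.168.202.5 and the rule that the ISP discards traffic for a private pool address are constructed for the simulation.

```python
"""Added example: simulate why the LAN default gateway needs a route for the
VPN pool pointing at the ASA. Topology values follow the reply above; device
names, the sample client address and the ISP drop rule are constructed."""
import ipaddress

LAN = "192.168.201.0/24"
VPN_POOL = "192.168.202.0/24"
ASA_INSIDE = "192.168.201.200"
LAN_GATEWAY = "192.168.201.1"   # wireless router, the hosts' default gateway

# Next hops: "direct" = deliver on the attached segment, "tunnel" = the ASA
# sends it to the VPN client, "isp" = hand it to the upstream provider.
def base_tables():
    """Routing tables as they stand before any fix (constructed)."""
    return {
        "server": [(LAN, "direct"), ("0.0.0.0/0", LAN_GATEWAY)],
        "wifi_router": [(LAN, "direct"), ("0.0.0.0/0", "isp")],
        "asa": [(VPN_POOL, "tunnel"), (LAN, "direct"), ("0.0.0.0/0", LAN_GATEWAY)],
    }

# Which device answers for a given LAN next-hop address.
DEVICE_BY_IP = {LAN_GATEWAY: "wifi_router", ASA_INSIDE: "asa"}


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Follow a packet from device `start` toward `dst`.

    Returns (path, outcome): the devices traversed and either 'delivered'
    (reached the segment or the VPN tunnel) or 'dropped' (left to the ISP or
    no route). max_hops guards against routing loops in a bad table."""
    device, path = start, [start]
    for _ in range(max_hops):
        next_hop = lookup(tables[device], dst)
        if next_hop in ("direct", "tunnel"):
            return path, "delivered"
        if next_hop == "isp" or next_hop is None:
            # A private pool address sent upstream is discarded by the ISP.
            return path, "dropped"
        device = DEVICE_BY_IP[next_hop]
        path.append(device)
    return path, "dropped"


def without_fix(client_ip="192.168.202.5"):
    """Server replies to a VPN client with the tables as posted."""
    return trace(base_tables(), "server", client_ip)


def with_fix(client_ip="192.168.202.5"):
    """Same reply after adding the suggested static route on the wireless router."""
    tables = base_tables()
    tables["wifi_router"].append((VPN_POOL, ASA_INSIDE))
    return trace(tables, "server", client_ip)


if __name__ == "__main__":
    print("without route on gateway:", without_fix())
    print("with route on gateway:   ", with_fix())
```

Without the route the reply leaves the server for the wireless router and is sent upstream and lost; with the route the wireless router hands it to the ASA, which puts it into the tunnel. The simulation also shows the alternative the reply hints at: if the hosts' default gateway were the ASA inside address itself, the extra route would not be needed, because the ASA already has the pool route.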