Client VPN access to VLAN native only
I have a router 2811 (config below) with VPN set up. I can connect through the VPN devices and access on the VLAN native but I can't access the 10.77.5.0 (VLAN 5) network (I do not access the 10.77.10.0 - network VLAN 10). This question has been plagueing me for quite a while. I think it's a NAT device or ACL problem, but if someone could help me I would be grateful. Client VPN IP pool is 192.168.77.1 - 192.168.77.10. Thanks for the research!
Current configuration: 5490 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
2811-Edge host name
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
AAA new-model
!
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
AAA - the id of the joint session
!
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 10.77.5.1 10.77.5.49
DHCP excluded-address IP 10.77.10.1 10.77.10.49
!
dhcp Lab-network IP pool
import all
Network 10.77.5.0 255.255.255.0
router by default - 10.77.5.1
!
pool IP dhcp comments
import all
Network 10.77.10.0 255.255.255.0
router by default - 10.77.10.1
!
domain IP HoogyNet.net
inspect the IP router-traffic tcp name FW
inspect the IP router traffic udp name FW
inspect the IP router traffic icmp name FW
inspect the IP dns name FW
inspect the name FW ftp IP
inspect the name FW tftp IP
!
Authenticated MultiLink bundle-name Panel
!
voice-card 0
No dspfarm
!
session of crypto consignment
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
life 7200
!
Configuration group customer isakmp crypto HomeVPN
key XXXX
HoogyNet.net field
pool VPN_Pool
ACL vpn
Save-password
Max-users 2
Max-Connections 2
Crypto isakmp HomeVPN profile
match of group identity HomeVPN
client authentication list userauthen
ISAKMP authorization list groupauthor
client configuration address respond
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpn
!
Crypto-map dynamic vpnclient 10
Set transform-set vpn
HomeVPN Set isakmp-profile
market arriere-route
!
dynamic vpn 65535 vpnclient ipsec-isakmp crypto map
!
username secret privilege 15 5 XXXX XXXX
username secret privilege 15 5 XXXX XXXX
Archives
The config log
hidekeys
!
IP port ssh XXXX 1 rotary
!
interface Loopback0
IP 172.17.1.10 255.255.255.248
!
interface FastEthernet0/0
DHCP IP address
IP access-group ENTERING
NAT outside IP
inspect the FW on IP
no ip virtual-reassembly
automatic duplex
automatic speed
No cdp enable
vpn crypto card
!
interface FastEthernet0/1
no ip address
automatic duplex
automatic speed
No cdp enable
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
IP 10.77.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
IP 10.77.5.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
IP 10.77.10.1 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/0/0
no ip address
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet0/1/0
no ip address
Shutdown
automatic duplex
automatic speed
!
router RIP
version 2
10.0.0.0 network
network 172.17.0.0
network 192.168.77.0
No Auto-resume
!
IP pool local VPN_Pool 192.168.77.1 192.168.77.10
no ip forward-Protocol nd
!
IP http server
no ip http secure server
overload of IP nat inside source list NAT interface FastEthernet0/0
!
IP extended INBOUND access list
permit tcp any any eq 2277 newspaper
permit any any icmp echo response
allow all all unreachable icmp
allow icmp all once exceed
allow tcp any a Workbench
allow udp any any eq isakmp
permit any any eq non500-isakmp udp
allow an esp
allowed UDP any eq field all
allow udp any eq bootps any eq bootpc
NAT extended IP access list
IP 10.77.5.0 allow 0.0.0.255 any
IP 10.77.10.0 allow 0.0.0.255 any
IP 192.168.77.0 allow 0.0.0.255 any
list of IP - vpn access scope
IP 10.77.1.0 allow 0.0.0.255 192.168.77.0 0.0.0.255
IP 10.77.5.0 allow 0.0.0.255 192.168.77.0 0.0.0.255
!
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.77.5.1 eq bootps
access-list 100 permit udp 10.77.10.0 0.0.0.255 eq bootpc host 10.77.5.1 eq bootps
access-list 100 deny tcp 10.77.10.0 0.0.0.255 any eq telnet
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.5.0 0.0.0.255
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.1.0 0.0.0.255
access ip-list 100 permit a whole
!
control plan
!
Line con 0
session-timeout 30
password 7 XXXX
line to 0
line vty 0 4
Rotary 1
transport input telnet ssh
line vty 5 15
Rotary 1
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
WebVPN cef
!
end
If you want to say, that after the way nat rules which I have proposed, you lost the connection to the VLAN native, so yes, it's because the subnet VLANs native has not been included in this acl with Deny statement. So that the ACL should look like this:
NAT extended IP access list
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255 //This is not respected
allow an ip
In addition, if you want to go throug the other tunnel inside the subnet not listed above, then you should include that subnet to the NAT exemption rule with Deny statement.
Tags: Cisco Security
Similar Questions
-
Remote RDP client VPN access on ASA 5510
Hello.
We have configured the VPN tunnel from site of offshore to the location of the customer using ASA5510 and access to RDP to the location of the customer. Also been configured remote VPN access in offshore location. But using the remote VPN client, we are able to get the RDP of officeshore location but not able to access to the location of the RDP client. Are there any additional changes required?
Thank you
Hi Salsrinivas,
so to summarize:
the VPN client connects to the ASA offshore
the VPN client can successfully RDP on a server at the offshore location
the VPN client cannot NOT RDP on a server at the location of the customer
offshore and the location of the customer are connected by a tunnel L2L
(and between the 2 sites RDP works very well)
is that correct?
Things to check:
-the vpn in the ACL crypto pool?
-you're exemption nat for traffic between the vpn pool and 'customer' LAN? is the exemption outside (vpn clients are coming from the outside)?
-you have "same-security-traffic permitted intra-interface" enabled (traffic will appear outside and go back outside)?
If you need help more could you put a config (sterilized) Please?
HTH
Herbert -
VPN site-to-site between two PIX 501 with Client VPN access
Site A and site B are connected with VPN Site to Site between two PIX 501.
Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.
How is that possible for a VPN client connected to Site A to Site B?
Thank you very much.
Alex
Bad and worse news:
Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.
Even worse: PIX 501 can not be upgraded to 7.0...
A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.
HTH Please assess whether this is the case.
Thank you
-
Client VPN access router to the Internet through the same router! How?
Hi all
I already setup VPN users connect to our router 1841 and corporate network. Use Cisco VPN Client and connection ends on the interface Dialer1 in 1841. This interface is also our ADSL Internet connection.
I need the VPN users out to the Internet via this VPN connection (it is through this Dialer1), rather than use the split tunneling and Internet browsing from their Local Internet service providers.
Of course, this Dialer1 is also 'nat outside' and FastEthernet is LAN and "nat inside '.
So I'll need NAT these VPN-pool addresses to address IP Dialer1. But what would be 'nat inside' in this case...
Can anyone help?
a loopback interface must be configured to "nat inside '.
for example
Loopback int 1
IP 1.1.1.1 255.255.255.0
No tap
IP nat inside
access-list 199 refuse ip<1841 private="" net=""><1841 private="" net="" mask="">
access-list 199 ip allow a
allowed policy-road route map 10
corresponds to the IP 199
set ip next-hop 1.1.1.2
interface Dialer0
political map of IP policy-road route
-
SRP526W to transmit or provide VPN access to clients
Hello
We have a SRP526W here, which replaced a cheap, simple router. Now, we would like to set up VPN access for outside clients again. So far, this was done by sending PPTP (TCP 1723 and GRE) for the Routing and Windows 2000 RAS server within the network.
According to this post SRP521W, and therefore I guess so the SRP526W, are not able to pass the GRE: https://supportforums.cisco.com/thread/2093204
Is it possible to provide external client VPN access with this router? Perhaps with L2TP (but then you should transmit ESP) or IPSec (ESP and AH as far as I know)?
If there is no solution, we need to replace this device again once with a cheap, simple, router that is able to convey the Grateful - as you can imagine, we would like to save this shame Cisco.
Kind regards
Dominik
Hello Dominik,
The SRP520 only supports IPSec site-to-site at this time.
Advancements are made, please check in the new year.
Andy
-
PIX - PIX VPN and Client VPN - cannot access core network
I hub and spoke PIX and a VPN Client that connects to speak it PIX, much the same as the example configuration here: -.
This example shows the client VPN access to the network behind PIX RADIUS. I want the client to also be able to access the central network, i.e. the client connects to the pix speaks via vpn, and traffic is routed through the vpn to PIX - PIX to the central site.
How this would change the configuration contained in the example?
See you soon,.
Jon
You can not do this, the PIX cannot route a package back on the same interface, it is entered in the. The only way to do that is to have the client connect to the hub PIX, but then they would not be able to get to the network behind PIX distance either.
Or that the customer would connect on a different interface in the PIX of distance, but this would mean another connection ISP on this PIX. Example of config is here: http://www.cisco.com/warp/public/110/client-pixhub.html
-
The VPN Clients need access to the subnet on another router
Hello
We have a pix 515e PIX Version 8.0 (2)
We have two subnet 10.1.x.x/16 and 10.2.x.x/16
The firewall is on 10.1.x.x and vpn clients can access this subnet.
The firewall can ping 10.2.x.y where x is a server in the other subnet.
On the 10.2.x.x customers out the firewall.
The problem is that vpn clients cannot access the server of 10.2.x.y even if the pix can ping 10.2.x.y and the road for him.
What I need to check that the vpn rules are correct in the pix 515e?
I think it is a rule of exemption nat or something like that not exactly sure.
Everything would be a great help.
Thank you
Hello
For clients VPN access to these subnets, check the following:
1 NAT exemption include these subnets (if not using NAT)... it's the NAT0 ACL command
2. these subnets is included in the split tunneling
3. these subnets have a route to the PIX to send traffic to the VPN client pool.
4. There are no ACLs not applied to the inside interface of the PIX deny this communication.
Federico.
-
VPN access to the not directly connected networks
Hello
I have a 5510 which is used for Client VPN access and there is something simple that I can't work.
The VPN part works very well with AAA on a CBS.
But what does not is access to networks that are not directly connected to the inside interface.
That is to say the VPN users can connect to the network within the Interface (say 192.168.0.0/24) but not a 10.0.0.0/8 network which is connected through 192.168.0.1 router.
I have the static routes in Routing and firewall all showing the way back to the firewall on all the other networks, but I don't get more far the 192.168.0.1 router...
I use split tunneling and pass all of the private over the VPN - internet networks is used through the own local access to clients.
Can someone help me out here?
Thank you.
Fraser
PS: have the same type of access on a 7206VXR and soft, everything can be consulted and which is necessary - but I would like to move this service to the ASA.
Fraser
I don't understand the ASDM parts as you suggest. The code would be great.
I would also recommend control ACL applied to the inside interface (if any) that it allows traffic as
inside_access_in list of permitted access 10.0.0.0 255.0.0.0 vpnsubnet vpnnetmask
If still no joy, attach your config sanitized, would be useful for me to diagnose.
Concerning
-
Wacky VPN access problem of ASA
Hi people,
I am currenty a situation, and I am in real need of advice...
The situation is that, if ASA helps my remote branches to access my home network and its allowing people to visit Internet inside, its not allowing the remote VPN client VPN access... R V to aid VPN client version of Cisco 4.6...
See a presentation of basic network that illustrates our network and configuration of the ASA...
Advice to solve this problem will be greatly appreciated...
Kind regards
Noman Bari
I see what rou are... Please see my attchement...
Please rate if it helps!
-
PIX-to-client VPN and how to reach on other interfaces systems
Hi all
I've implemented a Pix-to-Client VPN and it seems works ok.
As you can see, customer gets the same inside the class address (192.168.100.x) so I can reach across systems.
My questions are:
If I give different subnet pool addresses, how can 1 I still reach inside systems?
2 if I have other systems on these interfaces such dmz1 (192.168.10.0) dmz2 (192.168.20.0) how to get to these systems of the
even the client vpn access?
Concerning
Alberto Brivio
IP local pool vpnpool1 192.168.100.70 - 192.168.100.80
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
NAT (inside) - 0 102 access list
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp - esp-md5-hmac trmset1
Crypto-map dynamic map2 10 set transform-set trmset1
map map1 10 ipsec-isakmp crypto dynamic map2
map1 outside crypto map interface
ISAKMP allows outside
ISAKMP identity address
part of pre authentication ISAKMP policy 10
encryption of ISAKMP policy 10
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
vpngroup address vpnpool1 pool test
vpngroup split tunnel 102 test
vpngroup test 1800 idle time
test vpngroup password *.
It is generally preferable to use another range of IP addresses. The PIX will know that the VPN Client uses that vary and route it properly whitch is not the case when you are using the same IP range as the inside interface.
To access another interface use the SHEEP (your ACL 102) access list which disables NAT between the VPN and the neworks to which you want to connect.
Example of config:
access-list allowed SHEEP Internalnet ISubnetMask VPN-pool 255.255.255.0 ip
access-list allowed SHEEP DMZnet DMZSubnetMask VPN-pool 255.255.255.0 ip
NAT (inside) 0 SHEEP
AAA-server local LOCAL Protocol
AAA authentication secure-http-client
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS
Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS
card crypto 65535 REMOTE ipsec-isakmp dynamic outside_dyn_map
REMOTE client authentication card crypto LOCAL
interface card crypto remotely outside
ISAKMP allows outside
ISAKMP identity address
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
IP pool local VPNPool x.y.z.1 - x.y.z.254
vpngroup VPNGroup address pool VPNPool
vpngroup VPNGroup dns-server dns1 dns2
vpngroup VPNGroup default-domain localdomain
vpngroup idle 1800 VPNGroup-time
vpngroup VPNGroup password grouppassword
username, password vpnclient vpnclient-password
sincerely
Patrick
-
The VPN Clients cannot access any internal address
Without a doubt need help from an expert on this one...
Attempting to define a client access on an ASA 5520 VPN that was used only as a
Firewall so far. The ASA has been recently updated to Version 7.2 (4).
Problem: Once connected, VPN client cannot access anything whatsoever. Client VPN cannot
ping any address on internal networks, or even the inside interface of the ASA.
(I hope) Relevant details:
(1) the tunnel seems to be upward. Customers are the authenticated by the SAA and
are able to connect.
(2) by many other related posts, I ran a ' sh crypto ipsec her "to see the output: it
appears that the packets are décapsulés and decrypted, but NOT encapsulated or
encrypted (see the output of "sh crypto ipsec his ' home).
(3) by the other related posts, we've added commands associated with inversion of NAT (crypto
ISAKMP nat-traversal 20
crypto ISAKMP ipsec-over-port tcp 10000). These were in fact absent from our
Configuration.
(4) we tried encapsulation TCP and UDP encapsulation with experimental client
profiles: same result in both cases.
(5) if I (attempt) ping to an internal IP address of the connected customer, the
real-time log entries ASA show the installation and dismantling of the ICMP requests to the
the inner target customer.
(6) the capture of packets to the internal address (one that we try to do a ping of the)
VPN client) shows that the ICMP request has been received and answered. (See attachment
shooting).
(7) our goal is to create about 10 VPN client of different profiles, each with
different combinations of access to the internal VLAN or DMZ VLAN. We do not have
preferences for the type of encryption or method, as long as it is safe and it works: that
said, do not hesitate to recommend a different approach altogether.
We have tried everything we can think of, so any help or advice would be greatly
Sanitized the ASA configuration is also attached.
appreciated!
Thank you!
It should be the last step :)
on 6509
IP route 172.16.100.0 255.255.255.0 172.16.20.2
and ASA
no road inside 172.16.40.0 255.255.255.0 172.16.20.2
-
Client VPN on PIX needs to access DMZ
VPN clients 3.5 ending PIX 6.X cannot access hosts on a PIX DMZ interface. Journal reports of error that there is no 'translation group available outside' for the subnet of the VPN Client (from the vpngroup pool).
I should add the VPN client subnet to a nat (outside) device?
Can I add it to the nat inside?
Can I just add static to the DMZ hosts within the subnet interface because VPN clients can access the inside hosts?
(I have the subnets in the nat 0 sheep ACL)
Thanks and greetings
JT
You'll need to add is nat 0. You say in your () you have an acl sheep, for the perimeter network or the inside interface? You use the same access list to the sheep inside and dmz? You should separate if you use separate access list. Is your pool of client on a different subnet than your home network and dmz? It must be something like this:
Customer IP local pool 192.168.1.1 - 192.168.1.254
IP, add inside 10.10.10.1 255.255.255.0
Add 10.10.20.1 dmz IP 255.255.255.0
access-list sheep by 10.10.10.0 ip 255.255.255.0 192.168.1.0 255.255.255.0
nonatdmz list of access by IP 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
NAT (inside) 0 access-list sheep
NAT (dmz) 0-list of access nonatdmz
If this is correct then clear x, wr mem, reload. I hope this helps.
Kurtis Durrett
PS
If he did not, only can recommend the upgrade your client and pix because that is exactly how it should look, and if its does not work you are facing an additional feature you want.
-
ASA5505 can transfer clients to remote VPN access to the local network
I have currently ASA 5505 and 2911-router and I am trying to configure the VPN topology.
Can ASA5505 you transmit to remote VPN access clients LAN operated by another router?
These two cases are possible? :
(1) ASA 5505 and 2911-router are separate WAN interfaces, each connected directly to the ISP. But so can I connect an other interfaces LAN of ASA 5505 in a switch managed by 2911 router customers to distance-SSL-VPN to inject into the local network managed by the router?
(2) ASA 5505 is behind router-2911. May 2911 router address public ip or public ip address VPN-access attempts have directly be sent to ASA 5505 when there is only a single public ip address address available?
Long put short, ASA 5505 can inject its clients to remote-access-VPN as one of the hosts on the local network managed by 2911-router?
Thank you.I could help you more if you can explain the purpose of this configuration and connectivity between the router and ASA.
You can activate the reverse route on the dynamic plane on the SAA. The ASA will install a static route to the customer on the routing table. You can use a routing protocol to redistribute static routes to your switch on the side of LAN of the SAA.
-
Why my VPN clients cannot access network drives and resources?
I have a cisco asa 5505 configured to be a VPN gateway. I can dial using the anyconnect VPN client. The remote user is assigned an IP address to my specifications. However... The remote user cannot access network such as disks in network resources or the fax server. I've done everything I can to set the right settings NAT and ACLs, but in vain. I write my config... If someone can track down the problem. It would be appreciated!
: Saved
:
ASA Version 8.2 (5)
!
ciscoasa hostname
Cisco domain name
activate the password xxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
names of
name 68.191.xxx.xxx outdoors
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.201.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address outside 255.255.255.0
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
192.168.201.1 server name
Cisco domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group network obj - 192.168.201.0
FREE access-list extended ip 192.168.201.0 NAT allow 255.255.255.0 192.168.201.0 255.255.255.0
NAT-FREE 192.168.202.0 permits all ip extended access list 255.255.255.0
FREE access-list extended ip 192.168.202.0 NAT allow 255.255.255.0 any
Extended access list-NAT-FREE enabled a whole icmp
allow any scope to an entire ip access list
allow any scope to the object-group TCPUDP an entire access list
allow any scope to an entire icmp access list
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access allow TCPUDP of object-group a
inside_access_in list extended access permit icmp any one
outside_access_in of access allowed any ip an extended list
outside_access_in list extended access allow TCPUDP of object-group a
outside_access_in list extended access permit icmp any one
Standard access list DefaultRAGroup_splitTunnelAcl allow 192.168.201.0 255.255.255.0
access extensive list ip 192.168.202.0 inside_nat0_outbound allow 255.255.255.0 192.168.201.0 255.255.255.0
inside_nat0_outbound list extended access permit icmp any one
inside_nat0_outbound_1 of access allowed any ip an extended list
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
mask 192.168.202.1 - 192.168.202.50 255.255.255.0 IP local pool KunduVPN
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 192.168.201.0 255.255.255.0
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
Route inside 0.0.0.0 255.255.255.255 outdoor 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.201.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
Keypairs xxx
Proxy-loc-transmitter
Configure CRL
XXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP allow inside
crypto ISAKMP policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
allow inside
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
enable SVC
tunnel-group-list activate
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Cisco by default field value
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
WebVPN
SVC request enable
internal KunduVPN group strategy
attributes of Group Policy KunduVPN
WINS server no
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Cisco by default field value
username xxxx
username xxxxx
VPN-group-policy DfltGrpPolicy
attributes global-tunnel-group DefaultRAGroup
address VPNIP pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
type tunnel-group KunduVPN remote access
attributes global-tunnel-group KunduVPN
address (inside) VPNIP pool
address pool KunduVPN
authentication-server-group (inside) LOCAL
Group Policy - by default-KunduVPN
tunnel-group KunduVPN webvpn-attributes
enable KunduVPN group-alias
allow group-url https://68.191.xxx.xxx/KunduVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
: end
don't allow no asdm history
Hello
What is the IP address of the hosts/servers LAN Gateway?
If this is not the ASA 'inside' interface IP address then I assume that the problem with VPN is simply routing.
For example, if your hosts/servers LAN wireless LAN gateway router then the following would happen to your Clients VPN connections.
- Forms of customers login VPN users through configuring wireless routers static PAT (Port Forward) to interface "inside" ASA
- Client VPN sends traffic through the VPN to ASA and again the host of the server or LAN.
- Host/server LAN sees the connection from a network other than the LAN (192.168.202.0/24) and therefore to forward traffic to the default gateway that would likely be the wireless router.
- Wireless router has no route to the network 192.168.202.0/24 (VPN Pool) and therefore uses its default route to the external network to forward traffic.
- Client VPN host never received the traffic back as transmitted sound on the external network and abandoned by the ISP
So if the above assumption is correct, then you would at least need a configuration of the road on the wireless router that tells the device to transfer traffic to the network 192.168.202.0/24 to the 192.168.201.200 gateway IP address (which is the SAA)
I would like to know if the installation is as described above.
-Jouni
-
Hello:
I have configured ASA 5505 to acept Cisco VPN Clients on IP-SEC and access internal subnet of tuneling (added a rule exempt NAT too) and the VPN Clients can connect and work without problems.
But no internal network or the ASA I can ping or conect to the VPN Clients.
My configuration:
Internal network: 172.26.1.0 255.255.255.0
The VPN Clients network 172.26.2.0 255.255.255.0
Can you help me?
Here is my configuration:
: Saved : ASA Version 7.2(4) ! hostname ciscoasa domain-name ftf.es enable password xxxxxxx encrypted passwd xxxxx encrypted names name 217.125.44.23 IP_publica name 172.26.1.100 Servidor name 192.168.1.3 IP_externa name 192.168.2.3 IP_Externa2 name 172.26.2.0 VPN_Clients ! interface Vlan1 nameif inside security-level 100 ip address 172.26.1.89 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address IP_externa 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 switchport access vlan 12 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 13 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name ftf.es same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service terminal-server tcp port-object eq 3389 object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list FTFVPN_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list FTFVPN_Group_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list outside_access_in extended permit tcp any host IP_externa eq 3389 access-list outside_access_in extended permit object-group TCPUDP any host IP_externa eq www access-list FTF_ADSL2_splitTunnelAcl standard permit any access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 VPN_Clients 255.255.255.0 access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 host 172.26.1.199 access-list outside_nat0_outbound extended permit ip VPN_Clients 255.255.255.0 172.26.1.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool vpn 172.26.1.180-172.26.1.200 mask 255.255.255.0 ip local pool vpn2 172.26.2.100-172.26.2.200 mask 255.255.255.0 ip local pool vpn3 172.26.3.100-172.26.4.150 mask 255.255.255.0 ip local pool vpn4 172.26.1.240-172.26.1.250 mask 255.255.255.0 ip local pool FTFVPN_Pool 176.26.1.150-176.26.1.170 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 Servidor 3389 netmask 255.255.255.255 static (inside,outside) tcp interface www Servidor www netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute http server enable http 172.26.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 40 set pfs group1 crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 60 set pfs group1 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 80 set pfs group1 crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 100 set pfs group1 crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 120 set pfs group1 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal 20 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address 172.26.1.90-172.26.1.217 inside ! webvpn enable outside url-list FTFVLC "DYNAMICS" cifs://172.26.1.100 1 port-forward TEST 3389 172.26.1.100 3389 Terminal Server group-policy DefaultRAGroup internal group-policy DefaultRAGroup attributes banner value Bienvenido a la red de FTF dns-server value 172.26.1.100 80.58.32.97 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn split-tunnel-policy tunnelall default-domain value ftf.es group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools value vpn2 smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward value TEST port-forward-name value Acceso a aplicaciones sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate group-policy FTFVPN_Group internal group-policy FTFVPN_Group attributes dns-server value 172.26.1.100 vpn-tunnel-protocol IPSec l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value FTFVPN_Group_splitTunnelAcl default-domain value ftf.es address-pools value vpn2 group-policy VPNSSL internal group-policy VPNSSL attributes vpn-tunnel-protocol IPSec l2tp-ipsec webvpn webvpn functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix username raul password xxxxxx encrypted privilege 0 username raul attributes vpn-group-policy FTFVPN_Group tunnel-group DefaultRAGroup general-attributes address-pool vpn2 default-group-policy DefaultRAGroup tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultWEBVPNGroup general-attributes default-group-policy VPNSSL tunnel-group DefaultWEBVPNGroup webvpn-attributes nbns-server Servidor master timeout 5 retry 3 tunnel-group FTFVPN_Group type ipsec-ra tunnel-group FTFVPN_Group general-attributes address-pool vpn2 default-group-policy FTFVPN_Group tunnel-group FTFVPN_Group ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:f5e713652d4a2e2623248d7e49086105 : end asdm image disk0:/asdm-524.bin asdm location Servidor 255.255.255.255 inside asdm location IP_publica 255.255.255.255 inside asdm location IP_externa 255.255.255.255 inside asdm location IP_Externa2 255.255.255.255 inside asdm location VPN_Clients 255.255.255.0 inside no asdm history enable
Raul,
I don't see to apply ACLs inside the interface or as vpn-filter that will prevent the PING of the SAA within the intellectual property to the VPN client.
Are you sure that the VPN client does not have the Windows Firewall on or antivirus software that prevents to respond to PING?
Federico.
Maybe you are looking for
-
Satellite L500D - 16K - where to find the new updates?
HY guys,. When I bought my Satellite L500D - 16K, I complained in forums dedicated to this notebook page contained very few pilots. After some time, a week or two, she 'suddenly' populated with drivers for everything. Now, after verification not for
-
All-in-one HP Office Pro 8610: black vertical line on the scans
I have a black vertical line down my scans and copies that are feeding by automatic feeding (8610 Office Pro HP all in one)
-
How to record a slideshow of photos of my screensaver
I have PhotoStage on my computer. I made a slideshow of my photos and I would use as my screensaver. How can I do this?
-
HP wireless keyboard is not working but the wireless mouse still doesn't work
-
new hard drive I bought a new hard drive as an upgrade for my previous hard disk which had no space and I want to put vista on my new hard drive. I have a sony notebook and cannot find a way to do thanks in advance