Client Vpn Cisco vpn remote site inaccessible (one site to another)
Hello
I configured two vpn with pix 515 cisco connection. One using a cisco vpn client and another another site to site vpn connectin with other pix.
I have my local network with 192.168.149.0 network, vpn clinet pool with 192.168.17.0 network and a remote site with 192.168.145.0.
Client vpn local network accessible and always remote site, but 192.168.17.0 (vpn client) 192.168.145.0 not accessible (remote site).
Plese help me!
Thank you
This scenario is possible with no v6.x, v7.x
the link below is an example of configuration:
Tags: Cisco Security
Similar Questions
-
Hello
7.0 (1) version pix
ASDM version 5.0 (1)
I have a situation where you go paas-thanks to the VPN feature goes on our PIX 515E. I tried to put this on the pix using a VPN Wizard Site to site
who is enabled. I was unable to connect to the pix from the remote site. Witch's journal replied negotiate the pix is OK and the success
The problem is when I try to set up the tunnel to the top of the remote site. I fall without failure.
where can I see the vpn pix for error log?
is there a manual for the solution of site to site VPN using the wizard
Help, please.
Thanks in advance
the section 'use adsm' (step 14) gives an example on how to set up vpn lan - lan via adsm
Newspaper to go to the section "check".
-
2 VPN remote sites can communicate by tunnel via a mutual 3' rd PIX?
Hello
I have a client who has a PIX 515E in the P.C. of the company and s 2 PIX 501 at remote sites. As of today the distance 2 PIX have a VPN connection from site to site with the HQ PIX.
My question is... is - it possible to have the HQ PIX act as a virtual private network 'hub' for remote to communicate across sites? I mean, it is, is it possible to configure the PIX so that traffic to the site remote B can go into the tunnel at HQ, and then through the tunnel to the remote B site?
If this is possible, how? The HQ PIX would have enough information to route packets in the proper way? What should I do?
Thank you in advance to those who will answer. :-)
If the question is not too clear, please post here and tell me...
Steffen
Steffen,
Unfortunately, the answer to that is no the PIX not "redirect" return packages the same interface, where they were received. This is normal and is part of the security on the PIX algorithm. The VPN 3000 and IOS will do this, but not the PIX.
However, as a workaround, can not only create another tunnel on the 2 rays to another? In other words, Setup a 'triangle' of sorts. That's usually what we suggest in situations like this.
I hope this helps.
Scott
-
Internet access and VPN remote site?
Hi all!
I have a remote site who want to use their own internet connection to access the internet. Just at that moment that I use their router gateway to send all their data on an IPSec tunnel to us (Cisco 831) it connects to a headquarters at 2600. is it possible to have a slot on the remote site, so that surfers IP packets are sent directly to the internet and IP private to the IPSec VPN?
I have to get more / different HW or a simple change in config?
I checked Cisco.com but just GRE tunnels where both the tunnel AND out of the interface have the Crypto Card...
Hello
You can restore the mode of connectivity with the outside world?
Also can you confirm if you use any device behind the router coz your LAN network is configured to only 2 usable/configurable ips belonging to 30 mask...
with this configuration a little you must enable natting who will do the trick for you...
just include commands in your config below...
interface Ethernet0/0
NAT outside IP
!
interface Ethernet0/1
IP nat inside
!
IP nat inside source list 1 interface ethernet 0/0 overload
!
access-list 1 permit 172.16.222.44 0.0.0.3
regds
-
Can also interface with VPN remote site also for another use?
Hi all
An interface used for the remote site VPN on PIX can be used for another function, for example for the smtp server and web publishing?
Thank you!
Best regards
Teru Lei
Yes! of course you can. Just try it.
--
Alexis Fidalgo
Systems engineer
AT & T Argentina
-
Remote access from one machine to another triple monitor machine triple monitor
Need help, I have window 7 pro with 3 screens at home and wants to distance in my office with the same configuration. (triple monitors) I can't be able to get it to work where I can use all 3 monitors. Is there any additional software, I need? I was told that I had to upgrade to Ultimate windows if to make both of my machines need Windows Ultimate or just one initiating the remote?
See:
In editions of Windows 7 ultimate and Windows 7 Enterprise, remote desktop connection supports the use of several screens with high resolution in a remote session.
http://Windows.Microsoft.com/en-us/Windows7/Remote-Desktop-connection-frequently-asked-questions
-
With the help of Client VPN dial-up networking on L2l
I m tring to configure ASA 5505 with Cleint of VPN to access a remote network on a L2L with an another ASA 5505, but without success. There is a special function for this work?
Follow the topology
TKS
Hello
You must ensure that you have configured following
- permit same-security-traffic intra-interface
- This will allow VPN Client traffic to enter the ASA and leave the same interface
- If you use Split Tunnel ACL with the VPN Client, make sure that the ACL has included Remote Site network
- If you use complete Tunnel this wont be a problem
- Make sure that the ACL of VPN L2L that defines "interesting traffic" includes the pool of Client VPN on both sides of the VPN L2L
- Configure a NAT0 on the ASA of Client VPN 'outside' interface that makes NAT0 for pool of Client VPN Remote Site network
If you have a real-world setting to share I can try to help with those. Otherwise I can only give general things like the above to check.
-Jouni
- permit same-security-traffic intra-interface
-
Use the client VPN tunnel to cross the LAN-to-LAN tunnel
I have been troubleshooting an issue and cannot cross an obstacle. The ASA is running ASA running 1,0000 code 24. I am using a client VPN tunnel to connect to the ASA. The ASA has already a LAN-to-LAN tunnel, set up and operating and I need the VPN client to access the remote site over the LAN-to-LAN tunnel.
The internal IP address of the local part is 192.168.0.0/24 and the IP address of the Remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are distributed 192.168.200.0/24 IPs. I have attached the relevant configuration for the SAA.
When the VPN client on the network, I can access resources on the ASA network internal. On the internal network of the SAA, users can access resources through the LAN-to-LAN tunnel. Client VPN cannot access resources on the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.
Thank you for your help.
try adding...
permit same-security-traffic intra-interface
-
VPN clients cannot access remote sites - PIX, routing problem?
I have a problem with routing to remote from our company websites when users connect via their VPN client remotely (i.e. for home workers)
Our headquarters contains a PIX 515E firewall. A number of remote sites to connect (via ADSL) to head office using IPSEC tunnels, ending the PIX.
Behind the PIX is a router 7206 with connections to the seat of LANs and connections to a number of ISDN connected remote sites. The default route on 7206 points to the PIX from traffic firewall which sits to ADSL connected remote sites through the PIX. Internal traffic for LAN and ISDN connected sites is done via the 7206.
Very good and works very well.
When a user connects remotely using their VPN client (connection is interrupted on the PIX) so that they get an IP address from the pool configured on the PIX and they can access resources located on local networks to the office with no problems.
However, the problem arises when a remote user wants access to a server located in one of the remote sites ADSL connected - it is impossible to access all these sites.
On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.
Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?
(Note: I suggested a workaround, users can use a server on LAN headquarters as a "jump point" to connect to remote servers from there)
with pix v6, no traffic is allowed to redirect to the same interface.
for example, a remote user initiates an rdp session for one of the barns adsl. PIX decrypts the packet coming from the external interface and looks at the destination. because the destination is one of adsl sites, pix will have to return traffic to the external interface. Unfortunately, pix v6.x has a limitation that would force the pix to drop the packet.
with the v7, this restriction has been removed with the "same-security-traffic control intra-interface permits".
-
Cisco VPN client + VPN site-to-site
Hi all
I have two ASA5505 with a site to site VPN.
One of the ASA is connected to the internal network 192.168.150.0.
It is connected to 192.168.151.0.
I also configured IPSec Cisco VPN client that is connected to 192.168.150.0.
I would like to know if it is possible for a connected with the Cisco VPN client to access the 192.168.151.0 by the site-to-site VPN network.
Thank you!
Hello
If you mean that the IP addresses of the VPN Pool are something like 192.168.150.x then I suggest to use a totally different network than those used on LANs.
At the software level 9.1 basically causes changes to how are the NAT0 configurations.
MAIN SITE
network of the VPN-POOL object
subnet x.x.x.x y.y.y.y
being REMOTE-LAN network
192.168.151.0 subnet 255.255.255.0
destination of static NAT VPN VPN-POOL POOL (outdoors, outdoor) static REMOTE - LAN LAN
REMOTE SITE
network of the VPN-POOL object
subnet x.x.x.x y.y.y.y
the object of the LAN network
192.168.151.0 subnet 255.255.255.0
NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL
Otherwise, I would imagine that the same kind of configurations above apply. You need the ' same-security-movement ' command to allow the 'outside' to ' outside ' of the movement. You will have to ensure that the ACL from Tunnel Split contains the remote site network. And of course, you should make sure that the ACL crypto sets / include traffic between VPN pool and the network 192.168.151.0/24 on both sides ASAs.
-Jouni
-
PIX - ASA, allow RA VPN clients to access servers at remote sites
I got L2L tunnels set up for a couple of remote sites (PIX) for several months now. We have a VPN concentrator, which will go EOL soon, so I'm working on moving our existing customers of RA our ASA. I have a problem, allowing RA clients access to a server to one of our remote sites. PIX and ASA (main site) relevant config is shown below. The error I get on the remote PIX when you try a ping on the VPN client is:
Group = 204.14. *. *, IP = 204.14. *. * cheque card static Crypto Card = outside_map, seq = 40, ACL does not proxy IDs src:172.16.200.0 dst: 172.16.26.0
The config:
Hand ASA config
access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.26.0 255.255.255.0
access extensive list ip 172.16.1.0 inside_nat0_outbound allow 255.255.255.0 172.16.26.0 255.255.255.0
access extensive list ip 172.16.22.0 inside_nat0_outbound allow 255.255.255.0 172.16.26.0 255.255.255.0
access extensive list ip 172.16.200.0 inside_nat0_outbound allow 255.255.255.0 172.16.26.0 255.255.255.0
access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.200.0 255.255.255.0
access extensive list ip 172.16.0.0 outside_cryptomap_60 allow 255.255.255.0 172.16.26.0 255.255.255.0
access extensive list ip 172.16.1.0 outside_cryptomap_60 allow 255.255.255.0 172.16.26.0 255.255.255.0
access extensive list ip 172.16.22.0 outside_cryptomap_60 allow 255.255.255.0 172.16.26.0 255.255.255.0
access extensive list ip 172.16.200.0 outside_cryptomap_60 allow 255.255.255.0 172.16.26.0 255.255.255.0
card crypto outside_map 60 match address outside_cryptomap_60
outside_map 60 set crypto map peer 24.97. *. *
card crypto outside_map 60 the transform-set ESP-3DES-MD5 value
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
=========================================
Remote config PIX
access extensive list ip 172.16.26.0 inside_nat0_outbound allow 255.255.255.0 172.16.0.0 255.255.255.0
access extensive list ip 172.16.26.0 inside_nat0_outbound allow 255.255.255.0 172.16.1.0 255.255.255.0
access extensive list ip 172.16.26.0 inside_nat0_outbound allow 255.255.255.0 172.16.22.0 255.255.255.0
access extensive list ip 172.16.26.0 inside_nat0_outbound allow 255.255.255.0 172.16.200.0 255.255.255.0
access extensive list ip 172.16.26.0 outside_cryptomap_60 allow 255.255.255.0 172.16.0.0 255.255.255.0
access extensive list ip 172.16.26.0 outside_cryptomap_60 allow 255.255.255.0 172.16.1.0 255.255.255.0
access extensive list ip 172.16.26.0 outside_cryptomap_60 allow 255.255.255.0 172.16.22.0 255.255.255.0
access extensive list ip 172.16.26.0 outside_cryptomap_60 allow 255.255.255.0 172.16.200.0 255.255.255.0
card crypto outside_map 60 match address outside_cryptomap_60
peer set card crypto outside_map 60 204.14. *. *
card crypto outside_map 60 the transform-set ESP-3DES-MD5 value
outside_map interface card crypto outside
EDIT: Guess, I might add, remote site is 172.16.26.0/24 VLAN VPN is 172.16.200.0/24...
What you want to do is 'tunnelall', which is not split tunneling. This will still allow customers to join the main and remote site, but not allow them to access internet... unless you have expressly authorized to make a 'nat (outside)"or something. Your journey on the client will be, Secured route 0.0.0.0 0.0.0.0
attributes of group policy
Split-tunnel-policy tunnelall
Who is your current config, I don't see where the acl of walton is attributed to what to split tunnel?
-
Easy traffic between remote sites via Cisco VPN
We have a Cisco 2921 router at Headquarters (Easy VPN Server) and deployed Cisco 887VA (EasyVPN - Extension of remote network) for remote offices using EasyVPN. We allow voice traffic and data via VPN. Everything has been great to work until this problem has been discovered today:
When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in both feel.
Calls from Headquarters and external mobile/fixed are very good. Only calls between two remote sites are affected.
There is no need for DATA connection between the remote desktop, our only concern is the voice.
By the looks of it, I think that "hair - pinning" traffic on the interface VPN is necessary. But need some advice on the configuration. (Examples configs etc.).
Thanks in advance.
Thanks for your quick response.
I am sorry, I assumed that the clients have been configured in client mode.
No need to remove the SDM_POOL_1, given that customers already have configured NEM.
But add:
Configuration group customer isakmp crypto CliniEasyVPN
network extension mode
You are able to ping to talked to the other?
Please make this change:
105 extended IP access list
Licensing ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
* Of course free to do trafficking of translated on the shelves.
Let me know if you have any questions.
Thank you.
Portu.
-
remote VPN and vpn site to site vpn remote users unable to access the local network
As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config
The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.
ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto #.Hello
Looking at the configuration, there is an access list this nat exemption: -.
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
But it is not applied in the States of nat.
Send the following command to the nat exemption to apply: -.
NAT (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
-
Access even if remote site 2 site VPN
Hello
I'm under VPN between two sites using 2 ASA 5505.
Also, I want that RA - VPN which is accommodated in the two ASA.
My need is to remove one of access VPN - RA and keep only one, but must be able to reach the second site.
I did a split with two LANs tunnel. But I still not able to get the directions in my computer when I connect to the RA - VPN.
Is this possible? And how?
A few things that should be configured to access remote access vpn remote vpn site to site LAN:
(1) on cryptography from site to site tunnel ACL, it must include the subnet remote vpn client ip pool as follows:
On the SAA ending the vpn client: ip allow
On the ASA distance that ends the tunnel from site to site: ip allow
(2) on the SAA ending the vpn client: same-security-traffic permit intra interface
(3) on the ASA distance that ends the tunnel from site to site: NAT ACL exemption must include the Remote LAN traffic to the subnet IP Pool.
In addition, ACL split tunnel which includes two subnets which I believe you already configured.
Hope that helps.
-
Hello
I would like to know if CISCO 857 allows customers of Cisco VPN remote apart from site to site VPN software. I have heard that all cable cisco VPN devices allow connections to cisco VPN client software, is it true?
Thanks a lot for your help
Juan Manuel
Juan,
Let me explain a little further in order to clarify some of the terminology used, which could lead to confusion.
Router Cisco VPN may terminate the following types of tunnels.
Lan to Lan tunnels has.
b. dynamic tunnels of Lan to Lan
c. connections from VPN clients
d. ends for easy VPN clients
a & b are very similar
c & d are very similar
except - option c uses VPN (software) clients installed on the PC or MAC systems
Option d, material uses to connect to the IOS routers. You can use a router or a PIX firewall or a 3002 or ASA to connect to the Cisco router that would act as an IOS Easy VPN server. But the device to connect to the easy VPN server is called an easy VPN client.
Hope that explains the terminology a little more in detail.
To answer your question, safety feature Easy VPN client and server support.
And what you're trying to accomplish is option c. Thus, security feature option should work well for you.
Hope that explains your queries.
The rate of this post, if that helps!
Thank you
Gilbert
Maybe you are looking for
-
Satellite S50-B-15N - keyboard does not work
Hello hope someone can help me here... have a laptop Satellite S50-B-15N, my fixed keyboard keys don't work (in the letter I (outside)...which means that I can't type my password and access my laptop... I have windows 10 update since it was released.
-
Last Microsoft updates (KB2660465, KB2647516 and KB2661637) causes XP to hang
Just installed the latest updates from Microsoft on XP Service Pack 3, after the user connects, there literally minutes 10 to 20 minutes of watching a black screen and a cursor of the mouse so that it loads. Tried to boot in safe mode and uninstalled
-
I tried to connect to the network several times but its still saying 'not connected' but I can go to the internet and all...and I also try to fix or diagnose, but its still not not workin...Please help idk what 2 do more...
-
Error update Firmware on PS-100F Array
Hi team, I have two paintings PS-100F. I've updated a table 3.3.1 in 4.0.7 using ftp and serial cable. However I'm unable to update the second table. I can copy the .tgz OK: it is an ls: FTP > lsCommand PORT 200 successful.150 opening ASCII mode conn
-
I recently changed my laptop and transfer on multimedia files for the new laptop. The files are in WMA format, and when I try to read, I got an error message as below: "Your media usage rights were corrupted or are no longer valid. This can happen if