Client VPN connectivity problems
I use the Cisco VPN client to connect to our network, which is located behind a 515E. The client is authenticated and gets an IP address, but cannot ping or connect to one of the hosts. The connection is to a customer's network that is also behind a 515E. I have successfully connected using the same policy to other places and have had no problem. What confuses me is that we used to have a Netscreen firewall before, and it had a Netscreen VPN client which connected from their network with a problem. Is there something they need on their firewall so that we can get the traffic through?
Try turning on NAT-T on your PIX by configuring:
isakmp nat-traversal 20
and configure the VPN client accordingly:
http://www.Cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client
I think these discussions are useful:
-
Hello
We have a server to which remote clients need to connect via VPN. My VPN is able to connect, but any application that needs to connect via the VPN does not work. I also can't ping the remote servers, while for others it works very well. I can't understand the problem; I tried reinstalling the VPN client.
I am using Windows XP Pro and the Cisco VPN client 4.0.3.
Hello
Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public forums. Please post your question in the TechNet forum for assistance:
TechNet Windows XP Service Pack 3 (SP3)
Hope this information helps.
-
VPN client VPN connection from behind a PIX to another PIX
I have the following problem:
I wanted to establish a VPN connection with the VPN client to a PIX over GPRS/3G, but I didn't have a bit of luck with PIX OS version 6.2(2).
So I upgraded the PIX to 6.3(4) to use NAT-T, and the VPN client to version 4.0.5.
I configured the PIX with NAT-T (isakmp nat-traversal 20), but I still had no luck; it would not get through the 1st phase. As soon as I took isakmp nat-traversal off it started working, and we can connect to our servers.
Now I want to connect with the VPN client behind our PIX to our customer's PIX network. The VPN connection establishes without problem, but we cannot access the servers. If I configure NAT-T on both PIXes, or only on the customer PIX, or only on our PIX, there is no VPN connection at all.
If I connect with the VPN client behind our PIX to the customer's network and try to PING the DNS server, for example, I get the following error on our PIX:
305006: portmap translation creation failed for protocol 50 src inside:10.10.1.x dst outside:194.x.x.x
194.x.x.x is our customer's PIX IP address.
I understand that somewhere an access list is missing, but I cannot figure out where.
Of course, I could configure a site-to-site VPN, but we have a few customers whose servers we take care of, so it would be better to just connect with the VPN client behind the PIX to the customer's server, instead of first dialing in and then establishing a VPN connection.
Can you please help me?
Thank you in advance
The following is extracted from the ASK THE EXPERTS discussion forum with Glenn Fullage of Cisco.
I've cut and pasted it here for you to read; I think it addresses the problem mentioned below:
Question:
Hi Glenn,
Is the following possible?
I have the VPN client on my PC; my LAN is protected by a PIX. I can launch the VPN client to connect to a remote PIX. The VPN client authenticates and the remote PIX assigns my PC the appropriate IP from its IP address pool.
The problem I am facing is that I cannot ping anything across the remote PIX from my PC, which is behind my PIX. Can you please guide me on what I have to do to make this work, if it is possible?
My PC has a static IP address assigned, with the default gateway pointing to my PIX's inside interface.
Thank you very much for any help provided in advance.
Response from Glenn:
First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine but then breaks when put behind a PIX, it is probably that the PIX is doing PAT, which usually breaks IPSec. Add the following command on the PIX your VPN client is behind:
fixup protocol esp-ike
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.
If it still has issues, you can turn on NAT-T on the remote PIX that terminates the VPN; the client and the remote PIX will then encapsulate all IPSec in UDP packets that your PIX will be able to PAT correctly. Add the following command on the remote PIX:
isakmp nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.
NAT-T is an IETF standard for the encapsulation of IPSec packets in UDP packets.
IPSec ESP (the protocol your encrypted data packets use) is an IP protocol; it sits just above IP rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.
A lot of devices that do Port Address Translation (PAT) rely on a unique TCP/UDP source port number to PAT. Because all PAT'd traffic ends up with the same source address, there must be some uniqueness to each session, and most devices use the TCP/UDP source port number for this. Because IPSec doesn't have one, many PAT devices fail to PAT it properly or at all, and the data transfer fails.
With NAT-T enabled on both devices at the ends of the tunnel, they determine during tunnel construction whether there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packet in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic flows normally.
Hope that helps.
-
ASA 5505 ASDM VPN connection problem
Hello
We are running an ASA 5505 firewall with version 8.4(4)1. The ASDM version is 6.4(9).
The problem is that when creating a remote access VPN connection, it works fine for about 2-3 days.
After that, the VPN client cannot connect anymore and gives error code 789.
In this case, the VPN clients are Windows 7 clients from different remote networks, with the same problem scenario.
Windows 8.1 clients cannot connect at all and show the same error code...
All connections go through the DefaultRAGroup and the preshared keys match on both sides.
When the user attempts to connect I receive the following text in the ASDM log:
6 April 10, 2015 10:52:39 Group = DefaultL2LGroup, IP = 5.240.31.116, P1 Retransmit msg sent to MM WSF
5 April 10, 2015 10:52:39 Group = DefaultL2LGroup, IP = 5.240.31.116, Duplicate Phase 1 packet detected. Retransmitting last packet.
5 April 10, 2015 10:53:03 IP = 5.240.31.116, Received encrypted packet with no matching SA, dropping
When I implemented the remote login through ASDM I followed the instructions in the following link:
The steps were a little different, but almost the same, given that these instructions show an older version.
I'm interested in trying the steps in this link, but I'm not sure this will help me solve the problem:
Any help would be appreciated!
Thank you
Hello
If you use local authentication (username and password on the ASA), then why would you need this?
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
Remove it and try.
-
ASA 5510 IPSEC VPN connection problem
Hello
We have an ASA 5510 (ASA version 8.0) with remote access VPN configured, and it works most of the time, but there is a problem when more than one client connects from the same remote office. When the first VPN client is connected from the remote office, everything works fine, but when the second client connects to the VPN, it connects fine but does not get any return traffic. I can see under Monitoring -> VPN Statistics -> Sessions -> Remote Access that Rx Bytes is 0. Both connections come from the same public IP address of the remote office. I changed some settings on NAT-T and a few other things, but without success.
Could someone please help me with how to fix this?
Thank you very much.
Make sure that the clients use it, because probably they are not (the default is NAT-T).
Federico.
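Glenn's explanation earlier on this page (ESP carries no port, so a PAT device has nothing to tell two inside hosts apart by, which NAT-T's UDP/4500 encapsulation restores) and the two-clients-from-one-public-address symptom in this thread can be illustrated with a small model of a PAT device. This is an added example, not code from the forum or from Cisco; the addresses are constructed documentation addresses and the translator's behaviour is a simplified model, not that of any particular product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP = 50           # IP protocol number of IPsec ESP: no transport header, no ports
UDP = 17
NAT_T_PORT = 4500  # UDP port NAT-T uses once the peers detect a NAT between them


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP, which has no port numbers
    dport: Optional[int] = None


class PatDevice:
    """Simplified PAT: one public address, a unique public port per inside flow."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.port_map: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, port)
        self.esp_map: Dict[str, str] = {}               # peer ip -> inside ip
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == ESP:
            owner = self.esp_map.get(pkt.dst)
            if owner is not None and owner != pkt.src:
                # A second inside host to the same peer: with no port to key on,
                # return ESP could not be told apart, so the entry is refused.
                self.dropped.append(pkt)
                return None
            self.esp_map[pkt.dst] = pkt.src
            return Packet(self.public_ip, pkt.dst, ESP)
        # UDP/TCP: reuse the public port already allocated to this inside flow,
        # otherwise allocate the next free one.
        for public_port, inside in self.port_map.items():
            if inside == (pkt.src, pkt.sport):
                break
        else:
            public_port = self.next_port
            self.next_port += 1
            self.port_map[public_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pkt.proto, public_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == ESP:
            inside_ip = self.esp_map.get(pkt.src)
            if inside_ip is None:
                self.dropped.append(pkt)
                return None
            return Packet(pkt.src, inside_ip, ESP)
        inside = self.port_map.get(pkt.dport)
        if inside is None:
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src, inside[0], pkt.proto, pkt.sport, inside[1])


def two_clients_behind_pat(nat_t: bool) -> Dict[str, bool]:
    """Two VPN clients behind one PAT device talk to the same VPN peer.
    Returns, per client, whether the peer's reply made it back to that client."""
    pat = PatDevice("203.0.113.10")        # constructed (documentation) addresses
    peer = "198.51.100.1"
    reached: Dict[str, bool] = {}
    for client in ("10.0.0.11", "10.0.0.12"):
        if nat_t:   # ESP carried inside UDP/4500, so the translator sees ports
            out = pat.outbound(Packet(client, peer, UDP, NAT_T_PORT, NAT_T_PORT))
        else:       # plain ESP, IP protocol 50
            out = pat.outbound(Packet(client, peer, ESP))
        if out is None:
            reached[client] = False
            continue
        # The peer answers whatever source it saw on the translated packet.
        if nat_t:
            reply = Packet(peer, out.src, UDP, NAT_T_PORT, out.sport)
        else:
            reply = Packet(peer, out.src, ESP)
        back = pat.inbound(reply)
        reached[client] = back is not None and back.dst == client
    return reached


if __name__ == "__main__":
    print("plain ESP :", two_clients_behind_pat(nat_t=False))
    print("with NAT-T:", two_clients_behind_pat(nat_t=True))
```

With plain ESP only the first client gets its return traffic (the second is the "Rx Bytes is 0" case); with NAT-T both do.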
-
VPN connection problem: keep connection
I'm having a problem maintaining a VPN connection. I connect okay, but the VPN line disconnects after about 2 minutes each time. I use XP Professional V2002, Service Pack 3. I have disabled the Windows firewall, as I have the F-Secure software suite with its firewall active. I connect the laptop wirelessly via a Belkin router. I had no problem for months up until August, when suddenly this problem appeared. I have disabled the F-Secure firewall, but that did not help. I also disabled the firewall on the router, but again without success. Can you please help?
Hi Rashmis,
Thanks for visiting the Microsoft Windows XP community site. The question you have posted is related to VPN issues and would be better suited to the TechNet community. Please visit the link below to find a community that will provide the support you want. http://social.technet.Microsoft.com/forums/en/categories/
Shawn - Support Engineer - MCP, MCDST
Microsoft Answers Support Engineer
Visit our Microsoft Answers feedback Forum and let us know what you think
-
VPN connection problems...
I don't know what is happening or what I'm missing...
I set up a VPN connection to my remote offices with a 5505. At my main office, I have a 5510.
From my remote offices, I can PING my main office server. However, when I go to set up a VPN through the Windows Network and Sharing Center, I can't get the connection to connect...
Am I doing something wrong or what step am I missing?
Thank you!!
Can you try adding this:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I'd put both on unless you have a reason not to. If there is no love after that, we will break down the PPPoE and VPN configuration.
Matt
-
ASA easy VPN connection problem
Hi guys,
I configured Easy VPN between a 5510 and a 5505. Everything seems fine; however, if there is no traffic in the tunnel for a few hours, I cannot initiate traffic from the 5510 to the 5505 (client). But if I first send traffic from the 5505, there is no problem.
Anyone know why?
Thank you
Hello
This is normal behavior; it is part of the Easy VPN functionality. The 5505 acts as a remote VPN client for the 5510. This is not like a site-to-site VPN, where both ends know the IP address of the remote peer so that either peer can initiate the connection; here the 5510 doesn't know on which network and IP the 5505 will be when it connects via Easy VPN.
If you want the tunnel to be able to be brought up from both ends, I would suggest you use a classic site-to-site connection as described here:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/ASA5505/quick/guide/SITESITE.html
I hope this helps.
Kind regards
Bastien -
CLIENT VPN connection OK & PING OK but no INTERNET or LAN
Hello
After spending too much time trying to make it work on an already configured router, not being able to get it working, and using too much of your time, I decided to test my installation again on a fresh, clean router.
Why didn't I do that before? It took me only 15 minutes to create this script (out of my head); I know that you will do it in 5 minutes or less, but I'm new to this CISCO world.
The setup is as follows:
TESTLAB:
NAS (FIXED IP 192.168.0.100/24) -> C2691 F0/1 (FIXED IP 192.168.0.1/24) / F0/0 (DHCP = IP FROM THE ISP) -> INTERNET -> COMPUTER (MACBOOK PRO)
With the script below, when I connect a computer to the LAN side of the ROUTER (F0/1), I get an IP address from the DHCP server and I am able to see everything on my LAN and go to the INTERNET, so this does not work well.
On another network, I am able to make a VPN connection over the INTERNET to my home testlab, but:
I can PING 192.168.0.1 (ROUTER) and 192.168.0.100 (NAS), but I do not have access to the INTERNET or to the NAS on my TESTLAB LAN.
I'm sure I'm only missing a single line in an ACL or an IP ROUTE, but I have no idea which.
So if one of you can give me some advice, you are welcome.
Below I give you the script and the LOG when I'm logged in. I did not delete any information, so you will be able to see the real IPs; it's just a TESTLAB.
Best regards
Didier
Router#sh run
Building configuration...
Current configuration : 2297 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2691-adventerprisek9-mz.124-5a.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool LAN
   import all
   network 192.168.0.0 255.255.255.0
!
fax interface-type fax-mail
username cisco password 0 Cisco
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 8.8.8.8
 domain cisco.com
 pool ippool
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
ip local pool ippool 14.1.1.100 14.1.1.200
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard NAT
 permit any
!
control-plane
!
dial-peer cor custom
!
line con 0
 transport output all
 speed 115200
line aux 0
 transport output all
line vty 0 4
 transport input all
 transport output all
!
end
When CONNECTING with the VPN CLIENT:
Cisco Systems VPN Client Version 4.9.01 (0100)
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 10.6.0 Darwin Kernel Version 10.6.0: Wed Nov 10 18:13:17 PST 2010; root:xnu-1504.9.26~3/RELEASE_I386 i386
1 08:04:22.991 27/01/2011 Sev=Info/4 CM/0x43100002
Begin connection process
2 08:04:22.992 27/01/2011 Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0x0AD337FF, Src Addr: 0x0AD33702 (DRVIFACE:1158).
3 08:04:22.992 27/01/2011 Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0x0A2581FF, Src Addr: 0x0A258102 (DRVIFACE:1158).
4 08:04:22.992 27/01/2011 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet
5 08:04:22.992 27/01/2011 Sev=Info/4 CM/0x43100024
Attempt connection with server "81.83.202.36"
6 08:04:22.992 27/01/2011 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).
7 08:04:22.992 27/01/2011 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (4500).
8 08:04:22.993 27/01/2011 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with 81.83.202.36.
9 08:04:23.072 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 81.83.202.36
10 08:04:23.203 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
11 08:04:23.204 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 81.83.202.36
12 08:04:23.204 27/01/2011 Sev=Info/5 IKE/0x43000001
Peer is a Cisco-Unity compliant peer
13 08:04:23.204 27/01/2011 Sev=Info/5 IKE/0x43000001
Peer supports DPD
14 08:04:23.204 27/01/2011 Sev=Info/5 IKE/0x43000001
Peer supports DWR Code and DWR Text
15 08:04:23.204 27/01/2011 Sev=Info/5 IKE/0x43000001
Peer supports XAUTH
16 08:04:23.204 27/01/2011 Sev=Info/5 IKE/0x43000001
Peer supports NAT-T
17 08:04:23.282 27/01/2011 Sev=Info/6 IKE/0x43000001
IOS Vendor ID Construction successful
18 08:04:23.282 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 81.83.202.36
19 08:04:23.282 27/01/2011 Sev=Info/4 IKE/0x43000083
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
20 08:04:23.282 27/01/2011 Sev=Info/5 IKE/0x43000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
21 08:04:23.282 27/01/2011 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 08:04:23.290 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
23 08:04:23.290 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 81.83.202.36
24 08:04:23.290 27/01/2011 Sev=Info/5 IKE/0x43000045
RESPONDER-LIFETIME notify has value of 86400 seconds
25 08:04:23.290 27/01/2011 Sev=Info/5 IKE/0x43000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
26 08:04:23.294 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
27 08:04:23.294 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 81.83.202.36
28 08:04:23.296 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
29 08:04:23.296 27/01/2011 Sev=Warning/2 IKE/0x83000062
Attempted incoming connection from 81.83.202.36. Inbound connections are not allowed.
30 08:04:23.298 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
31 08:04:23.298 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 81.83.202.36
32 08:04:23.298 27/01/2011 Sev=Info/4 CM/0x43100015
Launch xAuth application
33 08:04:23.416 27/01/2011 Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started
34 08:04:23.416 27/01/2011 Sev=Info/4 IPSEC/0x43700014
Delete all keys
35 08:04:23.416 27/01/2011 Sev=Info/6 IPSEC/0x4370002C
Sent 29 packets, 0 were fragmented.
36 08:04:27.320 27/01/2011 Sev=Info/4 CM/0x43100017
xAuth application returned
37 08:04:27.320 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 81.83.202.36
38 08:04:27.333 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
39 08:04:27.333 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 81.83.202.36
40 08:04:27.333 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 81.83.202.36
41 08:04:27.333 27/01/2011 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
42 08:04:27.334 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 81.83.202.36
43 08:04:27.351 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
44 08:04:27.351 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 81.83.202.36
45 08:04:27.351 27/01/2011 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 14.1.1.101
46 08:04:27.351 27/01/2011 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 8.8.8.8
47 08:04:27.351 27/01/2011 Sev=Info/5 IKE/0x83000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (134744072) is not supported
48 08:04:27.351 27/01/2011 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
49 08:04:27.351 27/01/2011 Sev=Info/5 IKE/0x4300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = cisco.com
50 08:04:27.351 27/01/2011 Sev=Info/5 IKE/0x83000015
MODE_CFG_REPLY: Attribute MODECFG_UNITY_SPLITDNS_NAME received no data
51 08:04:27.351 27/01/2011 Sev=Info/4 CVPND/0x43400018
Privilege Separation: opening file: (/etc/opt/cisco-vpnclient/Profiles/DRI.pcf).
52 08:04:27.352 27/01/2011 Sev=Info/5 IKE/0x4300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled 14-Jan-06 05:00 by alnguyen
53 08:04:27.352 27/01/2011 Sev=Info/4 CM/0x43100019
Mode Config data received
54 08:04:27.353 27/01/2011 Sev=Info/4 IKE/0x43000056
Received a key request from Driver: Local IP = 81.83.203.94, GW IP = 81.83.202.36, Remote IP = 0.0.0.0
55 08:04:27.353 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 81.83.202.36
56 08:04:27.359 27/01/2011 Sev=Info/4 IPSEC/0x43700014
Delete all keys
57 08:04:27.371 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
58 08:04:27.371 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 81.83.202.36
59 08:04:27.371 27/01/2011 Sev=Info/5 IKE/0x43000045
RESPONDER-LIFETIME notify has value of 3600 seconds
60 08:04:27.371 27/01/2011 Sev=Info/5 IKE/0x43000046
RESPONDER-LIFETIME notify has value of 4608000 kb
61 08:04:27.371 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH) to 81.83.202.36
62 08:04:27.371 27/01/2011 Sev=Info/5 IKE/0x43000059
Loading IPsec SA (MsgID=1DBA3942 OUTBOUND SPI = 0xA3A7DAF8 INBOUND SPI = 0x289044F5)
63 08:04:27.372 27/01/2011 Sev=Info/5 IKE/0x43000025
Loaded OUTBOUND ESP SPI: 0xA3A7DAF8
64 08:04:27.372 27/01/2011 Sev=Info/5 IKE/0x43000026
Loaded INBOUND ESP SPI: 0x289044F5
65 08:04:27.372 27/01/2011 Sev=Info/4 CM/0x4310001A
One secure connection established
66 08:04:27.372 27/01/2011 Sev=Info/4 CVPND/0x4340001E
Privilege Separation: lowering MTU on primary interface.
67 08:04:27.373 27/01/2011 Sev=Info/4 CVPND/0x4340001B
Privilege Separation: backing up /etc/resolv.conf file.
68 08:04:27.373 27/01/2011 Sev=Info/4 CVPND/0x4340001D
Privilege Separation: chown(/var/run/resolv.conf.vpnbackup, uid = 0 gid = 1).
69 08:04:27.373 27/01/2011 Sev=Info/4 CVPND/0x43400018
Privilege Separation: opening file: (/var/run/resolv.conf).
70 08:04:27.377 27/01/2011 Sev=Info/4 CM/0x4310003B
Address watch added for 81.83.203.94. Current hostname: d5153cb5e.access.telenet.be, Current address(es): 81.83.203.94, 10.211.55.2, 10.37.129.2.
71 08:04:27.860 27/01/2011 Sev=Info/4 IPSEC/0x43700010
Create a new key structure
72 08:04:27.860 27/01/2011 Sev=Info/4 IPSEC/0x4370000F
Add key with SPI=0xf8daa7a3 into key list
73 08:04:27.860 27/01/2011 Sev=Info/4 IPSEC/0x43700010
Create a new key structure
74 08:04:27.860 27/01/2011 Sev=Info/4 IPSEC/0x4370000F
Add key with SPI=0xf5449028 into key list
75 08:04:37.360 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 81.83.202.36
76 08:04:37.360 27/01/2011 Sev=Info/6 IKE/0x4300003D
Sending DPD request to 81.83.202.36, our seq# = 2293347010
77 08:04:37.382 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
78 08:04:37.382 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 81.83.202.36
79 08:04:37.382 27/01/2011 Sev=Info/5 IKE/0x43000040
Received DPD ACK from 81.83.202.36, seq# received = 2293347010, seq# expected = 2293347010
80 08:04:47.859 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 81.83.202.36
81 08:04:47.860 27/01/2011 Sev=Info/6 IKE/0x4300003D
Sending DPD request to 81.83.202.36, our seq# = 2293347011
82 08:04:47.867 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
83 08:04:47.867 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 81.83.202.36
84 08:04:47.867 27/01/2011 Sev=Info/5 IKE/0x43000040
Received DPD ACK from 81.83.202.36, seq# received = 2293347011, seq# expected = 2293347011
85 08:05:03.865 27/01/2011 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 81.83.202.36
86 08:05:03.865 27/01/2011 Sev=Info/6 IKE/0x4300003D
Sending DPD request to 81.83.202.36, our seq# = 2293347012
87 08:05:03.872 27/01/2011 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 81.83.202.36
88 08:05:03.872 27/01/2011 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 81.83.202.36
89 08:05:03.872 27/01/2011 Sev=Info/5 IKE/0x43000040
Received DPD ACK from 81.83.202.36, seq# received = 2293347012, seq# expected = 2293347012
You must configure split tunneling, and the NAT ACL must deny/exempt traffic from the local network to the IP pool, as follows:
(1) Create the split tunnel ACL:
access-list 150 permit ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
crypto isakmp client configuration group 3000client
 acl 150
(2) You must configure an extended ACL for NAT:
access-list 170 deny ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 170 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 170 interface FastEthernet0/0 overload
no ip nat inside source list NAT interface FastEthernet0/0 overload
clear ip nat translation *
Hope that solves the problem.
-
My ASA 5505 Plus connects to the internet and a laptop, and the laptop can access the internet.
A VPN client connects to the ASA but cannot access internal or external IPs.
I see that the default gateway is wrong, but cannot find how to change it:
********************************
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.200.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.200.1
DNS Servers . . . . . . . . . . . : 4.2.2.2
************************************
I hope that's why I can't access either the laptop (192.168.200.2), Telnet (192.168.200.4) or the internet through the client. I don't know if that part is configured correctly.
Configuration: see attachment
Ofir,
Try the following:
ip local pool VPN_Pool 172.16.20.1-172.16.20.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.200.4 255.255.255.252
no access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list Split_T extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
tunnel-group test general-attributes
 address-pool VPN_Pool
 no address-pool test
group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_T
crypto isakmp nat-traversal 20
management-access inside
Regards
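The fix for Didier's 3000client router above (access-list 170 for NAT, access-list 150 for split tunneling) and the fix for Ofir's ASA here (inside_nat0_outbound and Split_T) come down to the same two checks: the NAT ACL must exempt LAN-to-pool traffic, and the split-tunnel ACL must include it. The following is an added example, not code from either answer or from Cisco: it parses both ACL forms (IOS wildcard masks, ASA subnet masks) and runs those checks, with the ACL lines taken from the two answers and the host addresses constructed. Note the polarity difference it encodes: on IOS a deny in the NAT ACL means not translated, while on the ASA a permit in the nat 0 ACL means exempt.

```python
import ipaddress
from typing import List, Tuple

# One ACL entry: (action, source network, destination network)
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _wildcard_to_mask(wildcard: str) -> str:
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> 255.255.255.0."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def _parse_addr(tokens: List[str], i: int, wildcard: bool) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        mask = _wildcard_to_mask(mask)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(config: List[str], name: str, wildcard: bool) -> List[Rule]:
    """Collect the 'ip' rules of one ACL, in order. wildcard=True for IOS
    numbered ACLs (wildcard masks), False for ASA extended ACLs (subnet masks)."""
    rules: List[Rule] = []
    for line in config:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        i = 2
        if tokens[i] == "extended":        # optional keyword in the ASA form
            i += 1
        action = tokens[i]
        if action not in ("permit", "deny") or tokens[i + 1] != "ip":
            continue                       # this example only handles 'ip' rules
        src, i = _parse_addr(tokens, i + 2, wildcard)
        dst, _ = _parse_addr(tokens, i, wildcard)
        rules.append((action, src, dst))
    return rules


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """ACLs are evaluated top-down, first match wins; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def check_client_vpn(config: List[str], nat_acl: str, split_acl: str,
                     lan_host: str, pool_host: str,
                     wildcard: bool, nat_exempt_action: str) -> Tuple[bool, bool]:
    """Return (lan_to_pool_not_translated, lan_in_split_tunnel); both must be True.
    nat_exempt_action is 'deny' for an IOS 'ip nat inside source list' ACL
    and 'permit' for an ASA 'nat (inside) 0 access-list' ACL."""
    nat_rules = parse_acl(config, nat_acl, wildcard)
    split_rules = parse_acl(config, split_acl, wildcard)
    not_translated = first_match(nat_rules, lan_host, pool_host) == nat_exempt_action
    in_split = first_match(split_rules, lan_host, pool_host) == "permit"
    return not_translated, in_split


# ACL lines from the two answers. IOS_BROKEN is an equivalent of the router's
# state before the fix: everything from the LAN translated, no split-tunnel ACL.
IOS_BROKEN = ["access-list 170 permit ip 192.168.0.0 0.0.0.255 any"]
IOS_FIXED = [
    "access-list 150 permit ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255",
    "access-list 170 deny ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255",
    "access-list 170 permit ip 192.168.0.0 0.0.0.255 any",
]
ASA_FIXED = [
    "access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0",
    "access-list Split_T extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0",
]

if __name__ == "__main__":
    # Host addresses are constructed from the LANs and pools in the two threads.
    print(check_client_vpn(IOS_BROKEN, "170", "150", "192.168.0.100", "14.1.1.101", True, "deny"))
    print(check_client_vpn(IOS_FIXED, "170", "150", "192.168.0.100", "14.1.1.101", True, "deny"))
    print(check_client_vpn(ASA_FIXED, "inside_nat0_outbound", "Split_T",
                           "192.168.200.2", "172.16.20.5", False, "permit"))
```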
-
Client VPN connects but cannot ping all hosts
Here is the configuration of a PIX 501 which I want to accept connections from the VPN software client. I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client, and I can ping the PIX at 192.168.5.1, but I can't ping or connect to any hosts behind the PIX. Can someone tell me what I'm missing in my setup?
Thanks for your help.
chi-pix# sh conf
: Saved
: Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname chi-pix
domain-name .com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list internet-traffic permit ip 192.168.5.0 255.255.255.0 any
access-list allow-ping permit icmp any any
access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.10.11.1-10.10.11.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 access-list internet-traffic 0 0
access-group allow-ping in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set GvnPix-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set GvnPix-set
crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap
crypto map toGvnPix interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup chiclient address-pool ippool
vpngroup chiclient dns-server 192.168.5.1
vpngroup chiclient wins-server 192.168.5.1
vpngroup chiclient default-domain com
vpngroup chiclient split-tunnel 101
vpngroup chiclient idle-time 1800
vpngroup chiclient password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
vpdn group chi request dialout pppoe
vpdn group chi localname net
vpdn group chi ppp authentication pap
vpdn username net password ********
dhcpd address 192.168.5.2-192.168.5.33 inside
dhcpd dns xx
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:
chi-pix#
The PIX configuration seems correct.
I guess you are trying to access hosts in 192.168.5.0/24, and the default gateway of these hosts is the PIX inside interface 192.168.5.1?
How are you trying to access these internal hosts? If you try to ping the hosts, please make sure there is no personal firewall enabled on the inside hosts, as a personal firewall normally doesn't allow incoming connections from a different IP subnet.
-
How to limit the client VPN connection time in Router2821
I have installed a Cisco 2821 router with VPN (client) and it works very well.
I did all the configuration via CLI.
But I want a VPN client user to have:
Maximum connection time 30 min
Maximum idle time 15 min
Where should I put this command?
Kind regards!
Hi Lasandro,
Looks like the max connect timer is not yet available, but the idle timeout is.
You can configure it in the dynamic map using the command 'set security-association idle-time'.
Or apply it globally with an idle time of 60 secs just to check:
"crypto ipsec security-association idle-time 60"
HTH.
Portu.
Please rate all useful posts.
-
Client VPN connects but not internal LAN access or Ping
Hi all.
I'm new on this forum and kindly ask for your help because I'm stuck.
I have a Cisco 877 ADSL router which I configured as an Easy VPN server.
Now the Cisco VPN client ver 5.0 connects successfully to the VPN server, but when I try to access/ping computers on the internal network, there is no response. The configuration is below. Please let us know where I went wrong or what I missed.
[code]Building configuration...
Current configuration : 4574 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ $86dn J8HrK9kCQ8G9aPAm6xe4o1
enable password 7 13151601181B54382F
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login internal_affairs_vpn_1 local
aaa authorization exec default local
aaa authorization network internal_affairs_vpn_group_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2122144568
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2122144568
 revocation-check none
 rsakeypair TP-self-signed-2122144568
!
!
crypto pki certificate chain TP-self-signed-2122144568
 certificate self-signed 03
  quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool dhcplan
   network 10.0.0.0 255.0.0.0
   dns-server 196.0.50.50 81.199.21.94
   default-router 10.10.10.1
   lease 7
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 81.199.21.94
!
!
!
username vpn password 7 095A5E07
username fred privilege 15 password 7 1411000E08
username ciscovpn password 7 01100F175804101F2F
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group internal_affairs_vpn
 key ********
 dns 196.0.50.50 81.199.21.94
 pool ippool
 acl 108
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map internal_affairs_DYNMAP_1 10
 set transform-set RIGHT
 reverse-route
!
!
crypto map internal_affairs_CMAP_1 client authentication list internal_affairs_vpn
crypto map internal_affairs_CMAP_1 isakmp authorization list internal_affairs_vpn_group_1
crypto map internal_affairs_CMAP_1 client configuration address respond
crypto map internal_affairs_CMAP_1 10 ipsec-isakmp dynamic internal_affairs_DYNMAP_1
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface ATM0
 no ip address
 atm vc-per-vp 512
 no atm ilmi-keepalive
 pvc 0/32
  encapsulation aal5snap
  protocol ip inarp
 !
 dsl operating-mode auto
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description local lan interface
 ip address 10.10.10.1 255.0.0.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description internet interface
 ip address 197.0.4.174 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map internal_affairs_CMAP_1
!
ip local pool ippool 192.168.192.1 192.168.192.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.0.4.173
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface BVI1 overload
ip nat inside source static tcp 2.2.2.2 23 interface BVI1 23
!
ip access-list extended NAT
 permit ip any any
!
access-list 108 permit ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password 7 0216054818115F3348
 no modem enable
line aux 0
line vty 0 4
 password 7 06160E325F59590B01
!
scheduler max-task-time 5000
end[/code]
Since this is a named ACL, you need to enter ACL configuration mode:
ip access-list extended NAT
Then make the changes.
Federico.
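The reply above points at the named NAT ACL. On IOS, inside-to-outside NAT is applied before the crypto map, so when the NAT ACL permits LAN-to-pool traffic (as "permit ip any any" does in the posted config) the replies to the VPN clients are translated to the BVI1 address and no longer match the IPsec SA, which is a common cause of "connects but cannot ping the LAN". The check below is an added example, not code from the thread; it assumes the LAN (10.0.0.0/8) and client pool (192.168.192.0/24) from the posted config and a deny-before-permit fix for the NAT ACL.

```python
import ipaddress

# Constructed from the 877 config in the thread: the NAT ACL as posted, a
# corrected version with a deny for LAN -> VPN pool ahead of the permit, the
# LAN behind Vlan1 and the client pool "ippool".
NAT_ACL_ORIGINAL = ["permit ip any any"]
NAT_ACL_FIXED = [
    "deny ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255",
    "permit ip any any",
]
LAN = ipaddress.ip_network("10.0.0.0/8")
VPN_POOL = ipaddress.ip_network("192.168.192.0/24")


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks (0.255.255.255 -> 255.0.0.0).
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_ace(line):
    """Split an extended ACE into (action, protocol, src_net, dst_net)."""
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    return action, proto, src, dst


def first_match(acl, src_net, dst_net):
    """Action of the first ACE that covers all of src_net -> dst_net, or None."""
    for line in acl:
        action, _proto, src, dst = parse_ace(line)
        if src_net.subnet_of(src) and dst_net.subnet_of(dst):
            return action
    return None


def nat_hides_vpn_return_traffic(nat_acl, lan, pool):
    """True when the NAT ACL would translate LAN -> pool replies before IPsec."""
    return first_match(nat_acl, lan, pool) == "permit"


if __name__ == "__main__":
    for name, acl in (("posted", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        print(name, "NAT ACL hides VPN traffic:", nat_hides_vpn_return_traffic(acl, LAN, VPN_POOL))
```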
-
application forms client side connection problem-oracle 11g Server
I installed Oracle 11g R2 application on a Windows 2008 R2 server, including the WebLogic installation. All installations were successful. But when running the forms URL it prompts for the username and password and the database identification information. The application seems to freeze and we have to refresh and enter the authentication credentials again several times to get the application connected. Please give me a solution for this.
(Java version on the client: 1.6.0.25; client OS: XP/Win7, 32/64-bit versions)
Solutions tried (but which failed to solve the problem):
1. Change the browser and the browser version.
2. Change the Java version.
3. In the forms log it says fatal client-side error...
[2013 09-17 T 10: 53:52.073 - 07:00] [WLS_FORMS] [ERROR] [FRM-91230] [oracle. . forms servlet] [tid: 11] [username: < anonymous >] [ecid: 0000K4h3dF95qYWFLzQLOA1IE4TU00009y, 0] [SRC_CLASS: oracle. . forms servlet. ] [RunformProcess] [APP: formsapp #11. 1.2] [SRC_METHOD: fromFrmwebToODL] fatal to the RUNNING process error: timeout on the connection to the Java client]
Hello, I am writing to inform you all that I found the solution. Anyway, I saw there were some messages saying to change the Java version on the client side, which I did, but it did not work. The solution I found is as explained below.
There are some parameters in Java on your computer to be modified in order to use it.
- Go to the Control Panel.
- Select Java.
- After the Java Control Panel opens, go to the Advanced tab.
- Disable the Java plug-in by unchecking 'Enable the next-generation Java Plug-in...' as shown below.
- Apply the changes and restart the browser.
- The URL will work.
- IE browser is recommended for this.
Post edited by: LasheenMihik
-
Jabber Client several connections problem
Hi all
We have this weird problem where the user is automatically signed out on a regular basis and, on re-login, gets the error "You have been signed out of Cisco Jabber because multiple connections are not allowed."
How can I determine if the user has signed in from more than 1 place?
Try looking in the file under the roaming folder. The file name should be cachetftpconfigstore or jabber-config.xml.