Client VPN connects but cannot ping any hosts

Here is the configuration of a PIX 501, which I want to accept connections from the software VPN clients. I can connect successfully to the PIX using the 5.0.07.0290 VPN client and I can ping the PIX inside address 192.168.5.1, but I can't ping or otherwise connect to any of the hosts behind the PIX. Can someone tell me what I am missing in my setup?

Thanks for your help.

chi-pix# sh conf
: Saved
: Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <redacted> encrypted
passwd <redacted> encrypted
hostname chi-pix
domain-name <redacted>.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list internet-traffic permit ip 192.168.5.0 255.255.255.0 any
access-list allow-ping permit icmp any any
access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.10.11.1-10.10.11.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 access-list internet-traffic 0 0
access-group allow-ping in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set GvnPix-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set GvnPix-set
crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap
crypto map toGvnPix interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup chiclient address-pool ippool
vpngroup chiclient dns-server 192.168.5.1
vpngroup chiclient wins-server 192.168.5.1
vpngroup chiclient default-domain <redacted>.com
vpngroup chiclient split-tunnel 101
vpngroup chiclient idle-time 1800
vpngroup chiclient password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
vpdn group chi request dialout pppoe
vpdn group chi localname net
vpdn group chi ppp authentication pap
vpdn username net password ********
dhcpd address 192.168.5.2-192.168.5.33 inside
dhcpd dns xx
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:
chi-pix#

Your PIX configuration seems correct.

I guess you are trying to access hosts in 192.168.5.0/24, and these hosts' default gateway is the PIX inside interface, 192.168.5.1?

How are you trying to access these internal hosts? If you are trying to ping them, please make sure there is no personal firewall enabled on the hosts, as a personal firewall normally doesn't allow incoming connections from IP addresses in a different subnet.

Tags: Cisco Security

Similar Questions

  • VPN connects but cannot ping or access resources

    I hope this is an easy fix and it's something that I am missing.  I've been looking at this for several hours.

    Scenario:

    I have AnyConnect Essentials, so I use the SSL connection.

    I changed my domain name and external IP in the setup I am posting.

    My VPN connection seems to work very well. In fact, I was able to connect from 3 locations with 3 different external IP addresses.

    Location 1: I get IP address 192.168.30.10, as I should. I can ping 192.168.1.1, but not 192.168.1.6, which is my test resource; the firewall is disabled on 192.168.1.6.

    Location 2: I get an IP of 192.168.30.11, as I should. I was able to ping 192.168.30.10, but could not ping 192.168.1.1 as the site was closed.

    Any help would be appreciated, it's getting late so I hope I gave enough details.  I feel so close but yet so far.

    ciscoasa# sh running
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 22.22.22.246 255.255.255.252
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group icmp-type ALLOWPING
     icmp-object echo
     icmp-object time-exceeded
     icmp-object echo-reply
     icmp-object traceroute
     icmp-object source-quench
     icmp-object unreachable
    access-list 10 extended permit ip any any
    access-list 10 extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 22.22.22.245 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
     network-acl 10
     webvpn
      svc ask none default svc
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable inside
     enable outside
     anyconnect-essentials
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
     svc enable
     tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     default-domain value mondomaine.fr
     address-pools value SSLClientPoolNew
     webvpn
      svc keep-installer installed
      svc rekey time 180
      svc rekey method ssl
      svc modules value vpngina
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol webvpn
    username test password xxxxxxxxxxxxxx encrypted privilege 15
    username ljb1 password xxxxxxxxxxxxxx encrypted
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
     default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
     group-alias SSLVPNClient enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ed683c7f1b86066d1d8c4fff6b08c592
    : end

    Patrick,

    You're missing the NAT exemption. Please add the following and try again:

    access-list sheep extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
    nat (inside) 0 access-list sheep

    Let us know if you still have problems after that.

    Raga

  • Remote access VPN client connects but cannot ping inside hosts after split tunnel is activated (config attached)

    Hello

    I don't know what could be happening: VPN users can ping the outside and inside interfaces of the Cisco ASA but cannot connect to, or ping, servers within the LAN.

    Here is the config; please kindly have a look, I would like to know what might be going on.

    hostname horse
    domain-name evergreen.com
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
     description LAN
     nameif inside
     security-level 100
     ip address 192.168.200.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description CONNECTION_TO_FREEMAN
     nameif outside
     security-level 0
     ip address 196.1.1.1 255.255.255.248
    !
    interface GigabitEthernet0/2
     description CONNECTION_TO_TIGHTMAN
     nameif backup
     security-level 0
     ip address 197.1.1.1 255.255.255.248
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    boot system disk0:/asa844-1-k8.bin
    boot system disk0:/asa707-k8.bin
    ftp mode passive
    clock timezone WAT 1
    dns server-group DefaultDNS
     domain-name green.com
    object network NETWORK_OBJ_192.168.2.0_25
     subnet 192.168.2.0 255.255.255.128
    object network NETWORK_OBJ_192.168.202.0_24
     subnet 192.168.202.0 255.255.255.0
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.200.0 255.255.255.0
     network-object 192.168.202.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object 192.168.200.0 255.255.255.0
     network-object 192.168.202.0 255.255.255.0
    access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any
    access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any
    access-list OUTSIDE_IN extended permit ip any any
    access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
    access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
    access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
    access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backup 1500
    ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645-206.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
    nat (inside,backup) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
    nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,backup) dynamic interface
    access-group INSIDE_OUT in interface inside
    access-group OUTSIDE_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
    route outside 0.0.0.0 0.0.0.0 197.1.1.2 254
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.200.0 255.255.255.0 inside
    http 192.168.202.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 100
     type echo protocol ipIcmpEcho 212.58.244.71 interface outside
     timeout 3000
     frequency 5
    sla monitor schedule 100 life forever start-time now
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map backup_map interface backup
    crypto ikev1 enable outside
    crypto ikev1 enable backup
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    !
    track 10 rtr 100 reachability
    telnet 192.168.200.0 255.255.255.0 inside
    telnet 192.168.202.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.202.0 255.255.255.0 inside
    ssh 192.168.200.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 15
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpntunnel internal
    group-policy vpntunnel attributes
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpntunnel_splitTunnelAcl
     default-domain value green.com
    group-policy vpntunnell internal
    group-policy vpntunnell attributes
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl
     default-domain value green.com
    username green password BoEFKkDtbnX5Uy1Q encrypted privilege 15
    username THE attributes
     vpn-group-policy gbnlvpn
    tunnel-group vpntunnel type remote-access
    tunnel-group vpntunnel general-attributes
     address-pool VPNPOOL
     default-group-policy vpntunnel
    tunnel-group vpntunnel ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group vpntunnell type remote-access
    tunnel-group vpntunnell general-attributes
     address-pool VPNPOOL2
     default-group-policy vpntunnell
    tunnel-group vpntunnell ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

    Hello

    1 - Please run these commands:

    crypto isakmp nat-traversal 30

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

    The main issue here is that you have two floating routes, and outside has a better metric than backup; that's why I added the 'reverse-route' command.

    Please let me know.

    Thank you.
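    To make the reasoning behind the 'set reverse-route' advice concrete, here is an added example (not code from the thread or from Cisco) that models the ASA's route lookup for a reply going back to a VPN client. The model is a simplification and an assumption on my part: longest prefix wins, then the lowest administrative distance, and a route with 'track N' is withdrawn while its track object is down. The two default routes are the ones posted; the answer treats the metric-254 route as the backup interface's route, and so does the example. A reply is only encrypted if the egress interface chosen by the route lookup is the one whose crypto map holds the client's SA, so a client that built its tunnel on 'backup' while the default route points out 'outside' gets no reply until RRI adds a /32 for its assigned address. Client, peer and pool addresses below are constructed for the demonstration.

```python
"""Simplified ASA route lookup for return traffic to a remote-access VPN
client, with and without Reverse Route Injection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str                  # destination, e.g. "0.0.0.0/0"
    interface: str               # egress nameif
    next_hop: str
    distance: int = 1            # trailing metric in 'route ...' (1, 254)
    track: Optional[str] = None  # 'track N' object that must be up


class Rib:
    """Longest prefix wins, then lowest distance; a tracked route is
    withdrawn while its track object is down (assumed model)."""

    def __init__(self, routes: List[Route], tracks_up: Set[str]):
        self.routes = list(routes)
        self.tracks_up = set(tracks_up)

    def add_reverse_route(self, client_ip: str, peer_ip: str, tunnel_iface: str):
        # RRI: host route for the client's assigned address, pointing at the
        # interface on which the IPsec SA was built.
        self.routes.append(Route(f"{client_ip}/32", tunnel_iface, peer_ip, 1))

    def lookup(self, dst: str) -> Optional[Route]:
        d = ip_address(dst)
        live = [r for r in self.routes
                if (r.track is None or r.track in self.tracks_up)
                and d in ip_network(r.prefix)]
        if not live:
            return None
        return max(live, key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance))


def posted_rib(track_up: bool = True) -> Rib:
    """The two default routes from the posted config; the 254 route is taken
    to belong to 'backup', as the answer reads it."""
    return Rib([Route("0.0.0.0/0", "outside", "196.1.1.2", 1, "10"),
                Route("0.0.0.0/0", "backup", "197.1.1.2", 254)],
               tracks_up={"10"} if track_up else set())


def return_path(rib: Rib, client_ip: str, tunnel_iface: str):
    """(egress interface for a reply to client_ip, whether that interface is
    the one holding the client's SA). A mismatch means the crypto map on the
    chosen interface has no SA for the client and the reply is dropped."""
    r = rib.lookup(client_ip)
    egress = r.interface if r else None
    return egress, egress == tunnel_iface


if __name__ == "__main__":
    # Constructed scenario: client assigned 192.168.2.5 from VPNPOOL, public
    # peer address 203.0.113.9 (documentation range), tunnel built on 'backup'.
    rib = posted_rib()
    print("without RRI:", return_path(rib, "192.168.2.5", "backup"))
    rib.add_reverse_route("192.168.2.5", "203.0.113.9", "backup")
    print("with RRI:   ", return_path(rib, "192.168.2.5", "backup"))
```

    Running it shows the reply leaving 'outside' without RRI even though the SA lives on 'backup', and leaving 'backup' once the /32 is injected; a client that connected on 'outside' is unaffected either way, which matches the symptom of the backup path alone being broken.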

  • Cisco IPsec VPN connects but cannot communicate with LAN

    I have a Cisco 1921 running 15.2(4)M3. I set up an IPsec VPN and clients can connect, but they cannot ping anything inside. A look at what could be wrong with my config would be greatly appreciated. I posted the configuration as well as a few IPsec show outputs. I also tried with multiple operating systems using the Cisco VPN client and Shrew Soft. I am able to connect to another IPsec VPN running on a 1921 from both of these computers using a client.

    Thanks for any assistance

    SH run

    !
    AAA new-model
    !
    !
    AAA authentication login radius_auth local radius group
    connection of AAA VPN_AUTHEN group local RADIUS authentication
    AAA authorization network_vpn_author LAN
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    clock timezone PST - 8 0
    clock to summer time recurring PST
    !
    no ip source route
    decline of the IP options
    IP cef
    !
    !
    !
    !
    !
    !
    no ip bootp Server
    no ip domain search
    domain IP XXX.local
    inspect the high IP 3000 max-incomplete
    inspect the low IP 2800 max-incomplete
    IP inspect a low minute 2800
    IP inspect a high minute 3000
    inspect the IP icmp SDM_LOW name
    inspect the IP name SDM_LOW esmtp
    inspect the tcp IP SDM_LOW name
    inspect the IP udp SDM_LOW name
    IP inspect name SDM_LOW ssh
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    Crypto pki trustpoint TP-self-signed-2909270577
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2909270577
    revocation checking no
    rsakeypair TP-self-signed-2909270577
    !
    !
    TP-self-signed-2909270577 crypto pki certificate chain
    certificate self-signed 01
    license udi pid CISCO1921/K9 sn FTX1715818R
    !
    !
    Archives
    The config log
    Enable logging
    size of logging 1000
    notify the contenttype in clear syslog
    the ADMIN_HOSTS object-group network
    71.X.X.X 71.X.X.X range
    !
    name of user name1 secret privilege 15 4 XXXXXXX

    !
    redundancy
    !
    !
    !
    !
    !
    property intellectual ssh time 60
    property intellectual ssh authentication-2 retries
    property intellectual ssh event logging
    property intellectual ssh version 2
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    ISAKMP crypto client configuration group roaming_vpn
    key XXXXX
    DNS 192.168.10.10 10.1.1.1
    XXX.local field
    pool VPN_POOL_1
    ACL client_vpn_traffic
    netmask 255.255.255.0
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    tunnel mode
    !
    !
    !
    crypto dynamic-map VPN_DYNMAP_1 1
    Set the security association idle time 1800
    game of transformation-ESP-3DES-SHA
    market arriere-route
    !
    !
    list of authentication of card crypto SDM_CMAP_1 client VPN_AUTHEN
    map SDM_CMAP_1 isakmp authorization list network_vpn_author crypto
    client configuration address map SDM_CMAP_1 crypto answer
    map SDM_CMAP_1 65535-isakmp dynamic VPN_DYNMAP_1 ipsec crypto
    !
    !
    !
    !
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    Shutdown
    !
    interface GigabitEthernet0/0
    IP 76.W.E.R 255.255.255.248
    IP access-group ATT_Outside_In in
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    NAT outside IP
    inspect the SDM_LOW over IP
    IP virtual-reassembly in
    load-interval 30
    automatic duplex
    automatic speed
    No cdp enable
    No mop enabled
    map SDM_CMAP_1 crypto
    !
    interface GigabitEthernet0/1
    no ip address
    load-interval 30
    automatic duplex
    automatic speed
    !
    interface GigabitEthernet0/1.10
    encapsulation dot1Q 1 native
    IP 192.168.10.1 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    property intellectual accounting-access violations
    IP nat inside
    IP virtual-reassembly in
    !
    interface GigabitEthernet0/1.100
    encapsulation dot1Q 100
    10.1.1.254 IP address 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly in
    !
    interface GigabitEthernet0/1,200
    encapsulation dot1Q 200
    IP 10.1.2.254 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly in
    IP tcp adjust-mss 1452
    !
    local IP VPN_POOL_1 192.168.168.193 pool 192.168.168.254
    IP forward-Protocol ND
    !
    IP http server
    IP http authentication aaa-authentication of connection ADMIN_AUTHEN
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    IP nat inside source map route ATT_NAT_LIST interface GigabitEthernet0/0 overload
    IP nat inside source static tcp 192.168.10.10 25 expandable 25 76.W.E.R
    IP nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extensible
    IP nat inside source static tcp 192.168.10.10 76.W.E.R expandable 443 443
    IP nat inside source static tcp 192.168.10.10 76.W.E.R expandable 987 987
    IP route 0.0.0.0 0.0.0.0 76.W.E.F
    !
    ATT_Outside_In extended IP access list
    permit tcp object-group ADMIN_HOSTS any eq 22
    allow any host 76.W.E.R eq www tcp
    allow any host 76.W.E.R eq 443 tcp
    allow 987 tcp any host 76.W.E.R eq
    allow any host 76.W.E.R eq tcp smtp
    permit any any icmp echo response
    allow icmp a whole
    allow udp any any eq isakmp
    allow an esp
    allow a whole ahp
    permit any any eq non500-isakmp udp
    deny ip 10.0.0.0 0.255.255.255 everything
    deny ip 172.16.0.0 0.15.255.255 all
    deny ip 192.168.0.0 0.0.255.255 everything
    deny ip 127.0.0.0 0.255.255.255 everything
    refuse the ip 255.255.255.255 host everything
    refuse the host ip 0.0.0.0 everything
    NAT_LIST extended IP access list
    IP 10.1.0.0 allow 0.0.255.255 everything
    permit ip 192.168.10.0 0.0.0.255 any
    deny ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
    refuse the 10.1.1.0 ip 0.0.0.255 192.168.168.192 0.0.0.63
    deny ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
    client_vpn_traffic extended IP access list
    permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
    ip licensing 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
    IP 10.1.2.0 allow 0.0.0.255 10.1.1.0 0.0.0.255
    !
    radius of the IP source-interface GigabitEthernet0/1.10
    Logging trap errors
    logging source hostname id
    logging source-interface GigabitEthernet0/1.10
    !
    ATT_NAT_LIST allowed 20 route map
    corresponds to the IP NAT_LIST
    is the interface GigabitEthernet0/0
    !
    !
    SNMP-server community [email protected] / * /! s RO
    Server enable SNMP traps snmp authentication linkdown, linkup warmstart cold start
    Server enable SNMP traps vrrp
    Server SNMP enable transceiver traps all the
    Server enable SNMP traps ds1
    Enable SNMP-Server intercepts the message-send-call failed remote server failure
    Enable SNMP-Server intercepts ATS
    Server enable SNMP traps eigrp
    Server enable SNMP traps ospf-change of State
    Enable SNMP-Server intercepts ospf errors
    SNMP Server enable ospf retransmit traps
    Server enable SNMP traps ospf lsa
    Server enable SNMP traps ospf nssa-trans-changes state cisco-change specific
    SNMP server activate interface specific cisco-ospf traps shamlink state change
    SNMP Server enable neighbor traps cisco-specific ospf to the State shamlink change
    Enable SNMP-Server intercepts specific to cisco ospf errors
    SNMP server activate specific cisco ospf retransmit traps
    Server enable SNMP traps ospf cisco specific lsa
    SNMP server activate license traps
    Server enable SNMP traps envmon
    traps to enable SNMP-Server ethernet cfm cc mep-top low-mep Dispatcher loop config
    Enable SNMP-Server intercepts ethernet cfm overlap missing mep mep-unknown service-up
    Server enable SNMP traps auth framework sec-violation
    Server enable SNMP traps c3g
    entity-sensor threshold traps SNMP-server enable
    Server enable SNMP traps adslline
    Server enable SNMP traps vdsl2line
    Server enable SNMP traps icsudsu
    Server enable SNMP traps ISDN call-information
    Server enable SNMP traps ISDN layer2
    Server enable SNMP traps ISDN chan-not-available
    Server enable SNMP traps ISDN ietf
    Server enable SNMP traps ds0-busyout
    Server enable SNMP traps ds1-loopback
    SNMP-Server enable traps energywise
    Server enable SNMP traps vstack
    SNMP traps enable mac-notification server
    Server enable SNMP traps bgp cbgp2
    Enable SNMP-Server intercepts isis
    Server enable SNMP traps ospfv3-change of State
    Enable SNMP-Server intercepts ospfv3 errors
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps memory bufferpeak
    snmp-server enable traps cnpd
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps entity
    snmp-server enable traps fru-ctrl
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps frame-relay multilink bundle-mismatch
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps nhrp nhs
    snmp-server enable traps nhrp nhc
    snmp-server enable traps nhrp nhp
    snmp-server enable traps nhrp quota-exceeded
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps pppoe
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps waas
    snmp-server enable traps ipsla
    snmp-server enable traps bfd
    snmp-server enable traps gdoi gm-start-registration
    snmp-server enable traps gdoi gm-registration-complete
    snmp-server enable traps gdoi gm-re-register
    snmp-server enable traps gdoi gm-rekey-rcvd
    snmp-server enable traps gdoi gm-rekey-fail
    snmp-server enable traps gdoi ks-rekey-pushed
    snmp-server enable traps gdoi gm-incomplete-cfg
    snmp-server enable traps gdoi ks-no-rsa-keys
    snmp-server enable traps gdoi ks-new-registration
    snmp-server enable traps gdoi ks-reg-complete
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps ethernet cfm alarm
    snmp-server enable traps rf
    snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
    radius-server dead-criteria tries 2
    radius-server host 192.168.10.10
    radius-server timeout 2
    radius-server key XXXXXXX
    !
    !
    !
    control-plane
    !
    !

    line con 0
     privilege level 15
     login authentication radius_auth
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     privilege level 15
     login authentication radius_auth
     transport input ssh
    line vty 5 15
     privilege level 15
     login authentication radius_auth
     transport input ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 192.168.10.10
    ntp server 64.250.229.100
    !
    end

    Router#sh crypto ipsec sa

    interface: GigabitEthernet0/0
        Crypto map tag: SDM_CMAP_1, local addr 76.W.E.R

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.168.213/255.255.255.255/0/0)
       current_peer 75.X.X.X port 2642
         PERMIT, flags={}
        #pkts encaps: 1953, #pkts encrypt: 1953, #pkts digest: 1953
        #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify: 1963
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 76.W.E.R, remote crypto endpt.: 75.X.X.X
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x5D423270(1564619376)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0x2A5177DD(709982173)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2115, flow_id: Onboard VPN:115, sibling_flags 80000040, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4301748/2809)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x5D423270(1564619376)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2116, flow_id: Onboard VPN:116, sibling_flags 80000040, crypto map: SDM_CMAP_1
            sa timing: remaining key lifetime (k/sec): (4301637/2809)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         outbound ah sas:

         outbound pcp sas:

    Router#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    76.W.E.R        75.X.X.X        QM_IDLE           1055 ACTIVE

    IPv6 Crypto ISAKMP SA

    In your nat 0 ACL, you will need to deny your VPN traffic before you permit the subnet at all. Just put all the deny statements before the permit statements.

    Sent from Cisco Technical Support iPhone App

  • Client VPN connects but no internal LAN access or ping

    Hi all.

    I'm new to this forum and am kindly asking for your help because I'm stuck.

    I have a Cisco 877 ADSL router which I configured as an Easy VPN server.
    The Cisco VPN client ver 5.0 now connects successfully to the VPN server, but when I try to access/ping computers on the internal network, there is no response.

    The configuration is below. Please let us know where I went wrong or what I missed.

    Building configuration...

    Current configuration : 4574 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$86dn$J8HrK9kCQ8G9aPAm6xe4o1
    enable password 7 13151601181B54382F
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login internal_affairs_vpn_1 local
    aaa authorization exec default local
    aaa authorization network internal_affairs_vpn_group_1 local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-2122144568
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2122144568
     revocation-check none
     rsakeypair TP-self-signed-2122144568
    !
    !
    crypto pki certificate chain TP-self-signed-2122144568
     certificate self-signed 03
      quit
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool dhcplan
       network 10.0.0.0 255.0.0.0
       dns-server 196.0.50.50 81.199.21.94
       default-router 10.10.10.1
       lease 7
    !
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip name-server 81.199.21.94
    !
    !
    !
    username vpn password 7 095A5E07
    username fred privilege 15 password 7 1411000E08
    username ciscovpn password 7 01100F175804101F2F
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group internal_affairs_vpn
     key *****
     dns 196.0.50.50 81.199.21.94
     pool ippool
     acl 108
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map internal_affairs_DYNMAP_1 10
     set transform-set RIGHT
     reverse-route
    !
    !
    crypto map internal_affairs_CMAP_1 client authentication list internal_affairs_vpn
    crypto map internal_affairs_CMAP_1 isakmp authorization list internal_affairs_vpn_group_1
    crypto map internal_affairs_CMAP_1 client configuration address respond
    crypto map internal_affairs_CMAP_1 10 ipsec-isakmp dynamic internal_affairs_DYNMAP_1
    !
    archive
     log config
      hidekeys
    !
    !
    !
    bridge irb
    !
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
    !
    interface ATM0
     no ip address
     atm vc-per-vp 512
     no atm ilmi-keepalive
     pvc 0/32
      encapsulation aal5snap
      protocol ip inarp
     !
     dsl operating-mode auto
     bridge-group 1
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     description local lan interface
     ip address 10.10.10.1 255.0.0.0
     ip nat inside
     ip virtual-reassembly
    !
    interface BVI1
     description internet interface
     ip address 197.0.4.174 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     crypto map internal_affairs_CMAP_1
    !
    ip local pool ippool 192.168.192.1 192.168.192.200
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 196.0.4.173
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT interface BVI1 overload
    ip nat inside source static tcp 2.2.2.2 23 interface BVI1 23
    !
    ip access-list extended NAT
     permit ip any any
    !
    access-list 108 permit ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
     password 7 0216054818115F3348
     no modem enable
    line aux 0
    line vty 0 4
     password 7 06160E325F59590B01
    !
    scheduler max-task-time 5000
    end

    Since this is a named ACL, you need to enter ACL configuration mode:

    ip access-list extended NAT

    Then make the changes.

    Federico.

  • VPN connection established, but cannot connect to the server?

    The AnyConnect VPN connection is established, but I cannot connect to the server. The server IP is 192.168.0.4.

    Thank you

    ASA Version 8.2(1)
    !
    hostname ciscoasa5505
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.3 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 208.0.0.162 255.255.255.248
    !
    interface Vlan5
     shutdown
     no forward interface Vlan1
     nameif dmz
     security-level 50
     ip address dhcp setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.0.4
     name-server 208.0.0.11
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service TS-780 tcp-udp
     port-object eq 780
    object-group service Graphon tcp-udp
     port-object eq 491
    object-group service Allworx-2088 udp
     port-object eq 2088
    object-group service allworx-15000 udp
     port-object range 15000 15511
    object-group service allworx-2088 udp
     port-object eq 2088
    object-group service allworx-5060 udp
     port-object eq sip
    object-group service allworx-8081 tcp
     port-object eq 8081
    object-group service allworx-web tcp
     port-object eq 8080
    object-group service allworx udp
     port-object range 16001 16010
    object-group service allworx-udp udp
     port-object range 16384 16393
    object-group service remote tcp-udp
     port-object eq 779
    object-group service billing1 tcp-udp
     port-object eq 8080
    object-group service billing-1521 tcp-udp
     port-object eq 1521
    object-group service billing-6233 tcp-udp
     port-object range 6233 6234
    object-group service billing2-3389 tcp-udp
     port-object eq 3389
    object-group service olivia-3389 tcp-udp
     port-object eq 3389
    object-group service olivia-777 tcp-udp
     port-object eq 777
    object-group network netgroup
     network-object host 192.168.0.15
     network-object host 192.168.0.4
    object-group service allworx1 tcp-udp
     description 8080
     port-object eq 8080
    object-group service allworx_15000 udp
     port-object range 15000 15511
    object-group service allworx_16384 udp
     port-object range 16384 16393
    object-group service DM_INLINE_UDP_1 udp
     group-object allworx_16384
     port-object range 16384 16403
    object-group service allworx-5061 udp
     port-object range 5061 5062
    object-group service ananit tcp-udp
     port-object eq 880
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing-6233
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing-1521
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing2-3389
    access-list outside_access_in extended permit tcp any host 208.0.0.164 eq https
    access-list outside_access_in extended permit tcp any host 208.0.0.164 eq www
    access-list outside_access_in extended permit tcp any host 208.0.0.164 eq ftp
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.164 object-group billing1
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 eq domain
    access-list outside_access_in extended permit tcp any host 208.0.0.162 eq www
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group remote
    access-list outside_access_in extended permit tcp any host 208.0.0.162 eq smtp
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group olivia-777
    access-list outside_access_in extended permit udp any host 208.0.0.162 object-group Allworx-2088 inactive
    access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-5060 inactive
    access-list outside_access_in extended permit tcp any host 208.0.0.162 object-group allworx-web inactive
    access-list outside_access_in extended permit tcp any host 208.0.0.162 object-group allworx-8081 inactive
    access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-15000 inactive
    access-list outside_access_in extended permit udp any host 208.0.0.162 object-group DM_INLINE_UDP_1 inactive
    access-list outside_access_in extended permit udp any host 208.0.0.162 object-group allworx-5061 inactive
    access-list outside_access_in extended permit object-group TCPUDP any host 208.0.0.162 object-group ananit inactive
    access-list outside_access_in extended deny ip host 151.1.68.194 host 208.0.0.164
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list Ping extended permit icmp any any echo-reply
    access-list inside_access_in extended permit ip any any
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 1 standard permit 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered notifications
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool remote_pool 192.168.100.30-192.168.100.60 mask 255.255.255.0
    ip local pool remote 192.168.0.20-192.168.0.50 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 192.168.0.0 255.255.255.0
    alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.0.4 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface domain 192.168.0.4 domain netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.0.4 www netmask 255.255.255.255
    static (inside,outside) tcp interface 777 192.168.0.15 777 netmask 255.255.255.255
    static (inside,outside) tcp interface 779 192.168.0.4 779 netmask 255.255.255.255
    static (inside,outside) udp interface domain 192.168.0.4 domain netmask 255.255.255.255
    static (inside,outside) tcp interface 880 192.168.0.16 880 netmask 255.255.255.255
    static (inside,outside) tcp 208.0.0.164 3389 192.168.0.185 3389 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 208.0.0.161 1
    route inside 192.168.50.0 255.255.255.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.0.3 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 108.0.0.97
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 69.0.0.54
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime none
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime none
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface dmz
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.20-192.168.0.50 inside
    dhcpd dns 192.168.0.4 208.0.0.11 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    group-policy anyconnect internal
    group-policy anyconnect attributes
     vpn-tunnel-protocol svc webvpn
     webvpn
      url-list none
      svc ask enable
    username olivia password Zta1M8bCsJst9NAs encrypted
    username graciela password CdnZ0hm9o72q6Ddj encrypted
    tunnel-group 69.0.0.54 type ipsec-l2l
    tunnel-group 69.0.0.54 ipsec-attributes
     pre-shared-key *
    tunnel-group 108.0.0.97 type ipsec-l2l
    tunnel-group 108.0.0.97 ipsec-attributes
     pre-shared-key *
    tunnel-group anyconnect type remote-access
    tunnel-group anyconnect general-attributes
     address-pool remote
     default-group-policy anyconnect
    tunnel-group anyconnect webvpn-attributes
     group-alias anyconnect enable
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global-policy
     class global-class
      inspect icmp
    !
    service-policy global-policy global
    : end
    asdm location 208.0.0.164 255.255.255.255 inside
    asdm location 192.168.0.15 255.255.255.255 inside
    asdm location 192.168.50.0 255.255.255.0 inside
    asdm location 192.168.1.0 255.255.255.0 inside
    no asdm history enable

    Right now your nat 0 (NAT exemption) uses the following access list:

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Return traffic from your server 192.168.0.4 to the VPN pool (192.168.0.20-50) does not match this access list and will therefore be NATted. The TCP connection will not be established because of the Reverse Path Forwarding (RPF) failure - the traffic is asymmetrically NATted.

    So try adding an entry to the access list like:

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

    It's a bit paradoxical but necessary, since your VPN pool is carved out of your inside network space. You could also do as André suggests below and use a separate network, but you would still have to add an access list entry to exempt the traffic from outgoing NAT.
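    The NAT-exemption check described in this answer, as an added example that is not part of the thread: a small Python script that parses only the ASA 8.2 commands involved (`ip local pool`, `access-list ... extended permit ip`, `nat (inside) 0 access-list`, `address-pool`) and reports which addresses of the pool in use are not exempted by the nat 0 ACL; the same `nat (inside) 0 access-list` mechanism applies to the PIX 6.3 thread at the top of the page. The config excerpt inside it is constructed to mirror the one posted above, and the suggested fix it produces uses the smallest single network covering the pool rather than the whole /24 used in the answer.

```python
"""Check that an ASA 8.2 / PIX remote-access VPN pool is covered by the nat 0 ACL.

Added example, not from the thread. Only 'permit ip SRC MASK DST MASK' ACL
entries are understood; entries using any/host/object-group are skipped.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed excerpt modelled on the ASA 5505 config posted above; not the real config.
ASA_CONFIG = """\
ip local pool remote_pool 192.168.100.30-192.168.100.60 mask 255.255.255.0
ip local pool remote 192.168.0.20-192.168.0.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
tunnel-group anyconnect general-attributes
 address-pool remote
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ADDR_POOL_RE = re.compile(r"^address-pool (\S+)")


def _lines(cfg: str) -> List[str]:
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def parse_pools(cfg: str) -> Dict[str, Tuple[Addr, Addr]]:
    """Pool name -> (first, last) address, from 'ip local pool' lines."""
    pools: Dict[str, Tuple[Addr, Addr]] = {}
    for ln in _lines(cfg):
        m = POOL_RE.match(ln)
        if m:
            pools[m.group(1)] = (Addr(m.group(2)), Addr(m.group(3)))
    return pools


def referenced_pools(cfg: str) -> List[str]:
    """Pools actually handed out by a tunnel-group ('address-pool NAME')."""
    return [m.group(1) for m in map(ADDR_POOL_RE.match, _lines(cfg)) if m]


def nat0_acl(cfg: str, interface: str) -> str:
    """Name of the ACL bound by 'nat (interface) 0 access-list', or '' if none."""
    for ln in _lines(cfg):
        m = NAT0_RE.match(ln)
        if m and m.group(1) == interface:
            return m.group(2)
    return ""


def acl_entries(cfg: str, name: str) -> List[Tuple[Net, Net]]:
    """(source, destination) networks from the 'permit ip' entries of ACL `name`."""
    entries = []
    for ln in _lines(cfg):
        m = ACL_RE.match(ln)
        if m and m.group(1) == name:
            entries.append((Net(f"{m.group(2)}/{m.group(3)}", strict=False),
                            Net(f"{m.group(4)}/{m.group(5)}", strict=False)))
    return entries


def unexempted_pools(cfg: str, inside_net: str, interface: str = "inside") -> Dict[str, List[str]]:
    """{pool_name: [pool subnets with no exemption]} for the pools in use.

    Empty result: inside -> every client address bypasses nat 1 / global PAT,
    so return traffic to VPN clients is not translated (the fix discussed above).
    """
    inside = Net(inside_net)
    entries = acl_entries(cfg, nat0_acl(cfg, interface))
    pools = parse_pools(cfg)
    report: Dict[str, List[str]] = {}
    for name in referenced_pools(cfg) or list(pools):
        first, last = pools[name]
        missing = [str(sub) for sub in ipaddress.summarize_address_range(first, last)
                   if not any(inside.subnet_of(src) and sub.subnet_of(dst)
                              for src, dst in entries)]
        if missing:
            report[name] = missing
    return report


def exemption_line(cfg: str, pool_name: str, inside_net: str, interface: str = "inside") -> str:
    """nat 0 ACL entry exempting inside -> pool, using the smallest network covering the pool."""
    first, last = parse_pools(cfg)[pool_name]
    covering = Net(f"{first}/32")
    while last not in covering:          # widen until the whole range fits
        covering = covering.supernet()
    inside = Net(inside_net)
    acl = nat0_acl(cfg, interface) or "inside_nat0_outbound"
    return (f"access-list {acl} extended permit ip {inside.network_address} {inside.netmask} "
            f"{covering.network_address} {covering.netmask}")
```

    Running `unexempted_pools(ASA_CONFIG, "192.168.0.0/24")` on the constructed excerpt flags the `remote` pool; appending the line from `exemption_line` to the config clears the report.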

  • Client VPN connects but no IP traffic is passed...

    I have a user in a hotel; his laptop worked fine on remote connections previously. He gets the lock when it connects, but no IP traffic is passed. If he pings he gets "host unreachable". I think he's behind the hotel's firewall, but is there anything else I can check to confirm? I was going to make the new client available for download (internet access works fine); he is running version 4.7. I also tested his connection on a test profile box and it worked fine.

    Um... so it is able to authenticate, so I don't think he could be blocked... double check that you have NAT traversal enabled on your PIX...

    isakmp nat-traversal 20

    I hope that helps... Rate if it does!

  • Urgent! Remote access VPN user connects but cannot access the remote LAN (ping, folders, ...)

    Hello

    I am setting up a remote access VPN on a Cisco ASA 5510 version 8.4(4)1.

    When I try to connect via the Cisco VPN client software, I am able to connect however I am unable to access network resources.

    However, I can ping the servers in the other site that is connected through the VPN site-to site to the main site!

    VPN client --> main site (ping times out) --> site connected to the main site with S2S VPN (ping successful)

    Please help me I need to find a solution as soon as POSSIBLE!

    Thank you in advance.

    Hello

    Please remove the NAT exemption and re-issue the command with 1, so that it places the NAT as the first line:

    no nat (SERVERS,outside) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    nat (SERVERS,outside) 1 source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    After re-configuring it this way, make sure that this command is also present:

    sysopt connection permit-vpn

    This sysopt will allow the traffic regardless of any ACL drop, just in case. Please also run a packet-tracer and post it here:

    packet-tracer input SERVERS icmp XXXXXX 8 0 YYYYY detailed

    XXXX --> server IP

    YYYYY --> VPN IP of the user

    Don't forget to do the two steps and, just in case, a capture. Please rate and mark the useful message as correct!

    Thank you

    David Castro,

  • ASA 5505 IPSEC VPN connected but cannot access the local network

    ASA: 8.2.5

    ASDM: 6.4.5

    LAN: 10.1.0.0/22

    Pool VPN: 172.16.10.0/24

    Hi, we purchased a new ASA 5505 and are trying to configure IPSEC VPN via ASDM; I simply ran the wizards, set up vpnpool, split tunnelling, etc.

    I can connect to the ASA using the Cisco VPN client and the internet works fine on the local PC, but it cannot access the local network (cannot ping, cannot remote desktop). I tried the same thing on our production ASA (which has both remote VPN and site-to-site VPN working), and the new profile I created there worked very well.

    Here is my setup; did I set up anything wrong?

    ASA Version 8.2 (5)

    !

    hostname asatest

    domain XXX.com

    activate 8Fw1QFqthX2n4uD3 encrypted password

    g9NiG6oUPjkYrHNt encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 10.1.1.253 255.255.252.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    address IP XXX.XXX.XXX.XXX 255.255.255.240

    !

    passive FTP mode

    clock timezone PST - 8

    clock summer-time recurring PDT

    DNS server-group DefaultDNS

    domain vff.com

    vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

    access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

    pager lines 24

    Enable logging

    timestamp of the record

    logging trap warnings

    asdm of logging of information

    logging - the id of the device hostname

    host of logging inside the 10.1.1.230

    Within 1500 MTU

    Outside 1500 MTU

    IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA-server protocol nt AD

    AAA-server host 10.1.1.108 AD (inside)

    NT-auth-domain controller 10.1.1.108

    Enable http server

    http 10.1.0.0 255.255.252.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 10.1.0.0 255.255.252.0 inside

    SSH timeout 20

    Console timeout 0

    dhcpd outside auto_config

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal group vpntest strategy

    Group vpntest policy attributes

    value of 10.1.1.108 WINS server

    Server DNS 10.1.1.108 value

    Protocol-tunnel-VPN IPSec l2tp ipsec

    disable the password-storage

    disable the IP-comp

    Re-xauth disable

    disable the PFS

    IPSec-udp disable

    IPSec-udp-port 10000

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list vpntest_splitTunnelAcl

    value by default-domain XXX.com

    disable the split-tunnel-all dns

    Dungeon-client-config backup servers

    the address value vpnpool pools

    admin WeiepwREwT66BhE9 encrypted privilege 15 password username

    username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

    the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

    tunnel-group vpntest type remote access

    tunnel-group vpntest General attributes

    address vpnpool pool

    authentication-server-group AD

    authentication-server-group (inside) AD

    Group Policy - by default-vpntest

    band-Kingdom

    vpntest group tunnel ipsec-attributes

    pre-shared-key BEKey123456

    NOCHECK Peer-id-validate

    !

    !

    privilege cmd level 3 mode exec command perfmon

    privilege cmd level 3 mode exec command ping

    privilege cmd level 3 mode exec command who

    privilege cmd level 3 mode exec command logging

    privilege cmd level 3 mode exec command failover

    privilege cmd level 3 mode exec command packet-tracer

    privilege show level 5 mode exec command import

    privilege show level 5 mode exec command running-config

    privilege show level 3 mode exec command reload

    privilege show level 3 mode exec command mode

    privilege show level 3 mode exec command firewall

    privilege show level 3 mode exec command asp

    privilege show level 3 mode exec command cpu

    privilege show level 3 mode exec command interface

    privilege show level 3 mode exec command clock

    privilege show level 3 mode exec command dns-hosts

    privilege show level 3 mode exec command access-list

    privilege show level 3 mode exec command logging

    privilege show level 3 mode exec command vlan

    privilege show level 3 mode exec command ip

    privilege show level 3 mode exec command ipv6

    privilege show level 3 mode exec command failover

    privilege show level 3 mode exec command asdm

    privilege show level 3 mode exec command arp

    privilege show level 3 mode exec command route

    privilege show level 3 mode exec command ospf

    privilege show level 3 mode exec command aaa-server

    privilege show level 3 mode exec command aaa

    privilege show level 3 mode exec command eigrp

    privilege show level 3 mode exec command crypto

    privilege show level 3 mode exec command vpn-sessiondb

    privilege show level 3 mode exec command ssh

    privilege show level 3 mode exec command dhcpd

    privilege show level 3 mode exec command vpnclient

    privilege show level 3 mode exec command vpn

    privilege show level 3 mode exec command blocks

    privilege show level 3 mode exec command wccp

    privilege show level 3 mode exec command dynamic-filter

    privilege show level 3 mode exec command webvpn

    privilege show level 3 mode exec command module

    privilege show level 3 mode exec command uauth

    privilege show level 3 mode exec command compression

    privilege show level 3 mode configure command interface

    privilege show level 3 mode configure command clock

    privilege show level 3 mode configure command access-list

    privilege show level 3 mode configure command logging

    privilege show level 3 mode configure command ip

    privilege show level 3 mode configure command failover

    privilege show level 5 mode configure command asdm

    privilege show level 3 mode configure command arp

    privilege show level 3 mode configure command route

    privilege show level 3 mode configure command aaa-server

    privilege show level 3 mode configure command aaa

    privilege show level 3 mode configure command crypto

    privilege show level 3 mode configure command ssh

    privilege show level 3 mode configure command dhcpd

    privilege show level 5 mode configure command privilege

    privilege clear level 3 mode exec command dns-host

    privilege clear level 3 mode exec command logging

    privilege clear level 3 mode exec command arp

    privilege clear level 3 mode exec command aaa-server

    privilege clear level 3 mode exec command crypto

    privilege clear level 3 mode exec command dynamic-filter

    privilege cmd level 3 mode configure command failover

    privilege clear level 3 mode configure command logging

    privilege clear level 3 mode configure command arp

    privilege clear level 3 mode configure command crypto

    privilege clear level 3 mode configure command aaa-server

    prompt hostname context

    no call-home reporting anonymous

    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

    : end

    In captures we can see packets going from the pool to the internal LAN, but we do not see the reply packets coming back.

    The routing must be such that packets for 172.16.10.0/24 reach the inside interface of the ASA.

    On the client machines or on your internal LAN switch, you need to add a route for 172.16.10.0/24 pointing to the inside interface of the ASA.

  • VPN upward, but cannot ping through

    Hello

    I have a problem where two sites are trying to connect. The first location has a Cisco 861 and a UC500 for the phone system. The second location uses a UC520 for phones and as the router. Here are the configurations of the 861 and the UC520. Any help would be greatly appreciated!

    Cisco 861

    Current configuration: 7635 bytes

    !

    version 15.0

    no service pad

    service timestamps debug datetime msec

    service timestamps log datetime msec

    service password-encryption

    !

    !

    boot-start-marker

    boot-end-marker

    !

    logging buffered 51200 warnings

    !

    no aaa new-model

    memory-size iomem 10

    clock timezone PCTime -5

    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

    !

    crypto pki trustpoint TP-self-signed-1477458744

    enrollment selfsigned

    subject-name cn=IOS-Self-Signed-Certificate-1477458744

    revocation-check none

    rsakeypair TP-self-signed-1477458744

    !

    !

    crypto pki certificate chain TP-self-signed-1477458744

    quit

    ip source-route

    !

    !

    !

    !

    ip cef

    no ip domain lookup

    ip domain name

    ip name-server 8.8.8.8

    ip name-server 8.8.4.4

    !

    !

    license udi pid CISCO861-K9 sn fff

    !

    !

    username admin

    !

    !

    !

    !

    crypto isakmp policy 1

    encr 3des

    hash md5

    authentication pre-share

    group 2

    crypto isakmp key xxx address 2.2.2.140 no-xauth

    !

    !

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto ipsec transform-set TS esp-3des esp-md5-hmac

    !

    crypto ipsec profile SDM_Profile1

    set transform-set ESP-3DES-SHA

    !

    !

    crypto map MYmap 1 ipsec-isakmp

    set peer 1.1.1.140

    set transform-set ESP-3DES-SHA

    match address SDM_1

    !

    !

    !

    !

    !

    interface FastEthernet0

    !

    interface FastEthernet1

    !

    interface FastEthernet2

    !

    interface FastEthernet3

    !

    interface FastEthernet4

    ip address 1.1.1.130 255.255.255.240

    ip verify unicast reverse-path

    ip nat outside

    ip virtual-reassembly

    duplex full

    speed auto

    crypto map MYmap

    !

    interface Vlan1

    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

    ip address 10.1.1.1 255.255.255.0

    ip nat inside

    ip virtual-reassembly

    ip tcp adjust-mss 1452

    !

    ip forward-protocol nd

    ip http server

    ip http access-class 23

    ip http authentication local

    ip http secure-server

    ip http timeout-policy idle 60 life 86400 requests 10000

    !

    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

    ip nat inside source static tcp 10.1.1.23 80 1.1.1.133 80 extendable

    ip nat inside source static 10.1.1.23 1.1.1.133

    1

    ip route 0.0.0.0 0.0.0.0 1.1.1.129

    !

    ip access-list extended SDM_1

    remark CCP_ACL Category=20

    permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

    permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255

    permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255

    permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255

    permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255

    permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

    permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255

    permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255

    remark IPSec Rule

    ip access-list extended VPN-TRAFFIC

    remark CCP_ACL Category=16

    permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

    permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

    !

    access-list 1 remark CCP_ACL Category=16

    access-list 1 permit 0.0.0.0 255.255.255.0

    access-list 1 permit any

    access-list 23 permit 10.1.1.0 0.0.0.255

    access-list 23 permit any

    access-list 100 remark CCP_ACL Category=2

    access-list 100 remark IPSec Rule

    access-list 100 deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

    access-list 100 permit ip any any

    access-list 100 permit ip 0.0.0.0 255.255.255.0 any

    access-list 100 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255

    access-list 100 deny ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255

    access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 100 deny ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 100 deny ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255

    access-list 100 deny ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255

    access-list 100 deny ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255

    access-list 101 remark CCP_ACL Category=4

    access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255

    access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255

    access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255

    access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 101 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255

    access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255

    access-list 101 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255

    no cdp run

    route-map SDM_RMAP_1 permit 1

    match ip address 100

    !

    !

    control-plane

    !

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    Cisco UC520

    crypto isakmp policy 1

    encr 3des

    hash md5

    authentication pre-share

    group 2

    crypto isakmp key Panasonic address 1.1.1.130 no-xauth

    !

    crypto isakmp client configuration group EZVPN_GROUP_1

    key 8888

    dns 64.132.94.250 216.136.95.1

    pool SDM_POOL_1

    acl 105

    save-password

    max-users 10

    crypto isakmp profile sdm-ike-profile-1

    match identity group EZVPN_GROUP_1

    client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1

    isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1

    client configuration address respond

    virtual-template 1

    !

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    !

    crypto ipsec profile SDM_Profile1

    set transform-set ESP-3DES-SHA

    set isakmp-profile sdm-ike-profile-1

    !

    !

    crypto map MYmap 1 ipsec-isakmp

    set peer 1.1.1.130

    set transform-set ESP-3DES-SHA

    match address 100

    !

    archive

    log config

    logging enable

    logging size 600

    hidekeys

    !

    !

    ip telnet source-interface BVI100

    ip tftp source-interface Loopback0

    !

    class-map match-any sdm_p2p_kazaa

    match protocol fasttrack

    match protocol kazaa2

    class-map match-any sdm_p2p_edonkey

    match protocol edonkey

    class-map match-any sdm_p2p_gnutella

    match protocol gnutella

    class-map match-any sdm_p2p_bittorrent

    match protocol bittorrent

    !

    bridge irb

    !

    interface Loopback0

    ip address 10.1.10.2 255.255.255.252

    ip nat inside

    ip virtual-reassembly

    !

    interface FastEthernet0/0

    ip address 2.2.2.140 255.255.255.0

    ip nat outside

    ip virtual-reassembly

    speed 100

    duplex full

    crypto map MYmap

    !

    interface Integrated-Service-Engine0/0

    description cue is initialized with default IMAP group

    ip unnumbered BVI100

    ip nat inside

    ip virtual-reassembly

    service-module ip address 172.16.6.2 255.255.255.0

    service-module ip default-gateway 172.16.6.1

    !

    interface Virtual-Template1 type tunnel

    ip unnumbered BVI1

    tunnel mode ipsec ipv4

    tunnel protection ipsec profile SDM_Profile1

    !

    interface Vlan1

    no ip address

    ip nat inside

    ip virtual-reassembly

    bridge-group 1

    !

    interface Vlan100

    no ip address

    ip nat inside

    ip virtual-reassembly

    bridge-group 100

    !

    interface BVI1

    ip address 10.0.0.250 255.255.255.0

    ip helper-address 10.0.0.6

    ip nat inside

    ip virtual-reassembly

    !

    interface BVI100

    ip address 172.16.6.1 255.255.255.0

    ip nat inside

    ip virtual-reassembly

    h323-gateway voip interface

    h323-gateway voip bind srcaddr 172.16.6.1

    !

    ip local pool SDM_POOL_1 192.168.2.10 192.168.2.19

    ip forward-protocol nd

    ip route 0.0.0.0 0.0.0.0 2.2.2.1

    ip route 172.16.6.2 255.255.255.255 Integrated-Service-Engine0/0

    !

    ip http server

    ip http authentication local

    ip http secure-server

    ip http path flash:/gui

    ip nat inside source list INSIDE_NAT interface FastEthernet0/0 overload

    ip nat inside source static tcp 10.0.0.7 80 2.2.2.142 80 extendable

    !

    ip access-list extended INSIDE_NAT

    deny ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255

    deny ip any 10.1.1.0 0.0.0.255

    deny ip any 192.168.3.0 0.0.0.255

    deny ip any 172.16.4.0 0.0.0.255

    deny ip 10.1.10.0 0.0.0.255 192.168.2.0 0.0.0.255

    deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255

    deny ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255

    permit ip 10.1.10.0 0.0.0.255 any

    permit ip 10.0.0.0 0.0.0.255 any

    permit ip 172.16.6.0 0.0.0.255 any

    ip access-list extended NAT_CUSTOMERS

    permit tcp any host 2.2.2.140 eq 4550

    !

    access-list 100 permit ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255

    access-list 100 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255

    access-list 100 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255

    access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255

    access-list 100 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

    access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

    access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255

    access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255

    access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255

    access-list 105 permit ip 172.16.4.0 0.0.0.255 any

    access-list 105 permit ip 10.1.1.0 0.0.0.255 any

    access-list 105 permit ip 192.168.3.0 0.0.0.255 any

    access-list 105 remark SDM_ACL Category=4

    access-list 105 permit ip 10.1.10.0 0.0.0.3 any

    access-list 105 permit ip 10.0.0.0 0.0.0.255 any

    access-list 105 permit ip 172.16.6.0 0.0.0.255 any

    snmp-server community public RO

    Hi, Marshal.

    Good news, I give you 5 stars

    Please mark this question as answered.

    Good day.

  • VPN client connected but no ping nor access to private network

    Hello

    I have an 1802w installed, with a VPN client that can connect to the router and an L2L connection, which works very well.

    On the router, I see that the client is connected, but no traffic passes. In sh crypto ipsec sa, I see that traffic is decrypted, but no packets are encrypted.

    Can someone point me in the right direction? I have the configs and debugs attached. Thanks in advance for the help.

    Erich

    Erich,

    Looking at your configuration, two things:

    1. Is this the current running configuration? I see your L2L tunnel is configured with match address 101, but I don't see an ACL 101 set on the router.

    2. Your split tunnel must be reconfigured, meaning the source and destination must be swapped.

    ip access-list extended SplitList

    permit ip 192.168.2.0 0.0.0.255 192.168.111.0 0.0.0.255

    Split Tunneling

    http://www.Cisco.com/en/us/Tech/tk59/technologies_configuration_example09186a00800a393b.shtml#Con4

    Also, for the IP address pool you assign to clients, ensure that it is not part of a LAN on your side. If it is, you can run into routing problems.

    Kind regards

    Arul

    * Please rate all useful posts *

  • Remote VPN cannot ping any host on remote site

    Hi all!

    I tried to deploy remote-access VPN on my ASA 5515-X. My VPN client connects properly, but I can't ping any host on the remote network.

    Here is my configuration:

    ASA Version 8.6(1)2

    !

    names

    !

    interface GigabitEthernet0/0

    nameif inside

    security-level 100

    ip address 192.168.10.252 255.255.255.0

    !

    interface GigabitEthernet0/1

    nameif outside

    security-level 0

    ip address x.x.x.x 255.255.255.252

    !

    interface GigabitEthernet0/2

    description DMZ

    nameif dmz

    security-level 50

    ip address 192.168.20.252 255.255.255.0

    !

    interface GigabitEthernet0/3

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface GigabitEthernet0/4

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface GigabitEthernet0/5

    no nameif

    no security-level

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    ip address 192.168.2.40 255.255.255.0

    management-only

    !

    boot system disk0:/asa861-2-smp-k8.bin

    ftp mode passive

    same-security-traffic permit inter-interface

    same-security-traffic permit intra-interface

    object network inside-subnet

    subnet 192.168.10.0 255.255.255.0

    object network dmz-subnet

    subnet 192.168.20.0 255.255.255.0

    access-list split_tunnel remark LAN_VLAN_10

    access-list split_tunnel standard permit 192.168.10.0 255.255.255.0

    pager lines 24

    logging enable

    logging asdm informational

    mtu inside 1500

    mtu outside 1500

    mtu management 1500

    mtu dmz 1500

    ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0

    no failover

    icmp unreachable rate-limit 1 burst-size 1

    icmp permit any inside

    asdm image disk0:/asdm-714.bin

    no asdm history enable

    arp timeout 14400

    !

    object network inside-subnet

    nat (inside,outside) dynamic interface

    object network dmz-subnet

    nat (dmz,outside) dynamic interface

    route outside 0.0.0.0 0.0.0.0 93.174.55.181 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    timeout floating-conn 0:00:00

    dynamic-access-policy-record DfltAccessPolicy

    user-identity default-domain LOCAL

    aaa authentication telnet console LOCAL

    aaa authentication ssh console LOCAL

    http server enable

    http 192.168.0.0 255.255.0.0 management

    http 192.168.10.0 255.255.255.0 inside

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec ikev1 transform-set firstset esp-des esp-md5-hmac

    crypto dynamic-map dyn1 1 set ikev1 transform-set firstset

    crypto map mymap 1 ipsec-isakmp dynamic dyn1

    crypto map mymap interface outside

    crypto ikev1 enable outside

    crypto ikev1 policy 1

    authentication pre-share

    encryption des

    hash md5

    group 2

    lifetime 43200

    telnet 0.0.0.0 0.0.0.0 inside

    telnet 0.0.0.0 0.0.0.0 management

    telnet timeout 5

    ssh 0.0.0.0 0.0.0.0 management

    ssh timeout 5

    console timeout 0

    dhcp-client client-id interface outside

    threat-detection basic-threat

    threat-detection statistics access-list

    no threat-detection statistics tcp-intercept

    webvpn

    group-policy testgroup internal

    group-policy testgroup attributes

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value split_tunnel

    username user1 password fvosA8L1anfyxTw3 encrypted

    tunnel-group testgroup type remote-access

    tunnel-group testgroup general-attributes

    address-pool testpool

    default-group-policy testgroup

    tunnel-group testgroup ipsec-attributes

    ikev1 pre-shared-key *****

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum client auto

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    inspect ip-options

    !

    service-policy global_policy global

    What's wrong?

    TNX!

    Hello

    I would change the current VPN pool to something that does not overlap with the LAN.

    You're also missing NAT0 for the VPN client connection, which is most likely your problem.

    You can try these changes:

    ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

    tunnel-group testgroup general-attributes

    no address-pool testpool

    address-pool VPN-POOL

    no ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0

    object network LAN

    subnet 192.168.10.0 255.255.255.0

    object network VPN-POOL

    subnet 192.168.100.0 255.255.255.0

    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

    You could also change your encryption settings to something other than DES. You can use AES.

    Hope this helps

    Let us know if this helped.

    Don't forget to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni
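    The three checks the replies in this thread keep coming back to (Jouni's pool overlapping the LAN and missing NAT0, Arul's split-tunnel ACL with the client pool as source or an ACL that is referenced but never defined) can be run mechanically over a saved running config. This is an added example, not code from the thread or from Cisco; it understands only the PIX 6.x and ASA 8.3+ line shapes listed in its regexes, and the sample configs are constructed from the ASA 5515-X case above.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Line shapes understood (an assumption of this script): PIX 6.x and ASA 8.3+ syntax only.
RE_IFACE = re.compile(r"^\s*ip address (?:\S+ )?(\d[\d.]+) (\d[\d.]+)")
RE_POOL = re.compile(r"^\s*ip local pool (\S+) (\d[\d.]+)\s*-\s*(\d[\d.]+)")
RE_OBJ = re.compile(r"^\s*object network (\S+)")
RE_SUBNET = re.compile(r"^\s*subnet (\d[\d.]+) (\d[\d.]+)")
RE_ACL = re.compile(r"^\s*access-list (\S+) (?:extended |standard )?permit (?:ip )?"
                    r"(\d[\d.]+) (\d[\d.]+)(?: (\d[\d.]+) (\d[\d.]+))?")
RE_NAT0 = re.compile(r"^\s*nat \(\S+\) 0 access-list (\S+)")
RE_NAT83 = re.compile(r"^\s*nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
RE_SPLIT = re.compile(r"^\s*(?:split-tunnel-network-list value|vpngroup \S+ split-tunnel) (\S+)")

def net(addr, mask):
    return IPv4Network(f"{addr}/{mask}", strict=False)  # strict=False drops the host bits

def pool_overlaps(pool, network):  # pool is a (lo, hi) address range, network an IPv4Network
    return pool[0] <= network.broadcast_address and pool[1] >= network.network_address

def parse_config(text):
    cfg = {"ifaces": [], "pools": {}, "objects": {}, "acls": {}, "exempt": [], "split": []}
    obj = None
    for line in text.splitlines():
        if m := RE_IFACE.match(line):
            cfg["ifaces"].append(net(m[1], m[2]))
        elif m := RE_POOL.match(line):
            cfg["pools"][m[1]] = (IPv4Address(m[2]), IPv4Address(m[3]))
        elif m := RE_OBJ.match(line):
            obj = m[1]
        elif (m := RE_SUBNET.match(line)) and obj:
            cfg["objects"][obj] = net(m[1], m[2])
        elif m := RE_ACL.match(line):  # standard ACL entries carry a source only
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5]) if m[4] else None))
        elif m := RE_NAT0.match(line):  # PIX 6.x exemption: nat (inside) 0 access-list X
            cfg["exempt"].append(("acl", m[1]))
        elif m := RE_NAT83.match(line):  # ASA 8.3+: identity NAT on both sides is an exemption
            if m[1] == m[2] and m[3] == m[4]:
                cfg["exempt"].append(("objects", m[1], m[3]))
        elif m := RE_SPLIT.match(line):
            cfg["split"].append(m[1])
    return cfg

def check_pool_overlap(cfg):
    """Jouni's point: a pool carved out of an interface subnet breaks routing back to clients."""
    return [f"pool {n} ({lo}-{hi}) overlaps interface subnet {i}"
            for n, (lo, hi) in cfg["pools"].items() for i in cfg["ifaces"] if pool_overlaps((lo, hi), i)]

def check_nat_exemption(cfg):
    """Jouni's point: without NAT0 the LAN's replies to the pool are translated, not tunnelled."""
    pairs = []  # (lan, remote) network pairs exempted from NAT, from either syntax
    for ex in cfg["exempt"]:
        if ex[0] == "acl":
            pairs += [(s, d) for s, d in cfg["acls"].get(ex[1], []) if d is not None]
        elif ex[1] in cfg["objects"] and ex[2] in cfg["objects"]:
            pairs.append((cfg["objects"][ex[1]], cfg["objects"][ex[2]]))
    return [f"no NAT exemption between an interface subnet and pool {n}" for n, p in cfg["pools"].items()
            if not any(pool_overlaps(p, r) and any(l.overlaps(i) for i in cfg["ifaces"]) for l, r in pairs)]

def check_split_tunnel(cfg, acl):
    """Arul's point: the protected LAN, not the client pool, is the source of a split-tunnel ACL."""
    if acl not in cfg["acls"]:
        return [f"split-tunnel ACL {acl} is referenced but not defined"]
    return [f"split-tunnel ACL {acl}: entry {s} -> {d} uses the client pool as source"
            for s, d in cfg["acls"][acl] if any(pool_overlaps(p, s) for p in cfg["pools"].values())]

def audit(text):
    cfg = parse_config(text)
    findings = check_pool_overlap(cfg) + check_nat_exemption(cfg)
    for acl in cfg["split"]:
        findings += check_split_tunnel(cfg, acl)
    return findings

# Constructed samples modelled on the ASA 5515-X thread above, not the poster's full config.
BROKEN = """\
 ip address 192.168.10.252 255.255.255.0
access-list split_tunnel extended permit ip 192.168.10.240 255.255.255.240 192.168.10.0 255.255.255.0
ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0
 split-tunnel-network-list value split_tunnel
"""
FIXED = """\
 ip address 192.168.10.252 255.255.255.0
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 192.168.10.0 255.255.255.0
ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
 split-tunnel-network-list value split_tunnel
"""
```

    `audit(BROKEN)` returns one finding per check, while `audit(FIXED)` (Jouni's corrected pool and identity NAT) returns none; the same `nat (inside) 0 access-list` form the PIX configs in this thread use is recognised as an exemption too.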

  • VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

    I tried to set up a simple client VPN using this document

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

    VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

    PIX Version 6.3(5)

    interface ethernet0 auto

    interface ethernet1 auto

    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    enable password VmHKIhnF4Gs5AWk3 encrypted

    passwd VmHKIhnF4Gs5AWk3 encrypted

    hostname VOIPLABPIX

    domain-name voicelab.com

    fixup protocol dns maximum-length 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol ils 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol skinny 2000

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names

    access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

    pager lines 24

    mtu outside 1500

    mtu inside 1500

    ip address outside 208.x.x.11 255.255.255.0

    ip address inside 172.10.2.2 255.255.255.0

    ip audit info action alarm

    ip audit attack action alarm

    ip local pool voicelabpool 172.10.3.100-172.10.3.254

    pdm history enable

    arp timeout 14400

    nat (inside) 0 access-list 102

    route outside 0.0.0.0 0.0.0.0 208.x.x.11 1

    route inside 172.10.1.0 255.255.255.0 172.10.2.1 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

    timeout sip-disconnect 0:02:00 sip-invite 0:03:00

    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+

    aaa-server TACACS+ max-failed-attempts 3

    aaa-server TACACS+ deadtime 10

    aaa-server RADIUS protocol radius

    aaa-server RADIUS max-failed-attempts 3

    aaa-server RADIUS deadtime 10

    aaa-server LOCAL protocol local

    http server enable

    http 172.0.0.0 255.0.0.0 inside

    http 0.0.0.0 0.0.0.0 inside

    no snmp-server location

    no snmp-server contact

    snmp-server community public

    no snmp-server enable traps

    floodguard enable

    sysopt connection permit-ipsec

    crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

    crypto dynamic-map map2 10 set transform-set trmset1

    crypto map map1 10 ipsec-isakmp dynamic map2

    crypto map map1 client authentication LOCAL

    crypto map map1 interface outside

    isakmp enable outside

    isakmp identity address

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption aes-256

    isakmp policy 10 hash sha

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    vpngroup cuclab address-pool voicelabpool

    vpngroup cuclab dns-server 204.x.x.10

    vpngroup cuclab default-domain voicelab.com

    vpngroup cuclab split-tunnel 101

    vpngroup cuclab idle-time 1800

    vpngroup cuclab password ********

    telnet timeout 5

    ssh 208.x.x.11 255.255.255.255 outside

    ssh 0.0.0.0 0.0.0.0 outside

    ssh 172.10.1.2 255.255.255.255 inside

    ssh timeout 60

    console timeout 0

    username labadmin password jNEF0yoDIDCsaoVQ encrypted privilege 2

    terminal width 80

    Cryptochecksum:b03a349e1ac9e6022432523bbb54504b

    : end

    Try turning on NAT-T:

    PIX(config)# isakmp nat-traversal 20

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

    HTH

  • Cisco VPN client connects but cannot access the internal network

    Hi all

    I have a VPN configured on a Cisco 5540. My VPN was working fine, but suddenly there is an issue where the Cisco VPN client connects but cannot access the internal network.

    Any help would be much appreciated.

    Hi Samir,

    I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements in the reference link below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    (The link above includes split tunneling, but this is just an option.)

    Please paste the output of "sh cry ipsec sa" here so that we can check whether phase 2 is properly established. I would also suggest you go to the IPsec VPN client on your PC and check that the packets sent and received increment in the 'status' window.

    Let me know if this helps,

    Cheers,

    Christian V

  • Client VPN connectivity problems

    I use the Cisco VPN client to connect to our network, located behind a 515E. The client is authenticated and gets an IP address but cannot ping or connect to any of the hosts. The connection is to a customer's network that is also behind a 515E. I have successfully connected using the same policy to other sites and have had no problem. What confuses me is that they used to have a Netscreen firewall before, and it had a Netscreen VPN client which connected to their network without a problem. Is there something they need on their firewall so that we can get traffic through?

    Try turning on NAT-T on your PIX by configuring:

    isakmp nat-traversal 20

    and configure the VPN client accordingly:

    http://www.Cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

    I think these discussions are useful:

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7dda4

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7fe80
