Client VPN connects but no IP traffic is passed...
I have a user in a hotel, his laptop was works well on remote connections previously, he gets the lock when it connects, but no IP traffic is passed. Is it pings it gets "host unreachable". I think he's behind a firewall of hotel, but nothing else that I can check to confirm? I was going to put the new client available for download (internet access works very well), he performs a version 4.7. I also tested his connection on a profile box test and it worked fine.
UM... so it is able to authenticate so I don't think that he coulkd be blocked... double check you are using have traversed nat enabled on your PIX...
ISAKMP nat-traversal 20
I hope that helps... Rate if he does!
Tags: Cisco Security
Similar Questions
-
Client VPN connects but not internal LAN access or Ping
Hi all.
I'm new on this forum and kindly asking for your help because I'm stuck.
I have an ADSL router cisco 877 which I configured easy VPN server.
Now the Cisco VPN client ver 5.0 to connect successfully to the VPN server, but when you try to access/ping computers on the internal network, there is no response.The configuration is below. Please let know us where I was going or what I missed.
[code]Building configuration...
Current configuration: 4574 bytes
!
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ $86dn J8HrK9kCQ8G9aPAm6xe4o1
enable password 7 13151601181B54382F
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login internal_affairs_vpn_1 local
AAA authorization exec default local
AAA authorization internal_affairs_vpn_group_1 LAN
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-2122144568
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2122144568
revocation checking no
rsakeypair TP-self-signed-2122144568
!
!
TP-self-signed-2122144568 crypto pki certificate chain
self-signed certificate 03
30820248 308201B 1 A0030201 02020103 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 32313232 31343435 6174652D 3638301E 170 3032 30333032 32303537
31375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 31323231 65642D
34343536 3830819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100D3EA 07EC5D66 F4DD8ACC 5540BDBE 009B3C26 598EC99C D99D935A 51292F96
F495E5A9 8D012B0E 73EA7639 3B 586799 187993F5 ED9CA31C 788756DD 6BDB1B2B
4D7AA7F0 B07CF82F F2A29E86 E18B442C 550E22D2 E92D9914 105B7D59 253BBEA1
D84636B4 A4B4B300 7946CE84 E9A63D2E 7789B03A 6ADDB04E B21EC207 CCFEAE0B
30 HAS A 50203 010001, 3 1 130101 301B 0603 030101FF FF040530 0F060355 70306E30
551 1104 14301282 10494E54 45524E41 4C5F4146 46414952 53301F06 03551D 23
04183016 8014FA0F B3C9C651 7FD91EFA 3F63EAE8 6C83C80D 8AE2301D 0603551D
0E041604 14FA0FB3 C9C6517F D91EFA3F 63EAE86C 83C80D8A E2300D06 092A 8648
86F70D01 01040500 03818100 A1026DDC C91CAEB2 3C62AF92 D6B25EB2 CA 950, 920
313BCF26 4A35B039 A4F806A0 8CB54D11 6AF1ABAA A770604B 4403F345 0351361B
E2CF2950 26974F4A 95951862 401A4F76 C816590C 2FFCB115 9A8B3E96 4373FFE1
33D744F7 E0FDDE61 B5B48497 9516C3C6 A3157957 C621668E A83B5E33 2420F962
9142DD9E B6E9D74A 899A 9653
quit smoking
dot11 syslog
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 10.10.10.1
!
IP dhcp pool dhcplan
Network 10.0.0.0 255.0.0.0
DNS-server 196.0.50.50 81.199.21.94
default router 10.10.10.1
Rental 7
!
!
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
name of the IP-server 81.199.21.94
!
!
!
VPN username password 7 095A5E07
username fred privilege 15 password 7 1411000E08
username ciscovpn password 7 01100F175804101F2F
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group internal_affairs_vpn
key *.
DNS 196.0.50.50 81.199.21.94
pool ippool
ACL 108
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic internal_affairs_DYNMAP_1 10
Set transform-set RIGHT
market arriere-route
!
!
card crypto client internal_affairs_CMAP_1 of authentication list internal_affairs_vpn
card crypto isakmp authorization list internal_affairs_vpn_group_1 internal_affairs_CMAP_1
client configuration address card crypto internal_affairs_CMAP_1 answer
ipsec 10-isakmp crypto map internal_affairs_CMAP_1 Dynamics internal_affairs_DYNMAP_1
!
Archives
The config log
hidekeys
!
!
!
Bridge IRB
!
!
interface Loopback0
2.2.2.2 the IP 255.255.255.255
!
ATM0 interface
no ip address
ATM vc-per-vp 512
No atm ilmi-keepalive
PVC 0/32
aal5snap encapsulation
Protocol ip inarp
!
DSL-automatic operation mode
Bridge-Group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description of the local lan interface
IP 10.10.10.1 255.0.0.0
IP nat inside
IP virtual-reassembly
!
interface BVI1
internet interface Description
IP 197.0.4.174 255.255.255.252
NAT outside IP
IP virtual-reassembly
internal_affairs_CMAP_1 card crypto
!
IP local pool ippool 192.168.192.1 192.168.192.200
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 196.0.4.173
!
IP http server
local IP http authentication
IP http secure server
IP nat inside source list interface BVI1 NAT overload
IP nat inside source static tcp 2.2.2.2 23 23 BVI1 interface
!
NAT extended IP access list
allow an ip
!
access-list 108 allow ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
!
!
!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
!
Line con 0
password 7 0216054818115F3348
no activation of the modem
line to 0
line vty 0 4
password 7 06160E325F59590B01
!
max-task-time 5000 Planner
endSince this is a named ACL, you need to change ACL configuration mode:
NAT extended IP access list
Then, make the changes.
Federico.
-
Client VPN connects but cannot ping all hosts
Here is the configuration of a PIX 501, which I want to accept connections from the VPN software clients. I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client and I can ping the PIX to 192.168.5.1, but I can't ping or you connect to all hosts behind the PIX. Can someone tell me what Miss me in my setup?
Thanks for your help.
Chi - pix # sh conf
: Saved
: Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password
encrypted passwd
hostname chi - pix
.com domain name
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
list-access internet-traffic ip 192.168.5.0 allow 255.255.255.0 any
Allow Access-list allowed a whole icmp ping
access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
opening of session
debug logging in buffered memory
ICMP deny everything outside
Outside 1500 MTU
Within 1500 MTU
IP address outside pppoe setroute
IP address inside 192.168.5.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool ippool 10.10.11.1 - 10.10.11.254
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) - 0 102 access list
NAT (inside) 1 list-access internet-traffic 0 0
group-access allowed to ping in external interface
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp - esp-md5-hmac GvnPix-series
Crypto-map dynamic dynmap 10 GvnPix-set transform-set
toGvnPix 10 card crypto ipsec-isakmp dynamic dynmap
toGvnPix interface card crypto outside
ISAKMP allows outside
ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
ISAKMP keepalive 60
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 9
encryption of ISAKMP policy 9
ISAKMP policy 9 md5 hash
9 2 ISAKMP policy group
ISAKMP policy 9 life 86400
vpngroup address ippool pool chiclient
vpngroup dns 192.168.5.1 Server chiclient
vpngroup wins 192.168.5.1 chiclient-Server
vpngroup chiclient com default domain
vpngroup split tunnel 101 chiclient
vpngroup idle 1800 chiclient-time
vpngroup password chiclient *.
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 30
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
management-access inside
Console timeout 0
VPDN group chi request dialout pppoe
VPDN group chi net localname
VPDN group chi ppp authentication pap
VPDN username password net *.
dhcpd address 192.168.5.2 - 192.168.5.33 inside
dhcpd dns xx
dhcpd rental 86400
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 100
Cryptochecksum:
Chi - pix #.On the PIX configuration seems correct.
I guess you try to access hosts in 192.168.5.0/24, and these default hosts is the PIX inside interface 192.168.5.1?
How you try to access these internal hosts? If you try to ping the hosts, please please make sure there is no personal firewall enabled inside welcomes as personal firewall normally doesn't allow incoming connections from different subnet ip address.
-
Cisco vpn client to connect but can not access to the internal network
Hi all
I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network
Any help would be much appreciated.
Hi Samir,
I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
(The link above includes split tunneling, but this is just an option.
Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.
Let me know if this can help,
See you soon,.
Christian V
-
VPN connected but no visible network
so I have a windows 7 (VPN server) desktop computer and a windows laptop 7 (VPN client) and I have set up the incoming VPN connection on my desktop and a client VPN connection on my laptop. When I go and establish a VPN connection, it says that I'm connected on my laptop and my desktop but I can't access my network resources. Ive been cracking as a result for a few weeks now and have gotten nowhere with it, any help would be greatly appreciated. Thank you!
I can't access something like \\ServerName\ShareName I can't do a ping them either. address ranges are not the same on the server or client networks. the funny this is that it says I am connected at both ends, the customer declares that ipv4 has no internet access on the vpn which is fine because all I want is access to the network and it shows that I have an ip address assigned on the vpn map. side server but it is said that ipv4 and ipv6 are not connected, but if I do "ipconfig/all" he shows me his ip address on the vpn.
client side, I've disabled 'Gateway on remote network use default' so that I can still have access to the internet on the im client that is connected to the vpn. on the side server, I tried selecting "Assign addresses automatically using DHCP" as well as "specify IP addresses (with a beach which is on the client and the server ip address range).» I have also "Allow the calling computer to specify its own IP address" selected on the server.
When I finally fell a VPN server on a Vista box I got the address assigned to the configuration of clients like that.
http://theillustratednetwork.MVPs.org/Vista/PPTP/VPNSetup06.jpg
The address range was the same that the server of the LAN address range, in this case, I used 192.168.10.X on the local network.
http://theillustratednetwork.MVPs.org/Vista/PPTP/ExampleVistaVPNNetwork.PDF
Customer recevrait.31 ou.32...
Of course assumed that the customer was or would not be on a LAN 192.168.10.X to start. If it was so I could have problems connecting to shares on my LAN Server.
MS - MVP Windows Desktop Experience
"When all else fails try what the captain suggested before you started...". » -
I am trying to create a VPN connection, but when I get to the step that allows me to create the VPN, the radial buttons are grayed out, it is a Windows component is missing and does not allow me to create VPN. I am running Windows XP Home addition. I recently got a Malware attack and had the quarantine and fix trojen attempts. After the restoration, I found that my previous VPN connection was broken. When I tried to add a new connection, I'm stuck on the screen connection virtual network in the the radial button private network connection wizard is grayed out, he could not check.
Hello
Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the Windows XP TechNet forum. You can follow the link to your question:
http://social.technet.Microsoft.com/forums/en/itproxpsp/threads
-
I am trying to create a VPN connection, but it does not work
I am trying to create a VPN connection, but it does not work
The wizard cannot establish a connection. And if I try to record simply does not connect
It does not work. If I try to click on find the problem, there simply
do nothing.
I tried it on another pc, where it worked. So the problem is not the
router or data network. And the curious thing is that I installed it before, but only from one day to the other, the VPN connection was missing.It does not create even a the connection icon
Thank youTry a system restore to a Date before the problem began:
Restore point:
http://www.howtogeek.com/HOWTO/Windows-Vista/using-Windows-Vista-system-restore/
Do Safe Mode system restore, if it is impossible to do in Normal Mode.
Try typing F8 at startup and in the list of Boot selections, select Mode safe using ARROW top to go there > and then press ENTER.
Try a restore of the system once, to choose a Restore Point prior to your problem...
Click Start > programs > Accessories > system tools > system restore > choose another time > next > etc.
http://www.windowsvistauserguide.com/system_restore.htm
Read the above for a very good graph shows how backward more than 5 days in the System Restore Points by checking the correct box.
See you soon.
Mick Murphy - Microsoft partner
-
I created a vpn connection, but can I create a shortcut to connect every time?
I created a vpn connection, but can I create a shortcut to connect every time?
I created a vpn connection, but can I create a shortcut to connect every time?
Open network and sharing Center, go to the Edit card settings window and drag the VPN icon on your desktop.
-
Client VPN connectivity problems
I use the cisco VPN client to connect to our network, located behind a 515E. The client is authenticated and gets an ip address but cannot ping or connect with one of the hosts. The connection is to a network of customers that is also behind a 515E. I have successfully connected using the same policy to other places and have had no problem. What confuses me, is that we have used to have a Netscreen firewall before and he had a netscreen vpn client which connected since their network with a problem. Is that something they need for their firewall so that we can get through the traffic?
Try to turn on NAT - T on your pix, by setting up:
ISAKMP nat-traversal 20
and configure the client vpn accordingly:
http://www.Cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client
I think these discussions are useful:
-
The VPN client VPN connection behind other PIX PIX
I have the following problem:
I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).
So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5
I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.
Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.
If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:
305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x
194.x.x.x is our customer s address IP PIX
I understand that somewhere access list is missing, but I can not understand.
Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.
Can you please help me?
Thank you in advan
The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.
I've cut and pasted here for you to read, I think that the problem mentioned below:
Question:
Hi Glenn,.
Following is possible?
I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.
The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?
My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.
Thank you very much for any help provided in advance.
Response from Glenn:
First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:
fixup protocol esp-ike
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.
If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:
ISAKMP nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.
NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.
ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.
A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.
NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.
Hope that helps.
-
VPN connects but stops internet surfing
Dear all,
When I connect to my corporate network through the vpn cisco client, it connects successfully and all required applications runs BUT
Internet traffic stops, resulting, no. Browsing, etc etc.
Please let know us, if I need to check the configuration of the vpn client or do I need to add something to my cisco 2811 router,
Kind regards
Junaid
There are two ways to achieve this. If you want your users to use their local ISP gateway, you will want to configure the tunneling split for the customer group. Split tunneling is configured on the router and identifies which networks should be protected by the tunnel. Alternatively, you can tunnel all traffic from the client to the hub router when connected and set up hairpin of routing for Internet access. Here's the configs to sample from each.
EasyVPN w / split Tunneling sample:
VPN Client Internet audience on a stick:
-
Cisco ipsec Vpn connects but cannot communicate with lan
I have a version of cisco 1921 15.2 (4) M3 I install vpn ipsec and may have customers to connect but cannot ping anything inside. A glimpse of what could be wrong with my config would be greatly appreciated. I posted the configuration as well as running a few outings of ipsec. I also tried with multiple operating systems using cisco vpn client and shrewsoft. I am able to connect to the other VPN ipsec running 1921 both of these computers by using a client.
Thanks for any assistance
SH run
!
AAA new-model
!
!
AAA authentication login radius_auth local radius group
connection of AAA VPN_AUTHEN group local RADIUS authentication
AAA authorization network_vpn_author LAN
!
!
!
!
!
AAA - the id of the joint session
clock timezone PST - 8 0
clock to summer time recurring PST
!
no ip source route
decline of the IP options
IP cef
!
!
!
!
!
!
no ip bootp Server
no ip domain search
domain IP XXX.local
inspect the high IP 3000 max-incomplete
inspect the low IP 2800 max-incomplete
IP inspect a low minute 2800
IP inspect a high minute 3000
inspect the IP icmp SDM_LOW name
inspect the IP name SDM_LOW esmtp
inspect the tcp IP SDM_LOW name
inspect the IP udp SDM_LOW name
IP inspect name SDM_LOW ssh
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
Crypto pki trustpoint TP-self-signed-2909270577
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2909270577
revocation checking no
rsakeypair TP-self-signed-2909270577
!
!
TP-self-signed-2909270577 crypto pki certificate chain
certificate self-signed 01
license udi pid CISCO1921/K9 sn FTX1715818R
!
!
Archives
The config log
Enable logging
size of logging 1000
notify the contenttype in clear syslog
the ADMIN_HOSTS object-group network
71.X.X.X 71.X.X.X range
!
name of user name1 secret privilege 15 4 XXXXXXX!
redundancy
!
!
!
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group roaming_vpn
key XXXXX
DNS 192.168.10.10 10.1.1.1
XXX.local field
pool VPN_POOL_1
ACL client_vpn_traffic
netmask 255.255.255.0
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
!
!
!
crypto dynamic-map VPN_DYNMAP_1 1
Set the security association idle time 1800
game of transformation-ESP-3DES-SHA
market arriere-route
!
!
list of authentication of card crypto SDM_CMAP_1 client VPN_AUTHEN
map SDM_CMAP_1 isakmp authorization list network_vpn_author crypto
client configuration address map SDM_CMAP_1 crypto answer
map SDM_CMAP_1 65535-isakmp dynamic VPN_DYNMAP_1 ipsec crypto
!
!
!
!
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
IP 76.W.E.R 255.255.255.248
IP access-group ATT_Outside_In in
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the SDM_LOW over IP
IP virtual-reassembly in
load-interval 30
automatic duplex
automatic speed
No cdp enable
No mop enabled
map SDM_CMAP_1 crypto
!
interface GigabitEthernet0/1
no ip address
load-interval 30
automatic duplex
automatic speed
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 1 native
IP 192.168.10.1 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
property intellectual accounting-access violations
IP nat inside
IP virtual-reassembly in
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
10.1.1.254 IP address 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly in
!
interface GigabitEthernet0/1,200
encapsulation dot1Q 200
IP 10.1.2.254 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
local IP VPN_POOL_1 192.168.168.193 pool 192.168.168.254
IP forward-Protocol ND
!
IP http server
IP http authentication aaa-authentication of connection ADMIN_AUTHEN
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
IP nat inside source map route ATT_NAT_LIST interface GigabitEthernet0/0 overload
IP nat inside source static tcp 192.168.10.10 25 expandable 25 76.W.E.R
IP nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extensible
IP nat inside source static tcp 192.168.10.10 76.W.E.R expandable 443 443
IP nat inside source static tcp 192.168.10.10 76.W.E.R expandable 987 987
IP route 0.0.0.0 0.0.0.0 76.W.E.F
!
ATT_Outside_In extended IP access list
permit tcp object-group ADMIN_HOSTS any eq 22
allow any host 76.W.E.R eq www tcp
allow any host 76.W.E.R eq 443 tcp
allow 987 tcp any host 76.W.E.R eq
allow any host 76.W.E.R eq tcp smtp
permit any any icmp echo response
allow icmp a whole
allow udp any any eq isakmp
allow an esp
allow a whole ahp
permit any any eq non500-isakmp udp
deny ip 10.0.0.0 0.255.255.255 everything
deny ip 172.16.0.0 0.15.255.255 all
deny ip 192.168.0.0 0.0.255.255 everything
deny ip 127.0.0.0 0.255.255.255 everything
refuse the ip 255.255.255.255 host everything
refuse the host ip 0.0.0.0 everything
NAT_LIST extended IP access list
IP 10.1.0.0 allow 0.0.255.255 everything
permit ip 192.168.10.0 0.0.0.255 any
deny ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
refuse the 10.1.1.0 ip 0.0.0.255 192.168.168.192 0.0.0.63
deny ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
client_vpn_traffic extended IP access list
permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
ip licensing 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
IP 10.1.2.0 allow 0.0.0.255 10.1.1.0 0.0.0.255
!
radius of the IP source-interface GigabitEthernet0/1.10
Logging trap errors
logging source hostname id
logging source-interface GigabitEthernet0/1.10
!
ATT_NAT_LIST allowed 20 route map
corresponds to the IP NAT_LIST
is the interface GigabitEthernet0/0
!
!
SNMP-server community [email protected] / * /! s RO
Server enable SNMP traps snmp authentication linkdown, linkup warmstart cold start
Server enable SNMP traps vrrp
Server SNMP enable transceiver traps all the
Server enable SNMP traps ds1
Enable SNMP-Server intercepts the message-send-call failed remote server failure
Enable SNMP-Server intercepts ATS
Server enable SNMP traps eigrp
Server enable SNMP traps ospf-change of State
Enable SNMP-Server intercepts ospf errors
SNMP Server enable ospf retransmit traps
Server enable SNMP traps ospf lsa
Server enable SNMP traps ospf nssa-trans-changes state cisco-change specific
SNMP server activate interface specific cisco-ospf traps shamlink state change
SNMP Server enable neighbor traps cisco-specific ospf to the State shamlink change
Enable SNMP-Server intercepts specific to cisco ospf errors
SNMP server activate specific cisco ospf retransmit traps
Server enable SNMP traps ospf cisco specific lsa
SNMP server activate license traps
Server enable SNMP traps envmon
traps to enable SNMP-Server ethernet cfm cc mep-top low-mep Dispatcher loop config
Enable SNMP-Server intercepts ethernet cfm overlap missing mep mep-unknown service-up
Server enable SNMP traps auth framework sec-violation
Server enable SNMP traps c3g
entity-sensor threshold traps SNMP-server enable
Server enable SNMP traps adslline
Server enable SNMP traps vdsl2line
Server enable SNMP traps icsudsu
Server enable SNMP traps ISDN call-information
Server enable SNMP traps ISDN layer2
Server enable SNMP traps ISDN chan-not-available
Server enable SNMP traps ISDN ietf
Server enable SNMP traps ds0-busyout
Server enable SNMP traps ds1-loopback
SNMP-Server enable traps energywise
Server enable SNMP traps vstack
SNMP traps enable mac-notification server
Server enable SNMP traps bgp cbgp2
Enable SNMP-Server intercepts isis
Server enable SNMP traps ospfv3-change of State
Enable SNMP-Server intercepts ospfv3 errors
Server enable SNMP traps aaa_server
Server enable SNMP traps atm subif
Server enable SNMP traps cef resources-failure-change of State peer peer-fib-state-change inconsistency
Server enable SNMP traps memory bufferpeak
Server enable SNMP traps cnpd
Server enable SNMP traps config-copy
config SNMP-server enable traps
Server enable SNMP traps config-ctid
entity of traps activate SNMP Server
Server enable SNMP traps fru-ctrl
SNMP traps-policy resources enable server
Server SNMP enable traps-Manager of event
Server enable SNMP traps frames multi-links bundle-incompatibility
SNMP traps-frame relay enable server
Server enable SNMP traps subif frame relay
Server enable SNMP traps hsrp
Server enable SNMP traps ipmulticast
Server enable SNMP traps msdp
Server enable SNMP traps mvpn
Server enable SNMP traps PNDH nhs
Server enable SNMP traps PNDH nhc
Server enable SNMP traps PNDH PSN
Server enable SNMP traps PNDH exceeded quota
Server enable SNMP traps pim neighbor-rp-mapping-change invalid-pim-message of change
Server enable SNMP traps pppoe
Enable SNMP-server holds the CPU threshold
SNMP Server enable rsvp traps
Server enable SNMP traps syslog
Server enable SNMP traps l2tun session
Server enable SNMP traps l2tun pseudowire status
Server enable SNMP traps vtp
Enable SNMP-Server intercepts waas
Server enable SNMP traps ipsla
Server enable SNMP traps bfd
Server enable SNMP traps gdoi gm-early-registration
Server enable SNMP traps gdoi full-save-gm
Server enable SNMP traps gdoi gm-re-register
Server enable SNMP traps gdoi gm - generate a new key-rcvd
Server enable SNMP traps gdoi gm - generate a new key-fail
Server enable SNMP traps gdoi ks - generate a new key-pushed
Enable SNMP traps gdoi gm-incomplete-cfg Server
Enable SNMP-Server intercepts gdoi ks-No.-rsa-keys
Server enable SNMP traps gdoi ks-new-registration
Server enable SNMP traps gdoi ks-reg-complete
Enable SNMP-Server Firewall state of traps
SNMP-Server enable traps ike policy add
Enable SNMP-Server intercepts removal of ike policy
Enable SNMP-Server intercepts start ike tunnel
Enable SNMP-Server intercepts stop ike tunnel
SNMP server activate ipsec cryptomap add traps
SNMP server activate ipsec cryptomap remove traps
SNMP server activate ipsec cryptomap attach traps
SNMP server activate ipsec cryptomap detach traps
Server SNMP traps enable ipsec tunnel beginning
SNMP-Server enable traps stop ipsec tunnel
Enable SNMP-server holds too many associations of ipsec security
Enable SNMP-Server intercepts alarm ethernet cfm
Enable SNMP-Server intercepts rf
Server enable SNMP traps vrfmib vrf - up low-vrf vnet-trunk-up low-trunk-vnet
Server RADIUS dead-criteria life 2
RADIUS-server host 192.168.10.10
Server RADIUS 2 timeout
Server RADIUS XXXXXXX key
!
!
!
control plan
!
!Line con 0
privilege level 15
connection of authentication radius_auth
line to 0
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
privilege level 15
connection of authentication radius_auth
entry ssh transport
line vty 5 15
privilege level 15
connection of authentication radius_auth
entry ssh transport
!
Scheduler allocate 20000 1000
NTP-Calendar Update
Server NTP 192.168.10.10
NTP 64.250.229.100 Server
!
endRouter ipsec crypto #sh her
Interface: GigabitEthernet0/0
Tag crypto map: SDM_CMAP_1, local addr 76.W.E.Rprotégé of the vrf: (none)
local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.168.213/255.255.255.255/0/0)
current_peer 75.X.X.X port 2642
LICENCE, flags is {}
#pkts program: 1953, #pkts encrypt: 1953, #pkts digest: 1953
#pkts decaps: 1963, #pkts decrypt: 1963, #pkts check: 1963
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 76.W.E.R, remote Start crypto. : 75.X.X.X
Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0
current outbound SPI: 0x5D423270 (1564619376)
PFS (Y/N): N, Diffie-Hellman group: noSAS of the esp on arrival:
SPI: 0x2A5177DD (709982173)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel UDP-program}
Conn ID: 2115, flow_id: VPN:115 on board, sibling_flags 80000040, crypto card: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4301748/2809)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE (ACTIVE)the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x5D423270 (1564619376)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel UDP-program}
Conn ID: 2116, flow_id: VPN:116 on board, sibling_flags 80000040, crypto card: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4301637/2809)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE (ACTIVE)outgoing ah sas:
outgoing CFP sas:
Routing crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
76.W.E.R 75.X.X.X QM_IDLE 1055 ACTIVEIPv6 Crypto ISAKMP Security Association
In your acl, nat, you will need to refuse your VPN traffic before you allow the subnet at all. Just put all the declarations of refusal before the declarations of licence.
Sent by Cisco Support technique iPhone App
-
VPN connected but unable to reach other interfaces
I have installation of remote access vpn and I can connect without any problems. I assigned the vpn a pool of addresses at the end of my home subnet of the interface. When it is connected I can ping any device on that subnet, I can also connect to my passage on the same subnet via my browser. I can't access however all devices located in my DMZ when logged in. This is a new configuration, I tested, but I need the vpn user to use rdp to connect to machines in the DMZ. I enclose my config that any advice would be greatly appreciated.
Output from the command: 'show running-config '.
: Saved
:
ASA Version 8.2 (1)
!
hostname ASA1
domain name
activate the encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name 10.10.10.3
name 10.10.10.4
name 10.10.10.5
name 10.10.10.6
name 10.10.10.7
name 10.10.10.8
!
interface Ethernet0/0
nameif outside
security-level 0
address IP 38. ***. ***. 2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
IP 192.1.168.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
IP 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS domain-lookup DMZ
DNS server-group DefaultDNS
Server name *. 28.0.45
Server name *. 28.0.61
domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
Outside_access_in list extended access permit tcp any host 38. ***. ***. 5 eq 3389
access allowed extensive list icmp a whole Access extensive list ip 192.1.168.0 Outside_nat0_outbound allow 255.255.255.0 192.1.168.240 255.255.255.240
Outside_nat0_outbound to access extended list ip 10.10.10.0 allow 255.255.255.0 192.1.168.240 255.255.255.240
Fruitionvpn_splitTunnelAcl_2 list standard access allowed 10.10.10.0 255.255.255.0
Standard access list Fruitionvpn_splitTunnelAcl_2 allow 192.1.168.0 255.255.255.0
Standard access list Fruitionvpn_splitTunnelAcl_2 allow 38.101.248.0 255.255.255.0
Access extensive list ip 192.1.168.0 Inside_nat0_outbound allow 255.255.255.0 192.1.168.240 255.255.255.240
Allow Outside_nat0_outbound_1 to access ip 38 extended list. ***. ***. 0 255.255.255.0 192.1.168.240 255.255.255.240
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
192.1.168.240 - 192.1.168.254 vpn IP local pool
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT-control
Overall (101 outside interface)
Global (DMZ) 2 10.10.10.2 - 10.10.10.254 netmask 255.255.255.0
NAT (outside) 0-list of access Outside_nat0_outbound
NAT (0 Outside_nat0_outbound_1 list of outdoor outdoor access)
NAT (inside) 0-list of access Inside_nat0_outbound
NAT (inside) 101 192.1.168.0 255.255.255.0
NAT (DMZ) 101 10.10.10.0 255.255.255.0
static (DMZ, outside) 38. ***. ***. 5 Webserver2 netmask 255.255.255.255
Access-group Outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 38. ***. ***. 1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
management_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
crypto management_map interface card management
card crypto DMZ_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
card crypto DMZ_map DMZ interface
card crypto Inside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Inside_map interface card crypto inside
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP allow inside
crypto ISAKMP enable DMZ
activate the crypto isakmp management
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.1.168.3 - 192.1.168.254 inside
!
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal Fruitionvpn group strategy
attributes of Group Policy Fruitionvpn
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Fruitionvpn_splitTunnelAcl_2
fruition of value by default-field
username privilege 15 encrypted password y4A2QiB9t5hlOCGW ksuber
username ksuber attributes
VPN-group-policy Fruitionvpn
type tunnel-group Fruitionvpn remote access
attributes global-tunnel-group Fruitionvpn
vpn address pool
Group Policy - by default-Fruitionvpn
IPSec-attributes tunnel-group Fruitionvpn
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:a5ec2459f53c4f1fa34d267a6903bea9
: end
a few suggestions
1. use a network address in a different subnet within the network for the client vpn IP pool. saying 192.168.10.0/24
2. enable nat 0 on dmz interface
no_nat_dmz 10.10.10.0 ip access list allow 255.255.255.0 192.168.10.0 255.255.255.0
NAT (DMZ) 0-list of access no_nat_dmz
-
established - VPN connection, but cannot connect to the server?
vpn connection AnyConnect is implemented - but cannot connect to the server? The server IP is 192.168.0.4
Thank you
ASA Version 8.2 (1)
!
hostname ciscoasa5505
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.0.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 208.0.0.162 255.255.255.248
!
interface Vlan5
Shutdown
prior to interface Vlan1
nameif dmz
security-level 50
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS server-group DefaultDNS
192.168.0.4 server name
Server name 208.0.0.11
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service TS-780-tcp - udp
port-object eq 780
object-group service Graphon tcp - udp
port-object eq 491
Allworx-2088 udp service object-group
port-object eq 2088
object-group service allworx-15000 udp
15000 15511 object-port Beach
object-group service udp allworx-2088
port-object eq 2088
object-group service allworx-5060 udp
port-object eq sip
object-group service allworx-8081 tcp
EQ port 8081 object
object-group service web-allworx tcp
EQ object of port 8080
allworx udp service object-group
16001 16010 object-port Beach
object-group service allworx-udp
object-port range 16384-16393
object-group service remote tcp - udp
port-object eq 779
object-group service billing1 tcp - udp
EQ object of port 8080
object-group service billing-1521 tcp - udp
port-object eq 1521
object-group service billing-6233 tcp - udp
6233 6234 object-port Beach
object-group service billing2-3389 tcp - udp
EQ port 3389 object
object-group service olivia-3389 tcp - udp
EQ port 3389 object
object-group service olivia-777-tcp - udp
port-object eq 777
netgroup group of objects
network-object host 192.168.0.15
network-object host 192.168.0.4
object-group service allworx1 tcp - udp
8080 description
EQ object of port 8080
allworx_15000 udp service object-group
15000 15511 object-port Beach
allworx_16384 udp service object-group
object-port range 16384-16393
DM_INLINE_UDP_1 udp service object-group
purpose of group allworx_16384
object-port range 16384 16403
object-group service allworx-5061 udp
range of object-port 5061 5062
object-group service ananit tcp - udp
port-object eq 880
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-6233
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-1521
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing2-3389
outside_access_in list extended access permit tcp any host 208.0.0.164 eq https
outside_access_in list extended access permit tcp any host 208.0.0.164 eq www
outside_access_in list extended access permit tcp any host 208.0.0.164 eq ftp
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing1
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 EQ field
outside_access_in list extended access permit tcp any host 208.0.0.162 eq www
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 remote object-group
outside_access_in list extended access permit tcp any host 208.0.0.162 eq smtp
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 object-group olivia-777
outside_access_in list extended access permit udp any host 208.0.0.162 - group Allworx-2088 idle object
outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5060
outside_access_in list extended access permit tcp any host 208.0.0.162 object-group web-allworx inactive
outside_access_in list extended access permit tcp any host 208.0.0.162 object-group inactive allworx-8081
outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-15000
outside_access_in list extended access permit udp any host 208.0.0.162 DM_INLINE_UDP_1 idle object-group
outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5061
outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 inactive ananit object-group
outside_access_in list extended access deny ip host 151.1.68.194 208.0.0.164
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
permit access ip 192.168.0.0 scope list outside_20_cryptomap 255.255.255.0 172.16.0.0 255.255.0.0
Ping list extended access permit icmp any any echo response
inside_access_in of access allowed any ip an extended list
permit access ip 192.168.0.0 scope list outside_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
access-list 1 standard allow 192.168.0.0 255.255.255.0
pager lines 24
Enable logging
logging buffered stored notifications
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
IP local pool 192.168.100.30 - 192.168.100.60 mask 255.255.255.0 remote_pool
192.168.0.20 mask - distance local pool 255.255.255.0 IP 192.168.0.50
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 1 192.168.0.0 255.255.255.0
alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255
public static tcp (indoor, outdoor) interface 192.168.0.4 smtp smtp netmask 255.255.255.255
public static tcp (indoor, outdoor) interface field 192.168.0.4 netmask 255.255.255.255 area
public static tcp (indoor, outdoor) interface 192.168.0.4 www www netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 777 192.168.0.15 777 netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 779 192.168.0.4 779 netmask 255.255.255.255
public static (inside, outside) udp interface field 192.168.0.4 netmask 255.255.255.255 area
public static tcp (indoor, outdoor) interface 880 192.168.0.16 880 netmask 255.255.255.255
static (inside, outside) 208.0.0.164 tcp 3389 192.168.0.185 3389 netmask 255.255.255.255
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 208.0.0.161 1
Route inside 192.168.50.0 255.255.255.0 192.168.0.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.3 255.255.255.255 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt noproxyarp inside
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 108.0.0.97
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
card crypto outside_map 20 match address outside_20_cryptomap
card crypto outside_map 20 set pfs
peer set card crypto outside_map 20 69.0.0.54
outside_map crypto 20 card value transform-set ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life no
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 1
life no
Telnet timeout 5
SSH timeout 5
Console timeout 0
identifying client DHCP-client interface dmz
dhcpd outside auto_config
!
dhcpd address 192.168.0.20 - 192.168.0.50 inside
dhcpd dns 192.168.0.4 208.0.0.11 interface inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
internal group anyconnect strategy
attributes of the strategy group anyconnect
VPN-tunnel-Protocol svc webvpn
WebVPN
list of URLS no
SVC request enable
encrypted olivia Zta1M8bCsJst9NAs password username
username of graciela CdnZ0hm9o72q6Ddj encrypted password
tunnel-group 69.0.0.54 type ipsec-l2l
IPSec-attributes tunnel-group 69.0.0.54
pre-shared-key *.
tunnel-group 108.0.0.97 type ipsec-l2l
IPSec-attributes tunnel-group 108.0.0.97
pre-shared-key *.
tunnel-group anyconnect type remote access
tunnel-group anyconnect General attributes
remote address pool
strategy-group-by default anyconnect
tunnel-group anyconnect webvpn-attributes
Group-alias anyconnect enable
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the icmp
!
service-policy-international policy global
: end
ASDM location 208.0.0.164 255.255.255.255 inside
ASDM location 192.168.0.15 255.255.255.255 inside
ASDM location 192.168.50.0 255.255.255.0 inside
ASDM location 192.168.1.0 255.255.255.0 inside
don't allow no asdm history
Right now your nat 0 (NAT exemption) follows the access list:
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
Traffic back from your server to 192.168.0.4 in the pool of VPN (192.168.0.20 - 50) not correspond to this access list and thus be NATted. The TCP connection will not develop due to the failure of the Reverse Path Forwarding (RPF) - traffic is asymmetric NATted.
Then try to add an entry to the list of access as:
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.0.0 255.255.255.0
It's a bit paradoxical but necessary that your VPN pool is cut out in your interior space network. You could also do like André offers below and use a separate network, but you would still have to add an access list entry to exempt outgoing NAT traffic.
-
VPN connects but can't access internal devices
Thanks in advance for any help that can be provided.
I use AnyConnect to create a VPN with an ASA 5505. Once connected, the client needs to access a device behind a router in 1941.
Internally, (without using VPN), all my itinerary runs correctly. My VPN client can connect and when I put a route on my router from 1941, I am able to ping this particular device. But my VPN client cannot appear ping all the remaining devices on the same internal range as the ASA 5505 or whatever happened on 1941.
Device far router VPN Client ASA 5505 1941 Workstation
192.168.201.20---> outside IP x.x.x.x / / internal 192.168.101.1 192.168.101.56 192.168.101.2 / / 192.168.8.1 192.168.8.150
Client connects and get the IP address of the ASA
Cannot ping it cannot ping
Can ping the internal IP address of 1941
* (after creating a static route)
I was playing with my setup intensively to try to make this work. Split tunneling is enabled and is required.
Here is my current config:
hostnameMYHOST
activate mUUvr2NINofYuSh2 encrypted password
UNDrnIuGV0tAPtz2 encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 7
!
interface Vlan1
nameif inside
security-level 100
192.168.101.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP x.x.x.x 255.255.0.0
!
interface Vlan7
prior to interface Vlan1
nameif DMZ
security-level 20
IP 137.57.183.1 255.255.255.0
!
passive FTP mode
clock timezone STD - 7
DNS domain-lookup outside
the obj_any_dmz object-group network
192.168.101.0 IP Access-list extended sheep 255.255.255.0 allow all
192.168.201.0 IP Access-list extended sheep 255.255.255.0 allow all
tunneling split list of permitted access standard 192.168.101.0 255.255.255.0
pager lines 24
Enable logging
debug logging in buffered memory
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 DMZ
mask 192.168.101.125 - 192.168.101.130 255.255.255.0 IP local pool Internal_Range
IP local pool vpn_pool 192.168.201.20 - 192.168.201.30 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (DMZ) 10 137.57.183.0 255.255.255.0
Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
Route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto ca trustpoint ASDM_TrustPoint1
registration auto
name of the object CN = MYHOST
ClientX_cert key pair
Configure CRL
string encryption ca ASDM_TrustPoint1 certificates
certificate 0f817951
308201e7 a0030201 30820150 0202040f 0d06092a 81795130 864886f7 0d 010105
05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d 30
1b06092a 864886f7 0d 010902 160e4149 4d452d56 504e2d42 41545553 301e170d
31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
30150603 55040313 0e41494d 452-5650 4e2d4241 54555331 1d301b06 092 d has 8648
86f70d01 0902160e 41494d 45 2d56504e 424154 55533081 9f300d06 092 2d has 8648
86f70d01 01010500 03818d 30818902 00 818100c 9 ff840bf4 cfb8d394 2 c 940430
1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300 d 0609 2a 864886
8181007e f70d0101 05050003 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd 622 dc3d3821
fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
63ebd49d 30dd06f4 e0fa25
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 40
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 DMZ
SSH timeout 10
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4 - md5, rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
SSL-trust outside ASDM_TrustPoint1 point
WebVPN
allow outside
SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
enable SVC
internal ClientX_access group strategy
attributes of Group Policy ClientX_access
4.2.2.2 DNS server value
VPN-tunnel-Protocol svc
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunneling
access.local value by default-field
the address value vpn_pool pools
IPv6 address pools no
WebVPN
SVC mtu 1406
generate a new key SVC time no
SVC generate a new method ssl key
username privilege 15 encrypted password ykAxQ227nzontdIh ClientX
ClientX username attributes
VPN-group-policy ClientX_access
type of service admin
tunnel-group ClientX type remote access
attributes global-tunnel-group ClientX
address pool Internal_Range
Group Policy - by default-ClientX_access
type tunnel-group SSLClientProfile remote access
attributes global-tunnel-group SSLClientProfile
Group Policy - by default-ClientX_access
type tunnel-group ClientX_access remote access
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:da38065247f7334a5408b7ada3af29ae
: end
OK, lets go on... ;-)
Split tunneling: the ACL must include all the networks you want to join via the VPN:
tunneling split list of permitted access standard 192.168.101.0 255.255.255.0
tunneling split list of permitted access standard 192.168.8.0 255.255.255.0
NAT: Do not use 'everything' in the nat exemption, but specify all the traffic that should not be natted:
IP 192.168.101.0 allow Access-list extended sheep 255.255.255.0 192.168.201.0 255.255.255.0
IP 192.168.8.0 allow Access-list extended sheep 255.255.255.0 192.168.201.0 255.255.255.0
Routing: The 1941 needs a route for the vpn-pool pointing on the SAA (just in case there is no default route to the ASA)
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
Maybe you are looking for
-
I'm a little surprised that out of all the applications that AT & T charged the Backflip with they did not add visual voicemail which would have been their most useful application. Does Anyon know if the Backflip can handel VVM? Can handel material t
-
Library of photos on iCloud Drive as well as Dropbox?
Hello. Is it possible to store my library of Photos both on iCloud drive like Dropbox? I like the iCloud drive, because it automatically syncs with all my devices, and I like Dropbox, since it will be an additional backup if something goes wrong with
-
my screen, including the background, icons and toolbar are on the side, I know I must have hit some button to do this way I can just understand how go back... Help, please
-
Lost Adobe flash player in July can play more games on facebook, is downloaded Adobe and still does not.
-
error code 217@0944ab6d
This mounted my wife and prevents him to go on the internet on that I have no problem getting!