Client VPN does not work via 3G
Hello
We have a VPN client that works over a wired internet connection, but it does not work via a 3G mobile connection. Please see the enclosed routing table.
Client: 10.129.42.2/24
Public 3G address: 10.138.28.162
Thanks in advance
Kind regards
Daniel
Cisco VPN Client 5.07 does not support WWAN (also called wireless data card) devices on Windows 7 (32-bit) x86 and x64.
Are you using a 3G data card?
Tags: Cisco Security
Similar Questions
-
Client VPN does not work properly in Windows 7
I use the latest version of the VPN client in Windows 7 for multiple users and each of them has problems: they apparently connect, but when trying to access the internal network no link is established. Does someone have the same problem? Nothing has been published on the Microsoft site about this issue; they claim it should work perfectly, but apparently not.
Any help will be greatly appreciated
We use VPN client v5.0.05.0290 without problem. Here is a link I found initially when testing with Windows 7 and the VPN client... maybe it will help you solve your problem.
I didn't have to resort to this procedure on Windows 7 Pro 32-bit.
On a different note, can you pass traffic to hosts on your internal network by IP address or by hostname? I found a problem using the AnyConnect client: until I configured the connection profile to tell the connecting client what our internal domain name was, my clients were not able to establish connections without manually appending the domain name to the end of the hostname... shot in the dark...
Good luck!!
-
Client VPN does not work via 877w
Hello
I've implemented a Cisco 877w and it works very well for web access.
The VPN client on my laptop connects via the 877w and authenticates on my remote work ASA5510 firewall.
The problem is that after connecting to the ASA, I cannot reach anything on the internal work network (10.0.0.0/24): ping, RDP, etc. come back with no answer.
I've attached the config. Can someone tell me what I am missing, maybe an access list?
Thanks for your help
Chris
This router is doing PAT/NAT, which blocks IPsec.
Enable NAT traversal on the remote ASA:
isakmp nat-traversal or crypto isakmp nat-traversal
HTH
Sangaré
Pls rate helpful messages
-
Client VPN suddenly does not work
The external interface address changed on this PIX 501 yesterday, and all of a sudden their VPN client does not work. I checked that nothing in the VPN configuration has changed. I now see "ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)" in the VPN client's log.
I cross-referenced on Google; nothing in the NAT statements, access-lists, or VPN configuration has changed. Any ideas?
Thank you
Greg
Your configuration is absolutely perfect.
Please try the following:
no crypto map VPN interface outside
crypto map VPN interface outside
Remove and reapply the crypto map on the external interface and see if that helps.
Thank you
Jeet Kumar
-
I have a problem with the VPN not working on the computer.
Hello, I have a Windows VPN running between two computers running Windows 7. Recently it has stopped working: I can still connect to the VPN correctly and ping the VPN IP, but my mapped drives now say
"An error occurred while reconnecting Z: to
\\blahblah\blah
Microsoft Windows Network: The network path was not found. This connection has not been restored."
There is no firewall or antivirus running, and I even restored to a restore point from a few days ago, when the network was working.
Original title: VPN doesn't work anymore
Hi Justin,
I would suggest you post your query in the TechNet Forums, because it caters to an audience of IT professionals.
Your question would be better placed there.
Check out the link:
http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads
Get back to us for any issues related to Windows in the future. We will be happy to help you.
Thank you.
-
HFM application does not work via the workspace
Hello
When I try to access the HFM application via the workspace I get the following error:
There was a communication error. The response is:
http://Server/HFM/GlobalWorkspaceNav/BPM/modules/com/Hyperion/HFM/Web/appcontainer/ADF.asp <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY {font: 8pt/12pt verdana}
H1 {font: 13pt/15pt verdana}
H2 {font: 8pt/12pt verdana}
A:link {color: red}
A:visited {color: maroon}
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the Back button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to Microsoft Product Support Services and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>
</TD></TR></TABLE></BODY></HTML>
----------------------
I tried to reconfigure the web server (I use IIS) several times.
I have HFM 9.3 installed on a Windows 2003 server.
The rest of the components work fine through the workspace... dimension library, application library, etc.
Any help would be greatly appreciated. Thank you.
You can also try the following:
1. From IIS Manager > Web Service Extensions, try to change the following:
Internet Data Connector = Allowed
WebAnalysis = Allowed
Workspace = Allowed
HR = Allowed
AWB = Allowed
WebDAV = Allowed
then restart IIS.
2. Edit the properties of the default web site in IIS to remove all entries in the ISAPI Filters tab.
KN
-
ASA550 VPN does not work, Cisco beginner needs help!
Hi people,
I have to move from Juniper to Cisco, and I can't get a VPN up. I tried both the CLI and ASDM, and in both cases I don't see any incoming IPsec packets on the other end (Juniper SSG) when I ping a remote host on the other network.
Here is the config:
!
ASA Version 9.0(1)
!
hostname gw
enable password 7qkORHwefwefwefwefyAiVSEQH4Q encrypted
passwd 7qkORHywefwefwefwefSEQH4Q encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network SDC_Beheer
 subnet 10.104.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 172.16.1.0 255.255.255.0 object SDC_Beheer
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 object SDC_Beheer
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
snmp-server location Bergen op Zoom
snmp-server contact Joris Kemperman
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set DESSHA1 esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 5.200.1.5
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
dhcpd dns 8.8.8.8
dhcpd lease 3800
dhcpd domain lindebaan73.local
dhcpd auto_config outside
!
dhcpd address 172.16.1.30-172.16.1.157 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_5.200.1.5 internal
group-policy GroupPolicy_5.200.1.5 attributes
 vpn-tunnel-protocol ikev1
username joris password AewHowjZEPeq.vge encrypted privilege 15
tunnel-group 5.200.1.5 type ipsec-l2l
tunnel-group 5.200.1.5 general-attributes
 default-group-policy GroupPolicy_5.200.1.5
tunnel-group 5.200.1.5 ipsec-attributes
 ikev1 pre-shared-key D1nges!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2498ca347e17bcfa3a8a5ad9968e606c
: end
I think it's either a NAT problem (the ASA doesn't tunnel the traffic but simply translates it and passes it to the next router) or an access-list issue.
It has already cost me a lot of time figuring out what goes wrong.
Anyone here who can help me?
Hello
You need to do NAT exemption (no NAT) for the subnet you want to send through the tunnel.
So create object groups for source and destination, say src1 and dest1, and allow them:
nat (inside,outside) source static src1 src1 destination static dest1 dest1
For more information:
https://supportforums.Cisco.com/document/44566/ASA-83-NAT-exemption-exam...
Kind regards
Kanwal
Note: Please check if they are useful.
-
ASA 5510 VPN works from the ASA but not from the workstations
We have an ASA running 8.2(3) and have two site-to-site VPNs running on it. The second VPN we only established the other day, and from the ASA itself it seems to work: we are able to ping remote hosts from the ASA without problem. However, on this second VPN all hosts on our local network cannot reach the remote side... Trying to understand what could be happening. Applicable config below (please forgive the mistakes and formatting):
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address WAN.IP.ADDR 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.21.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif intf2
 security-level 0
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
access-list outside_cryptomap extended permit ip 192.168.21.0 255.255.255.0 10.50.50.0 255.255.255.0
access-group acl_out in interface outside
crypto ipsec transform-set ATLAS-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map mymap 2 match address outside_cryptomap
crypto map mymap 2 set peer PEER.WAN.IP.ADDR
crypto map mymap 2 set transform-set ATLAS-TS
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp nat-traversal 10
tunnel-group PEER.WAN.IP.ADDR type ipsec-l2l
tunnel-group PEER.WAN.IP.ADDR ipsec-attributes
 pre-shared-key *
Hello
Seems to me that the dynamic PAT meant for Internet traffic is being hit:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (WAN.IP.ADDR.162 [Interface PAT])
    translate_hits = 6186208, untranslate_hits = 145616
Additional Information:
Dynamic translate 192.168.21.100/0 to WAN.IP.ADDR.162/12936 using netmask 255.255.255.255
So you might be missing the NAT0 configuration for this connection.
Do the following:
Issue the command "show running-config nat" and you should see a NAT0 configuration for the "inside" interface, something like
nat (inside) 0 access-list <acl-name>
Next, you will need to check the ACL configuration:
show running-config access-list
You can add the local and remote networks that need to communicate through that L2L VPN connection to this ACL.
So for example's sake, let's assume that your ASA's directly connected "inside" subnet needs to access the remote network; then you would add
access-list <acl-name> permit ip 192.168.21.0 255.255.255.0 10.50.50.0 255.255.255.0
So use the above configuration format with the right source and destination networks, as well as the correct ACL name, add the required ACL lines, and then try the connections from LAN hosts.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
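As an added example (not code from any of the posters above, nor a Cisco tool), here is a small Python audit that mechanises the check Kanwal and Jouni describe for an ASA 8.2-style configuration: it collects the crypto-map `match address` ACL entries and the `nat (inside) 0 access-list` exemption ACL, and reports every VPN "interesting traffic" entry that is not fully covered by a NAT-exemption entry, since such traffic would be caught by the dynamic PAT rule shown in the packet-tracer output and never enter the tunnel. The sample configurations inside it are constructed: `203.0.113.10` is a documentation-range placeholder peer and `inside_nat0_outbound` is an assumed ACL name. ACEs that reference object-groups are not expanded; they are returned in `skipped` so they can be reviewed by hand.

```python
"""Audit an ASA 8.2-style config: is every crypto-map 'interesting traffic'
ACE also covered by the NAT 0 (NAT exemption) ACL of the inside interface?
Added example with constructed sample configs; not code from the forum posts."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_net(tokens):
    """Consume one ACE address spec from the token list: 'any', 'host A' or 'A MASK'.
    Raises ValueError/IndexError on object-group references or truncated lines."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_asa(config):
    """Collect 'permit ip' ACEs per ACL name, 'nat (ifc) 0 access-list X' lines
    (interface -> ACL) and crypto-map 'match address' lines (map seq -> ACL)."""
    acls, nat0, crypto, skipped = {}, {}, {}, []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and "permit" in tokens and "remark" not in tokens[:3]:
            i = tokens.index("permit")
            if tokens[i + 1:i + 2] != ["ip"]:
                continue  # only ip-level ACEs are relevant for NAT exemption
            rest = tokens[i + 2:]
            try:
                src, dst = _take_net(rest), _take_net(rest)
            except (ValueError, IndexError):
                skipped.append(raw.strip())  # object-group or malformed ACE
                continue
            acls.setdefault(tokens[1], []).append((src, dst))
        elif tokens[0] == "nat" and tokens[2:4] == ["0", "access-list"]:
            nat0[tokens[1].strip("()")] = tokens[4]
        elif tokens[:2] == ["crypto", "map"] and tokens[4:6] == ["match", "address"]:
            crypto[f"{tokens[2]} {tokens[3]}"] = tokens[6]
    return {"acls": acls, "nat0": nat0, "crypto": crypto, "skipped": skipped}


def nat_exempt_gaps(config, inside="inside"):
    """Return (crypto map entry, src, dst) for every interesting-traffic ACE that
    no NAT 0 ACE on `inside` fully covers. Such flows hit dynamic PAT instead."""
    cfg = parse_asa(config)
    exempt = cfg["acls"].get(cfg["nat0"].get(inside), [])
    gaps = []
    for entry, acl in sorted(cfg["crypto"].items()):
        for src, dst in cfg["acls"].get(acl, []):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                gaps.append((entry, str(src), str(dst)))
    return gaps


# Constructed sample resembling the 8.2(3) post above: dynamic PAT for everything,
# crypto map present, but no NAT exemption for the tunnel traffic.
BROKEN_CONFIG = """\
access-list outside_cryptomap extended permit ip 192.168.21.0 255.255.255.0 10.50.50.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map mymap 2 match address outside_cryptomap
crypto map mymap 2 set peer 203.0.113.10
"""

# Same config with the NAT0 ACL the answer recommends (assumed ACL name).
FIXED_CONFIG = BROKEN_CONFIG + """\
access-list inside_nat0_outbound extended permit ip 192.168.21.0 255.255.255.0 10.50.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        gaps = nat_exempt_gaps(cfg)
        print(f"{label}: {'all tunnel traffic NAT-exempt' if not gaps else 'NOT exempt: ' + str(gaps)}")
```

Run it against `show running-config` output saved to a file by reading the file into `nat_exempt_gaps`; an empty result means every crypto-map ACE has a matching (or broader) NAT 0 entry, which is the condition Jouni's packet-tracer output shows was missing.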
-
Client VPN connects but no internal LAN access or ping
Hi all.
I'm new on this forum and kindly asking for your help because I'm stuck.
I have a Cisco 877 ADSL router which I configured as an Easy VPN server.
Now the Cisco VPN client ver 5.0 connects successfully to the VPN server, but when I try to access/ping computers on the internal network, there is no response. The configuration is below. Please let us know where I went wrong or what I missed.
[code]Building configuration...
Current configuration : 4574 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$86dn$J8HrK9kCQ8G9aPAm6xe4o1
enable password 7 13151601181B54382F
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login internal_affairs_vpn_1 local
aaa authorization exec default local
aaa authorization network internal_affairs_vpn_group_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2122144568
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2122144568
 revocation-check none
 rsakeypair TP-self-signed-2122144568
!
!
crypto pki certificate chain TP-self-signed-2122144568
 certificate self-signed 03
30820248 308201B 1 A0030201 02020103 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 32313232 31343435 6174652D 3638301E 170 3032 30333032 32303537
31375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 31323231 65642D
34343536 3830819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100D3EA 07EC5D66 F4DD8ACC 5540BDBE 009B3C26 598EC99C D99D935A 51292F96
F495E5A9 8D012B0E 73EA7639 3B 586799 187993F5 ED9CA31C 788756DD 6BDB1B2B
4D7AA7F0 B07CF82F F2A29E86 E18B442C 550E22D2 E92D9914 105B7D59 253BBEA1
D84636B4 A4B4B300 7946CE84 E9A63D2E 7789B03A 6ADDB04E B21EC207 CCFEAE0B
30 HAS A 50203 010001, 3 1 130101 301B 0603 030101FF FF040530 0F060355 70306E30
551 1104 14301282 10494E54 45524E41 4C5F4146 46414952 53301F06 03551D 23
04183016 8014FA0F B3C9C651 7FD91EFA 3F63EAE8 6C83C80D 8AE2301D 0603551D
0E041604 14FA0FB3 C9C6517F D91EFA3F 63EAE86C 83C80D8A E2300D06 092A 8648
86F70D01 01040500 03818100 A1026DDC C91CAEB2 3C62AF92 D6B25EB2 CA 950, 920
313BCF26 4A35B039 A4F806A0 8CB54D11 6AF1ABAA A770604B 4403F345 0351361B
E2CF2950 26974F4A 95951862 401A4F76 C816590C 2FFCB115 9A8B3E96 4373FFE1
33D744F7 E0FDDE61 B5B48497 9516C3C6 A3157957 C621668E A83B5E33 2420F962
9142DD9E B6E9D74A 899A 9653
  quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool dhcplan
   network 10.0.0.0 255.0.0.0
   dns-server 196.0.50.50 81.199.21.94
   default-router 10.10.10.1
   lease 7
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 81.199.21.94
!
!
!
username vpn password 7 095A5E07
username fred privilege 15 password 7 1411000E08
username ciscovpn password 7 01100F175804101F2F
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group internal_affairs_vpn
 key *
 dns 196.0.50.50 81.199.21.94
 pool ippool
 acl 108
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map internal_affairs_DYNMAP_1 10
 set transform-set RIGHT
 reverse-route
!
!
crypto map internal_affairs_CMAP_1 client authentication list internal_affairs_vpn
crypto map internal_affairs_CMAP_1 isakmp authorization list internal_affairs_vpn_group_1
crypto map internal_affairs_CMAP_1 client configuration address respond
crypto map internal_affairs_CMAP_1 10 ipsec-isakmp dynamic internal_affairs_DYNMAP_1
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface ATM0
 no ip address
 atm vc-per-vp 512
 no atm ilmi-keepalive
 pvc 0/32
  encapsulation aal5snap
  protocol ip inarp
 !
 dsl operating-mode auto
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description local lan interface
 ip address 10.10.10.1 255.0.0.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description internet interface
 ip address 197.0.4.174 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map internal_affairs_CMAP_1
!
ip local pool ippool 192.168.192.1 192.168.192.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 196.0.4.173
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface BVI1 overload
ip nat inside source static tcp 2.2.2.2 23 interface BVI1 23
!
ip access-list extended NAT
 permit ip any any
!
access-list 108 permit ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password 7 0216054818115F3348
 no modem enable
line aux 0
line vty 0 4
 password 7 06160E325F59590B01
!
scheduler max-task-time 5000
end[/code]
Since this is a named ACL, you need to enter ACL configuration mode:
ip access-list extended NAT
Then make the changes.
Federico.
-
Client VPN with IPsec over TCP transport does not work
Hello world
The VPN client works well with IPsec over UDP transport.
I tested whether it works when I choose IPsec over TCP in the VPN client.
Under the group policy, I disabled IPsec over UDP and set port 10000.
But the VPN connection failed.
What should I do to make the VPN work using IPsec over TCP?
Concerning
MAhesh
Mahesh,
You must use "crypto ikev1 ipsec-over-tcp port 10000".
"crypto isakmp ipsec-over-tcp" only works on images below 8.3.
HTH
-
Routing client VPN traffic via a site-to-site VPN
Hello
We have the following scenario:
- Office (192.168.2.x)
- Data Center (212.64.x.x)
- Home workers (192.168.2.x) (the DHCP scope is in the office subnet)
Connections:
- Office to Data Center traffic is routed through a site-to-site IPsec VPN, which works very well.
- Home to Office is routed through an IPsec VPN client.
The issue we have right now is that the client VPN works, and we have implemented a split tunnel that includes only the Office subnet in its network list.
What I need to do is route all traffic from 'home' to 'Data Center' over the site-to-site VPN that is configured.
I tried adding the data center IP ranges to the client VPN split-tunnel list, but when I do that and try to connect from home, I just get a "connection timed out" or denied, as if it was blocked by a firewall.
Could you please let me know what I missed?
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name skiddle.internal
enable password xxx encrypted
passwd xxx encrypted
names
name 188.39.51.101 dev.skiddle.com description Dev External
name 192.168.2.201 dev.skiddle.internal description Internal Dev server
name 164.177.128.202 www-1.skiddle.com description Skiddle web server
name 192.168.2.200 Newserver
name 217.150.106.82 Holly
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.3.250 255.255.255.0
!
!
time-range Workingtime
periodic weekdays 9:00 to 18:00
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server Newserver
domain-name skiddle.internal
same-security-traffic permit inter-interface
object-group service Mysql tcp
port-object eq 3306
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network rackspace-public-ips
description Rackspace Public IPs
network-object 164.177.132.16 255.255.255.252
network-object 164.177.132.72 255.255.255.252
network-object 212.64.147.184 255.255.255.248
network-object 164.177.128.200 255.255.255.252
object-group network Cuervo
description Test access for cuervo
network-object host Holly
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip any any
access-list outside_access_in remark ENABLES Watermark Wifi ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp 188.39.51.0 255.255.255.0 interface outside object-group DM_INLINE_TCP_4 time-range Workingtime
access-list outside_access_in remark ENABLES OUTSDIE ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_3
access-list outside_access_in remark Public Skiddle Network > Dev server
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 interface outside eq www
access-list outside_access_in extended permit tcp object-group rackspace-public-ips interface outside eq ssh
access-list outside_access_in remark OUTSIDE ACCESS TO DEV SERVER
access-list outside_access_in extended permit tcp object-group Cuervo interface outside object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 host dev.skiddle.internal object-group DM_INLINE_TCP_2 inactive
access-list inside_access_in_1 remark HTTP OUT
access-list inside_access_in_1 extended permit tcp any any eq www
access-list inside_access_in_1 remark HTTPS OUT
access-list inside_access_in_1 extended permit tcp any any eq https
access-list inside_access_in_1 remark SSH OUT
access-list inside_access_in_1 extended permit tcp any any eq ssh
access-list inside_access_in_1 remark MYSQL OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 object-group Mysql
access-list inside_access_in_1 remark SPHINX OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 eq 3312
access-list inside_access_in_1 remark DNS OUT
access-list inside_access_in_1 extended permit object-group TCPUDP host Newserver any eq domain
access-list inside_access_in_1 remark PING OUT
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 remark Draytek Admin
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 4433
access-list inside_access_in_1 remark Phone System
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 35300 log disable
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq 4500
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq isakmp
access-list inside_access_in_1 remark Office to Rackspace OUT
access-list inside_access_in_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_access_in_1 remark IMAP OUT
access-list inside_access_in_1 extended permit tcp any any eq imap4
access-list inside_access_in_1 remark FTP OUT
access-list inside_access_in_1 extended permit tcp any any eq ftp
access-list inside_access_in_1 remark FTP DATA out
access-list inside_access_in_1 extended permit tcp any any eq ftp-data
access-list inside_access_in_1 remark SMTP Out
access-list inside_access_in_1 extended permit tcp any any eq smtp
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip any 192.168.2.128 255.255.255.224
access-list inside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list outside_1_cryptomap_1 extended permit tcp 192.168.2.0 255.255.255.0 object-group rackspace-public-ips eq ssh
access-list RACKSPACE-cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list RACKSPACE-TEST extended permit ip host 94.236.41.227 any
access-list RACKSPACE-TEST extended permit ip any host 94.236.41.227
access-list InternalForClientVPNSplitTunnel remark Inside for VPN
access-list InternalForClientVPNSplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.128.200 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.16 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.72 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 212.64.147.184 255.255.255.248
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm warnings
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu inside 1500
mtu outside 1500
ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ipv6 access-list inside_access_ipv6_in permit tcp any any eq www
ipv6 access-list inside_access_ipv6_in permit tcp any any eq https
ipv6 access-list inside_access_ipv6_in permit tcp any any eq ssh
ipv6 access-list inside_access_ipv6_in permit icmp6 any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www dev.skiddle.internal www netmask 255.255.255.255
static (inside,outside) tcp interface ssh dev.skiddle.internal ssh netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable 4433
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map outside_map 1 match address RACKSPACE-cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 94.236.41.227
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxx
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcprelay server 192.68.2.200 inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source outside prefer
webvpn
port 444
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1 regex "Intel Mac OS X"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy skiddlevpn internal
group-policy skiddlevpn attributes
dns-server value 192.168.2.200
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternalForClientVPNSplitTunnel
default-domain value skiddle.internal
username bensebborn password *** encrypted privilege 0
username bensebborn attributes
vpn-group-policy skiddlevpn
username benseb password gXdOhaMts7w/KavS encrypted privilege 15
tunnel-group 94.236.41.227 type ipsec-l2l
tunnel-group 94.236.41.227 ipsec-attributes
pre-shared-key *****
tunnel-group skiddlevpn type remote-access
tunnel-group skiddlevpn general-attributes
address-pool CiscoVPNDHCPPool
default-group-policy skiddlevpn
tunnel-group skiddlevpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect ftp
!
service-policy global_policy global
smtp-server 164.177.128.203
prompt hostname context
call-home reporting anonymous
Cryptochecksum:6c2eb43fa1150f9a5bb178c716d8fe2b
: end
You must enable same-security-traffic permit intra-interface to allow VPN-to-VPN communication.
Regards,
Safwan
Remember to rate useful posts.
-
Cisco router client VPN split tunnel does not work
Hello!
I have configured the Cisco VPN Client on a 2821 router, and it works fine.
I can access the inside resources normally.
The problem is that when I connect with the VPN I lose internet connectivity. What is wrong with my setup?
Below is the current configuration of the router.
Kind regards!
CISCO2821#sh run
Building configuration...
Current configuration : 5834 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO2821
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-20.T.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login VPN-LOCAL-AUTHENTIC local
aaa authorization network VPN-LOCAL-AUTHOR local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
username vpn privilege 0 secret 5 $1$tCf1$XAxQWtDRYdfy9g3JpVSvZ.
archive
log config
hidekeys
!
!
crypto isakmp policy 44
encr aes
authentication pre-share
group 2
lifetime 44444
!
crypto isakmp client configuration group VPN
key VPNVPNVPN
pool VPN-pool
acl VPN-ACL-SPLIT
max-users 5000
!
!
crypto isakmp profile ISAKMP-VPN-PROFILE
match identity group VPN
client authentication list VPN-LOCAL-AUTHENTIC
isakmp authorization list VPN-LOCAL-AUTHOR
client configuration address respond
client configuration group VPN
virtual-template 44
!
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE
set transform-set VPN-SET
set isakmp-profile ISAKMP-VPN-PROFILE
!
!
interface GigabitEthernet0/0
ip address 192.168.2.214 255.255.255.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface FastEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template44 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-PROFILE
!
interface Dialer0
no ip address
ip mtu 1452
ip virtual-reassembly
shutdown
!
ip local pool VPN-POOL 192.168.1.150 192.168.1.250
ip forward-protocol nd
ip http server
ip http port 8081
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list ACL-NAT interface GigabitEthernet0/0 overload
!
ip access-list standard ACL-TELNET
permit any
!
ip access-list extended ACL-NAT
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL-VPN-SPLIT
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-ACL-SPLIT
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to use.
-----------------------------------------------------------------------
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
access-class ACL-TELNET in
exec-timeout 30 0
privilege level 15
logging synchronous
transport input telnet ssh
line vty 5 15
access-class ACL-TELNET in
exec-timeout 30 0
privilege level 15
logging synchronous
transport input telnet ssh
line vty 16 988
access-class ACL-TELNET in
exec-timeout 30 0
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
end
CISCO2821#
I think that you made a mistake with your ACL name. The ACL applied is "VPN-ACL-SPLIT", which is an empty ACL. You must switch to "ACL-VPN-SPLIT", which has the entry "permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255" inside.
-
ASA 5520 8.0(4) port-based ACL for VPN does not work
Hi all,
I have a problem with an ASA (5520, 8.0(4)) that is not working with a port-based ACL for remote clients. I have a simple one-line ACL to split traffic: if I permit IP, the tunnel works fine; if I lock it down to TCP 3389, RDP will not work. I don't see anything in the logs or debug output. I did have a problem with a similar configuration (5510, 8.0(4)) and I'm at a loss to explain it.
Has anyone seen this problem before? I have NAT exemptions etc. and, as I said, the tunnel only works if the ACL permits all IP traffic between client and server.
Thanks in advance
Split-tunnel lists can only match IP; if you want to restrict which ports are sent through the VPN tunnel for your VPN clients, you need to use VPN filters under the group policy:
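Both replies above come down to the same configuration check: the ACL a client group names for split tunnelling must exist, must not be empty (the 2821 post applies the empty VPN-ACL-SPLIT instead of ACL-VPN-SPLIT), and must not try to restrict ports, which split-tunnel lists ignore (this ASA 5520 post needs a vpn-filter for that). The linter below is an added example, not code from either post; its function names are its own and the two config fragments are constructed to mirror the posts, with the 2821 group key left out.

```python
"""Split-tunnel ACL linter for Cisco IOS and ASA configs (added example, not
code from either post). It mechanises both replies: the ACL a client group
points at must exist and be non-empty, and its entries must not restrict ports,
which split-tunnel lists ignore. Names here are this example's own."""
import re

PORT_TOKENS = {"eq", "neq", "gt", "lt", "range"}
IOS_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
IOS_ENTRY = re.compile(r"^(?:\d+ )?(?:permit|deny)\b")
ASA_ENTRY = re.compile(r"^access-list (\S+) (?:(?:standard|extended) )?((?:permit|deny) .*)$")
IOS_GROUP = re.compile(r"^crypto isakmp client configuration group (\S+)$")
ASA_GROUP = re.compile(r"^group-policy (\S+) attributes$")
IOS_REF = re.compile(r"^acl (\S+)$")
ASA_REF = re.compile(r"^split-tunnel-network-list value (\S+)$")

def parse_acls(config):
    """Map ACL name -> permit/deny entries for IOS named ACLs and ASA one-line
    ACLs. A defined but empty IOS ACL maps to []."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := IOS_HEADER.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := ASA_ENTRY.match(line):
            current = None
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif current and IOS_ENTRY.match(line):
            acls[current].append(line)
        else:
            current = None  # '!' or any other top-level command ends the ACL
    return acls

def parse_split_tunnel_refs(config):
    """Return [(client group, ACL name)] from IOS 'acl' and ASA
    'split-tunnel-network-list value' statements."""
    refs, group = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := (IOS_GROUP.match(line) or ASA_GROUP.match(line)):
            group = m.group(1)
        elif group and (m := (IOS_REF.match(line) or ASA_REF.match(line))):
            refs.append((group, m.group(1)))
    return refs

def lint_split_tunnel(config):
    """Return findings; [] means every split-tunnel reference resolves to a
    non-empty ACL whose entries match networks only."""
    acls, findings = parse_acls(config), []
    for group, name in parse_split_tunnel_refs(config):
        entries = acls.get(name)
        if not entries:
            msg = f"{group}: split-tunnel ACL {name!r} is " + (
                "not defined" if entries is None else "empty")
            # A populated ACL with the same hyphen-separated tokens in another
            # order is almost certainly the one that was meant (VPN-ACL-SPLIT
            # vs ACL-VPN-SPLIT in the 2821 post).
            for other, other_entries in acls.items():
                if other_entries and sorted(other.split("-")) == sorted(name.split("-")):
                    msg += f" (did you mean {other!r}?)"
            findings.append(msg)
            continue
        for entry in entries:
            if PORT_TOKENS & set(entry.split()):
                findings.append(f"{group}: {name!r} entry {entry!r} restricts ports, "
                                "which split tunnelling ignores; use a vpn-filter")
    return findings

# Constructed fragments modelled on the two posts (group key deliberately omitted).
IOS_SAMPLE = """\
crypto isakmp client configuration group VPN
 pool VPN-POOL
 acl VPN-ACL-SPLIT
!
ip access-list extended ACL-VPN-SPLIT
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-ACL-SPLIT
!
"""
ASA_SAMPLE = """\
access-list RDP_ONLY extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.5 eq 3389
group-policy rdpusers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RDP_ONLY
"""
```

Running `lint_split_tunnel(IOS_SAMPLE)` reports the empty VPN-ACL-SPLIT and suggests ACL-VPN-SPLIT; `lint_split_tunnel(ASA_SAMPLE)` flags the `eq 3389` entry.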
-
RA VPN does not work on the second outside interface
I've temporarily brought in two Internet service providers on our ASA 5510, which works very well. I tried to configure the VPN on our second outside interface (outside-XO) and it does not work. The first/original VPN works great. Can someone look at the config and tell me if I did something wrong? It is not a client issue, because the client is able to connect fine on the first interface. Thank you.
ASA Version 7.1(2)
!
hostname FW01
domain-name dot.com
enable password * encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address *.229.200 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.2.3 255.255.255.0
!
interface Ethernet0/2
nameif outside-XO
security-level 0
ip address *.157.100 255.255.255.192
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.14.254 255.255.255.0
management-only
!
passwd * encrypted
banner login Attention: this is a private network. Unauthorized intruders WILL BE prosecuted to the extent of the LAW!
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
domain-name dot.com
same-security-traffic permit intra-interface
object-group service WebServer tcp
description HTTPS and www
port-object eq https
port-object eq www
object-group service Mail tcp
description SMTP POP3 access
port-object eq pop3
port-object eq smtp
port-object eq 32000
object-group service non-standard tcp
description Port 1429 and 1431
port-object eq 1431
port-object eq 1429
object-group service DNS tcp-udp
description to allow outside DNS resolution
port-object eq domain
object-group service FTP tcp
description FTP
port-object eq ftp
object-group service SMTPMail tcp
description SMTP only access
port-object eq smtp
object-group service IQWebServer tcp
description www and port 8082 access
port-object eq www
port-object eq 8082
port-object eq https
port-object eq 8999
object-group service SFTP tcp
description SFTP_SSH
port-object eq ssh
access-list outside_access_in extended permit tcp any host *.*.229.201 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group Mail
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group DNS
access-list outside_access_in extended permit tcp any host *.*.229.203 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.229.204 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.229.205 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.229.208 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.101 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group Mail
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group DNS
access-list outside_access_in extended permit tcp any host *.*.157.103 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.157.104 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.105 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.157.108 object-group WebServer
access-list 150 extended permit tcp any any eq smtp
access-list sheep extended permit ip 192.168.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list sheep extended permit ip any 10.1.1.0 255.255.255.240
access-list Splt_tnl standard permit 192.168.0.0 255.255.0.0
access-list Splt_tnl standard permit 10.1.1.0 255.255.255.0
access-list webcap extended permit tcp any host *.*.164.210 eq smtp
access-list webcap extended permit tcp host *.*.164.210 eq smtp any
pager lines 24
logging enable
logging asdm-buffer-size 200
logging buffered critical
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu outside-XO 1500
ip local pool VPNpool 10.1.1.1-10.1.1.15 mask 255.255.255.0
ip local pool VPNCisco 192.168.14.244-192.168.14.253 mask 255.255.255.0
icmp permit any inside
asdm image disk0:/asdm512.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.229.194
global (outside-XO) 1 *.*.157.66
nat (inside) 0 access-list sheep
nat (inside) 1 192.168.0.0 255.255.0.0
static (inside,outside) tcp *.*.229.202 domain 192.168.14.166 domain netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 www 192.168.14.2 www netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 smtp 192.168.14.2 smtp netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 pop3 192.168.14.2 pop3 netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 32000 192.168.14.2 32000 netmask 255.255.255.255
static (inside,outside) *.*.229.203 192.168.14.6 netmask 255.255.255.255
static (inside,outside) *.*.229.204 192.168.14.28 netmask 255.255.255.255
static (inside,outside) *.*.229.205 192.168.14.205 netmask 255.255.255.255
static (inside,outside) *.*.229.208 192.168.14.29 netmask 255.255.255.255
static (inside,outside) *.*.229.201 192.168.14.3 netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 domain 192.168.14.166 domain netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 www 192.168.14.2 www netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 smtp 192.168.14.2 smtp netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 pop3 192.168.14.2 pop3 netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 32000 192.168.14.2 32000 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.101 192.168.14.3 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.103 192.168.14.6 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.104 192.168.14.28 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.105 192.168.14.205 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.108 192.168.14.29 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside-XO
route outside 0.0.0.0 0.0.0.0 *.*.229.193 1
route inside 192.168.0.0 255.255.0.0 192.168.2.1 1
route outside-XO 0.0.0.0 0.0.0.0 *.*.157.65 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 480
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. Contact your administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy Cisco internal
group-policy Cisco attributes
wins-server value 192.168.14.4 192.168.14.11
dns-server value 192.168.14.4 192.168.14.11
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Splt_tnl
default-domain value *.com
username * password * encrypted
username * password * encrypted privilege 0
username * password * encrypted
username * password * encrypted
username * password * encrypted
username * password * encrypted privilege 15
username * password * encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.14.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside-XO
snmp-server host inside 192.168.14.27 community public
snmp-server location *
snmp-server contact Network Admin
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside-XO_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside-XO_map 65535 ipsec-isakmp dynamic outside-XO_dyn_map
crypto map outside-XO_map interface outside-XO
isakmp enable outside
isakmp enable outside-XO
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 600 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 600 retry 10
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
address-pool VPNpool
default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 600 retry 10
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.14.109 255.255.255.255 inside
telnet 192.168.14.36 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 10
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map INSPECT
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class INSPECT
inspect dns
inspect http
inspect icmp
inspect tftp
inspect ftp
inspect h323 ras
inspect h323 h225
inspect snmp
inspect sip
inspect esmtp
class inspection_default
inspect ftp
!
service-policy global_policy global
tftp-server inside 192.168.14.21 /tftp-root
smtp-server 192.168.14.2
Cryptochecksum:5eedeb06395378ed1c308a70d253c1b6
: end
Hello,
It should work.
What I think is the routes:
route outside 0.0.0.0 0.0.0.0 *.*.229.193 1
route outside-XO 0.0.0.0 0.0.0.0 *.*.157.65 2
If the first interface is OK, the ASA does not route packets via the second interface, so the VPN will not go through this interface.
On the client, can you ping both outside IPs of the ASA or only the first?
Try to add a static route on the ASA for the secondary outside interface pointing to the client's address, then try to connect via VPN and see if it works.
The commands:
sh cry isa sa
sh cry ips sa
will be a big help as well, when the VPN connection attempt fails.
Federico.
-
Client VPN does not start when using RDP
I have a few people that RDP into a Windows 2000 Server. The VPN client starts fine from the console (tried 4.7 & 4.6). When accessing remotely via RDP, trying to start the VPN client throws the error:
"Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again."
The service is started and it works fine from the console.
If this is the case, then I guess that this version may have a bug.
Personally, I always use v4.0.3(a). I was testing v4.6, however it kept crashing my machine, so finally I dropped it.