Connected to the ASA via the "VPN Client" software, but cannot ping devices.

I have a network that looks like this:

I successfully connected to the inside of the ASA via a software "VPN Client" tunnel and got the IP address 10.45.99.100/16.

I am trying to ping from 10.45.99.100 (outside) to 10.45.7.2 (inside), but the ping fails (request timed out).

On the ASA, with "logging console notifications" enabled, I see the following message:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.45.99.100 dst inside:10.45.7.2 (type 8, code 0) denied due to NAT reverse path failure

I have a vague feeling that I'm missing a NAT rule, of course, but I can't tell which one. What did I miss?

Here is my ASA configuration: http://pastebin.com/raw.php?i=ad6p1Zac

Hello

You seem to have the NAT0 ACL configured, but it is not actually in use with a "nat" command.

You would probably need

nat (inside) 0 access-list inside_nat0_outside

That should take care of the NAT0.

Personally, I would avoid using large subnets/networks. You probably won't ever have hosts behind the ASA that would fill a /16 subnet mask.

I would also keep the VPN pool as a separate network from the LANs behind the ASA. The LAN 10.45.0.0/16 and 10.45.99.100-200 are on the same network.

-Jouni
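As an added example (not from this thread), here is a small Python parser for the %ASA-5-305013 message quoted in the question: it pulls the flow out of the syslog text, flags pool-to-LAN flows as the signature of a missing NAT exemption, and also checks Jouni's point about the pool being carved out of the LAN. The log lines, hostname and timestamps are constructed; only the addresses come from the question.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines. The %ASA-5-305013 text follows the format quoted
# in the question; hostname "asa01" and timestamps are made up, addresses are the question's.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 asa01 %ASA-5-305013: Asymmetric NAT rules matched for forward and "
    "reverse flows; Connection for icmp src outside:10.45.99.100 dst inside:10.45.7.2 "
    "(type 8, code 0) denied due to NAT reverse path failure",
    "Jan 10 10:01:05 asa01 %ASA-5-305013: Asymmetric NAT rules matched for forward and "
    "reverse flows; Connection for tcp src outside:10.45.99.101/51234 "
    "dst inside:10.45.7.2/3389 denied due to NAT reverse path failure",
    "Jan 10 10:01:09 asa01 %ASA-5-305013: Asymmetric NAT rules matched for forward and "
    "reverse flows; Connection for tcp src outside:203.0.113.7/40000 "
    "dst inside:10.45.7.2/443 denied due to NAT reverse path failure",
    "Jan 10 10:02:00 asa01 %ASA-6-302013: Built inbound TCP connection 12 for "
    "outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:10.45.7.2/443 (198.51.100.2/443)",
]

# src/dst carry an interface name, an address and, for TCP/UDP, a /port suffix.
MSG_305013 = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)


@dataclass
class ReversePathFailure:
    proto: str
    src_if: str
    src: str
    dst_if: str
    dst: str


def parse_305013(line: str) -> Optional[ReversePathFailure]:
    """Return the flow described by a %ASA-5-305013 line, or None for any other message."""
    m = MSG_305013.search(line)
    if not m:
        return None
    return ReversePathFailure(m["proto"], m["src_if"], m["src"], m["dst_if"], m["dst"])


def pool_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Express an 'ip local pool' range as the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def pool_to_lan_failures(lines, pool_start, pool_end, lan_cidr) -> List[ReversePathFailure]:
    """305013 failures whose source is a VPN-pool address and destination a LAN address.

    That combination is the signature of this thread's problem: pool <-> LAN traffic is
    hitting a translation rule in one direction because no NAT exemption covers it."""
    pool = pool_networks(pool_start, pool_end)
    lan = ipaddress.IPv4Network(lan_cidr)
    hits = []
    for line in lines:
        f = parse_305013(line)
        if f is None:
            continue
        src, dst = ipaddress.IPv4Address(f.src), ipaddress.IPv4Address(f.dst)
        if any(src in n for n in pool) and dst in lan:
            hits.append(f)
    return hits


def pool_overlaps_lan(pool_start, pool_end, lan_cidr) -> bool:
    """Jouni's second point: a pool carved out of the LAN range itself."""
    lan = ipaddress.IPv4Network(lan_cidr)
    return any(n.overlaps(lan) for n in pool_networks(pool_start, pool_end))


if __name__ == "__main__":
    for f in pool_to_lan_failures(SAMPLE_LOGS, "10.45.99.100", "10.45.99.200", "10.45.0.0/16"):
        print(f"{f.proto} {f.src_if}:{f.src} -> {f.dst_if}:{f.dst}: no NAT exemption for this flow")
    print("pool inside LAN:", pool_overlaps_lan("10.45.99.100", "10.45.99.200", "10.45.0.0/16"))
```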

Tags: Cisco Security

Similar Questions

  • Maintenance of the internal DNS after connecting to the VPN Client

    We connect with the VPN client all day and I wanted to know if there is a way to continue to use our internal LAN DNS when connected. For example, when I connect with the VPN client, our internal mail server's name resolves to its public IP address.

    Thank you

    You can set up the split-dns feature, but it cannot be configured on your VPN client device, because you only connect with the VPN client and normally the VPN client policies get pushed from the VPN headend.

    Here is the split-dns command if your customer happens to run an ASA firewall and they allow you to configure it:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/S8.html#wp1404571

  • Connection to the VPN Client 5.0.07 returns error 443 (activity included)

    I got the Cisco VPN Client to work on my windows 8.1 box, but my windows 10 box gives me some issues.

    I am trying to connect to a Cisco VPN using Cisco VPN Client 5.0.07.0290 on Windows 10.  At first the Cisco VPN client would not install and I discovered that I had to install Citrix DNE before installing it. I did that and now the Cisco VPN client installs fine.

    Now, I get an error 443 with the following log information when I try to connect:

    ---

    Config files directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

    1      20:31:03.517  23/07/15  Sev=Warning/2  CVPND/0xA3400017
    Download key failed.

    2      20:31:03.517  23/07/15  Sev=Warning/3  IKE/0xE3000002
    Function download_key_entry failed with an error code of 0x00000000(ISAWIN:346)

    3      20:31:03.518  23/07/15  Sev=Warning/3  IKE/0xE3000050
    Failed to load IPSec keys

    4      20:31:03.518  23/07/15  Sev=Warning/2  IKE/0xE30000A7
    Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2263)

    5      20:31:03.533  23/07/15  Sev=Warning/2  IPSEC/0xE3700003
    Function CniMemRealloc() failed with an error code of 0x00000000 (IPSecDrvBSafeMem:152)
    ---
     
    In the event logs, I see the following error message:

    The Cisco Systems, Inc. VPN Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

    ----
    Things I've tried:
     
    I took the SSL certificate from my computer that works (Windows 8.1), installed it on my Windows 10 machine and ensured that it was valid. I then imported it into the Cisco client. It did not work.
     
    I checked the registry to ensure there was no incorrect data in the DisplayName value, and that was fine.
     
    Any thoughts on what I might try next?

    Hello Onimallar,

    I had this same problem on my 64-bit Windows 10.  But on my 32-bit Windows 10 VM the Cisco VPN Client worked OK.  So I looked into the differences.  It seems that the 64-bit VPN client setup cannot change the network settings to add the 'DNE light filter' network client required in the network adapter properties.

    I tried the Citrix DNE update, and while that helped the Cisco VPN Client install successfully on my 64-bit machine, it would not establish a connection.

    Using the differences, I removed both the DNE Updater and the Cisco VPN Client, and then installed the 64-bit Dell SonicWall VPN Client, as this had been installed in my 32-bit VM (the 32-bit version).  This added the DNE filter network client to my 64-bit machine.  I reinstalled the Cisco VPN Client successfully and was able to connect to a remote site.

    It worked for me.

    You can download the SonicWall VPN Client from:

    https://support.software.Dell.com/SonicWALL-Global-VPN-client/Windows%20...

  • Yellow triangle with ! on the wireless network connection icon in the task bar, but OK in Device Manager

    I still need help: 11-24-10, problem uncorrected after all

    I have an older refurbished HP Pavilion ze5385US laptop which has recently lost its wireless connection.  Now I have to leave it plugged in to use it, not practical at all.  I right-clicked on the icon to open the network connections, left-clicked wireless network connections and then clicked "repair this connection".  The computer uninstalled it, and then was not able to reinstall.  When I checked D:, it was empty.  I thought that was where the restore stuff should have been.  So I downloaded and reinstalled many Express IEEE 802.11 PCI LAN cards, until I found the one that the computer would accept.  Now it appears fine in Device Manager, but has the yellow cone with ! on the icon in the status bar at the bottom.  When I hover over it, it says: 13 of (ANY) wireless network connection, speed: 11.0 Mbps, signal strength: Excellent, status: limited or no connectivity.  When I choose "View available wireless networks", I get "Windows cannot configure this wireless connection".  Under wireless network/support/connection details, I get physical address: 00-02-8A-92-BE-0C, IP address: 169.254.196.112, subnet mask: 255.255.0.0, then the default gateway, DNS server and WINS server have no values listed. I'm afraid to hit repair again, as it could wipe out the only card I've found so far that is accepted by my computer.  When I try to enter the knowledge base for WinXP, I get an error for this page, as well as for several other help pages I tried on the microsoft.com site.  When I used the wireless zero configuration tool in services & restarted earlier, I had a red X on my icon, so I guess I've lost my card after all.  Can I disable this?  The card always shows as OK in Device Manager.  Any ideas anyone?  I need help here please.

    Hello

    I thank you and wish you the same.

    I see that your problem has been solved using the HP driver that you mentioned on Thursday, November 18 in your message, and that the Express.sys issue is a problem with Windows Installer.

    I suggest installing Windows Installer 4.5 on the system from the link below, then updating the driver from the link that was attached to your question before, and checking.

    Step 1:

    Install Windows Installer 4.5

    Windows Installer 4.5 Redistributable

    http://www.Microsoft.com/downloads/en/details.aspx?FamilyId=5A58B56F-60B6-4412-95B9-54D056D6F9F4&displaylang=en

    Step 2:

    Update the driver from the link you mentioned in your previous post.

    I suggest you to check with TP-link if this model is compatible with Windows XP or not.

    http://www.TP-link.com/products/ProductList.asp?class=WLAN#S6

    Thanks and regards.

    Thahaseena M
    Microsoft Answers Support Engineer.
    Visit our Microsoft Answers Feedback Forum and let us know what you think.

  • VPN client VPN connection from behind a PIX to another PIX

    I have the following problem:

    I wanted to establish a VPN connection with the VPN client to a PIX over GPRS / 3G, but I didn't have much luck with PIX IOS version 6.2(2).

    So I upgraded the PIX to 6.3(4) to use NAT-T, and the VPN client to version 4.0.5.

    I configured the PIX with NAT-T (isakmp nat-traversal 20), but I still had no luck, it would not get through the 1st phase. As soon as I took isakmp nat-traversal off it started working, and we can connect to our servers.

    Now I want to connect with the VPN client from behind our PIX to our customer's PIX network. The VPN connection establishes without problem, but we cannot access the servers. If I configure NAT-T on both PIXes, or only on the customer PIX, or only on our PIX, there is no VPN connection at all.

    If I connect the VPN client from behind our PIX to the customer's network and try to PING their DNS server, for example, I get the following error on our PIX:

    305006: portmap translation creation failed for protocol 50 src inside:10.10.1.x dst outside:194.x.x.x

    194.x.x.x is our customer's PIX IP address

    I understand that an access list is missing somewhere, but I cannot figure out where.

    Of course, I could configure a site-to-site VPN, but we have a few customers whose servers we look after, so it would be easier to just connect with the VPN client from behind the PIX to the customer's server, instead of first dialing in and then establishing a VPN connection.

    Can you please help me?

    Thank you in advance

    The following is extracted from the ASK THE EXPERTS discussion forum with Glenn Fullagar of Cisco.

    I've cut and pasted it here for you to read; I think the problem is the one mentioned below:

    Question:

    Hi Glenn,

    Is the following possible?

    I have the vpn client on my PC, and my LAN is protected by a pix. I can launch the vpn client to connect to the remote pix. The vpn client authenticates and the remote pix assigns my PC the appropriate ip from its ip address pool.

    The problem that I am facing is that I cannot ping anything across the remote pix from my PC, which is behind my pix. Can you please guide me on what I have to do to make this work, if it is possible?

    My PC has a static ip address assigned, with the appropriate default gateway pointing to my pix's inside interface.

    Thank you very much for any help provided in advance.

    Response from Glenn:

    First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is doing PAT, which usually breaks IPSec. Add the following command on the PIX your VPN client is behind:

    fixup protocol esp-ike

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

    If it still has issues, you can turn on NAT-T on the remote PIX that terminates the VPN; the client and the remote PIX will then encapsulate all IPSec in UDP packets that your PIX will be able to PAT correctly. Add the following command on the remote PIX:

    isakmp nat-traversal

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

    NAT-T is an IETF standard for the encapsulation of IPSec packets into UDP packets.

    IPSec ESP (the protocol that your encrypted data packets use) is an IP protocol; it sits directly above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

    A lot of devices that do Port Address Translation (PAT) rely on a unique TCP/UDP source port number to PAT on. Because all PAT'd traffic would be at the same source address, there must be some uniqueness to each of its sessions, and most devices use the TCP/UDP source port number for this. Because IPSec doesn't have one, many PAT devices fail to PAT it properly or at all, and the data transfer fails.

    With NAT-T enabled on both ends of the tunnel, they will determine during tunnel setup whether there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packet in a UDP packet with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic flows normally.

    Hope that helps.

  • Group to be installed on the VPN Client

    We run IOS 8.2(2). We configure VPN groups to authenticate locally on the ASA.  We have about 10 different groups (marketing, engineering, accounting, technical support, etc.) that I need to set up, which is no problem.  My problem is that I have to configure 10 different groups on the VPN client based on the user names.  Is it possible to set up a generic group such as "everyone" on the VPN client and have users get access only to resources based on their user name when they connect with the VPN client?

    Please let me know if you have any questions or need additional information.

    Thank you.

    Laura

    Hi Laura,

    You can have all users that connect to the same group.

    Then, individually on each user, create a VPN filter...

    username test attributes
     vpn-filter ...

    Federico.

  • VPN site to site access via a VPN client

    Hi all

    From our headquarters, we use a site-to-site vpn to connect to another site and it works great.

    We have just configured the VPN client on our headquarters; remote VPN users can access the LAN at headquarters.

    We need the remote user to also be able to access the LAN on the other site, but it does not work.

    The site-to-site VPN and VPN client are configured on the same device, using the same outside interface.

    The vpn client address pool is already included in the addresses that are allowed to go through the site-to-site VPN.

    We would like to know if it is possible to access the site-to-site VPN when connecting with the VPN client, with the architecture as above?

    In the case where we use different devices and different internet connections for the client VPN and the site-to-site VPN, can the remote VPN user access the other site's LAN?

    Kind regards

    Since you already have 10.13.0.0/16 in your site-to-site crypto ACL, which already includes the vpn pool, you need not configure it specifically.

    You are missing the following command:

    same-security-traffic permit intra-interface

    The split tunnel ACL should be a standard ACL as follows:

    access-list ACL-CL-VPN standard permit 10.13.0.0 255.255.0.0
    access-list ACL-CL-VPN standard permit 10.14.0.0 255.255.248.0

  • Bind two ISPs on the ASA for the remote VPN Client to connect to, instead of creating two profiles on the remote client

    Hello

    just a quick,

    TOPOLOGY

    ASA ISP1 - 197.1.1.1 - outside

    ASA ISP2 - 196.1.1.1 - backup

    LAN IP - 192.168.202.100 - inside

    I have configured the tunnel on both interfaces (outside and backup), but the aim is to link both public legs so they serve as redundancy for vpn users, while the vpn tunnel users keep pointing at the inside IP whenever they want to establish a vpn session; we want it to be one, so if an interface fails the vpn users will not notice, but it will try the second one for the connection, instead of creating a profile for the two outside legs on the vpn client.

    is this possible?

    Hi Rammany.

    In your case, you have only one ASA that connects to 2 ISPs on different IP segments... 196.x.x.x (Link1) & 197.x.x.x (Link2). Your requirement is that you want the VPN client to have a backup. If the 196.x.x.x link fails, it should automatically take the 197.x.x.x link. And we should not have to set the backup server in the VPN client config. You don't have the possibility of active/standby on a single asa either.

    I think it will not work with your current design.

    One option is if your VPN client supports host name resolution (DNS). You can have both public IP addresses share the same host name, keeping link 1 as the primary address and 2 as a secondary address. It would work on its own.

    Hope some other experts in our forum can help you with that.

  • The VPN client connection

    Is it possible to configure the VPN client to store some sort of login and password so that when you run it, it connects automatically without typing the user name and password?

    This must be done on the vpn client without making any changes on the vpn server.

    Any idea how to do this?

    Kind regards

    For 4.0.2, 4.6 & 4.8, yes - in the profile .pcf file, make sure that

    SaveUserPassword=1

    This will keep the user name & password in the profile; when you click on it, it should connect fine.

    You must also allow the user to store the password:

    In the pix / asa - under the client VPN profile:

    password-storage enable

    HTH.

  • IP address of the VPN client must demonstrate external IP of ASA 5505

    Hi guys,.

    We have a small project with the Government, which has some difficult requirements regarding security.

    Current situation:

    1. The Government has allowed one public IP address of our company to access their in-house server.

    2. In our office, staff can connect to their server using RDP through the Cisco ASA 5505, which I configured with two or three clicks.

    3. This ASA's outside (public) address is the Government-authorized IP address.

    Amended request:

    1. Given the increase in tasks, our staff must have access to the Government server from home.

    2. The Government will not grant vpn access to them directly.

    3. They ask us to provide our staff VPN, then RDP access to the Government site.

    I have set up the VPN and it connects very well, with no problems as far as the connection itself goes.

    But if I check using www.whatismyIPaddress.com, it shows the local IP address they got from their ISP, not the Cisco ASA 5505 outside interface.

    The problem is that, unlike Microsoft ISA 2006 VPN, which shows the external public IP address when a client connects to the VPN server, the Cisco vpn client shows the local IP address, which is not on the list at the Government site.

    I'm more of an MS guy than Cisco, as I didn't have a lot of chances to play with Cisco, sorry about that.

    Is there something I missed in the middle of the config, or does it need one more setting to achieve this?

    How can I make the VPN client show the IP address of the Cisco ASA's interface rather than the IP address of the local ISP?

    Thanks in advance,

    Charlie

    Have you added "same-security-traffic permit intra-interface" like I said in the previous post?

  • ASA routing problem from the inside to VPN clients

    Hello

    I have a problem where I can't reach the VPN clients on their vpn IP pool from the inside or from the asa itself. Connected VPN clients can access the internal network fine. I have no nat configured for the vpn pool, and packet-tracer encrypts the packet and puts it into the tunnel. I'm not sure what's wrong.

    Here is some relevant config:

    object network obj-192.168.245.0
     subnet 192.168.245.0 255.255.255.0
    ip local pool vpn 192.168.245.1-192.168.245.50
    nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup

    Packet-tracer output:

    Firewall# packet-tracer input inside icmp x.x.x.x 8 0 192.168.245.33

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.245.33  255.255.255.255 outside

    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group acl-inside in interface inside
    access-list acl-inside extended permit icmp any any echo
    Additional Information:

    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type:
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 7
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup
    Additional Information:
    Static translate x.x.x.x/0 to x.x.x.x/0

    Phase: 8
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 277723432, packet dispatched to next module

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    There is no route to the vpn address pool. Maybe that's the problem? I only know that this used to work before we went to 8.4.

    Check if the firewall is enabled on your ravpn client host and is blocking your pings.

  • IP address connection sets using the VPN Client

    Hello everyone. I'm using a VPN Client to establish a VPN tunnel with a 1600 router, and I have a question.

    Can I assign a fixed IP address to the client, instead of the router sending random addresses to the client?

    How would I do this?

    Would it be in the configuration of the VPN client, or in the configuration of the router?

    If so, how do I do it?

    Do I need another tool, or other software or hardware to do it?

    Any help is welcome...

    Thank you...

    Hello

    I don't think that there is a simple way to do this.

    However, if you create a different group name for the user who needs a static IP address, I think you should be good to go.

    So what you need to do: create a new pool of addresses. Make the start and end ip address the same (this is the address you want to assign to the VPN user).

    Configure another ipsec group on the router and bind the new pool to this group.

    Have your VPN client connect to this group.

    Hope that helps

    Jean Marc

  • Help, I changed the ESXi root password via PowerCLI, now I cannot connect with the web client or the console.

    Help, I've changed the ESXi root password via PowerCLI, now I cannot connect with the web client or the console, but I can still connect via PowerCLI. The command I used was:

    Connect-VIServer esxihostname -User root -Password newpasswd

    This is a production network btw; I have connected to each host and run the above command. These ESXi hosts are not on a domain.

    Is there something I have left out? I really appreciate any assistance you people can provide.

    Thank you, Joe

    It is probably a long shot, but a lot of things in Windows land are not case sensitive the way Unix is.  I wonder if the new password you put through PowerCLI had mixed case in it and the capitalization was dropped by the Windows PowerCLI command parser, or it was interpreted as all capitals or something.   If you can still get in through PowerCLI you could try to reset the password again to something simple without mixed case, and if your password policy on ESXi requires a special character, try something different than a "$", like a "_" (I find that a '_' is less likely than some other special characters, such as a '-' or a '/', to cause problems with parsers).

    Edit:

    Another thing you can try before playing with the password again is to create a different ESXi username using PowerCLI and see if the password ends up as what you think it should be, and if you can get in with the vsphere client using it.  This way you can find out if there are problems with certain characters or capitalization through the PowerCLI command parser without losing your remaining root access via PowerCLI.  After some tests, you can understand what went wrong with your initial password change and may be able to fix it with less risk of losing access.  I also assume that you cannot create a new username on ESXi that is able to change the root password no matter what authority you give it; otherwise, you could create a new username with PowerCLI, then connect with the vsphere client with it and change the root password from there.

  • The VPN client user authentication

    When users connect to our network remotely via VPN, the user name field is already filled with the last person who logged in. I know they can just delete the username and enter their own, but is there a way the client can be configured so that the username field will always be empty for everyone who wants to access the network via VPN? We have an ASA 5510 with version 7.0(8) and a Windows 2003 server with IAS for Windows authentication. Thank you!

    Hello

    In the PCF file, you can configure a line so that it is not editable by the user (or the vpn client).

    Simply prefix it with an exclamation mark (!), like this:

    !Username=
    !SaveUserPassword=0
    !UserPassword=
    !enc_UserPassword=

    Afterwards the vpn client will no longer save entries for these settings.

  • E3000 occasionally resets wired port when connecting to a PPTP VPN using Windows 7.

    I've had an E3000 for a few months now, and a couple of times per week the router loses wired Ethernet connectivity while a PPTP VPN connects via Windows 7. The router does not actually reset itself... but the wired connection light goes dark, the computer establishing the VPN loses its link, and connectivity to the router is lost. Within 30 to 45 seconds the port becomes active once more, and the VPN connection establishes. I've not seen this on a wireless connection, but I do not use one often, which may be why. Similarly, I have not seen this on my Vista or XP wired computers using the Windows VPN client... but then again I don't use them often enough to run into the problem.

    I see this mostly on my Windows 7 (x64) SP1 development PC (it also appeared pre-SP1), with IPv6 disabled on the PPTP VPN. And I only see it when establishing a connection... once the connection has been made I can be operational for hours (5/6 or more a day) with no issue.

    While this issue doesn't cause me any real headaches, since it only happens on connection... I thought someone should know.

    abandoned,

    I gave your suggestion a try, but it did nothing to eliminate the problem. The router was already on the most recent version but I re-flashed it anyway. I ran 3 days on an old Windows XP machine connected to a different port on the router; I had 3 days of work to do, and I never had the drop on the VPN port. But this morning, back on my Windows 7 machine... the port dropped during my first attempt... then I had no problem the rest of the day, despite disconnecting and reconnecting the PPTP VPN a few more times. Go figure.

    Let's consider this resolved... as I don't want to waste too much of everyone's time hassling with something that seems to be minor. Thanks for the help!
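As an added example illustrating Glenn Fullagar's NAT-T explanation in the "VPN client behind PIX" thread above (not code from that thread or from Cisco), the following Python classifies an IPv4 packet as raw ESP, UDP-encapsulated ESP on port 4500, IKE carried with the non-ESP marker, or a NAT keepalive, and shows what a PAT device has to key on in each case. The packets, addresses and SPI are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500          # RFC 3947/3948: IKE and ESP both move here once NAT is detected


@dataclass
class Classification:
    kind: str                  # "esp", "nat-t-esp", "nat-t-ike", "nat-t-keepalive", "other"
    src_port: Optional[int]    # None for raw ESP: nothing for a PAT device to key on
    dst_port: Optional[int]
    spi: Optional[int]         # ESP Security Parameters Index when an ESP header is present


def classify_ipv4(packet: bytes) -> Classification:
    """Classify an IPv4 packet as raw ESP, NAT-T encapsulated traffic, or something else."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IPPROTO_ESP:
        # ESP sits directly on IP: the first 4 bytes are the SPI, there is no port anywhere.
        spi = struct.unpack("!I", payload[:4])[0]
        return Classification("esp", None, None, spi)
    if proto == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:]
        if NAT_T_PORT in (sport, dport):
            if data == b"\xff":                  # RFC 3948 NAT keepalive
                return Classification("nat-t-keepalive", sport, dport, None)
            if data[:4] == b"\x00\x00\x00\x00":  # non-ESP marker (SPI 0 is reserved): IKE on 4500
                return Classification("nat-t-ike", sport, dport, None)
            spi = struct.unpack("!I", data[:4])[0]  # UDP header followed by a plain ESP header
            return Classification("nat-t-esp", sport, dport, spi)
        return Classification("other", sport, dport, None)
    return Classification("other", None, None, None)


def pat_can_track(c: Classification) -> bool:
    """PAT keys translations on a source port; raw ESP has none, hence Glenn's point."""
    return c.src_port is not None


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for the constructed samples."""
    src, dst = bytes([10, 10, 1, 10]), bytes([198, 51, 100, 1])   # made-up addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left zero) followed by its payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed samples: SPI 0x12345678, sequence 1, 16 bytes of dummy ciphertext.
ESP_HDR = struct.pack("!II", 0x12345678, 1) + b"\x00" * 16
RAW_ESP = build_ipv4(IPPROTO_ESP, ESP_HDR)
NAT_T_ESP = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_HDR))
NAT_T_IKE = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\x00" * 4 + bytes(28)))  # marker + zeroed IKE header
KEEPALIVE = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff"))

if __name__ == "__main__":
    for name, pkt in [("raw ESP", RAW_ESP), ("NAT-T ESP", NAT_T_ESP),
                      ("NAT-T IKE", NAT_T_IKE), ("keepalive", KEEPALIVE)]:
        c = classify_ipv4(pkt)
        print(f"{name:10} -> {c.kind:16} PAT can track: {pat_can_track(c)}")
```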
