Customer VPN - client configuration isakmp crypto group missing

Hello

I have a 12.2 (7r) version running Cisco 2611XM

I am trying to get the vpn clients to connect to the router following this link:

http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

My problem is that when I try to add the group I do not get the group option.

That's what I get:

My_Router (config) #crypto isakmp client configuration?

network address Set for the client address pool

What I need to change the version of IOS, if yes what IOS should I use?

Any help is greatly appreciated. This is the show of the current router version

Cisco Internetwork Operating System software

(Tm) C2600 software IOS (C2600-IK9S-M), Version 12.2(17a), RELEASE SOFTWARE (fc1)

Updated Friday 19 June 03 16:35 by pwade

Image text-base: 0x8000808C database: 0x81280FF0

ROM: System Bootstrap, Version 12.2 (7r) [next 7r], RELEASE SOFTWARE (fc1)

My_Router uptime is 1 minute

System to regain the power ROM

System image file is "flash: c2600-ik9s - mz.122 - 17A .bin.

This product contains cryptographic features and is under the United States

States and local laws governing the import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third party approval to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. laws and local countries. By using this product you

agree to comply with the regulations and laws in force. If you are unable

to satisfy the United States and local laws, return the product.

A summary of U.S. laws governing Cisco cryptographic products to:

http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

If you need assistance please contact us by mail at

[email protected] / * /.

Cisco 2611XM (MPC860P) processor (revision 0 x 100) with 60416K / 5120K bytes of memory.

Card processor ID JAE072602F2 (1616341861)

M860 processor: Ref. 5, mask 2

Connection software.

X.25 software Version 3.0.0.

2 FastEthernet/IEEE 802.3 interfaces

2 network interfaces Serial (sync/async)

32 KB of non-volatile configuration memory.

32768 K bytes of processor onboard flash system (read/write)

Configuration register is 0 x 2102

Thank you

Randall

Randall,

TAC is more an organization of break-fix. The question that you run by being more a features/functionality with the version of the code, TAC will probably able to help.

Your best option is to upgrade the memory and upgrade the router to 12.3 Mainline or higher.

Let me know if it helps.

Kind regards

Arul

Tags: Cisco Security

Similar Questions

UC500 and IPsec VPN client - disconnects

Just throw a question out there.
I have a UC560 running uc500-advipservicesk9 - mz.151 - 2.T2 site HQ. Remote users, about 8 of them, attempt to connect via IPsec VPN (v5.0.07.0440) HQ clients to access files, etc.. The behavior I see is 5 users to connect successfully, but only 5. As soon as more users trying to connect, they have either:
1. connect with success for a minutes, then unmold
2. get a 412, remote peer is not responding
3. connect, but someone of another session kickoff.
Users use the same VPN profile, but with names of single user and passwords.

Here are some of the CPU configs for VPN clients
Configuration group customer crypto isakmp USER01
key *.
DNS 192.168.0.110
pool USER01_POOL
ACL USER01_ACL

local RAUTHEN AAA authentication login
permission of AAA local RAUTHOR network authenticated by FIS

Crypto isakmp USER01_PROF profile
match of group identity USER01
list of authentication of client RAUTHEN
RAUTHOR of ISAKMP authorization list.
client configuration address respond

crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
lifetime 28800
crypto ISAKMP policy 100
BA aes
preshared authentication
Group 2
life 3600
crypto ISAKMP policy 1000
BA 3des
preshared authentication
Group 2

I enabled debugging
Debug crypto ISAKMP
Debug crypto ipsec

Here are some of the things that I see on him debugs
604899: 16:41:13.333 Aug 21: ISAKMP: (2073): HASH payload processing. Message ID = 284724149
604900: 16:41:13.333 Aug 21: ISAKMP: (2073): treatment protocol NOTIFY DPD/R_U_THERE 1
0, message ID SPI = 284724149, a = 0x8E7C6E68
604901: 16:41:13.333 Aug 21: ISAKMP: (2073): error suppression node 284724149 FALSE reason 'informational (en) State 1.
604902: 16:41:13.333 Aug 21: ISAKMP: (2073): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
604903: 16:41:13.333 Aug 21: ISAKMP: (2073): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

581504: 16:59:12.805 Aug 20: ISAKMP: (2147): purge the node-1455244451
581505: 16:59:12.805 Aug 20: ISAKMP: (2147): purge the node 840814618
581506: 16:59:13.933 Aug 20: ISAKMP (2147): received 201.195.231.162 packet dport 4500 sport 37897 Global (R) QM_IDLE
581507: 16:59:13.933 Aug 20: ISAKMP: node set 801982813 to QM_IDLE
581508: 20 August 16:59:13.933: ISAKMP: (2147): HASH payload processing. Message ID = 801982813
581509: 16:59:13.933 Aug 20: ISAKMP: receives the payload type 18
581510: 16:59:13.933 Aug 20: ISAKMP: (2147): treatment remove with load useful reason
581511: 16:59:13.933 Aug 20: ISAKMP: (2147): remove the doi = 0
581512: 16:59:13.933 Aug 20: ISAKMP: (2147): remove Protocol id = 1
581513: 16:59:13.933 Aug 20: ISAKMP: (2147): remove spi_size = 16
581514: 16:59:13.933 Aug 20: ISAKMP: (2147): remove the spis num = 1
581515: 16:59:13.933 Aug 20: ISAKMP: (2147): delete_reason = 2
581516: 20 August 16:59:13.933: ISAKMP: (2147): load DELETE_WITH_REASON, processing of message ID = 801982813, reason: DELETE_BY_USER_COMMAND
581517: 16:59:13.933 Aug 20: ISAKMP: (2147): peer does not paranoid KeepAlive.

581518: 16:59:13.933 Aug 20: ISAKMP: (2147): peer does not paranoid KeepAlive.

581519: 16:59:13.933 Aug 20: ISAKMP: (2147): removal of State of SA reason 'Order BY user' (R) QM_IDLE (post 201.195.231.162)
581520: 16:59:13.933 Aug 20: ISAKMP: (2147): error suppression node 801982813 FALSE reason 'informational (en) State 1.
581521: 16:59:13.933 Aug 20: ISAKMP: node set-878597687 to QM_IDLE
581522: 20 August 16:59:13.937: ISAKMP: (2147): lot of 201.195.231.162 sending peer_port my_port 4500 37897 (R) QM_IDLE
581523: 16:59:13.937 Aug 20: ISAKMP: (2147): sending a packet IPv4 IKE.
581524: 16:59:13.937 Aug 20: ISAKMP: (2147): purge the node-878597687
581525: 16:59:13.937 Aug 20: ISAKMP: (2147): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
581526: 16:59:13.937 Aug 20: ISAKMP: (2147): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

I opened a case with TAC on this and they do not understand what is the cause. For them, it looks like a bug without papers. And their recommendation is to reboot, upgrade or try configuring L2TP for remote users.

Thank you

JP

JP,

An update of IOS is worth it, even if him debugs seems to indicate that there is a problem with the client. If possible, I always suggest test with another client to see if it is unique to the Cisco VPN Client on Win7. Regarding the limit of 20 tunnel, it is very probably the number of IPsec security associations. If you issue a 'show crypto eli', this example displays the number of Sessions that are currently active IPSec.

HTH,

Frank

[SOLVED] Native Iphone4s Cisco VPN client cannot establish the tunnel (victory clients do)

Hello

IPhone 4 s last IOS5 V 5.1.1 installed

I'm not able to make the native IPSEC VPN connection upset my company Cisco 877

Instead, all my computer laptop and netbook with Cisco VPN Client work installed fine when they connect remotely to society 877

Turn debugging 877, it seems Iphone successfully passes the 1 connection ike (actually Iphone wonder phase2 user/pass), but it hung to phase2 give me the error 'Negotiation with the VPN server has no' back

An idea or a known issue on this?

This is how I configured my VPN 877 part:

R1 (config) # aaa new-model

R1 (config) # aaa authentication default local connection

R1 (config) # aaa authentication login vpn_xauth_ml_1 local

R1 (config) # aaa authentication login local sslvpn

R1 (config) # aaa authorization network vpn_group_ml_1 local

R1 (config) # aaa - the id of the joint session

Crypto isakmp policy of R1 (config) # 1

R1(config-ISAKMP) # BA 3des

# Preshared authentication R1(config-ISAKMP)

Group R1(config-ISAKMP) # 2

R1(config-ISAKMP) #.

R1(config-ISAKMP) #crypto isakmp policy 2

R1(config-ISAKMP) # BA 3des

Md5 hash of R1(config-ISAKMP) #.

# Preshared authentication R1(config-ISAKMP)

Group R1(config-ISAKMP) # 2

Output R1(config-ISAKMP) #.

R1 (config) # CUSTOMER - VPN crypto isakmp client configuration group

R1(config-ISAKMP-Group) # key xxxxxxxx

R1(config-ISAKMP-Group) # 192.168.0.1 dns

R1(config-ISAKMP-Group) # VPN - pool

ACL R1(config-ISAKMP-Group) # 120

R1(config-ISAKMP-Group) max-users # 5

Output R1(config-ISAKMP-Group) #.

R1 (config) # ip local pool VPN-pool 192.168.0.20 192.168.0.25

R1 (config) # crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac

R1 (config) # crypto ipsec VPN-profile-1 profile

R1(IPSec-Profile) # set the transform-set encrypt method 1

Tunnel type interface virtual-Template2 R1 (config) #.

R1(Config-if) # ip unnumbered FastEthernet0/0

R1(Config-if) # tunnel mode ipsec ipv4

Ipsec protection tunnel R1(Config-if) # VPN - profile - 1 profile

Profile of R1 (config) # isakmp crypto vpn-ike-profile-1

R1(conf-ISA-Prof) # match group identity CUSTOMER VPN

R1(conf-ISA-Prof) # vpn_xauth_ml_1 list client authentication

R1(conf-ISA-Prof) # isakmp authorization list vpn_group_ml_1

R1(conf-ISA-Prof) # client configuration address respond

R1(conf-ISA-Prof) virtual-model # 2

Then run AccessList 120 for desired traffic ("access-list 120 now allows ip any any")

I have configured my VPN Cisco "CUSTOMER-VPN" clients and relative password

Whenever they connect, they are prompted for the password and username phase2 then they join the VPN with an IP address from local subnet released.

With the same parameters required and confirmed in section ipsec VPN Iphone it does not work.

It's 877 isakmp debug output after that Iphone wonder name of user and password (then I suppose that phase 1 completed):

* 14:29:30.731 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport CONF_XAUTH

* 14:29:30.735 May 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID =-1427983983

* 14:29:30.735 May 19: ISAKMP: Config payload RESPONSE

* 14:29:30.735 May 19: ISAKMP/xauth: response XAUTH_USER_NAME_V2 attribute

* 14:29:30.735 May 19: ISAKMP/xauth: response XAUTH_USER_PASSWORD_V2 attribute

* 14:29:30.735 May 19: ISAKMP: (2081): node-1427983983 error suppression FALSE reason "made with Exchange of request/response xauth.

* 14:29:30.735 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_REPLY

* 14:29:30.735 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_REQ_SENT = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

* 14:29:30.743 May 19: ISAKMP: node set 1322685842 to CONF_XAUTH

* 19 May 14:29:30.747: ISAKMP: (2081): launch peer 151.38.197.143 config. ID = 1322685842

* 19 May 14:29:30.747: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) CONF_XAUTH

* 14:29:30.747 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.

* 14:29:30.747 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN

* 14:29:30.747 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_AAA_CONT_LOGIN_AWAIT = IKE_XAUTH_SET_SENT

* 14:29:31.299 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport CONF_XAUTH

* 14:29:31.299 May 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID = 1322685842

* 14:29:31.299 May 19: ISAKMP: Config payload ACK

* 19 May 14:29:31.303: ISAKMP: (2081): XAUTH ACK processed

* 14:29:31.303 May 19: ISAKMP: (2081): error suppression node 1322685842 FALSE basis "Mode of Transaction.

* 14:29:31.303 May 19: ISAKMP: (2081): talking to a customer of the unit

* 14:29:31.303 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_ACK

* 14:29:31.303 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_SET_SENT = IKE_P1_COMPLETE

* 14:29:31.303 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

* 14:29:31.303 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 19 May 14:29:31.303: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

* 14:29:31.315 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

* 14:29:31.315 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

* 14:29:31.623 may 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport QM_IDLE

* 14:29:31.623 may 19: ISAKMP: node set-851463821 to QM_IDLE

* 14:29:31.623 may 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID =-851463821

* 14:29:31.623 may 19: ISAKMP: Config payload REQUEST

* 14:29:31.623 may 19: ISAKMP: (2081): verification of claim:

* 14:29:31.623 may 19: ISAKMP: IP4_ADDRESS

* 14:29:31.623 may 19: ISAKMP: IP4_NETMASK

* 14:29:31.623 may 19: ISAKMP: IP4_DNS

* 14:29:31.623 may 19: ISAKMP: IP4_NBNS

* 14:29:31.623 may 19: ISAKMP: ADDRESS_EXPIRY

* 14:29:31.623 may 19: ISAKMP: APPLICATION_VERSION

* 14:29:31.623 may 19: ISAKMP: MODECFG_BANNER

* 14:29:31.623 may 19: ISAKMP: domaine_par_defaut

* 14:29:31.623 may 19: ISAKMP: SPLIT_DNS

* 14:29:31.623 may 19: ISAKMP: SPLIT_INCLUDE

* 14:29:31.623 may 19: ISAKMP: INCLUDE_LOCAL_LAN

* 14:29:31.623 may 19: ISAKMP: PFS

* 14:29:31.623 may 19: ISAKMP: MODECFG_SAVEPWD

* 14:29:31.623 may 19: ISAKMP: FW_RECORD

* 14:29:31.623 may 19: ISAKMP: serveur_sauvegarde

* 14:29:31.623 may 19: ISAKMP: MODECFG_BROWSER_PROXY

* 14:29:31.627 May 19: ISAKMP/author: author asks for CUSTOMER-VPNsuccessfully group AAA

* 14:29:31.627 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

* 14:29:31.627 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_CONFIG_AUTHOR_AAA_AWAIT

* 14:29:31.627 May 19: ISAKMP: (2081): attributes sent in the message:

* 19 May 14:29:31.627: address: 0.2.0.0

* 19 May 14:29:31.627: ISAKMP: (2081):address of 192.168.0.21 assignment

* 14:29:31.627 May 19: ISAKMP: sending private address: 192.168.0.21

* 14:29:31.627 May 19: ISAKMP: send the subnet mask: 255.255.255.0

* 14:29:31.631 May 19: ISAKMP: sending IP4_DNS server address: 192.168.0.1

* 14:29:31.631 May 19: ISAKMP: sending ADDRESS_EXPIRY seconds left to use the address: 3576

* 14:29:31.631 May 19: ISAKMP: string APPLICATION_VERSION sending: Cisco IOS software, software C870 (C870-ADVIPSERVICESK9-M), Version 12.4 (15) T7, VERSION of the SOFTWARE (fc3)

Technical support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Updated Friday 14 August 08 07:43 by prod_rel_team

* 14:29:31.631 May 19: ISAKMP: split shipment include the name Protocol 120 network 0.0.0.0 mask 0.0.0.0 0 src port 0, port 0 DST

* 14:29:31.631 May 19: ISAKMP: sending save the password answer value 0

* 19 May 14:29:31.631: ISAKMP: (2081): respond to peer 151.38.197.143 config. ID =-851463821

* 19 May 14:29:31.631: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) CONF_ADDR

* 14:29:31.631 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.

* 14:29:31.631 May 19: ISAKMP: (2081): node-851463821 error suppression FALSE reason "error no.".

* 14:29:31.631 May 19: ISAKMP: (2081): talking to a customer of the unit

* 14:29:31.631 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR

* 14:29:31.631 May 19: ISAKMP: (2081): former State = new State IKE_CONFIG_AUTHOR_AAA_AWAIT = IKE_P1_COMPLETE

* 14:29:31.635 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

* 14:29:31.635 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

Here the Iphone remains unused for a few seconds...

* 14:29:48.391 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport QM_IDLE

* 14:29:48.391 May 19: ISAKMP: node set 1834509506 to QM_IDLE

* 19 May 14:29:48.391: ISAKMP: (2081): HASH payload processing. Message ID = 1834509506

* 19 May 14:29:48.391: ISAKMP: (2081): treatment of payload to DELETE. Message ID = 1834509506

* 14:29:48.391 May 19: ISAKMP: (2081): peer does not paranoid KeepAlive.

* 14:29:48.395 May 19: ISAKMP: (2081): peer does not paranoid KeepAlive.

* 14:29:48.395 May 19: ISAKMP: (2081): removal of HIS right State 'No reason' (R) QM_IDLE (post 151.38.197.143)

* 14:29:48.395 May 19: ISAKMP: (2081): error suppression node 1834509506 FALSE reason 'informational (en) State 1.

* 19 May 14:29:48.395: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

* 19 May 14:29:48.395: IPSEC (key_engine_delete_sas): rec would notify of ISAKMP

* 19 May 14:29:48.395: IPSEC (key_engine_delete_sas): remove all SAs shared with peer 151.38.197.143

* 14:29:48.395 May 19: ISAKMP: node set-1711408233 to QM_IDLE

* 19 May 14:29:48.395: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) QM_IDLE

* 14:29:48.395 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.

* 14:29:48.399 May 19: ISAKMP: (2081): purge the node-1711408233

* 14:29:48.399 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

* 14:29:48.399 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

* 14:29:48.399 May 19: ISAKMP: (2081): removal of HIS right State 'No reason' (R) QM_IDLE (post 151.38.197.143)

* 14:29:48.399 May 19: ISAKMP: (0): cannot decrement IKE Call Admission Control incoming_active stat because he's already 0.

* 14:29:48.399 May 19: ISAKMP (0:2081): return address 192.168.0.21 to pool

* 14:29:48.399 May 19: ISAKMP: Unlocking counterpart struct 0 x 84084990 for isadb_mark_sa_deleted(), count 0

* 14:29:48.399 May 19: ISAKMP: return address 192.168.0.21 to pool

* 14:29:48.399 May 19: ISAKMP: delete peer node by peer_reap for 151.38.197.143: 84084990

* 14:29:48.399 May 19: ISAKMP: return address 192.168.0.21 to pool

* 14:29:48.403 May 19: ISAKMP: (2081): node-1427983983 error suppression FALSE reason 'IKE deleted.

* 14:29:48.403 May 19: ISAKMP: (2081): error suppression node 1322685842 FALSE reason 'IKE deleted.

* 14:29:48.403 May 19: ISAKMP: (2081): node-851463821 error suppression FALSE reason 'IKE deleted.

* 14:29:48.403 May 19: ISAKMP: (2081): error suppression node 1834509506 FALSE reason 'IKE deleted.

* 14:29:48.403 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

* 14:29:48.403 May 19: ISAKMP: (2081): former State = new State IKE_DEST_SA = IKE_DEST_SA

* 19 May 14:29:48.403: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

It seems 877 comes even to assign a local ip address of LAN for Iphone (192.168.0.21) but then something goes wrong...

Any idea or suggestion on this?

Thank you very much

Hi Federico,.

Please let us know.

Please mark this message as answered while others will be able to learn the lessons.

Thank you.

Portu.

Router and VPN Client for Internet Public on a matter of stick

I try to follow the http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml to allow VPN clients to receive their internet connection instead of tunneling while split. Internal resources are available, but the internet does not work when a client is connected? It seems that the VPN clients are not translated.

!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 10
preshared authentication
ISAKMP crypto key address x.x.x.x No.-xauth KeyString
!
ISAKMP crypto group customer VPN-users configuration
KeyString key
DNS 208.67.222.222 208.67.220.220
domain domain.com
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
Crypto isakmp IKE-PROFILE profile
game of identity VPN-users group
client authentication list default
Default ISAKMP authorization list
initiate client configuration address
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set ESP-SHA-3DES esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec IPSEC_PROFILE1
game of transformation-ESP-3DES-SHA
Isakmp IKE PROFILE set
!
!
crypto dynamic-map 10 DYNMAP
game of transformation-ESP-3DES-SHA
market arriere-route
!
!
map CLIENTMAP client to authenticate crypto list by default
map CLIENTMAP isakmp authorization list by default crypto
crypto map CLIENTMAP client configuration address respond
map CLIENTMAP 1 ipsec-isakmp crypto
defined peer x.x.x.x
game of transformation-ESP-3DES-SHA
PFS Group1 Set
match address 100
map CLIENTMAP 10-isakmp dynamic DYNMAP ipsec crypto
!
Archives
The config log
hidekeys
!
!
controller T1 2/0
framing sf
friend linecode
!
property intellectual ssh authentication-2 retries
!
!
!
!
interface Loopback0
IP 192.168.100.1 address 255.255.255.0
no ip unreachable
IP nat inside
IP virtual-reassembly
!
!
Null0 interface
no ip unreachable
!
interface FastEthernet0/0
Description $ETH - WAN$ $FW_OUTSIDE$
IP address dhcp customer_id FastEthernet0/0 hostname 3725router
IP access-group 104 to
no ip unreachable
NAT outside IP
inspect the SDM_LOW over IP
sdm_ips_rule IP IP addresses in
IP virtual-reassembly
route SDM_RMAP_1 card intellectual property policy
automatic duplex
automatic speed
map CLIENTMAP crypto
!
interface Serial0/0
Description $FW_OUTSIDE$
the IP 10.0.0.1 255.255.240.0
IP access-group 105 to
Check IP unicast reverse path
no ip unreachable
inspect the SDM_LOW over IP
IP virtual-reassembly
Shutdown
2000000 clock frequency
map CLIENTMAP crypto
!
interface FastEthernet0/1
no ip address
no ip unreachable
IP virtual-reassembly
automatic speed
full-duplex
!
interface FastEthernet0/1.2
Description $FW_INSIDE$
encapsulation dot1Q 2
172.16.2.1 IP address 255.255.255.0
IP access-group 101 in
no ip unreachable
IP nat inside
IP virtual-reassembly
enable IPv6
!
interface FastEthernet0/1.3
Description $FW_INSIDE$
encapsulation dot1Q 3
172.16.3.1 IP address 255.255.255.0
IP access-group 102 to
no ip unreachable
IP nat inside
IP virtual-reassembly
enable IPv6
!
interface FastEthernet0/1.10
Description Vlan wireless comments
encapsulation dot1Q 100
172.16.100.1 IP address 255.255.255.0
IP access-group out 110
no ip unreachable
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/1.50
Description $Phones$
encapsulation dot1Q 50
IP 172.16.50.1 255.255.255.0
IP virtual-reassembly
!
interface Serial0/1
no ip address
no ip unreachable
Shutdown
2000000 clock frequency
!
interface Serial0/2
no ip address
Shutdown
!
interface Serial0/3
no ip address
Shutdown
!
interface Serial1/0
no ip address
Shutdown
!
BRI2/0 interface
no ip address
IP virtual-reassembly
encapsulation hdlc
Shutdown
!
type of interface virtual-Template1 tunnel
Description $FW_INSIDE$
IP unnumbered Loopback0
IP access-group 103 to
no ip unreachable
IP virtual-reassembly
ipv4 ipsec tunnel mode
Tunnel IPSEC_PROFILE1 ipsec protection profile
!
local IP 192.168.0.100 VPN_POOL pool 192.168.0.105
IP forward-Protocol ND
IP route 172.16.200.0 255.255.255.252 172.16.2.3
!
!
IP http server
local IP http authentication
IP http secure server
IP http timeout policy inactive 600 life 86400 request 10000
translation of nat IP udp-timeout 900
IP nat inside source map route SDM_RMAP_1 interface FastEthernet0/0 overload
!
logging source hostname id
record 172.16.3.3
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
Remark SDM_ACL category of access list 101 = 17
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 no matter what newspaper
access-list 101 deny ip 192.168.0.0 0.0.0.255 any what newspaper
access-list 101 deny ip 172.16.3.0 0.0.0.255 any what newspaper
access-list 101 deny ip 255.255.255.255 host no matter what paper
access-list 101 deny ip 127.0.0.0 0.255.255.255 any what newspaper
access-list 101 tcp refuse any any newspaper of chargen Place1
access-list 101 tcp refuse any any eq whois newspaper
access-list 101 tcp refuse any any eq 93 newspaper
access-list 101 tcp refuse any any newspaper of the 135 139 range
access-list 101 tcp refuse any any eq 445 newspaper
access-list 101 tcp refuse any any newspaper exec 518 range
access-list 101 tcp refuse any any eq uucp log
access list 101 ip allow a whole
access-list 101 deny ip 172.16.100.0 0.0.0.255 any what newspaper
access-list 102 deny ip 172.16.2.0 0.0.0.255 any what newspaper
access-list 102 deny ip 10.0.0.0 0.0.15.255 no matter what newspaper
access-list 102 deny ip 192.168.0.0 0.0.0.255 any what newspaper
access-list 102 refuse host 255.255.255.255 ip no matter what paper
access-list 102 deny ip 127.0.0.0 0.255.255.255 any what newspaper
access ip-list 102 permit a whole
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 everything
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 refuse host ip 255.255.255.255 everything
access-list 103 deny ip 127.0.0.0 0.255.255.255 everything
103 ip access list allow a whole
Note access-list 104 SDM_ACL category = 17
access-list 104 allow the host ip 192.168.0.100 everything
access-list 104 allow the host ip 192.168.0.101 everything
access-list 104 allow the host ip 192.168.0.102 everything
access-list 104 allow the host ip 192.168.0.103 everything
104 allow host 192.168.0.104 ip access-list all
access-list 104 allow the host ip 192.168.0.105 everything
access-list 104. allow ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 allow host ip 192.168.0.100 172.16.0.0 0.0.255.255
access-list 104 allow host 192.168.0.101 ip 172.16.0.0 0.0.255.255
access-list 104 allow host 192.168.0.102 ip 172.16.0.0 0.0.255.255
access-list 104 allow host ip 192.168.0.103 172.16.0.0 0.0.255.255
access-list 104 allow host 192.168.0.104 ip 172.16.0.0 0.0.255.255
access-list 104 allow host ip 192.168.0.105 172.16.0.0 0.0.255.255
access-list 104. allow ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 permit udp host 205.152.132.23 eq field all
access-list 104 permit udp host 205.152.144.23 eq field all
Access-list 104 remark Auto generated by SDM for NTP 129.6.15.29 (123)
access-list 104 permit udp host 129.6.15.29 eq ntp ntp any eq
access-list allow 104 of the ahp an entire
access-list 104 allow esp a whole
access-list allow 104 a 41
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 no matter what newspaper
access-list 104 deny ip 172.16.2.0 0.0.0.255 any what newspaper
access-list 104 deny ip 192.168.0.0 0.0.0.255 any what newspaper
access-list 104 deny ip 172.16.3.0 0.0.0.255 any what newspaper
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo response
access-list 104 permit icmp any one time exceed
access-list 104 allow all unreachable icmp
access-list 104 permit icmp any any echo
access-list 104 refuse icmp any any newspaper mask-request
access-list 104 refuse icmp any any redirect newspaper
access-list 104 deny ip 10.0.0.0 0.255.255.255 any what newspaper
access-list 104 deny ip 172.16.0.0 0.15.255.255 no matter what newspaper
access-list 104 deny ip 192.168.0.0 0.0.255.255 any what newspaper
access-list 104 deny ip 127.0.0.0 0.255.255.255 any what newspaper
104 refuse 224.0.0.0 ip access-list 15.255.255.255 no matter what newspaper
104 refuse host 255.255.255.255 ip access-list no matter what paper
access-list 104 tcp refuse any any newspaper of the range 6000-6063
access-list 104 tcp refuse any any eq newspaper 6667
access-list 104 tcp refuse any any 12345 12346 range journal
access-list 104 tcp refuse any any eq 31337 newspaper
access-list 104 deny udp any any eq 2049 newspaper
access-list 104 deny udp any any eq 31337 newspaper
access-list 104 deny udp any any 33400 34400 range journal
access-list 104 deny ip any any newspaper
Note access-list 105 SDM_ACL category = 17
access-list 105 allow the host ip 192.168.0.100 everything
access-list 105 allow the host ip 192.168.0.101 everything
access-list 105 allow the host ip 192.168.0.102 everything
access-list 105 allow the host ip 192.168.0.103 everything
access-list 105 192.168.0.104 ip host allow all
access-list 105 allow the host ip 192.168.0.105 everything
access-list 105 host ip 192.168.0.100 permit 172.16.0.0 0.0.255.255
access-list 105 host ip 192.168.0.101 permit 172.16.0.0 0.0.255.255
access-list 105 host ip 192.168.0.102 permit 172.16.0.0 0.0.255.255
access-list 105 host ip 192.168.0.103 permit 172.16.0.0 0.0.255.255
access-list 105 192.168.0.104 ip host permit 172.16.0.0 0.0.255.255
access-list 105 host ip 192.168.0.105 permit 172.16.0.0 0.0.255.255
access-list 105 allow ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp any host 10.0.0.1 eq non500-isakmp
access-list 105 permit udp any host 10.0.0.1 eq isakmp
access-list 105 allow esp any host 10.0.0.1
access-list 105 allow ahp any host 10.0.0.1
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 allow ahp 10.0.0.2 10.0.0.1 host
access-list 105 allow esp 10.0.0.2 10.0.0.1 host
access-list 105 permit udp host 10.0.0.2 10.0.0.1 host eq isakmp
access-list 105 permit udp host 10.0.0.2 10.0.0.1 host eq non500-isakmp
access-list 105 allow ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 exceeded the time
access-list 105 permit icmp any host 10.0.0.1 inaccessible
access-list 105 deny ip 10.0.0.0 0.255.255.255 everything
access-list 105 deny ip 172.16.0.0 0.15.255.255 all
access-list 105 deny ip 192.168.0.0 0.0.255.255 everything
access-list 105 deny ip 127.0.0.0 0.255.255.255 everything
105 refuse host 255.255.255.255 ip access-list all
access-list 105 refuse host ip 0.0.0.0 everything
access-list 105 deny ip any any newspaper
access-list 110 deny ip 172.16.2.0 0.0.0.255 any
access-list 110 deny ip 172.16.3.0 0.0.0.255 any
access ip-list 110 permit a whole
access-list 115 permit ip 172.16.0.0 0.0.255.255 everything
access-list 115 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 allow ip 172.16.0.0 0.0.255.255 everything
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.101
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.102
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.103
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.104
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.105
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
public RO SNMP-server community
IPv6 route: / 0 Tunnel0
!
!
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 150
set ip next-hop 192.168.100.2
!
SDM_RMAP_1 allowed 10 route map
corresponds to the IP 150
set ip next-hop 192.168.100.2

Based on my own tests in the laboratory, you can do this with and without a routing policy. You can configure the road of politics on the virtual template interface and direct traffic to the closure where ip nat inside is enabled, or you can simply configure ip nat inside on the interface of virtual model and remove the routing strategy.

crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2

ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

ISAKMP crypto group customer VPN-users configuration
key cisco123
DNS 208.67.222.222 208.67.220.220
domain domain.com
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
Crypto isakmp IKE-PROFILE profile
game of identity VPN-users group
client authentication list default
Default ISAKMP authorization list
initiate client configuration address
client configuration address respond
virtual-model 1

Crypto ipsec transform-set ESP-SHA-3DES esp - aes 256 esp-sha-hmac

Profile of crypto ipsec IPSEC_PROFILE1
game of transformation-ESP-3DES-SHA
Isakmp IKE PROFILE set

crypto dynamic-map 10 DYNMAP
game of transformation-ESP-3DES-SHA
market arriere-route
!
!
map CLIENTMAP 10-isakmp dynamic DYNMAP ipsec crypto

interface GigabitEthernet0/0
IP 1.1.1.1 255.255.255.0
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
media type rj45
map CLIENTMAP crypto

type of interface virtual-Template1 tunnel
IP unnumbered GigabitEthernet0/0
IP nat inside
IP virtual-reassembly
ipv4 ipsec tunnel mode
Tunnel IPSEC_PROFILE1 ipsec protection profile

local IP 192.168.0.100 VPN_POOL pool 192.168.0.105

overload of IP nat inside source list 150 interface GigabitEthernet0/0

access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.101
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.102
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.103
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.104
access-list 150 deny ip 172.16.0.0 0.0.255.255 welcome 192.168.0.105
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any

***************************************************************************************

Inside global internal local outside global local outdoor Pro
ICMP 1.1.1.1:1 192.168.0.102:1 4.2.2.2:1 4.2.2.2:1

877W customer VPN to the top, but no traffic

Hi guru of cisco

Help me please to solve the problem of traffic of VPN client. I am able to connect to cisco, but failed to get a network, except the router access.

I also want to block all P2P traffic except 1 IP 192.168.10.7.

Thank you

He is out of #show cry ipsec his

Interface: virtual-Access4
Tag crypto map: addr virtual-Access4-head-0, local a.a.a.a

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.10.251/255.255.255.255/0/0)
current_peer b.b.b.b port 56604
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 26, #pkts decrypt: 26, #pkts check: 26
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

-More - local crypto endpt. : a.a.a.a, remote Start crypto. : b.b.b.b
-More - path mtu 1500, mtu 1500 ip, ip mtu IDB virtual-Access4
-More - spi outgoing current: 0 x 66870874 (1720125556)
-More-
-More - esp sas on arrival:
-More - spi: 0xBDA0E6DE (3181438686)
-More - transform: esp-3des esp-sha-hmac.
-Other - running parameters = {Tunnel,}
-More - conn id: 369, flow_id: Motorola SEC 1.0:369, card crypto: Virtual-Access4-head-0
-More calendar - its: service life remaining (k/s) key: (4543855/3494)
-More size - IV: 8 bytes
-More - support for replay detection: Y
-Other - status: ACTIVE
-More-
-Other - arrival ah sas:
-More-
-More - CFP sas on arrival:
-More-
-More - outgoing esp sas:
-More - spi: 0 x 66870874 (1720125556)
-More - transform: esp-3des esp-sha-hmac.
-Other - running parameters = {Tunnel,}
-More - conn id: 370, flow_id: Motorola SEC 1.0:370, card crypto: Virtual-Access4-head-0
-More calendar - its: service life remaining (k/s) key: (4543859/3494)
-More size - IV: 8 bytes
-More - support for replay detection: Y
-Other - status: ACTIVE
-More-
-More - out ah sas:
-More-
-More - out CFP sas:

And the config of the router:

version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
sequence numbers service
No dhcp service
!
router host name
!
boot-start-marker
boot-end-marker
!
Security of authentication failure rate 3 log
logging buffered 52000
recording console critical
enable secret 5
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authentication login ciscocp_vpn_xauth_ml_2 local
AAA of authentication ppp default local
AAA authorization exec default local
AAA authorization network default authenticated if
AAA authorization ciscocp_vpn_group_ml_1 LAN
AAA authorization network if authenticated local_auth
AAA authorization ciscocp_vpn_group_ml_2 LAN
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1933852417
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1933852417
revocation checking no
rsakeypair TP-self-signed-1933852417
!
!
TP-self-signed-1933852417 crypto pki certificate chain
certificate self-signed 01
30820252 308201BB A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31393333 38353234 6174652D 3137301E 170 3130 30383137 31323438
31365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 39333338 65642D
35323431 3730819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100C0D8 05ECA4BC 68540261 576BAD7D 23F29679 B60A7B38 35211BCF 78F2271C
2FDB24CC B 949640, 9 D68C9308 58BAAB0A 5FBD8123 42 12922 F2AE7C93 6EF24910
AD777AB3 DD923F06 CB6B6106 9C08AA81 E7CEB073 1F6BC114 B0B1756D ECF976CC
C0073FB2 2C056FD9 7F361152 0DCB08C4 3EA559F5 575EF2F4 1A5FD373 552348B 0
010001A 3 7 509F0203 HAS 1 130101 FF040530 030101FF 30250603 307830 0F060355
551D 1104 1E301C82 1A6A6572 6963686F 2 D 727472 72696368 6F2E636F 312E6A65
2E6E7A30 1 230418 30168014 E1FAAC42 678187 3 D2BFEF05 6F70C504 1F060355
00D12F67 301D 0603 551D0E04 160414E1 FAAC426F 678187 2 BFEF0500 70C5043D
D12F6730 0D06092A 864886F7 0D DFC4C826 E8C4CD12 010104 05000381 8100A 630
4D8C4BB8 B9928B43 4C8B91A2 F6A400B5 97EB0BF7 7ACFE10A BA90056B 6E34FE2F
DAC133EC F0E847DD A7AA6B78 C01AE543 597E7149 85 HAS 17614 EEFEFF4B 076E1758
44A250D9 3DE2EF88 63233AF0 7D2DD2BD 1221D59C 0731CFE3 26B31F88 13F48ACC
ED2972C5 FCCF6D43 681BF350 CE01C5E9 41E9705A CJF
quit smoking
dot11 syslog
!
dot11 WIFI ssid
open authentication
authentication wpa key management
Comments-mode
ascii secret 7 WPA - psk
!
no ip source route
IP cef
!
!
!
!
no ip bootp Server
no ip domain search
IP domain name of domain
Server dhcp IP 192.168.10.10
!
Authenticated MultiLink bundle-name Panel
VPDN enable
!
VPDN-Group 1
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
receive window 256-tunnel L2TP
!
aes encryption password
!
!
username admin privilege 15 very secret 5 secret
username privilege 15 7 n1ck passes
!
!
crypto ISAKMP policy 1
preshared authentication
!
crypto ISAKMP policy 2
preshared authentication
!
crypto ISAKMP policy 3
preshared authentication
!
crypto ISAKMP policy 4
BA 3des
md5 hash
preshared authentication
Group 2
life 3600
crypto ISAKMP key 6 key address c.c.c.c
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto nat keepalive 10
!
Configuration group customer isakmp crypto EasyVPN
key 6 key
DNS 192.168.10.10
domain domain
pool SDM_POOL_1
ACL 100
Save-password
include-local-lan
Max-users 2
netmask 255.255.255.0
!
Configuration group customer crypto isakmp ASA
key 6 key
pool SDM_POOL_1
Firewall are u there
include-local-lan
PFS
Max-users 2
Max-Connections 1
netmask 255.255.255.0
!
ISAKMP crypto group configuration of VPN client
key 6 key
DIAL-IN pool
ACL 103
include-local-lan
Max-users 2
netmask 255.255.255.0
ISAKMP crypto ciscocp-ike-profile-1 profile
Group of EasyVPN identity match
match of group identity ASA
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
Crypto isakmp CiscoCP_Profile2-ike-profile-1 profile
identity VPN group match
client authentication list ciscocp_vpn_xauth_ml_2
ISAKMP authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-model 5
!
!
Crypto ipsec transform-set esp - esp-sha-hmac ASA-IPSEC
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
Crypto ipsec transform-set esp-SHA2-ESP-3DES-3des esp-sha-hmac
!
Profile of crypto ipsec CiscoCP_Profile1
security-association value 900 idle time
game of transformation-ESP-3DES-SHA
set of isakmp - profile ciscocp-ike-profile-1
!
Profile of crypto ipsec CiscoCP_Profile2
Set the security association idle time 1200
game of transformation-ESP-3DES-SHA1
set of isakmp - profile CiscoCP_Profile2-ike-profile-1
!
!
map SDM_CMAP_1 2 ipsec-isakmp crypto
the value of c.c.c.c peer
game of transformation-ASA-IPSEC
match address 160
!
Crypto ctcp
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
!
class-map match-all P2P
Description speed limit P2P
match the edonkey Protocol
bittorrent Protocol game
fasttrack Protocol game
gnutella Protocol game
match Protocol kazaa2
class-map correspondence-any BLOCK
match Protocol kazaa2
bittorrent Protocol game
match the edonkey Protocol
gnutella Protocol game
fasttrack Protocol game
!
!
Policy-map BLOCK_INTERNET
class BLOCK
bandwidth 8
!
!
Bridge IRB
!
!
interface Loopback0
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
!
Null0 interface
no ip unreachable
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
DSL-automatic operation mode
!
point-to-point interface ATM0.1
Description $ES_WAN$
no ip redirection
no ip unreachable
no ip proxy-arp
PVC 0/100
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport mode trunk
!
interface FastEthernet3
!
interface virtual-Template1
Description $FW_INSIDE$
BVI1 IP unnumbered
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
peer default ip address dhcp
PPP mppe auto encryption required
ms-chap-v2, ms-chap PPP authentication PAP
!
interface virtual-Template2
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
!
type of interface virtual-Template3 tunnel
Description $FW_INSIDE$
Unnumbered IP Dialer0
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
tunnel type of interface virtual-table 5
Description $FW_INSIDE$
BVI1 IP unnumbered
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile2 ipsec protection profile
!
interface Dot11Radio0
no ip address
penetration of the IP stream
route IP cache flow
!
algorithms for encryption tkip encryption mode
!
SSID WIFI
!
Speed basic - 1.0 basic - 2.0 basic - 5.5 Basic6.0 basic - 9.0 basic-11, 0-12, 0-basic basic-18, 0 24 basic, basic 0-36, 0 48 basic, basic 0-54, 0
root of station-role
No cdp enable
Bridge-Group 1
Bridge-group subscriber-loop-control 1
Bridge-Group 1 covering-disabled people
Bridge-Group 1 block-unknown-source
No source of bridge-Group 1-learning
unicast bridge-Group 1-floods
!
interface Vlan1
no ip address
IP nat inside
IP virtual-reassembly
Bridge-Group 1
Bridge-Group 1 covering-disabled people
!
interface Vlan2
Description $FW_INSIDE$
IP 192.168.11.254 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
!
interface Dialer0
Description $OUTSIDE$ $FW_OUTSIDE$
the negotiated IP address
IP access-group sdm_dialer0_in in
IP access-group 101 out
no ip redirection
no ip unreachable
no ip proxy-arp
NBAR IP protocol discovery
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
Dialer pool 1
Dialer-Group 1
PPP pap sent-name of user username 7 password password
PPP ipcp dns request
failure to track PPP ipcp
map SDM_CMAP_1 crypto
out of service-policy BLOCK_INTERNET
!
interface Dialer1
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
!
interface BVI1
Description $FW_INSIDE$
IP address 192.168.10.254 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
NBAR IP protocol discovery
IP nat inside
IP virtual-reassembly
route IP cache flow
!
local IP DIAL-IN 192.168.10.251 pool 192.168.10.253
local IP SDM_POOL_1 192.168.10.50 pool 192.168.10.51
no ip classless
IP forward-Protocol ND
!
IP flow-cache timeout active 1
The Dot11Radio0 flow-export source IP
IP flow-export version 9
192.168.10.200 IP flow-export destination 9996
!
IP http server
local IP http authentication
IP http secure server
The dns server IP
IP nat inside source static tcp 192.168.10.19 443 Dialer0 443 interface
IP nat inside source static tcp 192.168.10.8 Dialer0 5900 5900 interface
IP nat inside source udp static a.a.a.a 500 Dialer0 500 interface
IP nat inside source static tcp 192.168.10.130 9090 interface Dialer0 9090
overload of IP nat inside source list NAT_INTERNET interface Dialer0
IP nat inside source udp static a.a.a.a 4500 Dialer0 4500 interface
IP nat inside source static tcp 192.168.10.9 1723 1723 Dialer0 interface
IP nat inside source static udp 192.168.10.150 514 interface Dialer0 514
IP nat inside source static tcp 192.168.10.150 Dialer0 1468 1468 interface
!
NAT_INTERNET extended IP access list
deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
NAT_INTERNET_1 extended IP access list
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
sdm_dialer0_in extended IP access list
Note the category CCP_ACL = 1
enable ahp c.c.c.c one host
Note allow all
allow an ip
allow a host c.c.c.c esp
permit any isakmp udp host c.c.c.c eq
all eq non500-isakmp udp host c.c.c.c permit
enable ahp c.c.c.c one host
allow a host c.c.c.c esp
IP 192.168.17.0 allow 0.0.0.255 192.168.10.0 0.0.0.255
ip permit 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
refuse the host ip 209.239.31.195 no matter what paper
refuse the host ip 98.108.59.171 no matter what paper
!
recording of debug trap
logging 192.168.10.150
Note access-list 1 #NAT INTERNET USERS.
access-list 1 permit 192.168.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
access-list 100 permit ip 192.168.10.0 host everything
Note access-list 101 RULES for FW to the INTERNET
access-list 101 deny ip no matter what newspaper to host 121.22.6.121
access-list 101 deny ip no matter what newspaper to host 74.120.10.51
access-list 101 deny ip no matter what newspaper to host 112.230.192.99
access-list 101 deny ip no matter what newspaper to host 61.55.167.19
access list 101 ip allow a whole
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
Note access-list 101 Cisco_VPN_10000
access-list 101 permit tcp 119.224.0.0 0.0.255.255 connect any EQ 10000
Note access-list 101 Cisco_VPN_500
access-list 101 permit udp any any eq non500-isakmp log
Note access-list 101 Cisco_VPN_4500
access-list 101 permit udp any any eq isakmp newspaper
access-list 101 permit tcp any host a.a.a.a eq 81
access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
access-list 101 deny ip 169.254.0.0 0.0.255.255 everything
access-list 101 deny ip 172.16.0.0 0.15.255.255 all
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 all
access-list 101 deny ip 224.0.0.0 0.15.255.255 all
Note access-list 101 OWA
access-list 101 permit tcp any any eq 443 newspaper
Note access-list 101 port VNC
access-list 101 permit tcp 119.224.0.0 0.0.255.255 connect any EQ 5900
Note access-list 101 service CRM 8081
access-list 101 permit tcp any any eq 8081 newspaper
Note access-list 101 Syslog to ASA1
access-list 101 permit udp host c.c.c.c eq syslog all eq syslog
Note access-list 101 Syslog for ASA2
access-list 101 permit udp any any eq syslog
access-list 102 tcp refuse any any eq 445 newspaper
Note access-list 103 CCP_ACL category = 4
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
Note access-list 115 CCP_ACL category = 16
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 refuse ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 allow ip 129.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
Server SNMP ifindex persist
not run cdp
!
!
!
sheep allowed 10 route map
corresponds to the IP 150
!
!
control plan
!

!

Line con 0
no activation of the modem
line to 0
line vty 0 4
password password 7
authentication of the local connection
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
end

1. use a "pool of ip" vpn client in a subnet that does not overlap with any of your internal network.

Currently two IP pools are overlapping with subnet of the interface BVI1.

2. ensure that VPN traffic is bypassed by NAT.

IOS VPN will not respond to connections Cisco VPN Client.

Hi all

I'll put my routers fire here.

I have two 2921 SRI both with licenses of security concerning leased lines separated. I configured one to accept our workers to remote Client VPN Cisco VPN connections.

I have followed the set up process I used on another site with a router 1841/s and the same customers and I have also checked against the config given in the last guide of IOS15 EasyVPN.

With debugs all assets, all I see is

038062: 14:03:04.519 Dec 8: ISAKMP (0): received x.y.z.z dport-60225 Global (N) SA NEW 500 sport package
038063: 14:03:04.519 Dec 8: ISAKMP: created a struct peer x.y.z.z, peer port 60225
038064: 14:03:04.519 Dec 8: ISAKMP: new position created post = 0x3972090C peer_handle = 0x8001D881
038065: 14:03:04.523 Dec 8: ISAKMP: lock struct 0x3972090C, refcount 1 to peer crypto_isakmp_process_block
038066: 14:03:04.523 Dec 8: ISAKMP: (0): client setting Configuration parameters 3E156D70
038067: 14:03:10.027 Dec 8: ISAKMP (0): packet received x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATE

Here is the abbreviated config.

System image file is "flash0:c2900 - universalk9-mz.» Spa. 154 - 1.T1.bin.

AAA new-model
!
!
AAA authentication login default local
local VPNAUTH AAA authentication login
AAA authorization exec default local
local authorization AAA VPN network
!
!
!
!
!
AAA - the id of the joint session

crypto ISAKMP policy 10
BA aes
preshared authentication
Group 14

ISAKMP crypto group configuration of VPN client
key ****-****-****-****
DNS 192.168.177.207 192.168.177.3
xxx.local field
pool VPNADDRESSES
ACL REVERSEROUTE

Crypto ipsec transform-set aes - esp esp-sha-hmac HASH
tunnel mode

Profile of crypto ipsec IPSECPROFILE
the HASH transform-set value

dynamic-map crypto VPN 1
the HASH transform-set value
market arriere-route
!
!
list of authentication of card crypto client VPN VPNAUTH
card crypto VPN VPN isakmp authorization list
crypto map VPN client configuration address respond
card crypto 65535-isakmp dynamic VPN ipsec VPN
!
!
local IP VPNADDRESSES 172.16.198.16 pool 172.16.198.31

REVERSEROUTE extended IP access list
IP 192.168.0.0 allow 0.0.255.255 everything
Licensing ip 10.0.0.0 0.0.0.255 any

scope of IP-FIREWALL access list
2 allow any host a.b.c.d eq non500-isakmp udp
3 allow any host a.b.c.d eq isakmp udp
4 ahp permits any host a.b.c.d
5 esp of the permit any host a.b.c.d

If anyone can see anything wrong, I would be very happy and it would save the destruction of a seemingly innocent router.

Thank you

Paul

> I would be so happy and it would save the destruction of a seemingly innocent router.

No, which won't work! But instead of destroying the router, I can do it for you. Just send it to me... ;-)

OK, now more serious...
1. The default Cisco IPSec client uses only DH group 2, while you set up the 14. Try to use Group 2 in your isakmp policy.
2. You have your virtual model in place? She is not in the config.

Site to Site and Site to the VPN Client

Hi all

I have installed VPN Site to Site that works very well. then set up the Site to the VPN Client, which also worked well, but the VPN Site to Site offline. If I take off after 3 lines on the Site to the Client VPN Site to Site VPN start working.

card crypto client vpn authentication list vpnuser

card crypto vpn isakmp authorization list groupauthor

card crypto vpn client configuration address respond

Here is my Config complete. Please suggest.

crypto ISAKMP policy 9

BA 3des

preshared authentication

Group 2

ISAKMP crypto key Cisco address 203.13.x.x

!

ISAKMP crypto client configuration group vpnclient

key cisco123

DNS 192.168.10.15

domain ic.com

pool ippool

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set esp-3des esp-sha-hmac CISCOSET

!

Crypto-map dynamic dynmap 10

game of transformation-CISCOSET

!

!

!

card crypto client vpn authentication list vpnuser

card crypto vpn isakmp authorization list groupauthor

card crypto vpn client configuration address respond

card crypto ipsec vpn 1 isakmp

the value of 203.13.x.x peer

game of transformation-CISCOSET

match the address acl_ncsvpn

Map 10-isakmp ipsec vpn crypto dynamic dynmap

local pool IP 10.10.10.1 ippool 10.10.10.10

acl_internet extended IP access list

deny ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

IP 192.168.0.0 allow 0.0.255.255 everything

acl_natisp1 extended IP access list

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

IP 192.168.0.0 allow 0.0.255.255 everything

acl_natisp2 extended IP access list

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

IP 192.168.0.0 allow 0.0.255.255 everything

acl_ncsvpn extended IP access list

IP 192.168.0.0 allow 0.0.255.255 192.168.4.0 0.0.0.255

acl_vpn extended IP access list

IP 192.168.0.0 allow 0.0.255.255 192.168.0.0 0.0.255.255

IP 192.168.0.0 allow 0.0.255.255 10.10.10.0 0.0.0.255

Please try the following command

ISAKMP crypto key Cisco address 203.13.x.x No.-xauth

and then give it a try

Need help with the configuration of the Site with crossed on Cisco ASA5510 8.2 IPSec VPN Client (1)

Need urgent help in the configuration of the Client VPN IPSec Site with crossed on Cisco ASA5510 - 8.2 (1).

Here is the presentation:

There are two leased lines for Internet access - a route 1.1.1.1 and 2.2.2.2, the latter being the default Standard, old East for backup.

I was able to configure the Client VPN IPSec Site

(1) with access to the outside so that the internal network (172.16.0.0/24) behind the asa

(2) with Split tunnel with simultaneous assess internal LAN and Internet on the outside.

But I was not able to make the tradiotional model Hairpinng to work in this scenario.

I followed every possible suggestions made on this subject in many topics of Discussion but still no luck. Can someone help me here please?

Here is the race-Conf with Normal Client to Site IPSec VPN configured with no access boarding:

LIMITATION: Cannot boot into any other image ios for unavoidable reasons, must use 8.2 (1)

race-conf - Site VPN Customer normal work without internet access/split tunnel
: ASA Version 8.2 (1) ! ciscoasa hostname domain cisco.campus.com enable the encrypted password xxxxxxxxxxxxxx XXXXXXXXXXXXXX encrypted passwd names of ! interface GigabitEthernet0/0 nameif outside internet1 security-level 0 IP 1.1.1.1 255.255.255.240 ! interface GigabitEthernet0/1 nameif outside internet2 security-level 0 IP address 2.2.2.2 255.255.255.224 ! interface GigabitEthernet0/2 nameif dmz interface security-level 0 IP 10.0.1.1 255.255.255.0 ! interface GigabitEthernet0/3 nameif campus-lan security-level 0 IP 172.16.0.1 255.255.0.0 ! interface Management0/0 nameif CSC-MGMT security-level 100 the IP 10.0.0.4 address 255.255.255.0 ! boot system Disk0: / asa821 - k8.bin boot system Disk0: / asa843 - k8.bin passive FTP mode DNS server-group DefaultDNS domain cisco.campus.com permit same-security-traffic inter-interface permit same-security-traffic intra-interface object-group network cmps-lan the object-group CSC - ip network object-group network www-Interior object-group network www-outside object-group service tcp-80 object-group service udp-53 object-group service https object-group service pop3 object-group service smtp object-group service tcp80 object-group service http-s object-group service pop3-110 object-group service smtp25 object-group service udp53 object-group service ssh object-group service tcp-port port udp-object-group service object-group service ftp object-group service ftp - data object-group network csc1-ip object-group service all-tcp-udp access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3 access-list extended SCC-OUT permit ip host 10.0.0.5 everything list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3 access CAMPUS-wide LAN ip allowed list a whole access-list CSC - acl note scan web and mail traffic access-list CSC - acl extended permit tcp any any eq smtp access-list CSC - acl extended permit tcp any any eq pop3 access-list CSC - acl note scan web and mail traffic access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4 access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

race-conf - Site VPN Customer normal work without internet access/split tunnel

ASA Version 8.2 (1)

ciscoasa hostname

domain cisco.campus.com

enable the encrypted password xxxxxxxxxxxxxx

XXXXXXXXXXXXXX encrypted passwd

names of

interface GigabitEthernet0/0

nameif outside internet1

security-level 0

IP 1.1.1.1 255.255.255.240

interface GigabitEthernet0/1

nameif outside internet2

security-level 0

IP address 2.2.2.2 255.255.255.224

interface GigabitEthernet0/2

nameif dmz interface

security-level 0

IP 10.0.1.1 255.255.255.0

interface GigabitEthernet0/3

nameif campus-lan

security-level 0

IP 172.16.0.1 255.255.0.0

interface Management0/0

nameif CSC-MGMT

security-level 100

the IP 10.0.0.4 address 255.255.255.0

boot system Disk0: / asa821 - k8.bin

boot system Disk0: / asa843 - k8.bin

passive FTP mode

DNS server-group DefaultDNS

domain cisco.campus.com

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

object-group network cmps-lan

the object-group CSC - ip network

object-group network www-Interior

object-group network www-outside

object-group service tcp-80

object-group service udp-53

object-group service https

object-group service pop3

object-group service smtp

object-group service tcp80

object-group service http-s

object-group service pop3-110

object-group service smtp25

object-group service udp53

object-group service ssh

object-group service tcp-port

port udp-object-group service

object-group service ftp

object-group service ftp - data

object-group network csc1-ip

object-group service all-tcp-udp

access list INTERNET1-IN extended permit ip host 1.2.2.2 2.2.2.3

access-list extended SCC-OUT permit ip host 10.0.0.5 everything

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq www

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any https eq

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq ssh

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 no matter what eq ftp

list of access CAMPUS-LAN extended permitted udp 172.16.0.0 255.255.0.0 no matter what eq field

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq smtp

list of access CAMPUS-LAN extended permitted tcp 172.16.0.0 255.255.0.0 any eq pop3

access CAMPUS-wide LAN ip allowed list a whole

access-list CSC - acl note scan web and mail traffic

access-list CSC - acl extended permit tcp any any eq smtp

access-list CSC - acl extended permit tcp any any eq pop3

access-list CSC - acl note scan web and mail traffic

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 993

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq imap4

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq 465

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq www

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq https

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq smtp

access-list extended INTERNET2-IN permit tcp any host 1.1.1.2 eq pop3

access-list extended INTERNET2-IN permit ip any host 1.1.1.2

access-list sheep extended ip 172.16.0.0 allow 255.255.0.0 172.16.0.0 255.255.0.0

access list DNS-inspect extended permit tcp any any eq field

access list DNS-inspect extended permit udp any any eq field

access-list extended capin permit ip host 172.16.1.234 all

access-list extended capin permit ip host 172.16.1.52 all

access-list extended capin permit ip any host 172.16.1.52

Capin list extended access permit ip host 172.16.0.82 172.16.0.61

Capin list extended access permit ip host 172.16.0.61 172.16.0.82

access-list extended capout permit ip host 2.2.2.2 everything

access-list extended capout permit ip any host 2.2.2.2

Access campus-lan_nat0_outbound extended ip 172.16.0.0 list allow 255.255.0.0 192.168.150.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

asdm of logging of information

Internet1-outside of MTU 1500

Internet2-outside of MTU 1500

interface-dmz MTU 1500

Campus-lan of MTU 1500

MTU 1500 CSC-MGMT

IP local pool 192.168.150.2 - 192.168.150.250 mask 255.255.255.0 vpnpool1

IP check path reverse interface internet2-outside

IP check path reverse interface interface-dmz

IP check path opposite campus-lan interface

IP check path reverse interface CSC-MGMT

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 621.bin

don't allow no asdm history

ARP timeout 14400

interface of global (internet1-outside) 1

interface of global (internet2-outside) 1

NAT (campus-lan) 0-campus-lan_nat0_outbound access list

NAT (campus-lan) 1 0.0.0.0 0.0.0.0

NAT (CSC-MGMT) 1 10.0.0.5 255.255.255.255

static (CSC-MGMT, internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255

Access-group INTERNET2-IN interface internet1-outside

group-access INTERNET1-IN interface internet2-outside

group-access CAMPUS-LAN in campus-lan interface

CSC-OUT access-group in SCC-MGMT interface

Internet2-outside route 0.0.0.0 0.0.0.0 2.2.2.5 1

Route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

AAA authentication enable LOCAL console

Enable http server

http 10.0.0.2 255.255.255.255 CSC-MGMT

http 10.0.0.8 255.255.255.255 CSC-MGMT

HTTP 1.2.2.2 255.255.255.255 internet2-outside

HTTP 1.2.2.2 255.255.255.255 internet1-outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs set group5

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

Crypto map internet2-outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

crypto internet2-outside_map outside internet2 network interface card

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy

a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as

a67a897as a67a897as a67a897as a67a897as a67a897as

quit smoking

ISAKMP crypto enable internet2-outside

crypto ISAKMP policy 10

preshared authentication

aes encryption

md5 hash

Group 2

life 86400

Telnet 10.0.0.2 255.255.255.255 CSC-MGMT

Telnet 10.0.0.8 255.255.255.255 CSC-MGMT

Telnet timeout 5

SSH 1.2.3.3 255.255.255.240 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet1-outside

SSH 1.2.2.2 255.255.255.255 internet2-outside

SSH timeout 5

Console timeout 0

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal VPN_TG_1 group policy

VPN_TG_1 group policy attributes

Protocol-tunnel-VPN IPSec

username ssochelpdesk encrypted password privilege 15 xxxxxxxxxxxxxx

privilege of encrypted password username administrator 15 xxxxxxxxxxxxxx

username vpnuser1 encrypted password privilege 0 xxxxxxxxxxxxxx

username vpnuser1 attributes

VPN-group-policy VPN_TG_1

type tunnel-group VPN_TG_1 remote access

attributes global-tunnel-group VPN_TG_1

address vpnpool1 pool

Group Policy - by default-VPN_TG_1

IPSec-attributes tunnel-group VPN_TG_1

pre-shared-key *.

class-map cmap-DNS

matches the access list DNS-inspect

CCS-class class-map

corresponds to the CSC - acl access list

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

CCS category

CSC help

cmap-DNS class

inspect the preset_dns_map dns

global service-policy global_policy

context of prompt hostname

Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y

: end

Adding dynamic NAT for 192.168.150.0/24 on the external interface works, or works the sysopt connection permit VPN

Please tell what to do here, to pin all of the traffic Internet from VPN Clients.

That is, that I need clients connected via VPN tunnel, when connected to the internet, should have their addresses IP NAT'ted against the address of outside internet2 network 2.2.2.2 interface, as it happens for the customers of Campus (172.16.0.0/16)

I am well aware of all involved in here, so please be elaborative in your answers. Please let me know if you need more information about this configuration to respond to my request.

Thank you & best regards

MAXS

Hello

If possible, I'd like to see that a TCP connection attempt (e.g. http://www.google.com) in the ASDM logging of the VPN Client when you set up the dynamic NAT for the VPN Pool also.

I'll try also the command "packet - trace" on the SAA, while the VPN Client is connected to the ASA.

The command format is

packet-tracer intput tcp

That should tell what the SAA for this kind of package entering its "input" interface

Still can not see something wrong with the configuration (other than the statement of "nat" missing Dynamics PAT)

-Jouni

Another problem with the configuration of Cisco VPN Client access VPN Site2site

We have a Cisco ASA 5505 at our CORP. branch I configured the VPN Site2Site to our COLO with a Juniper SRX220h, to another site works well, but when users access the home Cisco VPN client, they cannot ping or SSH through the Site2Site. JTACS contacted and they said it is not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after for the 3 days (including Friday of last week) of searching the Internet for more than 6 hours per day and try different examples of other users. NO LUCK. The VPN client shows the route secure 10.1.0.0

Sorry to post this, but I'm frustrated and boss breathing down my neck to complete it.

CORP netowrk 192.168.1.0

IP VPN 192.168.12.0 pool

Colo 10.1.0.0 internal ip address

Also, here's an example of my config ASA

: Saved

:

ASA Version 8.2 (1)

!

hostname lwchsasa

names of

name 10.1.0.1 colo

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

backup interface Vlan12

nameif outside_pri

security-level 0

IP 64.20.30.170 255.255.255.248

!

interface Vlan12

nameif backup

security-level 0

IP 173.165.159.241 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 12

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

object-group network NY

object-network 192.168.100.0 255.255.255.0

BSRO-3387 tcp service object-group

port-object eq 3387

BSRO-3388 tcp service object-group

port-object eq 3388

BSRO-3389 tcp service object-group

EQ port 3389 object

object-group service tcp OpenAtrium

port-object eq 8100

object-group service Proxy tcp

port-object eq 982

VOIP10K - 20K udp service object-group

10000 20000 object-port Beach

the clientvpn object-group network

object-network 192.168.12.0 255.255.255.0

APEX-SSL tcp service object-group

Description of Apex Dashboard Service

port-object eq 8586

object-group network CHS-Colo

object-network 10.1.0.0 255.255.255.0

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.1.0 255.255.255.0

host of the object-Network 64.20.30.170

object-group service DM_INLINE_SERVICE_1

the purpose of the ip service

ICMP service object

service-object icmp traceroute

the purpose of the service tcp - udp eq www

the tcp eq ftp service object

the purpose of the tcp eq ftp service - data

the eq sqlnet tcp service object

EQ-ssh tcp service object

the purpose of the service udp eq www

the eq tftp udp service object

object-group service DM_INLINE_SERVICE_2

the purpose of the ip service

ICMP service object

EQ-ssh tcp service object

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 clientvpn object-group

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group NY

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo

inside_nat0_outbound list of allowed ip extended access any 192.168.12.0 255.255.255.0

outside_pri_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group NY

outside_pri_access_in list extended access permit tcp any interface outside_pri eq www

outside_pri_access_in list extended access permit tcp any outside_pri eq https interface

outside_pri_access_in list extended access permit tcp any interface outside_pri eq 8100

outside_pri_access_in list extended access permit tcp any outside_pri eq idle ssh interface

outside_pri_access_in list extended access permit icmp any any echo response

outside_pri_access_in list extended access permit icmp any any source-quench

outside_pri_access_in list extended access allow all unreachable icmp

outside_pri_access_in list extended access permit icmp any one time exceed

outside_pri_access_in list extended access permit tcp any 64.20.30.168 255.255.255.248 eq 8586

levelwingVPN_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

levelwingVPN_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.255.0

outside_pri_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo

backup_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 192.168.12.0 ip 255.255.255.0

outside_pri_cryptomap_1 list extended access allow DM_INLINE_SERVICE_2 of object-group 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0

outside_19_cryptomap to access extended list ip 192.168.12.0 allow 255.255.255.0 10.1.0.0 255.255.255.0

inside_nat0_outbound_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo

VPN-Corp-Colo extended access list permits object-group DM_INLINE_SERVICE_1 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0

Note to OUTSIDE-NAT0 NAT0 customer VPN remote site access-list

OUTSIDE-NAT0 192.168.12.0 ip extended access list allow 255.255.255.0 10.1.0.0 255.255.255.0

L2LVPN to access extended list ip 192.168.12.0 allow 255.255.255.0 10.1.0.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

exploitation forest asdm warnings

record of the rate-limit unlimited level 4

destination of exports flow inside 192.168.1.1 2055

timeout-rate flow-export model 1

Within 1500 MTU

outside_pri MTU 1500

backup of MTU 1500

local pool LVCHSVPN 192.168.12.100 - 192.168.12.254 255.255.255.0 IP mask

no failover

ICMP unreachable rate-limit 100 burst-size 5

ICMP allow any inside

ICMP allow any outside_pri

don't allow no asdm history

ARP timeout 14400

NAT-control

interface of global (outside_pri) 1

Global 1 interface (backup)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (outside_pri) 0-list of access OUTSIDE-NAT0

backup_nat0_outbound (backup) NAT 0 access list

static TCP (inside outside_pri) interface https 192.168.1.45 https netmask 255.255.255.255 dns

static TCP (inside outside_pri) interface 192.168.1.45 www www netmask 255.255.255.255 dns

static TCP (inside outside_pri) interface 8586 192.168.1.45 8586 netmask 255.255.255.255 dns

static (inside, inside) tcp interface 8100 192.168.1.45 8100 netmask 255.255.255.255 dns

Access-group outside_pri_access_in in the outside_pri interface

Route 0.0.0.0 outside_pri 0.0.0.0 64.20.30.169 1 track 1

Backup route 0.0.0.0 0.0.0.0 173.165.159.246 254

Timeout xlate 03:00

Conn Timeout 0:00:00 half-closed 0:30:00 udp icmp from 01:00 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 01:00 uauth uauth absolute inactivity from 01:00

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

AAA authentication http LOCAL console

the ssh LOCAL console AAA authentication

http server enable 981

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside_pri

http 0.0.0.0 0.0.0.0 backup

SNMP server group Authentication_Only v3 auth

SNMP-server host inside 192.168.1.47 survey community lwmedia version 2 c

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Sysopt connection tcpmss 1200

monitor SLA 123

type echo protocol ipIcmpEcho 216.59.44.220 interface outside_pri

Annex ALS life monitor 123 to always start-time now

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto ipsec df - bit clear-df outside_pri

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_pri_map 1 match address outside_pri_1_cryptomap

card crypto outside_pri_map 1 set pfs

peer set card crypto outside_pri_map 1 50.75.217.246

card crypto outside_pri_map 1 set of transformation-ESP-AES-256-MD5

card crypto outside_pri_map 2 match address outside_pri_cryptomap

peer set card crypto outside_pri_map 2 216.59.44.220

card crypto outside_pri_map 2 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

86400 seconds, duration of life card crypto outside_pri_map 2 set security-association

card crypto outside_pri_map 3 match address outside_pri_cryptomap_1

peer set card crypto outside_pri_map 3 216.59.44.220

outside_pri_map crypto map 3 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_pri_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

card crypto outside_pri_map interface outside_pri

crypto isakmp identity address

ISAKMP crypto enable outside_pri

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

aes-256 encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 50

preshared authentication

aes encryption

md5 hash

Group 2

life 86400

!

track 1 rtr 123 accessibility

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH timeout 5

Console timeout 0

management-access inside

dhcpd auto_config outside_pri

!

dhcpd address 192.168.1.51 - 192.168.1.245 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

rental contract interface 86400 dhcpd inside

dhcpd field LM inside interface

dhcpd allow inside

!

a basic threat threat detection

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

a statistical threat detection host number rate 2

no statistical threat detection tcp-interception

WebVPN

port 980

allow inside

Select outside_pri

enable SVC

attributes of Group Policy DfltGrpPolicy

VPN-idle-timeout no

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

internal GroupPolicy2 group strategy

attributes of Group Policy GroupPolicy2

Protocol-tunnel-VPN IPSec svc

internal levelwingVPN group policy

attributes of the strategy of group levelwingVPN

Protocol-tunnel-VPN IPSec svc webvpn

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list levelwingVPN_splitTunnelAcl

username password encrypted Z74.JN3DGMNlP0H2 privilege 0 aard

aard attribute username

VPN-group-policy levelwingVPN

type of remote access service

rcossentino 4UpCXRA6T2ysRRdE encrypted password username

username rcossentino attributes

VPN-group-policy levelwingVPN

type of remote access service

bcherok evwBWqKKwrlABAUp encrypted password username

username bcherok attributes

VPN-group-policy levelwingVPN

type of remote access service

rscott nIOnWcZCACUWjgaP encrypted password privilege 0 username

rscott username attributes

VPN-group-policy levelwingVPN

sryan 47u/nJvfm6kprQDs password encrypted username

sryan username attributes

VPN-group-policy levelwingVPN

type of nas-prompt service

username, password cbruch a8R5NwL5Cz/LFzRm encrypted privilege 0

username cbruch attributes

VPN-group-policy levelwingVPN

type of remote access service

apellegrino yy2aM21dV/11h7fR password encrypted username

username apellegrino attributes

VPN-group-policy levelwingVPN

type of remote access service

username rtuttle encrypted password privilege 0 79ROD7fRw5C4.l5

username rtuttle attributes

VPN-group-policy levelwingVPN

username privilege 15 encrypted password vJFHerTwBy8dRiyW levelwingadmin

username password nbrothers Amjc/rm5PYhoysB5 encrypted privilege 0

username nbrothers attributes

VPN-group-policy levelwingVPN

clong z.yb0Oc09oP3/mXV encrypted password username

clong attributes username

VPN-group-policy levelwingVPN

type of remote access service

username, password finance 9TxE6jWN/Di4eZ8w encrypted privilege 0

username attributes finance

VPN-group-policy levelwingVPN

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

type of remote access service

IPSec-attributes tunnel-group DefaultL2LGroup

Disable ISAKMP keepalive

tunnel-group 50.75.217.246 type ipsec-l2l

IPSec-attributes tunnel-group 50.75.217.246

pre-shared-key *.

Disable ISAKMP keepalive

type tunnel-group levelwingVPN remote access

tunnel-group levelwingVPN General-attributes

address LVCHSVPN pool

Group Policy - by default-levelwingVPN

levelwingVPN group of tunnel ipsec-attributes

pre-shared-key *.

tunnel-group 216.59.44.221 type ipsec-l2l

IPSec-attributes tunnel-group 216.59.44.221

pre-shared-key *.

tunnel-group 216.59.44.220 type ipsec-l2l

IPSec-attributes tunnel-group 216.59.44.220

pre-shared-key *.

Disable ISAKMP keepalive

!

!

!

Policy-map global_policy

!

context of prompt hostname

Cryptochecksum:ed7f4451c98151b759d24a7d4387935b

: end

Hello

It seems to me that you've covered most of the things.

You however not "said" Configuring VPN L2L that traffic between the pool of VPN and network camp should be in tunnel

outside_pri_cryptomap to access extended list ip 192.168.12.0 allow 255.255.255.0 object-group CHS-Colo

Although naturally the remote end must also the corresponding configurations for users of VPN clients be able to pass traffic to the site of the camp.

-Jouni

Need help configuration IOS IPsec to enable communication between the VPN client

Hi, I need help with the configuration of IPsec VPN router 2811. I want to allow communication between VPN clients, is that possible? I know that ASA, you can do this by using the command "permit same-security-traffic intra-interface".

The fact is that each Client IP communicator installed, but when they tried to call each other, he failed. I guess that's because the connectivity between them is not permitted because of the VPN connection.

Thanks in advance...

Hello

Try this: -.

local pool IP 192.168.1.1 ippool 192.168.1.5

access-list 1 permit host 192.168.1.2< vpn="" ip="" addr="" of="" client="">

access-list 1 permit host 192.168.1.3< vpn="" ip="" addr="" of="" client="">

access-list 1 permit 10.10.10.0 0.0.0.255

< lan="" behind="" the="">

ISAKMP crypto client configuration group vpnclient

key cisco123

ACL 1< binding="" the="" acl="">

!

--------Done-------------

If you do NAT on the router then you might want to exempt your VPN traffic to be NAt had

Assuming that the NAT of your router is

overload of IP nat inside source list 111 interface FastEthernet1/0

!

! - The access list is used to specify which traffic

! - must be translated to the outside Internet.

access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Above two statements are exempt from nat traffic.

access-list 111 allow ip 10.10.10.0 0.0.0.255 any<, permits="">

I would like to know if it worked for you.

Concerning

M

Configuration of Cisco for Cisco VPN Client ASA 5505

Our firm has finally made the move from Sonicwall Cisco for our SMB customers. Got our first customer with a VPN site-to site solid and you have configured the main router for connections via the Cisco VPN Client VPN Wizard.

When I install the VPN Client on desktop computers that does not capture all the necessary options (unless you have a SSL VPN). I guess that there is a process that I am missing to export a connection profile that Cisco VPN Client users can import for their connection.

There step by step guides to create the connection profile file to distribute to customers?

Hello

The ASDM wizard is for the configuration on the SAA. This wizard will help you complete the VPN configuration on the end of the ASA.

You will need to set the same in the client, so that they can negotiate and connect.

Input connection in the client field, that's what you want to be seen that on the VPN client - it can be any name

Host will be the external ip address of the ASA.

Group options:

name - same tunnel as defined on the ASA group
Password - pre-shared as on ASA.

Confirm password - same pre-shared key.

Once this is over, you will see the customer having an entry same as a login entry. You must click on connect there. He will be a guest user and the password. Please enter the login crendentials. VPN connects.

You can distribute the .pcf file that is formed at the place mentioned in the post above. Once the other client receive the .pcf, they need to import it by clicking this tab on the VPN client.

Kind regards

Anisha

How to match tunnel-group with auth ASA 8.2 and IPSec VPN Client using digital certificates with Microsoft CA

Hello

I set up a lab for RA VPN with a version of the ASA5510 8.2 and VPN Client 5 software using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco's Web site:

http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080930f21.shtml

Now, the vpn works fine, but now I need to configure a tunnel-different groups so I can provide different services to different users. The problem I have now is that I don't know how to set it up for the certificate is the name of tunnel-group. If I do an ASA debug crypto isakmp I get this error message:

% ASA-713906 7: IP = 165.98.139.12, trying to find the group through OR...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IKE ID...
% 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
% ASA-713906 7: IP = 165.98.139.12, trying to find the group via IP ADDR...
% ASA-713906 7: IP = 165.98.139.12, trying to find the group using default group...
% ASA-713906 7: IP = 165.98.139.12, connection landed on tunnel_group DefaultRAGroup

So, basically, when using certificates I connect always VPN RA only with the group default DefaultRAGroup. Do I have to use a model of different web registration for application for a certificate instead of the user model? How can I determine the OU on the user certificate so that match tunnel-group?

Please help me!

Kind regards

Fernando Aguirre

You can use the group certificate mapping feature to map to a specific group.

This is the configuration for your reference guide:

http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/IKE.html#wp1053978

And here is the command for "map of crypto ca certificate": reference

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2186685

Hope that helps.

Configure the Cisco VPN client to pass through the VPN site-to-site (GUI)

Hello

I say hat the chain and responses I've seen to achieve this goal have been great...

https://supportforums.Cisco.com/discussion/12234631/Cisco-ASA-5505-VPN-p...

and

https://supportforums.Cisco.com/document/12191196/AnyConnect-client-site...

My question is "we will get this configuration by using the graphical user interface for someone who is not notified about the command line?"

Thank you

Of course, all this can be configured via ASDM.

Looking at the second example you posted above, they point you first change:

ACL split of the tunnel for the AnyConnect customer

This Configuration > remote access VPN > network (Client) access > AnyConnect connection profile > (chose the profile and select Edit) > (choose "Manage" next to group policy) > Edit > advanced > Split Tunneling > ensure that the policy does not "Inherit" but rather "Tunnel network list below" > Unselect "Inherit" next to the network list, then 'manage '. Enter your networks you want in the GUI in this dialog box. Click OK all the way back to the main window ASDM and click on apply.

You then change:

Crypto ACL for the tunnel from Site to Site

To do this, go to Configuration > VPN Site-to_site > connection profiles > (choose your profile and select edit) > add the VPN client address pool to the list of local network between protect networks. Yet once, click OK all the way back to the main window ASDM and click on apply.

Then, allow the

ASA to redirect back on the same interface traffic it receives

.. is defined under Configuration > Device Setup > Interfaces. (check the box at the bottom of this screen). Click on apply

Finally, there is the NAT exemption. For which go to Configuration > firewall > rules NAT. Add a NAT device rule before rules network object with Interface Source out, Source address your address pool VPN, the Destination address to include remote subnets and Action is Static Source NAT type source address and destination address remaining as original (i.e. without NAT). Once on OK all the way back to the main window ASDM and click on apply. Save and test.

Good luck. Don't forget to note the brand and posts useful when your question is answered.

configuration problem pix515 to access remote vpn using the vpn client

Hello

My chart is simple:

a client pc with customer vpn cisco 3.X

try to connect to a remote site via a pix 515E.

What happened:

the pc can connect, the pix give it an ip address, but no traffic not encrypted so no access to the remote network.

My config is:

---------------------------------------

START THE CONFIG

--------------------------------------

access-list 102 permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0

IP local pool clientpool 10.10.10.5 - 10.10.10.50

NAT (inside) - 0 102 access list

Permitted connection ipsec sysopt

Crypto ipsec transform-set robust esp - esp-md5-hmac

Crypto-map dynmap 10 transform-set robust Dynamics

map mymap 10-isakmp ipsec crypto dynamic dynmap

mymap outside crypto map interface

ISAKMP allows outside

ISAKMP identity address

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup address clientpool pool vpn30002

vpngroup password 123daniel456789 vpn30002

vpngroup split tunnel 102 vpn30002

-------------------------------------

END CONFIG

-------------------------------------

Please help me!

Concerning

Can you upgrade to a new vpn client or try to disable the firewall in XP sp 2? I think the problem is that this old clients are not supported on xp sp2 or will have problems with the firewall in SP2. Try to run a higher customer or 4.0 x.

Authentication failure - 5505 8.3 configuration to windows server RAIDUS vpn client

Hello

I'm trying to put up a 5505 (8.3 running) so that I can use vpn client through the RADIUS authentication

I set up a new local RAIDUS windows box and used the ASDM Assistant and a few other installation guides the 5505.

I get the following error:

INFO: Attempt to <10.0.0.92>IP address authentication test (timeout: 12 seconds)

ERROR: Authentication rejected: failure of the AAA

any help would be greatly appreciated

Here is my config sanitized:

lit5505-02 # sh run

: Saved

:

ASA Version 8.3 (1)

!

hostname lit5505-02

no names

!

interface Vlan1

nameif inside

security-level 100

10.0.0.100 IP address 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

banner motd ****************************************

Banner motd No. unauthorized access is allowed

banner motd ****************************************

passive FTP mode

DNS server-group DefaultDNS

domain name

network obj_any object

subnet 0.0.0.0 0.0.0.0

object network lotus_notes

host 10.0.0.3

network sonicwall_ssl_2000 object

Home 10.0.0.12

network of the NETWORK_OBJ_10.0.0.0_24 object

10.0.0.0 subnet 255.255.255.0

network of the ABD_LAN object

10.7.0.0 subnet 255.255.0.0

network of the LIT_LAN object

10.0.0.0 subnet 255.255.0.0

network of the LIT_LAN_vlan101 object

subnet 10.0.1.0 255.255.255.0

network of the LIT_LAN_vlan102 object

10.0.2.0 subnet 255.255.255.0

network of the LIT_LAN_vlan103 object

subnet 10.0.3.0 255.255.255.0

network of the LIT_LAN_vlan104 object

10.0.4.0 subnet 255.255.255.0

network of the LIT_LAN_vlan105 object

10.0.5.0 subnet 255.255.255.0

network of the LIT_LAN_vlan106 object

10.0.6.0 subnet 255.255.255.0

network of the LIT_LAN_vlan109 object

10.0.9.0 subnet 255.255.255.0

network of the LIT_LAN_vlan112 object

10.0.112.0 subnet 255.255.255.0

network of the LIT_LAN_vlan114 object

10.0.114.0 subnet 255.255.255.0

network of the LIT_LAN_vlan120 object

10.0.20.0 subnet 255.255.255.0

network of the LIT_LAN_vlan121 object

10.0.21.0 subnet 255.255.255.0

network of the LIT_LAN_vlan100 object

10.0.0.0 subnet 255.255.255.0

network of the LIT_LAN_vlan107 object

10.0.7.0 subnet 255.255.255.0

network of the LIT_LAN_vlan108 object

10.0.8.0 subnet 255.255.255.0

network of the BER_vlan1 object

subnet 10.8.0.0 255.255.255.0

the LIT_VLANS object-group network

network-object, object LIT_LAN_vlan100

network-object, object LIT_LAN_vlan101

network-object, object LIT_LAN_vlan102

network-object, object LIT_LAN_vlan103

network-object, object LIT_LAN_vlan104

network-object, object LIT_LAN_vlan105

network-object, object LIT_LAN_vlan106

network-object, object LIT_LAN_vlan107

network-object, object LIT_LAN_vlan108

network-object, object LIT_LAN_vlan109

network-object, object LIT_LAN_vlan112

network-object, object LIT_LAN_vlan114

network-object, object LIT_LAN_vlan120

network-object, object LIT_LAN_vlan121

the BER_VLANS object-group network

network-object, object BER_vlan1

access list off - in extended permit icmp any one

out-in access-list extended permit tcp any object sonicwall_ssl_2000 eq https

access-list out-in extended permit tcp any eq smtp lotus_notes object

access list-based ip allowed any one

outside_1_cryptomap list extended access permitted ip LIT_VLANS object ABD_LAN object-group

outside_2_cryptomap list extended access permitted ip object-group LIT_VLANS-group of objects BER_VLANS

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT static LIT_VLANS LIT_VLANS destination (indoor, outdoor) static source ABD_LAN ABD_LAN

NAT static LIT_VLANS LIT_VLANS destination (indoor, outdoor) static source BER_VLANS BER_VLANS

!

network obj_any object

NAT dynamic interface (indoor, outdoor)

object network lotus_notes

Static NAT (indoor, outdoor)

network sonicwall_ssl_2000 object

Static NAT (indoor, outdoor)

Access-group all-out in the interface inside

out-in access-group in external interface

Route outside 0.0.0.0 0.0.0.0

Route inside 10.0.1.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.2.0 255.255.255.0 10.0.0.254 1

Route inside between 10.0.3.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.4.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.5.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.6.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.7.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.8.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.9.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.20.0 255.255.255.0 10.0.0.254 1

Route inside 10.0.21.0 255.255.255.0 10.0.0.254 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

RADIUS protocol AAA-server litvms03

litvms03 AAA-server (inside) host 10.0.0.92

key *.

RADIUS-common-pw *.

the ssh LOCAL console AAA authentication

Enable http server

http 10.0.0.0 255.255.0.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs Group1

map 1 set outside_map crypto peer

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

card crypto outside_map 2 match address outside_2_cryptomap

card crypto outside_map 2 pfs Group1 set

card crypto outside_map 2 defined peer

card crypto outside_map 2 game of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

No encryption isakmp nat-traversal

Telnet timeout 5

SSH 10.0.0.0 255.255.0.0 inside

SSH 10.7.0.0 255.255.0.0 inside

SSH timeout 5

SSH version 2

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP server 216.14.98.234 prefer external source

NTP server 204.15.208.61 prefer external source

WebVPN

internal jdr_littleport_employee_vpn group policy

attributes of the strategy of group jdr_littleport_employee_vpn

banner value

value of 10.0.0.8 WINS server 10.100.1.141

value of 10.0.0.8 DNS server 10.100.1.141

Split-tunnel-policy tunnelall

jdrcables.com value by default-field

Split-dns value jdrcables.com

IPv6 address pools no

type of tunnel-group ipsec-l2l

Tunnel ipsec-attributes group

pre-shared key *.

type of tunnel-group ipsec-l2l

Tunnel ipsec-attributes group

pre-shared key *.

!

!

context of prompt hostname

Cryptochecksum:6d1868630c83f17fe0c7de41006a1526

: end

Rich

I have checked the road conditions but missed the VIRTUAL LAN address. Sorry about that.

I'm glad to see that you solved the problem and am not surprised that the question seems to have been some incompatible in the serttings server. I think you should be able to close the thread based on your response. Give it a try.

HTH

Rick

Customer VPN - client configuration isakmp crypto group missing

Similar Questions

Maybe you are looking for