Default gateway when connected to the VPN

Similar Questions

• Cannot send emails from gmail or yahoo when connected to the vpn

  I use a vpn to hide my IP address. When I am connected via my VPN I can't send emails from my gmail or yahoo accounts in thunderbird
  If I disconect vpn, they go through the fine

  Thanks for the suggestion, I've changed the security of connection for STARTTLS
  and they work

• E3000 resets occasionally wired port when connecting to the VPN PPTP using Windows 7.

  I've had an E3000 for a few months now and a couple of times per week that the router loses wired Ethernet connectivity while PPTP VPN connects via Windows 7. The router does not actually resets itself... but darkens light of wired connection, the computer establishing VPN, and connectivity to the router is lost. Within 30 to 45 seconds, the port becomes active, once more, and to establish the VPN connection. I've not seen this on a wireless connection, but I do not often, which may be why. Similarly, I have not seen this on my Vista or XP wired computers using the Windows VPN client... but then again I can't use them often enough to meet the problem.

  I see this mostly on my Windows 7 (x 64) SP1, it also appeared pre - SP1, development equipped PC IP6 disabled on the PPTP VPN. And I don't see that on the establishment of a connection... once the connection has been made I can be operational for hours (5/6 or more a day) with no issue.

  While this issue causes me all real headaches like this doesn't happen on the connection... I thought someone should know.

  abandoned,

  Gave to your suggestion to try, but did nothing to eliminate the problem. The router was already on the version the most recent but re-flashed in any case. I ran 3 days on an old Windows XP machine connected to a different port on the router, I had 3 days to do work, and I've never had the drop on the VPN port. But this morning back on my Windows 7 machine... the port fell during my first attempt... I then had no problem, the rest of the day. Despite her disconnect and reconnect a PPTP VPN a few times more. Go figure.

  Let's consider this resolved... as I don't want to lose too much everyones time hassling with something that seems to be minor. Thanks for the help!

• Access to the external network when connected to the VPN

  I have a 5505 I successfully install an IPSEC connection to. It uses NT to Active Directory authentication to authenticate. After I log in, I can access everything on the remote network (internal). I can't access anything on the internet.

  Nothing behind the ASA can access internet, vpn clients that cannot come back on.

  Syslog messages show buiding vpn clients to the top and down the ICMP connections if they try to do a ping to the outside, but they are not answered.

  I know it's most likely a statement ACL or NAT that I am out of ideas?

  config attacched

  You have 2 options.

  Split tunneling, unencrypted access to internet.

  Public Internet on a stick, integrated internet traffic to ASA and back on.

  permit same-security-traffic intra-interface

  Global 1 interface (outside)

  NAT (outside) 1

• requiring a client firewall be present when connecting to the VPN

  Is there a way to set the firewall need a group, as it is present to a concentrator vpn to connect vpn through a PIX, customers or is that the game buy a hub of additional features allows you to?

  Thank you

  Bill

  go to configuration group policy for the policy that you are wanting to change and use the command below.

  client-firewall-fire [opt | req | none]

• Cannot access Internet when connected to the VPN

  I have mobile users using the Cisco VPN (4.0.5B) connection to a 837 customer. They can connect and access resources network in-house/remote ok. However, they are unable to access the Internet at the same time. I also had this problem where some users were connecting in a PIX, but managed to settle only by using the vpngroup tunnel of splitting and appropriate ACL commands. All I can find on the Cisco site is that it is possible by specifying an ACL, bit I don't know where to specify them this and that. Thank you.

  Here are examples of code,

  access-list 100 permit ip<837 inside="" net=""><837 inside="" net="" mask="">

  ISAKMP crypto client configuration group ciscovpn

  key cisco123

  pool vpnpool

  ACL 100

• Error 720 when connecting to the vpn.

  
  
  

• Lose the internet while connected to the VPN

  I've seen quite a few threads of not being able to connect to internet when connected to the VPN. I tried to follow but have not be able to follow. I connect to the VPN via IE (that is connected by using Check Point). How can I go about it?

  That's the problem of split tunnel. In general, the VPN tunnel can be configured on the client side (as the native client VPN PPTP in Windows for example) or side Server (like OpenVPN for example) to force all traffic through the VPN tunnel or not. If all the traffic is forced through the VPN tunnel, which is what your description, internet access is controlled by the VPN server. It is a safety precaution to isolate the network side server from your local network.

  I would check with your network/VPN to help admins simply because may fall you on a server-side config that may or may not be changed according to their network security protocols.

• When I connect to the VPN on my laptop to use WWAN, I can no longer access the Internet.

  When I connect to the VPN on my laptop to use WWAN, I can no longer access the Internet. I have a VPN connection and it works but not navigation parallel to the point where the VPN works.

  Someone suggested this fix >

  Make sure that the default route has NOT changed to the VPN server.

  Open the properties of your VPN connection.

  Go to 'network '. Double click on TCP/IP protocol. Use the button "Advanced".

  Disable the feature from default gateway.

  but when I do that so I'm not able to access our data HTML site that requires the use of VPN.

  Any help is appreciated

  This article describes what you see...

  http://TechNet.Microsoft.com/en-us/library/bb878117.aspx

  .. .and possible solutions...

  I suggest you post this question in the TechNet Windows 7 IT Pro networking forum can help...

  http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

• Get 810 error message when you try to connect to the VPN using L2TP protocol

  Original title: L2TP will not let me connect.

  I am in Workstation 9 and in each virtual machine, I have an AD - DC (2K8R2Enterprise), CA and RRAS (2K8R2Enterprise) and my last vm is a win7 (they are all tests).  All are not updated, but the PPTP, IKEv2 work without problem.  The second server that has the CAs and RRAS is a member of the AD - DC server.  The Win7 is not on the domain and I have Win7 a client certificate.  I have ensured that the CA root of trust is in the user store and computer Trusted Root CA.  I have also ensured that the Win7 client certificate is in the user store and personal computer.  I get a 810 error message when I try to connect to the VPN using the L2TP protocol.  I have exhaustively studied this problem and I can't find a solution to this problem.  I also raise the functional level of the domain to 2K8R2.

  I think this should be a simple and easy solution, but where can I find the answer?
  Please help me.
  Thank you for your time.
  Allan.

  Hi Allan,

  The question you posted would be better suited in the TechNet Forums. I would recommend posting your query in the Forum TechNet site:

  http://social.technet.Microsoft.com/forums/en/category/w7itpro

  If you need any other assistance, let know us and we would be happy to help you.

• Unable to gateway ping after the connection to the VPN

  I've implemented a ASA 5505 with virtually any configuration. I changed the interface of the 192.168.168.250 inside and set up DSL PPPoE for the external interface.

  The ASA works perfectly for all my Internet needs so I set up a VPN using Ipsec VPN Wizard. This also works perfectly, except that I noticed a thing. Once I connect to the VPN, I'm not able to ping from the inside address of the ASA at the 192.168.168.250. When I ping or manage the ASA using this IP address, while I work on the site it works fine. Why is this and is there a way that I can change?

  Thank you!

  -Pete

  peterdallas wrote:
  I've set up an ASA 5505 with hardly any configuration. I changed the Inside interface to 192.168.168.250 and configured PPPoE DSL for the outside interface.
  The ASA is working perfectly for all of my Internet needs so I set up a VPN using the Ipsec VPN wizard. That also works perfectly, except I noticed one thing. Once I connect to the VPN, I'm not able to ping the inside address of the ASA at 192.168.168.250. When I ping or manage the ASA using that IP address while I'm working on site it works fine. Why is that and is there a way I can change it?
  Thanks!
  -Pete
  

  Pete

  Add this to your config file-

  ASA (config) # management - access inside

  all the details-

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/m.html#wp1987122

  Jon

• C6380 wireless at home not seen when I connect to the VPN from the company

  I have a HP C6380 wireless printer which works fine when I'm not connected to the VPN to my company.  I have a WRT54GS of LYNKSYS router.

  When I activate my VPN connection via laptop computer Windows XP, the printer's connection is lost.

  How can I fix?

  You can not fix it.  It is the nature of the VPN to disconnect all devices like printer LAN (and file sharing with other computers besides).

  The only recourse is to use USB directly connected between the printer and the computer when VPN.  The good news is that the printer is OK with having wireless and live USB connections at the same time.

• IPSec VPN: connected to the VPN but cannot access resources

  Hello

  I configured a VPN IPSec on two ISP with IP SLA configured, there is a redundancy on the VPN so that if address main is it connect to the VPN backup.

  QUESTIONS

  -Connect to the primary address and I can access resources

  -backup address to connect but can not access resources for example servers

  I want a way to connect to backup and access on my servers resources. Please help look in the config below

  configuration below:

  interface GigabitEthernet0/0

  LAN description

  nameif inside

  security-level 100

  IP 192.168.202.100 255.255.255.0

  !

  interface GigabitEthernet0/1

  Description CONNECTION_TO_DOPC

  nameif outside

  security-level 0

  IP address 2.2.2.2 255.255.255.248

  !

  interface GigabitEthernet0/2

  Description CONNECTION_TO_COBRANET

  nameif backup

  security-level 0

  IP 3.3.3.3 255.255.255.240

  !

  !

  interface Management0/0

  Shutdown

  No nameif

  no level of security

  no ip address

  management only

  !

  boot system Disk0: / asa831 - k8.bin

  boot system Disk0: / asa707 - k8.bin

  passive FTP mode

  clock timezone WAT 1

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  Name-Server 4.2.2.2

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  network of object obj-200

  192.168.200.0 subnet 255.255.255.0

  Description LAN_200

  network of object obj-202

  192.168.202.0 subnet 255.255.255.0

  Description LAN_202

  network of the NETWORK_OBJ_192.168.30.0_25 object

  subnet 192.168.30.0 255.255.255.128

  network of the RDP_12 object

  Home 192.168.202.12

  Web server description

  service object RDP

  source eq 3389 destination eq 3389 tcp service

  network obj012 object

  Home 192.168.202.12

  the Backup-PAT object network

  192.168.202.0 subnet 255.255.255.0

  NETWORK LAN UBA description

  the DM_INLINE_NETWORK_1 object-group network

  object-network 192.168.200.0 255.255.255.0

  object-network 192.168.202.0 255.255.255.0

  the DM_INLINE_NETWORK_2 object-group network

  network-object object obj-200

  network-object object obj-202

  access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

  access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

  OUTSIDE_IN list extended access permit icmp any any idle state

  OUTSIDE_IN list extended access permit tcp any object obj012 eq inactive 3389

  gbnltunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

  standard access list gbnltunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

  BACKUP_IN list extended access permit icmp any any idle state

  access extensive list ip 196.216.144.0 encrypt_acl allow 255.255.255.192 192.168.202.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  backup of MTU 1500

  Backup2 MTU 1500

  local pool GBNLVPNPOOL 192.168.30.0 - 192.168.30.100 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any backup

  ASDM image disk0: / asdm-645 - 206.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, outside) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

  NAT (inside, outside) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 non-proxy-arp-search of route static destination

  !

  network of object obj-200

  NAT dynamic interface (indoor, outdoor)

  network of object obj-202

  dynamic NAT (all, outside) interface

  network obj012 object

  NAT (inside, outside) interface static service tcp 3389 3389

  the Backup-PAT object network

  dynamic NAT interface (inside, backup)

  !

  NAT source auto after (indoor, outdoor) dynamic one interface

  Access-group interface inside INSIDE_OUT

  Access-group OUTSIDE_IN in interface outside

  Access-group BACKUP_IN in the backup of the interface

  Route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 followed by 100

  Backup route 0.0.0.0 0.0.0.0 3.3.3.3 254

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  WebVPN

  value of the URL-list GBNL-SERVERS

  identity of the user by default-domain LOCAL

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  AAA authentication enable LOCAL console

  http server enable 441

  http 192.168.200.0 255.255.255.0 inside

  http 192.168.202.0 255.255.255.0 inside

  http 192.168.2.0 255.255.255.0 inside

  http 192.168.30.0 255.255.255.0 inside

  http 0.0.0.0 0.0.0.0 outdoors

  http 0.0.0.0 0.0.0.0 backup

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  ALS 10 monitor

  type echo protocol ipIcmpEcho 31.13.72.1 interface outside

  NUM-package of 5

  Timeout 3000

  frequency 5

  Annex monitor SLA 10 life never start-time now

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto IPSec_map 10 corresponds to the address encrypt_acl

  card crypto IPSec_map 10 set peer 196.216.144.1

  card crypto IPSec_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  inside crypto map inside_map interface

  ipsec_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  ipsec_map interface card crypto outside

  gbnltunnel card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  backup of crypto gbnltunnel interface card

  Crypto ca trustpoint ASDM_TrustPoint0

  Terminal registration

  name of the object CN = GBNLVPN.greatbrandsng.com, O = GBNL, C = ng

  Configure CRL

  Crypto ikev1 allow inside

  Crypto ikev1 allow outside

  Crypto ikev1 enable backup

  IKEv1 crypto policy 10

  authentication crack

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 20

  authentication rsa - sig

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 30

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 40

  authentication crack

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 50

  authentication rsa - sig

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 60

  preshared authentication

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 70

  authentication crack

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 80

  authentication rsa - sig

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 90

  preshared authentication

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 100

  authentication crack

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 110

  authentication rsa - sig

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 120

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 130

  authentication crack

  the Encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 140

  authentication rsa - sig

  the Encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 150

  preshared authentication

  the Encryption

  sha hash

  Group 2

  life 86400

  enable client-implementation to date

  !

  track 10 rtr 100 accessibility

  !

  Track 100 rtr 10 accessibility

  Telnet 192.168.200.0 255.255.255.0 inside

  Telnet 192.168.202.0 255.255.255.0 inside

  Telnet timeout 5

  SSH 192.168.202.0 255.255.255.0 inside

  SSH 192.168.200.0 255.255.255.0 inside

  SSH 0.0.0.0 0.0.0.0 inside

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH 0.0.0.0 0.0.0.0 backup

  SSH timeout 30

  SSH group dh-Group1-sha1 key exchange

  Console timeout 0

  management-access inside

  a basic threat threat detection

  threat detection statistics

  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

  WebVPN

  allow outside

  enable backup

  activate backup2

  internal gbnltunnel group policy

  attributes of the strategy of group gbnltunnel

  Ikev1 VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  greatbrandsng.com value by default-field

  Group Policy 'Group 2' internal

  type of remote access service

  type tunnel-group gbnltunnel remote access

  tunnel-group gbnltunnel General-attributes

  address GBNLVPNPOOL pool

  Group Policy - by default-gbnltunnel

  gbnltunnel group of tunnel ipsec-attributes

  IKEv1 pre-shared-key *.

  type tunnel-group GBNLSSL remote access

  type tunnel-group GBNL_WEBVPN remote access

  attributes global-tunnel-group GBNL_WEBVPN

  Group Policy - by default-gbnltunnel

  tunnel-group 196.216.144.1 type ipsec-l2l

  IPSec-attributes tunnel-group 196.216.144.1

  IKEv1 pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  HPM topN enable

  Cryptochecksum:6004bf457c9c0bc1babbdbf1cd8aeba5

  : end

  When you say that "the external interface is downwards using failover techniques" you mean this failover occurred because the ASA is no longer able to reach the 31.13.72.1?  Not that the actual interface is broken?

  If this is the case, then the NATing is your problem.  Since you're using the same VPN pool for VPN connections the ASA cannot distinguish between the two streams of traffic if the external interface is still in place.  The SLA tracking only removes a route in the routing table, but does not affect what happens in the NAT process.

  try to change the NAT statement follows him and the test (don't forget to remove the other statements to exempt of NAT for this traffic during the test):

  NAT (inside,any) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

  If this does not work, I would either turn off the external interface when a failover occurs, or create a second connection profile that contains a separate mass of IP for the VPN connection and ask users to connect using this profile when a failover takes place.  Don't forget to create Nat exempt instructions for this traffic also.

  --

  Please note all useful posts

• Help, please! Connected to the VPN, but cannot access internal servers.

  Hi friends,

  I'm a newbie on vpn stuff, I set up a base on a Cisco ASA 5505 vpn by using ASDM, and I was able to connect to it.  However, I can't ssh or RDP to one of the servers in the House after that I connected to the vpn.  Here is the configuration.  Help, please!

  ASA Version 8.2 (5)

  !

  hostname sc - asa

  domain abc.com

  enable the encrypted password xxxxxxxxx

  xxxxxxxxx encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address dhcp setroute

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain OpenDNS.com

  sc-pool_splitTunnelAcl-list of allowed access standard 192.168.1.0 255.255.255.0

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.1.96 255.255.255.240

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool sc-192.168.1.100 - 192.168.1.110 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  interface ID client DHCP-client to the outside

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.5 - 192.168.1.36 inside

  dhcpd dns 208.67.222.222 208.67.220.220 interface inside

  rental contract interface 86400 dhcpd inside

  dhcpd abc.com domain inside interface

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  SSL encryption rc4 - md5, rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1

  WebVPN

  abc group policy - sc internal

  attributes of the strategy of group abc - sc

  value of server DNS 208.67.222.222 192.168.1.3

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value abc-sc_splitTunnelAcl

  field default value abc.com

  a001 xxxxxxxxxxx encrypted password username

  a002 xxxxxxxxxxx encrypted password username

  username a003 encrypted password privilege 0 xxxxxxxxxxx

  a003 username attributes

  Strategy Group-VPN-abc-sc

  a004 xxxxxxxxxxx encrypted password privilege 0 username

  a004 username attributes

  Strategy Group-VPN-abc-sc

  a005 xxxxxxxxxxx encrypted password username

  a006 xxxxxxxxxxx encrypted password username

  username privilege 15 encrypted password xxxxxxxxxxx a007

  remote access to tunnel-group abc - sc type

  attributes global-tunnel-group-abc - sc

  address sc-pool pool

  Group Policy - by default-abc-sc

  tunnel-group abc - sc ipsec-attributes

  pre-shared key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:e7df4fa4b60a252d806ca5222d48883b

  : end

  Hello

  I would suggest you start by changing the pool VPN to something else than the current LAN network and see if that helps

  These should be the configuration required to achieve this goal

  • First remove us pool setup VPN VPN
  • Then we delete the VPN Pool and create again with an another address space
  • When then attach this new Pool of VPN again to the VPN configuration
  • In the last step, we add a NAT0 / exempt for this new pool VPN NAT configuration and remove the old ACL line for the former group of VPN

  attributes global-tunnel-group-abc - sc

  no address-sc-swimming pool

  no ip local pool sc 192.168.1.100 - 192.168.1.110 mask 255.255.255.0

  IP local pool sc-192.168.100.100 - 192.168.100.110 mask 255.255.255.0

  attributes global-tunnel-group-abc - sc

  address sc-pool pool

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.100.0 255.255.255.0

  No inside_nat0_outbound access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.1.96 255.255.255.240

  -Jouni

• Drives and airport Extreme Base Station to disconnect after connection to the VPN

  At home when I'm on WIFI, everything works fine. At the moment where I connect to the VPN to do office work, the base station will disconnect and accessible either.

  Any help?

  The problem you are experiencing is perhaps due to the type of VPN tunnel that you use to connect to your workplace. There are basically two types: 1) full or partial) 2. Note: The different VPN clients can use other words, but these are usually options when you set up a tunnel.

  When you use a complete tunnel, all traffic between your computer and the VPN of your working server, through the tunnel. No traffic is allowed on your local network, and therefore, all local resources are not available. With a partial tunnel, your computer data traffic, may as well go through the tunnel and also to your local network. One reason to use a partial tunnel, for example, is that you have a local printer, you need to perform printing. You can be connected to this type of tunnel for access to the documents and then, be able to print on this printer... otherwise, with a tunnel of full, you would print to a printer at your place of work.