Establish a IPsec VPN connection, but remote site can't ping main office

Hi, I set up connection from site to site IPsec VPN between cisco 892 (main site) router and linksys router wrv210 (remote site). My problem is that I can ping network router wrv210 lan of my main office where is cisco 892 router, but I cannot ping the main site of linksys wrv210 lan (my remote site).

My configuration on the cisco 892 router:

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-1

game group-access 103

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-3

game group-access 106

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-2

game group-access 105

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-5

game group-access 108

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-4

game group-access 107

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-7

group-access 110 match

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-6

game group-access 109

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-9

game group-access 112

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-8

game group-access 111

type of class-card inspect entire game SDM_AH

match the name of group-access SDM_AH

type of class-card inspect entire game SDM_ESP

match the name of group-access SDM_ESP

type of class-card inspect entire game SDM_VPN_TRAFFIC

match Protocol isakmp

match Protocol ipsec-msft

corresponds to the SDM_AH class-map

corresponds to the SDM_ESP class-map

type of class-card inspect the correspondence SDM_VPN_PT

game group-access 102

corresponds to the SDM_VPN_TRAFFIC class-map

type of class-card inspect entire game PAC-cls-insp-traffic

match Protocol cuseeme

dns protocol game

ftp protocol game

h323 Protocol game

https protocol game

match icmp Protocol

match the imap Protocol

pop3 Protocol game

netshow Protocol game

Protocol shell game

match Protocol realmedia

match rtsp Protocol

smtp Protocol game

sql-net Protocol game

streamworks Protocol game

tftp Protocol game

vdolive Protocol game

tcp protocol match

udp Protocol game

inspect the class-map match PAC-insp-traffic type

corresponds to the class-map PAC-cls-insp-traffic

type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-10

game group-access 113

type of class-card inspect all sdm-service-ccp-inspect-1 game

http protocol game

https protocol game

type of class-card inspect entire game PAC-cls-icmp-access

match icmp Protocol

tcp protocol match

udp Protocol game

type of class-card inspect correspondence ccp-invalid-src

game group-access 100

type of class-card inspect correspondence ccp-icmp-access

corresponds to the class-ccp-cls-icmp-access card

type of class-card inspect correspondence ccp-Protocol-http

match class-map sdm-service-ccp-inspect-1

!

!

type of policy-card inspect PCB-permits-icmpreply

class type inspect PCB-icmp-access

inspect

class class by default

Pass

type of policy-card inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

inspect

class type inspect sdm-cls-VPNOutsideToInside-2

Pass

class type inspect sdm-cls-VPNOutsideToInside-3

Pass

class type inspect sdm-cls-VPNOutsideToInside-4

Pass

class type inspect sdm-cls-VPNOutsideToInside-5

Pass

class type inspect sdm-cls-VPNOutsideToInside-6

inspect

class type inspect sdm-cls-VPNOutsideToInside-7

Pass

class type inspect sdm-cls-VPNOutsideToInside-8

Pass

class type inspect sdm-cls-VPNOutsideToInside-9

inspect

class type inspect sdm-cls-VPNOutsideToInside-10

Pass

class class by default

drop

type of policy-map inspect PCB - inspect

class type inspect PCB-invalid-src

Drop newspaper

class type inspect PCB-Protocol-http

inspect

class type inspect PCB-insp-traffic

inspect

class class by default

drop

type of policy-card inspect PCB-enabled

class type inspect SDM_VPN_PT

Pass

class class by default

drop

!

security of the area outside the area

safety zone-to-zone

zone-pair security PAC-zp-self-out source destination outside zone auto

type of service-strategy inspect PCB-permits-icmpreply

zone-pair security PAC-zp-in-out source in the area of destination outside the area

type of service-strategy inspect PCB - inspect

source of PAC-zp-out-auto security area outside zone destination auto pair

type of service-strategy inspect PCB-enabled

sdm-zp-VPNOutsideToInside-1 zone-pair security source outside the area of destination in the area

type of service-strategy inspect sdm-pol-VPNOutsideToInside-1

!

!

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key address 83.xx.xx.50 xxxxxxxxxxx

!

!

Crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac

!

map SDM_CMAP_1 1 ipsec-isakmp crypto

Description NY_NJ

the value of 83.xx.xx.50 peer

game of transformation-ESP-3DES

match address 101

!

!

!

!

!

interface BRI0

no ip address

no ip redirection

no ip unreachable

no ip proxy-arp

penetration of the IP stream

encapsulation hdlc

Shutdown

Multidrop ISDN endpoint

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

FastEthernet6 interface

!

!

interface FastEthernet7

!

!

interface FastEthernet8

no ip address

no ip redirection

no ip unreachable

no ip proxy-arp

penetration of the IP stream

automatic duplex

automatic speed

!

!

interface GigabitEthernet0

Description $ES_WAN$ $FW_OUTSIDE$

IP address 89.xx.xx.4 255.255.255.xx

no ip redirection

no ip unreachable

no ip proxy-arp

penetration of the IP stream

NAT outside IP

IP virtual-reassembly

outside the area of security of Member's area

automatic duplex

automatic speed

map SDM_CMAP_1 crypto

!

!

interface Vlan1

Description $ETH - SW - LAUNCH INTF-INFO-FE 1 to $$$ $ES_LAN$ $FW_INSIDE$

IP 192.168.0.253 255.255.255.0

no ip redirection

no ip unreachable

no ip proxy-arp

penetration of the IP stream

IP nat inside

IP virtual-reassembly

Security members in the box area

IP tcp adjust-mss 1452

!

!

IP forward-Protocol ND

IP http server

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

!

!

IP nat inside source overload map route SDM_RMAP_1 interface GigabitEthernet0

IP route 0.0.0.0 0.0.0.0 89.xx.xx.1

!

SDM_AH extended IP access list

Note the category CCP_ACL = 1

allow a whole ahp

SDM_ESP extended IP access list

Note the category CCP_ACL = 1

allow an esp

!

recording of debug trap

Note access-list 1 INSIDE_IF = Vlan1

Note category of access list 1 = 2 CCP_ACL

access-list 1 permit 192.168.0.0 0.0.0.255

Access-list 100 category CCP_ACL = 128 note

access-list 100 permit ip 255.255.255.255 host everything

access-list 100 permit ip 127.0.0.0 0.255.255.255 everything

access-list 100 permit ip 89.xx.xx.0 0.0.0.7 everything

Note access-list 101 category CCP_ACL = 4

Note access-list 101 IPSec rule

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

Note access-list 102 CCP_ACL category = 128

access-list 102 permit ip host 83.xx.xx.50 all

Note access-list 103 CCP_ACL category = 0

Note access-list 103 IPSec rule

access-list 103 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 104 CCP_ACL category = 2

Note access-list 104 IPSec rule

access-list 104 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104. allow ip 192.168.0.0 0.0.0.255 any

Note access-list 105 CCP_ACL category = 0

Note access-list 105 IPSec rule

access-list 105 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 106 CCP_ACL category = 0

Note access-list 106 IPSec rule

access-list 106 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 107 CCP_ACL category = 0

Note access-list 107 IPSec rule

access-list 107 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 108 CCP_ACL category = 0

Note access-list 108 IPSec rule

access-list 108 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 109 CCP_ACL category = 0

Note access-list 109 IPSec rule

access-list 109 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 110 CCP_ACL category = 0

Note access-list 110 IPSec rule

access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 111 CCP_ACL category = 0

Note access-list 111 IPSec rule

access-list 111 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 112 CCP_ACL category = 0

Note access-list 112 IPSec rule

access-list 112 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

Note access-list 113 CCP_ACL category = 0

Note access-list 113 IPSec rule

access-list 113 allow ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

not run cdp

!

!

!

!

allowed SDM_RMAP_1 1 route map

corresponds to the IP 104

--------------------------------------------------------

I only give your router cisco 892 because there is nothnig much to change on linksys wrv210 router.

Hope someone can help me. See you soon

You can run a "ip inspect log drop-pkt" and see if get you any what FW-DROP session corresponding to the traffic you send Linksys to the main site. Zone based firewall could be blocking traffic initiated from outside to inside.

Tags: Cisco Security

Similar Questions

  • ASA 5505 IPSEC VPN connected but cannot access the local network

    ASA: 8.2.5

    ASDM: 6.4.5

    LAN: 10.1.0.0/22

    Pool VPN: 172.16.10.0/24

    Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

    I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

    Here is my setup, wrong set up anything?

    ASA Version 8.2 (5)

    !

    hostname asatest

    domain XXX.com

    activate 8Fw1QFqthX2n4uD3 encrypted password

    g9NiG6oUPjkYrHNt encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 10.1.1.253 255.255.252.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    address IP XXX.XXX.XXX.XXX 255.255.255.240

    !

    passive FTP mode

    clock timezone PST - 8

    clock summer-time recurring PDT

    DNS server-group DefaultDNS

    domain vff.com

    vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

    access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

    pager lines 24

    Enable logging

    timestamp of the record

    logging trap warnings

    asdm of logging of information

    logging - the id of the device hostname

    host of logging inside the 10.1.1.230

    Within 1500 MTU

    Outside 1500 MTU

    IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA-server protocol nt AD

    AAA-server host 10.1.1.108 AD (inside)

    NT-auth-domain controller 10.1.1.108

    Enable http server

    http 10.1.0.0 255.255.252.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 10.1.0.0 255.255.252.0 inside

    SSH timeout 20

    Console timeout 0

    dhcpd outside auto_config

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal group vpntest strategy

    Group vpntest policy attributes

    value of 10.1.1.108 WINS server

    Server DNS 10.1.1.108 value

    Protocol-tunnel-VPN IPSec l2tp ipsec

    disable the password-storage

    disable the IP-comp

    Re-xauth disable

    disable the PFS

    IPSec-udp disable

    IPSec-udp-port 10000

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list vpntest_splitTunnelAcl

    value by default-domain XXX.com

    disable the split-tunnel-all dns

    Dungeon-client-config backup servers

    the address value vpnpool pools

    admin WeiepwREwT66BhE9 encrypted privilege 15 password username

    username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

    the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

    tunnel-group vpntest type remote access

    tunnel-group vpntest General attributes

    address vpnpool pool

    authentication-server-group AD

    authentication-server-group (inside) AD

    Group Policy - by default-vpntest

    band-Kingdom

    vpntest group tunnel ipsec-attributes

    pre-shared-key BEKey123456

    NOCHECK Peer-id-validate

    !

    !

    privilege level 3 mode exec cmd command perfmon

    privilege level 3 mode exec cmd ping command

    mode privileged exec command cmd level 3

    logging of the privilege level 3 mode exec cmd commands

    privilege level 3 exec command failover mode cmd

    privilege level 3 mode exec command packet cmd - draw

    privilege show import at the level 5 exec mode command

    privilege level 5 see fashion exec running-config command

    order of privilege show level 3 exec mode reload

    privilege level 3 exec mode control fashion show

    privilege see the level 3 exec firewall command mode

    privilege see the level 3 exec mode command ASP.

    processor mode privileged exec command to see the level 3

    privilege command shell see the level 3 exec mode

    privilege show level 3 exec command clock mode

    privilege exec mode level 3 dns-hosts command show

    privilege see the level 3 exec command access-list mode

    logging of orders privilege see the level 3 exec mode

    privilege, level 3 see the exec command mode vlan

    privilege show level 3 exec command ip mode

    privilege, level 3 see fashion exec command ipv6

    privilege, level 3 see the exec command failover mode

    privilege, level 3 see fashion exec command asdm

    exec mode privilege see the level 3 command arp

    command routing privilege see the level 3 exec mode

    privilege, level 3 see fashion exec command ospf

    privilege, level 3 see the exec command in aaa-server mode

    AAA mode privileged exec command to see the level 3

    privilege, level 3 see fashion exec command eigrp

    privilege see the level 3 exec mode command crypto

    privilege, level 3 see fashion exec command vpn-sessiondb

    privilege level 3 exec mode command ssh show

    privilege, level 3 see fashion exec command dhcpd

    privilege, level 3 see the vpnclient command exec mode

    privilege, level 3 see fashion exec command vpn

    privilege level see the 3 blocks from exec mode command

    privilege, level 3 see fashion exec command wccp

    privilege see the level 3 exec command mode dynamic filters

    privilege, level 3 see the exec command in webvpn mode

    privilege control module see the level 3 exec mode

    privilege, level 3 see fashion exec command uauth

    privilege see the level 3 exec command compression mode

    level 3 for the show privilege mode configure the command interface

    level 3 for the show privilege mode set clock command

    level 3 for the show privilege mode configure the access-list command

    level 3 for the show privilege mode set up the registration of the order

    level 3 for the show privilege mode configure ip command

    level 3 for the show privilege mode configure command failover

    level 5 mode see the privilege set up command asdm

    level 3 for the show privilege mode configure arp command

    level 3 for the show privilege mode configure the command routing

    level 3 for the show privilege mode configure aaa-order server

    level mode 3 privilege see the command configure aaa

    level 3 for the show privilege mode configure command crypto

    level 3 for the show privilege mode configure ssh command

    level 3 for the show privilege mode configure command dhcpd

    level 5 mode see the privilege set privilege to command

    privilege level clear 3 mode exec command dns host

    logging of the privilege clear level 3 exec mode commands

    clear level 3 arp command mode privileged exec

    AAA-server of privilege clear level 3 exec mode command

    privilege clear level 3 exec mode command crypto

    privilege clear level 3 exec command mode dynamic filters

    level 3 for the privilege cmd mode configure command failover

    clear level 3 privilege mode set the logging of command

    privilege mode clear level 3 Configure arp command

    clear level 3 privilege mode configure command crypto

    clear level 3 privilege mode configure aaa-order server

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

    : end

    Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

    The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

    On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

  • Cisco ipsec Vpn connects but cannot communicate with lan

    I have a version of cisco 1921 15.2 (4) M3 I install vpn ipsec and may have customers to connect but cannot ping anything inside.  A glimpse of what could be wrong with my config would be greatly appreciated.  I posted the configuration as well as running a few outings of ipsec.  I also tried with multiple operating systems using cisco vpn client and shrewsoft.  I am able to connect to the other VPN ipsec running 1921 both of these computers by using a client.

    Thanks for any assistance

    SH run

    !
    AAA new-model
    !
    !
    AAA authentication login radius_auth local radius group
    connection of AAA VPN_AUTHEN group local RADIUS authentication
    AAA authorization network_vpn_author LAN
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    clock timezone PST - 8 0
    clock to summer time recurring PST
    !
    no ip source route
    decline of the IP options
    IP cef
    !
    !
    !
    !
    !
    !
    no ip bootp Server
    no ip domain search
    domain IP XXX.local
    inspect the high IP 3000 max-incomplete
    inspect the low IP 2800 max-incomplete
    IP inspect a low minute 2800
    IP inspect a high minute 3000
    inspect the IP icmp SDM_LOW name
    inspect the IP name SDM_LOW esmtp
    inspect the tcp IP SDM_LOW name
    inspect the IP udp SDM_LOW name
    IP inspect name SDM_LOW ssh
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    Crypto pki trustpoint TP-self-signed-2909270577
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2909270577
    revocation checking no
    rsakeypair TP-self-signed-2909270577
    !
    !
    TP-self-signed-2909270577 crypto pki certificate chain
    certificate self-signed 01
    license udi pid CISCO1921/K9 sn FTX1715818R
    !
    !
    Archives
    The config log
    Enable logging
    size of logging 1000
    notify the contenttype in clear syslog
    the ADMIN_HOSTS object-group network
    71.X.X.X 71.X.X.X range
    !
    name of user name1 secret privilege 15 4 XXXXXXX

    !
    redundancy
    !
    !
    !
    !
    !
    property intellectual ssh time 60
    property intellectual ssh authentication-2 retries
    property intellectual ssh event logging
    property intellectual ssh version 2
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    ISAKMP crypto client configuration group roaming_vpn
    key XXXXX
    DNS 192.168.10.10 10.1.1.1
    XXX.local field
    pool VPN_POOL_1
    ACL client_vpn_traffic
    netmask 255.255.255.0
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    tunnel mode
    !
    !
    !
    crypto dynamic-map VPN_DYNMAP_1 1
    Set the security association idle time 1800
    game of transformation-ESP-3DES-SHA
    market arriere-route
    !
    !
    list of authentication of card crypto SDM_CMAP_1 client VPN_AUTHEN
    map SDM_CMAP_1 isakmp authorization list network_vpn_author crypto
    client configuration address map SDM_CMAP_1 crypto answer
    map SDM_CMAP_1 65535-isakmp dynamic VPN_DYNMAP_1 ipsec crypto
    !
    !
    !
    !
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    Shutdown
    !
    interface GigabitEthernet0/0
    IP 76.W.E.R 255.255.255.248
    IP access-group ATT_Outside_In in
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    NAT outside IP
    inspect the SDM_LOW over IP
    IP virtual-reassembly in
    load-interval 30
    automatic duplex
    automatic speed
    No cdp enable
    No mop enabled
    map SDM_CMAP_1 crypto
    !
    interface GigabitEthernet0/1
    no ip address
    load-interval 30
    automatic duplex
    automatic speed
    !
    interface GigabitEthernet0/1.10
    encapsulation dot1Q 1 native
    IP 192.168.10.1 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    property intellectual accounting-access violations
    IP nat inside
    IP virtual-reassembly in
    !
    interface GigabitEthernet0/1.100
    encapsulation dot1Q 100
    10.1.1.254 IP address 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly in
    !
    interface GigabitEthernet0/1,200
    encapsulation dot1Q 200
    IP 10.1.2.254 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly in
    IP tcp adjust-mss 1452
    !
    local IP VPN_POOL_1 192.168.168.193 pool 192.168.168.254
    IP forward-Protocol ND
    !
    IP http server
    IP http authentication aaa-authentication of connection ADMIN_AUTHEN
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    IP nat inside source map route ATT_NAT_LIST interface GigabitEthernet0/0 overload
    IP nat inside source static tcp 192.168.10.10 25 expandable 25 76.W.E.R
    IP nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extensible
    IP nat inside source static tcp 192.168.10.10 76.W.E.R expandable 443 443
    IP nat inside source static tcp 192.168.10.10 76.W.E.R expandable 987 987
    IP route 0.0.0.0 0.0.0.0 76.W.E.F
    !
    ATT_Outside_In extended IP access list
    permit tcp object-group ADMIN_HOSTS any eq 22
    allow any host 76.W.E.R eq www tcp
    allow any host 76.W.E.R eq 443 tcp
    allow 987 tcp any host 76.W.E.R eq
    allow any host 76.W.E.R eq tcp smtp
    permit any any icmp echo response
    allow icmp a whole
    allow udp any any eq isakmp
    allow an esp
    allow a whole ahp
    permit any any eq non500-isakmp udp
    deny ip 10.0.0.0 0.255.255.255 everything
    deny ip 172.16.0.0 0.15.255.255 all
    deny ip 192.168.0.0 0.0.255.255 everything
    deny ip 127.0.0.0 0.255.255.255 everything
    refuse the ip 255.255.255.255 host everything
    refuse the host ip 0.0.0.0 everything
    NAT_LIST extended IP access list
    IP 10.1.0.0 allow 0.0.255.255 everything
    permit ip 192.168.10.0 0.0.0.255 any
    deny ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
    refuse the 10.1.1.0 ip 0.0.0.255 192.168.168.192 0.0.0.63
    deny ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
    client_vpn_traffic extended IP access list
    permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
    ip licensing 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
    IP 10.1.2.0 allow 0.0.0.255 10.1.1.0 0.0.0.255
    !
    radius of the IP source-interface GigabitEthernet0/1.10
    Logging trap errors
    logging source hostname id
    logging source-interface GigabitEthernet0/1.10
    !
    ATT_NAT_LIST allowed 20 route map
    corresponds to the IP NAT_LIST
    is the interface GigabitEthernet0/0
    !
    !
    SNMP-server community [email protected] / * /! s RO
    Server enable SNMP traps snmp authentication linkdown, linkup warmstart cold start
    Server enable SNMP traps vrrp
    Server SNMP enable transceiver traps all the
    Server enable SNMP traps ds1
    Enable SNMP-Server intercepts the message-send-call failed remote server failure
    Enable SNMP-Server intercepts ATS
    Server enable SNMP traps eigrp
    Server enable SNMP traps ospf-change of State
    Enable SNMP-Server intercepts ospf errors
    SNMP Server enable ospf retransmit traps
    Server enable SNMP traps ospf lsa
    Server enable SNMP traps ospf nssa-trans-changes state cisco-change specific
    SNMP server activate interface specific cisco-ospf traps shamlink state change
    SNMP Server enable neighbor traps cisco-specific ospf to the State shamlink change
    Enable SNMP-Server intercepts specific to cisco ospf errors
    SNMP server activate specific cisco ospf retransmit traps
    Server enable SNMP traps ospf cisco specific lsa
    SNMP server activate license traps
    Server enable SNMP traps envmon
    traps to enable SNMP-Server ethernet cfm cc mep-top low-mep Dispatcher loop config
    Enable SNMP-Server intercepts ethernet cfm overlap missing mep mep-unknown service-up
    Server enable SNMP traps auth framework sec-violation
    Server enable SNMP traps c3g
    entity-sensor threshold traps SNMP-server enable
    Server enable SNMP traps adslline
    Server enable SNMP traps vdsl2line
    Server enable SNMP traps icsudsu
    Server enable SNMP traps ISDN call-information
    Server enable SNMP traps ISDN layer2
    Server enable SNMP traps ISDN chan-not-available
    Server enable SNMP traps ISDN ietf
    Server enable SNMP traps ds0-busyout
    Server enable SNMP traps ds1-loopback
    SNMP-Server enable traps energywise
    Server enable SNMP traps vstack
    SNMP traps enable mac-notification server
    Server enable SNMP traps bgp cbgp2
    Enable SNMP-Server intercepts isis
    Server enable SNMP traps ospfv3-change of State
    Enable SNMP-Server intercepts ospfv3 errors
    Server enable SNMP traps aaa_server
    Server enable SNMP traps atm subif
    Server enable SNMP traps cef resources-failure-change of State peer peer-fib-state-change inconsistency
    Server enable SNMP traps memory bufferpeak
    Server enable SNMP traps cnpd
    Server enable SNMP traps config-copy
    config SNMP-server enable traps
    Server enable SNMP traps config-ctid
    entity of traps activate SNMP Server
    Server enable SNMP traps fru-ctrl
    SNMP traps-policy resources enable server
    Server SNMP enable traps-Manager of event
    Server enable SNMP traps frames multi-links bundle-incompatibility
    SNMP traps-frame relay enable server
    Server enable SNMP traps subif frame relay
    Server enable SNMP traps hsrp
    Server enable SNMP traps ipmulticast
    Server enable SNMP traps msdp
    Server enable SNMP traps mvpn
    Server enable SNMP traps PNDH nhs
    Server enable SNMP traps PNDH nhc
    Server enable SNMP traps PNDH PSN
    Server enable SNMP traps PNDH exceeded quota
    Server enable SNMP traps pim neighbor-rp-mapping-change invalid-pim-message of change
    Server enable SNMP traps pppoe
    Enable SNMP-server holds the CPU threshold
    SNMP Server enable rsvp traps
    Server enable SNMP traps syslog
    Server enable SNMP traps l2tun session
    Server enable SNMP traps l2tun pseudowire status
    Server enable SNMP traps vtp
    Enable SNMP-Server intercepts waas
    Server enable SNMP traps ipsla
    Server enable SNMP traps bfd
    Server enable SNMP traps gdoi gm-early-registration
    Server enable SNMP traps gdoi full-save-gm
    Server enable SNMP traps gdoi gm-re-register
    Server enable SNMP traps gdoi gm - generate a new key-rcvd
    Server enable SNMP traps gdoi gm - generate a new key-fail
    Server enable SNMP traps gdoi ks - generate a new key-pushed
    Enable SNMP traps gdoi gm-incomplete-cfg Server
    Enable SNMP-Server intercepts gdoi ks-No.-rsa-keys
    Server enable SNMP traps gdoi ks-new-registration
    Server enable SNMP traps gdoi ks-reg-complete
    Enable SNMP-Server Firewall state of traps
    SNMP-Server enable traps ike policy add
    Enable SNMP-Server intercepts removal of ike policy
    Enable SNMP-Server intercepts start ike tunnel
    Enable SNMP-Server intercepts stop ike tunnel
    SNMP server activate ipsec cryptomap add traps
    SNMP server activate ipsec cryptomap remove traps
    SNMP server activate ipsec cryptomap attach traps
    SNMP server activate ipsec cryptomap detach traps
    Server SNMP traps enable ipsec tunnel beginning
    SNMP-Server enable traps stop ipsec tunnel
    Enable SNMP-server holds too many associations of ipsec security
    Enable SNMP-Server intercepts alarm ethernet cfm
    Enable SNMP-Server intercepts rf
    Server enable SNMP traps vrfmib vrf - up low-vrf vnet-trunk-up low-trunk-vnet
    Server RADIUS dead-criteria life 2
    RADIUS-server host 192.168.10.10
    Server RADIUS 2 timeout
    Server RADIUS XXXXXXX key
    !
    !
    !
    control plan
    !
    !

    Line con 0
    privilege level 15
    connection of authentication radius_auth
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport of entry all
    transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    privilege level 15
    connection of authentication radius_auth
    entry ssh transport
    line vty 5 15
    privilege level 15
    connection of authentication radius_auth
    entry ssh transport
    !
    Scheduler allocate 20000 1000
    NTP-Calendar Update
    Server NTP 192.168.10.10
    NTP 64.250.229.100 Server
    !
    end

    Router ipsec crypto #sh her

    Interface: GigabitEthernet0/0
    Tag crypto map: SDM_CMAP_1, local addr 76.W.E.R

    protégé of the vrf: (none)
    local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.168.213/255.255.255.255/0/0)
    current_peer 75.X.X.X port 2642
    LICENCE, flags is {}
    #pkts program: 1953, #pkts encrypt: 1953, #pkts digest: 1953
    #pkts decaps: 1963, #pkts decrypt: 1963, #pkts check: 1963
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    local crypto endpt. : 76.W.E.R, remote Start crypto. : 75.X.X.X
    Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0
    current outbound SPI: 0x5D423270 (1564619376)
    PFS (Y/N): N, Diffie-Hellman group: no

    SAS of the esp on arrival:
    SPI: 0x2A5177DD (709982173)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel UDP-program}
    Conn ID: 2115, flow_id: VPN:115 on board, sibling_flags 80000040, crypto card: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4301748/2809)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE (ACTIVE)

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0x5D423270 (1564619376)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel UDP-program}
    Conn ID: 2116, flow_id: VPN:116 on board, sibling_flags 80000040, crypto card: SDM_CMAP_1
    calendar of his: service life remaining (k/s) key: (4301637/2809)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE (ACTIVE)

    outgoing ah sas:

    outgoing CFP sas:

    Routing crypto isakmp #sh its
    IPv4 Crypto ISAKMP Security Association
    DST CBC conn-State id
    76.W.E.R 75.X.X.X QM_IDLE 1055 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    In your acl, nat, you will need to refuse your VPN traffic before you allow the subnet at all. Just put all the declarations of refusal before the declarations of licence.

    Sent by Cisco Support technique iPhone App

  • Ipad Cisco ipsec VPN connects but not access to the local network

    Hi guys,.

    I am trying to connect our ipads to vpn to access network resources. IPSec cisco ipad connects but not lan access and cannot ping anything not even not the interfaces of the router.

    If I configure the vpn from cisco on a laptop, it works perfectly, I can ping all and can access resources on the local network if my guess is that the traffic is not going in the tunnel vpn between ipad and desktop.

    Cisco 877.

    My config is attached.

    Any ideas?

    Thank you

    Build-in iPad-client is not useful to your configuration.

    You have three options:

    (1) remove the ACL of your vpn group. Without split tunneling client will work.

    2) migrate legacy config crypto-map style. Here, you can use split tunneling

    3) migrate AnyConnect.

    The root of the problem is that the iPad Gets the split tunneling-information. But instead of control with routing traffic should pass through the window / the tunnel and which traffic is allowed without the VPN of the iPad tries to build a set of SAs for each line in your split-tunnel-ACL. But with the model-virtual, SA only is allowed.

  • I am trying to create a VPN connection, but it does not work

    I am trying to create a VPN connection, but it does not work
    The wizard cannot establish a connection. And if I try to record simply does not connect
    It does not work. If I try to click on find the problem, there simply
    do nothing.
    I tried it on another pc, where it worked. So the problem is not the
    router or data network. And the curious thing is that I installed it before, but only from one day to the other, the VPN connection was missing.

    It does not create even a the connection icon
    Thank you

    Try a system restore to a Date before the problem began:

    Restore point:

    http://www.howtogeek.com/HOWTO/Windows-Vista/using-Windows-Vista-system-restore/

    Do Safe Mode system restore, if it is impossible to do in Normal Mode.

    Try typing F8 at startup and in the list of Boot selections, select Mode safe using ARROW top to go there > and then press ENTER.

    Try a restore of the system once, to choose a Restore Point prior to your problem...

    Click Start > programs > Accessories > system tools > system restore > choose another time > next > etc.

    http://www.windowsvistauserguide.com/system_restore.htm

    Read the above for a very good graph shows how backward more than 5 days in the System Restore Points by checking the correct box.

    See you soon.

    Mick Murphy - Microsoft partner

  • I am trying to create a VPN connection, but when I get to the step that allows me to create the VPN, the radial buttons are greyed out.

    I am trying to create a VPN connection, but when I get to the step that allows me to create the VPN, the radial buttons are grayed out, it is a Windows component is missing and does not allow me to create VPN. I am running Windows XP Home addition. I recently got a Malware attack and had the quarantine and fix trojen attempts. After the restoration, I found that my previous VPN connection was broken. When I tried to add a new connection, I'm stuck on the screen connection virtual network in the the radial button private network connection wizard is grayed out, he could not check.

    Hello

    Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the Windows XP TechNet forum. You can follow the link to your question:

    http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

  • I created a vpn connection, but can I create a shortcut to connect every time?

    I created a vpn connection, but can I create a shortcut to connect every time?

    I created a vpn connection, but can I create a shortcut to connect every time?

    Open network and sharing Center, go to the Edit card settings window and drag the VPN icon on your desktop.

  • creates a VPN connection so that I can take a connection away from my house

    Hi team,

    I work in an organization. Every night I lock my computer with background tasks as syncing files or downloads to occur. The next day morning I come and see that the download could be interrupted (Failed) because of the loss of the internet. Which means that the internet is not active. Synchronization of files even will be pasted in the half of the progress. Don't know what is the problem and why didn't the network disconnects.
    I few of my colleagues who do the same thing, but they are not facing this problem. During the day, when I work - I don't really see any problem. There is no disconnect and no problem at all.
    I wanted to check what is happening and created a VPN connection so that I can take a connection away from my home.  But I wouldn't be able to connect to my computer because of the loss of network or whatever.
    Help, please.
    I connect using WIFI on my laptop
    I have Lenovo ThinkPad Edge.
    Windows 7

    Hello

    The question you posted would be better suited to the TechNet community. Please visit the link below to find a community that will provide the support you want.

    http://social.technet.Microsoft.com/forums/en/category/w7itpro, w8itpro, windowsvistaitpro, windowsxpitpro, windowsintune

  • am getting only a few wifi I do not receive my freewifi company, I was gettig 2 days before now I can't connect, but my roommate can connect

    am getting only a few wifi I do not receive my freewifi company, I was gettig 2 days before now I can't connect, but my roommate can connect

    Hi Vijay,

    1. have you made changes on the computer before this problem?

    2. you receive an error message or error code?

    This problem can occur because network settings, refer to the steps in the following Microsoft article and check.

    How to troubleshoot wireless network connections in Windows XP Service Pack 2: http://support.microsoft.com/kb/870702

    Manage your network connections: http://windows.microsoft.com/en-in/windows-xp/help/networking/manage-network-connections

    To set up automatic wireless network configuration: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wlan_client_configure.mspx?mfr=true

    Hope that the information provided is useful.

  • I published my site to Business Catalyst and purchased and installation by area, but the site can be seen only with the help of a search engine. The site is visible when I type the url address, but can't find a search engine

    I published my site to Business Catalyst and purchased and installation by area, but the site can be seen only with the help of a search engine. The site is seen when I type the url address, but can not find with search engines.

    Hello

    I suggest you sign upward to Google Webmaster tools (free) and check your site (directions are in the webmaster tools) and

    also consider joining Google analytic (also free).  Analytical will allow you to 'see' who is visiting your site and how they experience through research, order the seizure of the URL, or through the links, etc.  Also from where they come, how much per day, etc.  Lots of good information.

    In addition, through this document by google

    Check the performance of your site - webmaster help search

    Let me know if you have any question.

  • IPSec VPN: connected to the VPN but cannot access resources

    Hello

    I configured a VPN IPSec on two ISP with IP SLA configured, there is a redundancy on the VPN so that if address main is it connect to the VPN backup.

    QUESTIONS

    -Connect to the primary address and I can access resources

    -backup address to connect but can not access resources for example servers

    I want a way to connect to backup and access on my servers resources. Please help look in the config below

    configuration below:

    interface GigabitEthernet0/0

    LAN description

    nameif inside

    security-level 100

    IP 192.168.202.100 255.255.255.0

    !

    interface GigabitEthernet0/1

    Description CONNECTION_TO_DOPC

    nameif outside

    security-level 0

    IP address 2.2.2.2 255.255.255.248

    !

    interface GigabitEthernet0/2

    Description CONNECTION_TO_COBRANET

    nameif backup

    security-level 0

    IP 3.3.3.3 255.255.255.240

    !

    !

    interface Management0/0

    Shutdown

    No nameif

    no level of security

    no ip address

    management only

    !

    boot system Disk0: / asa831 - k8.bin

    boot system Disk0: / asa707 - k8.bin

    passive FTP mode

    clock timezone WAT 1

    DNS domain-lookup outside

    DNS server-group DefaultDNS

    Name-Server 4.2.2.2

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    network of object obj-200

    192.168.200.0 subnet 255.255.255.0

    Description LAN_200

    network of object obj-202

    192.168.202.0 subnet 255.255.255.0

    Description LAN_202

    network of the NETWORK_OBJ_192.168.30.0_25 object

    subnet 192.168.30.0 255.255.255.128

    network of the RDP_12 object

    Home 192.168.202.12

    Web server description

    service object RDP

    source eq 3389 destination eq 3389 tcp service

    network obj012 object

    Home 192.168.202.12

    the Backup-PAT object network

    192.168.202.0 subnet 255.255.255.0

    NETWORK LAN UBA description

    the DM_INLINE_NETWORK_1 object-group network

    object-network 192.168.200.0 255.255.255.0

    object-network 192.168.202.0 255.255.255.0

    the DM_INLINE_NETWORK_2 object-group network

    network-object object obj-200

    network-object object obj-202

    access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

    access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

    OUTSIDE_IN list extended access permit icmp any any idle state

    OUTSIDE_IN list extended access permit tcp any object obj012 eq inactive 3389

    gbnltunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

    standard access list gbnltunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

    BACKUP_IN list extended access permit icmp any any idle state

    access extensive list ip 196.216.144.0 encrypt_acl allow 255.255.255.192 192.168.202.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    backup of MTU 1500

    Backup2 MTU 1500

    local pool GBNLVPNPOOL 192.168.30.0 - 192.168.30.100 255.255.255.0 IP mask

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow any backup

    ASDM image disk0: / asdm-645 - 206.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside, outside) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

    NAT (inside, outside) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 non-proxy-arp-search of route static destination

    !

    network of object obj-200

    NAT dynamic interface (indoor, outdoor)

    network of object obj-202

    dynamic NAT (all, outside) interface

    network obj012 object

    NAT (inside, outside) interface static service tcp 3389 3389

    the Backup-PAT object network

    dynamic NAT interface (inside, backup)

    !

    NAT source auto after (indoor, outdoor) dynamic one interface

    Access-group interface inside INSIDE_OUT

    Access-group OUTSIDE_IN in interface outside

    Access-group BACKUP_IN in the backup of the interface

    Route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 followed by 100

    Backup route 0.0.0.0 0.0.0.0 3.3.3.3 254

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    WebVPN

    value of the URL-list GBNL-SERVERS

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    AAA authentication http LOCAL console

    AAA authentication enable LOCAL console

    http server enable 441

    http 192.168.200.0 255.255.255.0 inside

    http 192.168.202.0 255.255.255.0 inside

    http 192.168.2.0 255.255.255.0 inside

    http 192.168.30.0 255.255.255.0 inside

    http 0.0.0.0 0.0.0.0 outdoors

    http 0.0.0.0 0.0.0.0 backup

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    ALS 10 monitor

    type echo protocol ipIcmpEcho 31.13.72.1 interface outside

    NUM-package of 5

    Timeout 3000

    frequency 5

    Annex monitor SLA 10 life never start-time now

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto IPSec_map 10 corresponds to the address encrypt_acl

    card crypto IPSec_map 10 set peer 196.216.144.1

    card crypto IPSec_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    inside crypto map inside_map interface

    ipsec_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    ipsec_map interface card crypto outside

    gbnltunnel card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    backup of crypto gbnltunnel interface card

    Crypto ca trustpoint ASDM_TrustPoint0

    Terminal registration

    name of the object CN = GBNLVPN.greatbrandsng.com, O = GBNL, C = ng

    Configure CRL

    Crypto ikev1 allow inside

    Crypto ikev1 allow outside

    Crypto ikev1 enable backup

    IKEv1 crypto policy 10

    authentication crack

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 20

    authentication rsa - sig

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 30

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 40

    authentication crack

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 50

    authentication rsa - sig

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 60

    preshared authentication

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 70

    authentication crack

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 80

    authentication rsa - sig

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 90

    preshared authentication

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 100

    authentication crack

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 110

    authentication rsa - sig

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 120

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 130

    authentication crack

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 140

    authentication rsa - sig

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 150

    preshared authentication

    the Encryption

    sha hash

    Group 2

    life 86400

    enable client-implementation to date

    !

    track 10 rtr 100 accessibility

    !

    Track 100 rtr 10 accessibility

    Telnet 192.168.200.0 255.255.255.0 inside

    Telnet 192.168.202.0 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.202.0 255.255.255.0 inside

    SSH 192.168.200.0 255.255.255.0 inside

    SSH 0.0.0.0 0.0.0.0 inside

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 0.0.0.0 0.0.0.0 backup

    SSH timeout 30

    SSH group dh-Group1-sha1 key exchange

    Console timeout 0

    management-access inside

    a basic threat threat detection

    threat detection statistics

    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

    WebVPN

    allow outside

    enable backup

    activate backup2

    internal gbnltunnel group policy

    attributes of the strategy of group gbnltunnel

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    greatbrandsng.com value by default-field

    Group Policy 'Group 2' internal

    type of remote access service

    type tunnel-group gbnltunnel remote access

    tunnel-group gbnltunnel General-attributes

    address GBNLVPNPOOL pool

    Group Policy - by default-gbnltunnel

    gbnltunnel group of tunnel ipsec-attributes

    IKEv1 pre-shared-key *.

    type tunnel-group GBNLSSL remote access

    type tunnel-group GBNL_WEBVPN remote access

    attributes global-tunnel-group GBNL_WEBVPN

    Group Policy - by default-gbnltunnel

    tunnel-group 196.216.144.1 type ipsec-l2l

    IPSec-attributes tunnel-group 196.216.144.1

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    HPM topN enable

    Cryptochecksum:6004bf457c9c0bc1babbdbf1cd8aeba5

    : end

    When you say that "the external interface is downwards using failover techniques" you mean this failover occurred because the ASA is no longer able to reach the 31.13.72.1?  Not that the actual interface is broken?

    If this is the case, then the NATing is your problem.  Since you're using the same VPN pool for VPN connections the ASA cannot distinguish between the two streams of traffic if the external interface is still in place.  The SLA tracking only removes a route in the routing table, but does not affect what happens in the NAT process.

    try to change the NAT statement follows him and the test (don't forget to remove the other statements to exempt of NAT for this traffic during the test):

    NAT (inside,any) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

    If this does not work, I would either turn off the external interface when a failover occurs, or create a second connection profile that contains a separate mass of IP for the VPN connection and ask users to connect using this profile when a failover takes place.  Don't forget to create Nat exempt instructions for this traffic also.

    --

    Please note all useful posts

  • VPN connects but no remote LAN access

    Hello

    I'll put up on a PIX 501 VPN remote access.

    When I try to connect via VPN software, I am able to connect but I am unable to access LAN resources.

    I have pasted below part of which seems relevant to my setup. I'm stuck on this issue, could someone help me? Thanks in advance.

    ethernet0 nameif outside security0
    nameif ethernet1 inside the security100
    test.local domain name
    name 10.0.2.0 inside
    name 10.0.2.13 MSExchange-en
    2.2.2.2 the MSExchange-out name

    outside_access_in tcp allowed access list all gt 1023 host 2.2.2.2 eq smtp
    outside_access_in list access permit tcp any host 2.2.2.2 eq https
    outside_access_in list access permit tcp any host 2.2.2.2 eq www
    inside_outbound_nat0_acl 10.0.2.0 ip access list allow 255.255.255.0 192.168.235.0 255.255.255.192
    access-list 101 permit icmp any one

    3.3.3.3 exterior IP address 255.255.255.0
    IP address inside 10.0.2.254 255.255.255.0
    IP local pool vpn_pool 192.168.235.1 - 192.168.235.15
    IP local pool vpn_pool_2 192.168.235.16 - 192.168.235.40

    1 3.3.3.4 (outside) global
    NAT (inside) 0-list of access inside_outbound_nat0_acl
    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside, outside) 2.2.2.2 10.0.2.13 netmask 255.255.255.255 1000 1000
    Access-group outside_access_in in interface outside
    Route outside 0.0.0.0 0.0.0.0 3.3.3.1 1

    RADIUS Protocol RADIUS AAA server
    AAA-server RADIUS (inside) host 10.0.2.3 * timeout 10
    AAA-server local LOCAL Protocol

    Permitted connection ipsec sysopt
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto-map dynamic dynmap 10 game of transformation-ESP-3DES-MD5
    map outside_map 90-isakmp ipsec crypto dynamic dynmap
    card crypto outside_map the LOCAL RADIUS client authentication
    outside_map interface card crypto outside
    ISAKMP allows outside
    part of pre authentication ISAKMP policy 20
    ISAKMP policy 20 3des encryption
    ISAKMP policy 20 md5 hash
    20 2 ISAKMP policy group
    ISAKMP duration strategy of life 20 86400
    vpngroup signal address vpn_pool pool
    vpngroup dns-server 10.0.2.3 signal
    vpngroup default-field test.local signal
    vpngroup idle time 1800 signal
    vpngroup max-time 14400 signal
    signal vpngroup password *.
    vpngroup TF vpn_pool_2 address pool
    vpngroup dns-server 10.0.2.3 TF
    TF vpngroup default-domain test.local
    vpngroup TF 1800 idle time
    vpngroup max-time 14400 TF
    TF vpngroup password *.

    Kind regards

    Joana

    Very similar to the question of the configuration of the switch. You should check if there is no specific roads on the switch outside the default gateway. The switch should route the subnet pool ip to the firewall (10.0.2.254).

  • established - VPN connection, but cannot connect to the server?

    vpn connection AnyConnect is implemented - but cannot connect to the server? The server IP is 192.168.0.4

    Thank you

    ASA Version 8.2 (1)

    !

    hostname ciscoasa5505

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.0.3 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 208.0.0.162 255.255.255.248

    !

    interface Vlan5

    Shutdown

    prior to interface Vlan1

    nameif dmz

    security-level 50

    IP address dhcp setroute

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    clock timezone PST - 8

    clock summer-time recurring PDT

    DNS lookup field inside

    DNS server-group DefaultDNS

    192.168.0.4 server name

    Server name 208.0.0.11

    permit same-security-traffic intra-interface

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service TS-780-tcp - udp

    port-object eq 780

    object-group service Graphon tcp - udp

    port-object eq 491

    Allworx-2088 udp service object-group

    port-object eq 2088

    object-group service allworx-15000 udp

    15000 15511 object-port Beach

    object-group service udp allworx-2088

    port-object eq 2088

    object-group service allworx-5060 udp

    port-object eq sip

    object-group service allworx-8081 tcp

    EQ port 8081 object

    object-group service web-allworx tcp

    EQ object of port 8080

    allworx udp service object-group

    16001 16010 object-port Beach

    object-group service allworx-udp

    object-port range 16384-16393

    object-group service remote tcp - udp

    port-object eq 779

    object-group service billing1 tcp - udp

    EQ object of port 8080

    object-group service billing-1521 tcp - udp

    port-object eq 1521

    object-group service billing-6233 tcp - udp

    6233 6234 object-port Beach

    object-group service billing2-3389 tcp - udp

    EQ port 3389 object

    object-group service olivia-3389 tcp - udp

    EQ port 3389 object

    object-group service olivia-777-tcp - udp

    port-object eq 777

    netgroup group of objects

    network-object host 192.168.0.15

    network-object host 192.168.0.4

    object-group service allworx1 tcp - udp

    8080 description

    EQ object of port 8080

    allworx_15000 udp service object-group

    15000 15511 object-port Beach

    allworx_16384 udp service object-group

    object-port range 16384-16393

    DM_INLINE_UDP_1 udp service object-group

    purpose of group allworx_16384

    object-port range 16384 16403

    object-group service allworx-5061 udp

    range of object-port 5061 5062

    object-group service ananit tcp - udp

    port-object eq 880

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-6233

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-1521

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing2-3389

    outside_access_in list extended access permit tcp any host 208.0.0.164 eq https

    outside_access_in list extended access permit tcp any host 208.0.0.164 eq www

    outside_access_in list extended access permit tcp any host 208.0.0.164 eq ftp

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing1

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 EQ field

    outside_access_in list extended access permit tcp any host 208.0.0.162 eq www

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 remote object-group

    outside_access_in list extended access permit tcp any host 208.0.0.162 eq smtp

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 object-group olivia-777

    outside_access_in list extended access permit udp any host 208.0.0.162 - group Allworx-2088 idle object

    outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5060

    outside_access_in list extended access permit tcp any host 208.0.0.162 object-group web-allworx inactive

    outside_access_in list extended access permit tcp any host 208.0.0.162 object-group inactive allworx-8081

    outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-15000

    outside_access_in list extended access permit udp any host 208.0.0.162 DM_INLINE_UDP_1 idle object-group

    outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5061

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 inactive ananit object-group

    outside_access_in list extended access deny ip host 151.1.68.194 208.0.0.164

    permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

    permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

    permit access ip 192.168.0.0 scope list outside_20_cryptomap 255.255.255.0 172.16.0.0 255.255.0.0

    Ping list extended access permit icmp any any echo response

    inside_access_in of access allowed any ip an extended list

    permit access ip 192.168.0.0 scope list outside_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0

    access-list 1 standard allow 192.168.0.0 255.255.255.0

    pager lines 24

    Enable logging

    logging buffered stored notifications

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    MTU 1500 dmz

    IP local pool 192.168.100.30 - 192.168.100.60 mask 255.255.255.0 remote_pool

    192.168.0.20 mask - distance local pool 255.255.255.0 IP 192.168.0.50

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    NAT (outside) 1 192.168.0.0 255.255.255.0

    alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255

    public static tcp (indoor, outdoor) interface 192.168.0.4 smtp smtp netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface field 192.168.0.4 netmask 255.255.255.255 area

    public static tcp (indoor, outdoor) interface 192.168.0.4 www www netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface 777 192.168.0.15 777 netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface 779 192.168.0.4 779 netmask 255.255.255.255

    public static (inside, outside) udp interface field 192.168.0.4 netmask 255.255.255.255 area

    public static tcp (indoor, outdoor) interface 880 192.168.0.16 880 netmask 255.255.255.255

    static (inside, outside) 208.0.0.164 tcp 3389 192.168.0.185 3389 netmask 255.255.255.255

    inside_access_in access to the interface inside group

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 208.0.0.161 1

    Route inside 192.168.50.0 255.255.255.0 192.168.0.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.0.0 255.255.255.0 inside

    http 192.168.0.3 255.255.255.255 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Sysopt noproxyarp inside

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 1 match address outside_cryptomap

    card crypto outside_map 1 set pfs

    peer set card crypto outside_map 1 108.0.0.97

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    card crypto outside_map 20 match address outside_20_cryptomap

    card crypto outside_map 20 set pfs

    peer set card crypto outside_map 20 69.0.0.54

    outside_map crypto 20 card value transform-set ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life no

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 1

    life no

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    identifying client DHCP-client interface dmz

    dhcpd outside auto_config

    !

    dhcpd address 192.168.0.20 - 192.168.0.50 inside

    dhcpd dns 192.168.0.4 208.0.0.11 interface inside

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    allow outside

    SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

    enable SVC

    tunnel-group-list activate

    attributes of Group Policy DfltGrpPolicy

    internal group anyconnect strategy

    attributes of the strategy group anyconnect

    VPN-tunnel-Protocol svc webvpn

    WebVPN

    list of URLS no

    SVC request enable

    encrypted olivia Zta1M8bCsJst9NAs password username

    username of graciela CdnZ0hm9o72q6Ddj encrypted password

    tunnel-group 69.0.0.54 type ipsec-l2l

    IPSec-attributes tunnel-group 69.0.0.54

    pre-shared-key *.

    tunnel-group 108.0.0.97 type ipsec-l2l

    IPSec-attributes tunnel-group 108.0.0.97

    pre-shared-key *.

    tunnel-group anyconnect type remote access

    tunnel-group anyconnect General attributes

    remote address pool

    strategy-group-by default anyconnect

    tunnel-group anyconnect webvpn-attributes

    Group-alias anyconnect enable

    !

    Global class-card class

    match default-inspection-traffic

    !

    !

    World-Policy policy-map

    Global category

    inspect the icmp

    !

    service-policy-international policy global

    : end

    ASDM location 208.0.0.164 255.255.255.255 inside

    ASDM location 192.168.0.15 255.255.255.255 inside

    ASDM location 192.168.50.0 255.255.255.0 inside

    ASDM location 192.168.1.0 255.255.255.0 inside

    don't allow no asdm history

    Right now your nat 0 (NAT exemption) follows the access list:

    permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

    permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

    Traffic back from your server to 192.168.0.4 in the pool of VPN (192.168.0.20 - 50) not correspond to this access list and thus be NATted. The TCP connection will not develop due to the failure of the Reverse Path Forwarding (RPF) - traffic is asymmetric NATted.

    Then try to add an entry to the list of access as:

    permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.0.0 255.255.255.0

    It's a bit paradoxical but necessary that your VPN pool is cut out in your interior space network. You could also do like André offers below and use a separate network, but you would still have to add an access list entry to exempt outgoing NAT traffic.

  • Remote VPN connected but do not go anywhere.

    within the network - ASA5505 = internet = remote VPN client.

    The ASA has a public IP address on the external interface and using PAT to the internet. He has only two interfaces, both inside and outside using the vlan. I created an IPSec VPN through CLI. My goal is for the remote client through the tunnel to through the Internet.

    Q1: Is it possible?

    Q2: the remote side is connected and has the IP address of the pool, with fact part of the network. But he can do nothing, including the gateway, which is inside the ping interface. I debug him, it shows the ASA receives the ping packets, but it is not send anything to the client. All recommend would be appreciated.

    Thank you

    Han

    Hello

    Can you please paste the result of ipconfig/all here?

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • AnyConnect VPN connected but not in LAN access

    Hello

    I just connfigured an ASA to remote VPN. I think everything works but I do not have access

    for customers in the Local LAN behind the ASA.

    PC <==internet==>outside of the SAA inside<=LAN=> PC

    After AnyConnect has established the connection I can ping inside the Interface of the ASA

    but I can't Ping the PC behind the inside Interface.

    Here is the config of the ASA5505:

    : Saved

    :

    ASA Version 8.2 (1)

    !

    asa5505 hostname

    activate 8Ry2YjIyt7RRXU24 encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.1.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 192.168.178.254 255.255.255.0

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    Shutdown

    !

    interface Ethernet0/3

    Shutdown

    !

    interface Ethernet0/4

    Shutdown

    !

    interface Ethernet0/5

    Shutdown

    !

    interface Ethernet0/6

    Shutdown

    !

    interface Ethernet0/7

    Shutdown

    !

    passive FTP mode

    Inside_ICMP list extended access permit icmp any any echo response

    Inside_ICMP list extended access permit icmp any any source-quench

    Inside_ICMP list extended access allow all unreachable icmp

    Inside_ICMP list extended access permit icmp any one time exceed

    access-list outside_cryptomap_2 note ACL traffic von ASA5505 zur ASA5510

    outside_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

    no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

    no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.178.0 255.255.255.0

    tunnel of splitting allowed access list standard 192.168.1.0 255.255.255.0

    pager lines 24

    Within 1500 MTU

    Outside 1500 MTU

    mask 192.168.1.10 - 192.168.1.15 255.255.255.0 IP local pool SSLClientPool

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access no_NAT

    NAT (inside) 1 192.168.1.0 255.255.255.0

    Access-group Inside_ICMP in interface outside

    Route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

    Route outside 192.168.10.0 255.255.255.0 192.168.178.230 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication http LOCAL console

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set-3DESSHA FRA esp-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 2 match address outside_cryptomap_2

    peer set card crypto outside_map 2 192.168.178.230

    card crypto outside_map 2 game of transformation-FRA-3DESSHA

    outside_map interface card crypto outside

    Crypto ca trustpoint localtrust

    registration auto

    domain name full cisco - asa5505.fritz.box

    name of the object CN = cisco - asa5505.fritz.box

    sslvpnkeypair key pair

    Configure CRL

    Crypto ca certificate chain localtrust

    certificate fa647850

    3082020b a0030201 30820174 020204fa 0d06092a 64785030 864886f7 0d 010104

    0500304 06035504 03131763 6973636f 617361 35353035 2e667269 2d 3120301e a

    747a2e62 6f783126 30240609 2a 864886 f70d0109 02161763 6973636f 2d 617361

    2e667269 35353035 747a2e62 6f78301e 170d 3132 31303132 31383434 31305a 17

    323231 30313031 38343431 06035504 03131763 6973636f 3120301e 305a304a 0d

    617361 35353035 2e667269 747a2e62 6f783126 2a 864886 30240609 f70d0109 2D

    6973636f 02161763 2d 617361 35353035 2e667269 747a2e62 6f783081 9f300d06

    d6279e1c 8181009f 092a 8648 86f70d01 01010500 03818d 30818902 00 38454fc 9

    705e1e58 762edc35 e64262fb ee55f47b 8d62dda2 102c8a22 c97e395f 2a9c0ebb

    f2881528 beb6e9c3 89d91dda f7fe77a4 2a1fda55 f8d930b8 3310a05f 622dfc8f

    d48ea749 7bbc4520 68 has 06392 d65d3b87 0270e41b 512a4e89 94e60167 e2fa854a

    87ec04fa e95df04f 3ff3336e c7437e30 ffbd90b5 47308502 03010001 300 d 0609

    2a 864886 04050003 81810065 cc9e6414 3c322d1d b191983c 97b474a8 f70d0101

    2e5c7774 9d54d3ec fc4ee92d c72eef27 a79ce95a da83424f b05721c0 9119e7ea

    c5431998 e6cd8272 de17b5ff 5b1839b5 795fb2a0 2d10b479 056478fa 041555dd

    bfe3960a 4fe596ec de54d58b a5fa187e 5967789a a26872ef a33b73ec 7d7673b9

    c8af6eb0 46425cd 2 765f667d 4022c 6

    quit smoking

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    management-access inside

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    localtrust point of trust SSL outdoors

    WebVPN

    allow outside

    SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image

    SVC disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 image

    enable SVC

    tunnel-group-list activate

    internal SSLClientPolicy group strategy

    attributes of Group Policy SSLClientPolicy

    VPN-tunnel-Protocol svc

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split tunnel

    the address value SSLClientPool pools

    WebVPN

    SVC Dungeon-Installer installed

    time to generate a new key of SVC 30

    SVC generate a new method ssl key

    SVC request no svc default

    username password asdm privilege Yvx83jxa2WCRAZ/m number 15

    hajo 2w8CnP1hHKVozsC1 encrypted password username

    hajo attributes username

    type of remote access service

    tunnel-group 192.168.178.230 type ipsec-l2l

    IPSec-attributes tunnel-group 192.168.178.230

    pre-shared-key *.

    type tunnel-group SSLClientProfile remote access

    attributes global-tunnel-group SSLClientProfile

    Group Policy - by default-SSLClientPolicy

    tunnel-group SSLClientProfile webvpn-attributes

    enable SSLVPNClient group-alias

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:0008564b545500650840cf27eb06b957

    : end

    What wrong with my setup.

    Concerning

    Hans-Jürgen Guenter

    Hello Hans,.

    You should change your VPN pool to be a different subnet within the network, for example: 192.168.5.0/24

    Then configure NAT exemption for traffic between the Interior and the pool of vpn.

    Based on your current configuration, the following changes:

    mask 192.168.5.10 - 192.168.5.15 255.255.255.0 IP local pool SSLClientPool

    no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0

    And then also to enable icmp inspection:

    Policy-map global_policy

    class inspection_default

    inspect the icmp

Maybe you are looking for

  • Satellite L300 - FN keys do not work on Windows XP

    Do not show you where to find the procedure for installing drivers downloaded from the official site (do not touch work FN)? Place the common Module, the overload of the laptop, then put the controls, but the controls reported an error: "your compute

  • Hilfedatei wird nicht found

    Hallo, DIAdem lasst sich die Hilfefunktion nicht use, da er die Datei in dem Verzeichnis nicht will. Ist alle Daten der Hilfebibliothek sind available. Heissen soll ich die Hilfe Manuell categories, aber nicht via Diadem is zugreifen kann. There're e

  • Impossible to install an update

    I get an error message 80070663

  • APPCRASH

    I just downloaded army Americas 3 and every time I try to play a problem occurs. the description of the problem, it's APPCRASH.normally I blame the game for it but the same thing happens when I open the sansa media converter

  • Phones smart blackBerry torch 9800 - poor performance

    Hi all am new to this forum and I am a new user of bb. the smartphone has become very slow, in any procedure. Frankly, I don't know how to resume the previous much better performance (i.e. watch open applications, manually force their release, etc.).