EZ-VPN Cisco cannot access internal network

Hello,

I configured an EZ-VPN on my router, but after a successful VPN login I can't ping my internal network or access any of its resources. Also, I can't ping my router's VPN client IP address.

Can someone take a look at my config?

Here is my config:

Current configuration : 7730 bytes
!
! Last configuration change at 16:24:55 UTC Tue Jun 14 2011 by suncci
! NVRAM config last updated at 20:21:30 UTC Fri Jun 10 2011 by suncci
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_VPN local
aaa authorization exec default local
aaa authorization network AUTHORIZE_VPN local
!
!
aaa session-id common
ip cef
!
!
ip name-server 208.67.222.222
ip name-server 205.188.146.145
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1861908046
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1861908046
 revocation-check none
 rsakeypair TP-self-signed-1861908046
!
!
crypto pki certificate chain TP-self-signed-1861908046
 certificate self-signed 01
  (self-signed certificate hex dump omitted: it is garbled in the forum export and has no bearing on the problem)
  quit
!
!
username xxxxx privilege 15 password 0 xxxxxx
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 5
!
crypto isakmp client configuration group Sun-VPN-Group
 key 12345
 dns 208.67.222.222
 pool VPN_Pool
 acl VPN_Test
crypto isakmp profile ISAKMP_Profile_EZVPN
   match identity group Sun-VPN-Group
   client authentication list AUTH_VPN
   isakmp authorization list AUTHORIZE_VPN
   client configuration address respond
   client configuration group Sun-VPN-Group
   virtual-template 1
!
!
crypto ipsec transform-set Sun-VPN esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_Profile_EZVPN
 set transform-set Sun-VPN
 set isakmp-profile ISAKMP_Profile_EZVPN
!
!
class-map type inspect match-all internal
 match protocol tcp
 match protocol udp
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
class-map type inspect match-all Internet
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all traffic-IntraNet-InterNet
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group name InterNet-to-IntraNet-ACL
class-map type inspect match-all traffic-InterNet-IntraNet
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect InterNet-IntraNet-policy
 class type inspect traffic-IntraNet-InterNet
  inspect
 class class-default
  drop
policy-map type inspect IntraNet-InterNet-policy
 class type inspect traffic-InterNet-IntraNet
  inspect
 class class-default
  drop
policy-map type inspect sdm-policy-Internet
 class type inspect Internet
  inspect
 class class-default
policy-map type inspect sdm-policy-internal
 class type inspect internal
  inspect
 class class-default
  drop
!
zone security Internet
zone security internal
zone security IntraNet
 description All interfaces connected to the Intranet
zone security InterNet
 description All interfaces connected to the Internet
zone-pair security sdm-zp-internal-self source internal destination self
 service-policy type inspect sdm-policy-Internet
zone-pair security IntraNet-InterNet source IntraNet destination InterNet
 service-policy type inspect IntraNet-InterNet-policy
zone-pair security InterNet-IntraNet source InterNet destination IntraNet
 service-policy type inspect InterNet-IntraNet-policy
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 description $ETH-WAN$ external PPPoE interface
 no ip address
 ip mask-reply
 ip nat outside
 ip virtual-reassembly
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport access vlan 10
!
interface FastEthernet0/4
 switchport access vlan 10
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 zone-member security IntraNet
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_Profile_EZVPN
!
interface Vlan10
 description $FW_INSIDE$
 ip address 192.168.0.3 255.255.255.0
 ip mask-reply
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 zone-member security IntraNet
 ip route-cache flow
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 zone-member security InterNet
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname pty/69733
 ppp chap password 0 DSLconnect
 ppp pap sent-username pty/69733 password 0 DSLconnect
!
ip local pool VPN_Pool 192.168.1.30 192.168.1.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended InterNet-to-IntraNet-ACL
 permit tcp any 192.168.0.0 0.0.0.255
 permit udp any 192.168.0.0 0.0.0.255
 permit icmp any 192.168.0.0 0.0.0.255
 deny   ip any any
ip access-list extended Internet
 remark Internet
 remark SDM_ACL Category=2
 remark all
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN_Test
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map NAT permit 10
 match ip address NAT
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 30 12
 privilege level 15
 logging synchronous
 transport input telnet ssh
!
ntp clock-period 17208070
ntp server 17.151.16.21
end
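The NAT ACL above, as posted, has the permit-to-any before the deny for the VPN pool. IOS evaluates an ACL top-down and stops at the first match, so that deny can never match and the ACL exempts nothing. Whether that actually bites depends on where the packet egresses (ip nat inside source only translates on a nat-inside to nat-outside path, and the virtual-template is not nat outside), but it is the kind of ordering slip worth checking mechanically. The Python below is an added example, not part of the original post: it parses a constructed excerpt of the config above (plus a hypothetical reordered ACL), reports the shadowed entry, evaluates the NAT ACL for a constructed LAN host 192.168.0.10 talking to a constructed pool client 192.168.1.30, and checks whether a pool lies inside a non-loopback interface subnet. That last check is the situation in the WebVPN 2821 and ASA 5505 threads further down; the WebVPN sketch assumes an inside address of 192.168.162.1/24, which that thread does not give.

```python
import ipaddress
import re

# Constructed excerpt of the posted config; the NAT ACL keeps the posted order.
POSTED_CONFIG = """\
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface Vlan10
 ip address 192.168.0.3 255.255.255.0
ip local pool VPN_Pool 192.168.1.30 192.168.1.40
ip nat inside source route-map NAT interface Dialer1 overload
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map NAT permit 10
 match ip address NAT
"""
# Hypothetical corrected order: the exemption has to come before the permit.
FIXED_CONFIG = POSTED_CONFIG.replace(
    " permit ip 192.168.0.0 0.0.0.255 any\n deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255\n",
    " deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255\n permit ip 192.168.0.0 0.0.0.255 any\n")
# Constructed sketch of the WebVPN 2821 thread; the inside address is assumed.
WEBVPN_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.162.1 255.255.255.0
ip local pool webvpn-pool 192.168.162.212 192.168.162.218
"""

def wildcard_to_net(addr, wildcard):
    """IOS wildcard mask to network (contiguous wildcards only)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_target(tokens):
    """Consume one ACE address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_net(tokens[0], tokens[1]), tokens[2:]

def parse_config(text):
    """Return (acls, pools, subnets): named extended ACLs as ordered ACE lists,
    local pools as (first, last) addresses, interface subnets by name."""
    acls, pools, subnets = {}, {}, {}
    acl = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):            # a top-level command closes any block
            acl = iface = None
            if m := re.match(r"ip access-list extended (\S+)", line):
                acl = m.group(1)
                acls[acl] = []
            elif m := re.match(r"interface (\S+)", line):
                iface = m.group(1)
            elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
                pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                     ipaddress.IPv4Address(m.group(3)))
            continue
        words = line.split()
        if acl and words[0] in ("permit", "deny"):
            src, rest = parse_target(words[2:])
            dst, _ = parse_target(rest)
            acls[acl].append((words[0], words[1], src, dst))
        elif iface and (m := re.match(r"ip address (\S+) (\S+)", line)):
            subnets[iface] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return acls, pools, subnets

def acl_decision(aces, src, dst, proto="ip"):
    """First-match evaluation; None is the implicit deny at the end of the ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, snet, dnet in aces:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action
    return None

def shadowed_aces(aces):
    """Indexes of ACEs entirely covered by an earlier ACE of the opposite action."""
    hits = []
    for i, (action, proto, src, dst) in enumerate(aces):
        for e_action, e_proto, e_src, e_dst in aces[:i]:
            if (e_action != action and e_proto in ("ip", proto)
                    and src.subnet_of(e_src) and dst.subnet_of(e_dst)):
                hits.append(i)
                break
    return hits

def lan_pool_overlaps(pools, subnets):
    """(pool, interface) pairs where the pool lies inside a non-loopback subnet;
    a loopback used for 'ip unnumbered' is expected to contain the pool."""
    return sorted((pool, ifname) for pool, (lo, hi) in pools.items()
                  for ifname, net in subnets.items()
                  if not ifname.startswith("Loopback") and (lo in net or hi in net))

def lan_to_pool_is_natted(text, lan_host, pool_client):
    """True when the NAT ACL would translate LAN->pool traffic on an
    inside->outside path; a working exemption makes this False."""
    acls, _, _ = parse_config(text)
    return acl_decision(acls["NAT"], lan_host, pool_client) == "permit"

if __name__ == "__main__":
    acls, pools, subnets = parse_config(POSTED_CONFIG)
    print("shadowed ACEs in NAT:", shadowed_aces(acls["NAT"]))
    print("LAN->pool NATted (posted order):",
          lan_to_pool_is_natted(POSTED_CONFIG, "192.168.0.10", "192.168.1.30"))
    print("LAN->pool NATted (deny first):  ",
          lan_to_pool_is_natted(FIXED_CONFIG, "192.168.0.10", "192.168.1.30"))
    print("pool inside a LAN subnet:", lan_pool_overlaps(*parse_config(WEBVPN_CONFIG)[1:]))
```

Run as a script it prints the four findings; the functions work on any IOS text that uses `ip access-list extended`, `ip local pool` and `interface` / `ip address` in the standard syntax (numbered access-lists, object groups and non-contiguous wildcards are not handled).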

As I mentioned earlier, you can of course ping 192.168.0.2 from the router because they are in the same subnet. When you ping on the same subnet, ARP is used instead of routing to reach the device.

Is the switch configured with the correct default gateway? The switch must be configured with the default gateway 192.168.0.3.

You also mention that you can ping 192.168.0.30, which is beyond the router. This means that it is not a router VPN configuration error but rather the end host you are trying to ping, since you can ping 192.168.0.30.

Tags: Cisco Security

Similar Questions

  • Cannot access internal network with AnyConnect SSL VPN, ASA 9.1(6)

    Hello Cisco support community,

    I have a lab which consists of two virtual environments connected to a 3750-G switch, which is connected to a 2901 router, which is connected to an ASA 5512-X, which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside, but once connected I can't access internal network resources or the internet. My network information and ASA configuration are listed below. Thank you for any assistance you can offer.

    ISP gateway network: 10.1.10.0/24

    ASA-to-router network: 10.1.40.0/30

    VPN DHCP pool: 10.1.30.0/24

    Range network: 10.1.20.0/24

    Development network: 10.1.10.0/24

    : Saved
    :
    : Serial Number: FCH18477CPT
    : Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
    :
    ASA Version 9.1(6)
    !
    hostname ctcndasa01
    enable password bcn1WtX5vuf3YzS3 encrypted
    names
    ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 10.1.40.1 255.255.255.252
    !
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address X.X.X.237 255.255.255.248
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa916-1-smp-k8.bin
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_10.1.30.0_24
     subnet 10.1.30.0 255.255.255.0
    object network obj_any
    object network obj_10.1.40.0
     subnet 10.1.40.0 255.255.255.0
    object network obj_10.1.30.0
     subnet 10.1.30.0 255.255.255.0
    access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
    access-list NAT-FREE extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
    access-list 101 extended permit icmp any4 any4 echo-reply
    access-list split standard permit 10.1.40.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    !
    router eigrp 1
     network 10.1.10.0 255.255.255.0
     network 10.1.20.0 255.255.255.0
     network 10.1.30.0 255.255.255.0
     network 10.1.40.0 255.255.255.252
    !
    route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    http X.X.X.238 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     fqdn none
     subject-name CN=10.1.30.254,CN=ctcndasa01
     keypair ASDM_LAUNCHER
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
     certificate c902a155
      (self-signed certificate hex dump omitted: garbled in the forum export)
      quit
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 360
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
     anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
     anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_cnd-vpn internal
    group-policy GroupPolicy_cnd-vpn attributes
     wins-server none
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ssl-client
     default-domain none
    username xxxx password GCOh1bma8K1tKZHa encrypted
    tunnel-group cnd-vpn type remote-access
    tunnel-group cnd-vpn general-attributes
     address-pool cnd-vpn-dhcp-pool
     default-group-policy GroupPolicy_cnd-vpn
    tunnel-group cnd-vpn webvpn-attributes
     group-alias cnd-vpn enable
    !
    class-map ICMP-class
     match default-inspection-traffic
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map icmp_policy
     class ICMP-class
      inspect icmp
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    service-policy icmp_policy interface outside
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
    : end

    Can you confirm that this is correct: your diagram shows your public IP on the ASA as 30, while on the 'outside' interface you have assigned it as 29?

  • WebVPN cannot access internal network on 2821

    Hello, I'm trying to configure WebVPN to my internal network. The client connects to the router, but I can't ping my internal network from it. Also, I've lost ping between hosts on the internal network. I can only ping the gateway (192.168.162.0).

    IOS Version 15.1(4)M9

    ip local pool webvpn-pool 192.168.162.212 192.168.162.218

    ip nat inside source list 1 interface GigabitEthernet0/0 overload

    access-list 1 permit 192.168.162.0 0.0.0.255

    webvpn gateway Cisco-WebVPN-Gateway
     ip address X.X.X.X port 1025
     ssl encryption rc4-md5
     ssl trustpoint my-trustpoint
     inservice
    !
    webvpn context Cisco-WebVPN
     title "Easy VPN"
     ssl authenticate verify all
     !
     url-list "rewrite"
     !
     acl "ssl-acl"
       permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
     !
     login-message "Cisco Secure WebVPN"
     !
     policy group webvpnpolicy
       functions svc-enabled
       functions svc-required
       filter tunnel ssl-acl
       svc address-pool "webvpn-pool" netmask 255.255.255.0
       svc rekey method new-tunnel
       svc split include 192.168.162.0 255.255.255.0
     default-group-policy webvpnpolicy
     aaa authentication list sslvpn
     gateway Cisco-WebVPN-Gateway
     max-users 2
     inservice
    !
    !

    Hello,

    I saw the VPN configuration:

    policy group webvpnpolicy
      functions svc-enabled
      functions svc-required
      filter tunnel ssl-acl
      svc address-pool "webvpn-pool" netmask 255.255.255.0
      svc rekey method new-tunnel
      svc split include 192.168.162.0 255.255.255.0
    default-group-policy webvpnpolicy
    aaa authentication list sslvpn
    gateway Cisco-WebVPN-Gateway
    max-users 2
    inservice

    acl "ssl-acl"
      permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0

    ip local pool webvpn-pool 192.168.162.212 192.168.162.218

    ip nat inside source list 1 interface GigabitEthernet0/0 overload

    access-list 1 permit 192.168.162.0 0.0.0.255

    I recommend the following:

    1. Use a local IP pool with a different range than the one used in the internal network (routing issues).

    2. Remove the VPN filter; it is completely useless, since it covers the same thing the split tunnel does:

    webvpn context Cisco-WebVPN
     policy group webvpnpolicy
      no filter tunnel ssl-acl

    3. Use an ACL on the NAT and create the NAT exemption for the inside network to the local IP pool:

    ip access-list extended NAT
     deny ip 192.168.162.0 0.0.0.255 XXXX XXXXX    --> network of the IP pool
     permit ip 192.168.162.0 0.0.0.255 any

    ip nat inside source list NAT interface GigabitEthernet0/0 overload

    These are the changes I recommend you apply.

    Please don't forget to rate and mark the helpful post as correct!

    David Castro,

  • Help, please! Connected to the VPN, but cannot access internal servers.

    Hi friends,

    I'm a newbie with VPN stuff. I set up a basic VPN on a Cisco ASA 5505 using ASDM, and I was able to connect to it. However, I can't SSH or RDP to one of the servers in the house after I connect to the VPN. Here is the configuration. Help, please!

    ASA Version 8.2(5)
    !
    hostname sc-asa
    domain-name abc.com
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxx encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name OpenDNS.com
    access-list sc-pool_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd lease 86400 interface inside
    dhcpd domain abc.com interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    group-policy abc-sc internal
    group-policy abc-sc attributes
     dns-server value 208.67.222.222 192.168.1.3
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value abc-sc_splitTunnelAcl
     default-domain value abc.com
    username a001 password xxxxxxxxxxx encrypted
    username a002 password xxxxxxxxxxx encrypted
    username a003 password xxxxxxxxxxx encrypted privilege 0
    username a003 attributes
     vpn-group-policy abc-sc
    username a004 password xxxxxxxxxxx encrypted privilege 0
    username a004 attributes
     vpn-group-policy abc-sc
    username a005 password xxxxxxxxxxx encrypted
    username a006 password xxxxxxxxxxx encrypted
    username a007 password xxxxxxxxxxx encrypted privilege 15
    tunnel-group abc-sc type remote-access
    tunnel-group abc-sc general-attributes
     address-pool sc-pool
     default-group-policy abc-sc
    tunnel-group abc-sc ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e7df4fa4b60a252d806ca5222d48883b
    : end

    Hello,

    I would suggest you start by changing the VPN pool to something other than the current LAN network and see if that helps.

    These should be the configuration changes required to achieve this:

    • First remove the VPN pool from the VPN configuration
    • Then delete the VPN pool and create it again with another address space
    • Then attach this new VPN pool to the VPN configuration again
    • In the last step, add a NAT0 / NAT exempt configuration for this new VPN pool and remove the old ACL line for the former VPN pool

    tunnel-group abc-sc general-attributes
     no address-pool sc-pool

    no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

    ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0

    tunnel-group abc-sc general-attributes
     address-pool sc-pool

    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

    no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240

    - Jouni

  • The VPN clients cannot access any internal address

    Without a doubt need help from an expert on this one...

    Attempting to set up VPN client access on an ASA 5520 that has been used only as a firewall so far. The ASA was recently updated to Version 7.2(4).

    Problem: once connected, the VPN client cannot access anything whatsoever. The VPN client cannot ping any address on the internal networks, or even the inside interface of the ASA.

    (Hopefully) relevant details:

    (1) The tunnel seems to be up. Clients are authenticated by the ASA and are able to connect.

    (2) Per many other related posts, I ran a "sh crypto ipsec sa" to look at the output: it appears that packets are decapsulated and decrypted, but NOT encapsulated or encrypted (see the attached "sh crypto ipsec sa" output).

    (3) Per the other related posts, we added the NAT traversal related commands (crypto isakmp nat-traversal 20, crypto isakmp ipsec-over-tcp port 10000). These were in fact absent from our configuration.

    (4) We tried TCP encapsulation and UDP encapsulation with experimental client profiles: same result in both cases.

    (5) If I (attempt to) ping an internal IP address from the connected client, the ASA real-time log entries show the setup and teardown of the ICMP requests from the client to the internal target.

    (6) A packet capture on the internal address (the one we try to ping from the VPN client) shows that the ICMP request was received and answered. (See the attached capture.)

    (7) Our goal is to create about 10 different VPN client profiles, each with different combinations of access to the internal VLAN or the DMZ VLAN. We have no preference for the type of encryption or method, as long as it is secure and it works: that said, do not hesitate to recommend a different approach altogether.

    We have tried everything we can think of, so any help or advice would be greatly appreciated!

    The sanitized ASA configuration is also attached.

    Thank you!

    It should be the last step :)

    On the 6509:

    ip route 172.16.100.0 255.255.255.0 172.16.20.2

    and on the ASA:

    no route inside 172.16.40.0 255.255.255.0 172.16.20.2
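The symptom described in this thread (decaps/decrypt counters rising, encaps/encrypt flat, the internal host seen answering in a capture) is the signature of a missing return route: the reply leaves the host but never comes back to the ASA, and the fix was a static route on the 6509 for the client pool. The following is an added example, not from the post, that walks a reply from the server's gateway toward the VPN client through constructed routing tables, with and without that route. Only 172.16.100.0/24 (the pool) and 172.16.20.2 (read here as the ASA inside interface, since the 6509's new route uses it as next hop) come from the answer; the 6509 addresses 172.16.20.1 and 172.16.40.1, the server VLAN 172.16.40.0/24, the internet edge 172.16.20.254 and the ASA's route to the server VLAN are assumptions for the walk-through, and the second line of the fix (the ASA route removal) is not modelled.

```python
import ipaddress

ASA_INSIDE = ipaddress.IPv4Address("172.16.20.2")     # from the answer's route commands
VPN_POOL = ipaddress.IPv4Network("172.16.100.0/24")   # from the answer's route commands
CORE_IP = ipaddress.IPv4Address("172.16.20.1")        # assumed 6509 address on the ASA VLAN
EDGE_IP = ipaddress.IPv4Address("172.16.20.254")      # assumed separate internet edge

def net(s):
    return ipaddress.IPv4Network(s)

def build_tables(with_fix):
    """Constructed routing tables keyed by device. A next hop is either an
    IPv4Address (forward to whichever device owns it) or a terminal string:
    'connected' (deliver locally), 'crypto' (the ASA hands it to IPsec), 'internet'."""
    core = [(net("172.16.20.0/24"), "connected"),
            (net("172.16.40.0/24"), "connected"),        # assumed server VLAN
            (net("0.0.0.0/0"), EDGE_IP)]
    if with_fix:  # the answer's fix: ip route 172.16.100.0 255.255.255.0 172.16.20.2
        core.append((VPN_POOL, ASA_INSIDE))
    return {
        "6509": {"owns": {CORE_IP, ipaddress.IPv4Address("172.16.40.1")}, "routes": core},
        "ASA": {"owns": {ASA_INSIDE}, "routes": [
            (net("172.16.20.0/24"), "connected"),
            (net("172.16.40.0/24"), CORE_IP),            # assumed: ASA reaches servers via the 6509
            (VPN_POOL, "crypto"),                        # client routes installed by the tunnel
            (net("0.0.0.0/0"), "internet")]},
        "EDGE": {"owns": {EDGE_IP}, "routes": [(net("0.0.0.0/0"), "internet")]},
    }

def lpm(routes, dst):
    """Longest-prefix match; None when nothing (not even a default) matches."""
    best = None
    for prefix, nh in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best

def trace(tables, first_hop, dst, max_hops=8):
    """Devices a packet to dst visits, starting at first_hop, ending with the
    terminal that absorbed it ('blackhole' when a hop has no route at all)."""
    dst = ipaddress.IPv4Address(dst)
    path, dev = [first_hop], first_hop
    for _ in range(max_hops):
        hit = lpm(tables[dev]["routes"], dst)
        if hit is None:
            return path + ["blackhole"]
        nh = hit[1]
        if isinstance(nh, str):
            return path + [nh]
        owner = next((d for d, t in tables.items() if nh in t["owns"]), None)
        if owner is None:
            return path + [f"unknown next hop {nh}"]
        path.append(owner)
        dev = owner
    return path + ["loop"]

def reply_reaches_vpn(with_fix, client="172.16.100.10"):
    """True when the server's reply, handed to its gateway (the 6509), ends in
    the ASA's IPsec; False is the 'encaps stays at zero' case from the thread."""
    return trace(build_tables(with_fix), "6509", client)[-1] == "crypto"

if __name__ == "__main__":
    for fixed in (False, True):
        label = "with 6509 route" if fixed else "as found       "
        print(label, trace(build_tables(fixed), "6509", "172.16.100.10"))
    print("forward path   ", trace(build_tables(False), "ASA", "172.16.40.10"))
```

Before the fix the reply trace ends at the internet edge; after it, at the ASA's IPsec. The same walk run in the forward direction, from the ASA to a server, ends "connected" on the 6509 either way, which is consistent with the capture showing the request arriving while the tunnel's encaps counter never moves.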

  • Cannot access the network ERR_NETWORK_ACCESS_DENIED

    I have Windows 7. Nothing works; I tried Chrome (which will not even load) and Firefox (it has been a constant problem with Gmail for well over a year).

    Cannot access the network

    ERR_NETWORK_ACCESS_DENIED
    Google Chrome cannot access the network.

    Maybe it's because your firewall or antivirus software wrongly thinks that Google Chrome is an intruder on your computer and is blocking it from connecting to the Internet.

    Allow Chrome to access the network in your firewall or antivirus settings.
    If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.

    I tried the above, but can't seem to solve the problem. Thank you.

    Hello Paul,

    Thanks for posting your question on the Microsoft Community.

    I would like to know some information about the problem so that we can help you better.

    Does the same problem occur when you use Internet Explorer?

    Thank you for the details on the issue and for your efforts to resolve it.

    If the problem also occurs when you use Internet Explorer, I suggest you follow the steps in this article and check if it helps.
    Reference:
    Can't access some Web sites in Internet Explorer
    https://support.Microsoft.com/en-us/KB/967897

    Note: The Reset Internet Explorer Settings feature can reset security or privacy settings that you have added to the list of Trusted Sites. Resetting Internet Explorer settings can also reset parental control settings. We recommend that you note these sites before you use Reset Internet Explorer Settings. Resetting Internet Explorer is not reversible, and all previous settings are lost after the reset.

    Also see this article:
    Understanding Windows Firewall settings
    http://Windows.Microsoft.com/en-us/Windows/understanding-firewall-settings#1TC=Windows-7

    Note: Firewall and antivirus software can help protect your computer against viruses and other security threats. In most cases, you should not turn off your antivirus software and firewall. If you need to disable them temporarily to install other software, you should re-enable them as soon as you are finished. If you are connected to the Internet or a network while your antivirus software and firewall are disabled, your computer is vulnerable to attacks.

    For help with Google Chrome, I suggest you post your question on the Google Chrome forums.
    http://productforums.Google.com/d/Forum/chrome

    I hope this information helps.

    Please let us know if you need more help.

    Thank you

  • Cisco ASA 5505 VPN L2TP cannot access the internal network

    Hello

    I'm trying to configure a Cisco L2TP VPN to my office. After a successful login, I can't access the internal network.

    Can you help me find the problem?

    I have a Cisco ASA:

    inside network - 192.168.1.0

    VPN network - 192.168.168.0

    I have a router at 192.168.1.2 and I cannot ping or access this router.

    Here is my config:

    ASA Version 8.4(3)
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 198.X.X.A 255.255.255.248
    !
    ftp mode passive
    same-security-traffic permit intra-interface
    object network net-all
     subnet 0.0.0.0 0.0.0.0
    object network vpn_local
     subnet 192.168.168.0 255.255.255.0
    object network inside_nw
     subnet 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sales_addresses 192.168.168.1-192.168.168.254
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic net-all interface
    nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
    nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
    !
    object network vpn_local
     nat (outside,outside) dynamic interface
    object network inside_nw
     nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd dns 75.75.75.75 76.76.76.76 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy sales_policy internal
    group-policy sales_policy attributes
     dns-server value 75.75.75.75 76.76.76.76
     vpn-tunnel-protocol l2tp-ipsec
    username -
    username -
    tunnel-group DefaultRAGroup general-attributes
     address-pool sales_addresses
     default-group-policy sales_policy
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
    : end

    Thanks for your help.

    You must test with 'real' traffic to 192.168.1.2, and if you use ping, you must add ICMP inspection:

    policy-map global_policy
     class inspection_default
      inspect icmp

    --

    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Why can't my VPN clients access network drives and resources?

    I have a Cisco ASA 5505 configured as a VPN gateway. I can dial in using the AnyConnect VPN client. The remote user is assigned an IP address according to my specifications. However... the remote user cannot access network resources such as network disks or the fax server. I've done everything I can to set the right NAT settings and ACLs, but in vain. I'm posting my config... If someone can track down the problem, it would be appreciated!

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname ciscoasa
    domain-name cisco
    enable password xxxxxxxxxxxxx
    passwd xxxxxxxxxxxxxxxxx
    names
    name 68.191.xxx.xxx outside
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.201.200 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address outside 255.255.255.0
    !
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.201.1
     domain-name cisco
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group network obj-192.168.201.0
    access-list NAT-FREE extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0
    access-list NAT-FREE extended permit ip 192.168.202.0 255.255.255.0 any
    access-list NAT-FREE extended permit ip 192.168.202.0 255.255.255.0 any
    access-list NAT-FREE extended permit icmp any any
    access-list [name lost in translation] extended permit ip any any
    access-list [name lost in translation] extended permit object-group TCPUDP any any
    access-list [name lost in translation] extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit object-group TCPUDP any any
    access-list inside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group TCPUDP any any
    access-list outside_access_in extended permit icmp any any
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
    access-list inside_nat0_outbound extended permit icmp any any
    access-list inside_nat0_outbound_1 extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 192.168.201.0 255.255.255.0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
    route inside 0.0.0.0 255.255.255.255 outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.201.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     keypair xxx
     proxy-ldc-issuer
     crl configure
      XXXXXXXXXXXXXXXXXXXXXXXX
      quit
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     enable inside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc enable
     tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 192.168.201.1
     vpn-tunnel-protocol svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
     default-domain value cisco
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     webvpn
      svc ask enable
    group-policy KunduVPN internal
    group-policy KunduVPN attributes
     wins-server none
     dns-server value 192.168.201.1
     vpn-tunnel-protocol svc webvpn
     default-domain value cisco
    username xxxx
    username xxxxx
     vpn-group-policy DfltGrpPolicy
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNIP
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    tunnel-group KunduVPN type remote-access
    tunnel-group KunduVPN general-attributes
     address-pool (inside) VPNIP
     address-pool KunduVPN
     authentication-server-group (inside) LOCAL
     default-group-policy KunduVPN
    tunnel-group KunduVPN webvpn-attributes
     group-alias KunduVPN enable
     group-url https://68.191.xxx.xxx/KunduVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
    : end

    Hello

    What is the gateway IP address of the LAN hosts/servers?

    If it is not the ASA 'inside' interface IP address, then I assume that the VPN problem is simply routing.

    For example, if your LAN hosts/servers use a wireless LAN router as their gateway, then the following would happen to your VPN client connections.

    • VPN client users log in through a static PAT (port forward) configured on the wireless router to the ASA "inside" interface
    • VPN client sends traffic through the VPN to the ASA and on to the LAN host/server.
    • LAN host/server sees the connection from a network other than the LAN (192.168.202.0/24) and therefore forwards the return traffic to its default gateway, which would likely be the wireless router.
    • Wireless router has no route to the 192.168.202.0/24 network (VPN pool) and therefore uses its default route to forward the traffic to the external network.
    • VPN client host never receives the traffic back, as it was sent out on the external network and dropped by the ISP

    So if the above assumption is correct, then you would at least need a route configured on the wireless router that tells the device to forward traffic for the 192.168.202.0/24 network to the 192.168.201.200 gateway IP address (which is the ASA)

    Let me know if the setup is as described above.

    -Jouni

  • ASA 5505 VPN established, cannot access inside the network

    Hi, I recently got an ASA 5505, and I have spent weeks finding a way to set up a VPN on it.

    After a few days, I finally found the solution to connect to my ASA with a VPN client, yet I cannot access the devices that are connected to the ASA.

    Here is my config:

    ASA Version 8.2(5)
    !
    hostname asa01
    domain-name kevinasa01.net
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
     switchport access vlan 5
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Vlan5
     no nameif
     security-level 50
     ip address 172.16.1.1 255.255.255.0
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name kevinasa01.net
    same-security-traffic permit intra-interface
    access-list Remote_Kevin_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
    access-list sheep-in extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit ip 192.168.254.0 255.255.255.0 any
    access-list inside_access_in extended permit ip 192.168.254.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (outside) 1 192.168.254.0 255.255.255.0
    nat (inside) 0 access-list sheep-in
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy Remote_Kevin internal
    group-policy Remote_Kevin attributes
     dns-server value 192.168.1.12 192.168.1.13
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Remote_Kevin_splitTunnelAcl
     default-domain value kevinasa01.net
    username kevin password mz6JxJib/sQqvsw9 encrypted privilege 0
    username kevin attributes
     vpn-group-policy Remote_Kevin
    tunnel-group Remote_Kevin type remote-access
    tunnel-group Remote_Kevin general-attributes
     address-pool
     default-group-policy Remote_Kevin
    tunnel-group Remote_Kevin ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
    : end

    Thank you

    Hello

    I read your message quickly on my cell phone. I don't know why you have posted your config twice. Maybe a typo issue.

    I see the acl sheep-in is the wrong way around. I mean 192.168.254.0 is your VPN pool and 192.168.1.0 your local LAN.

    The acl must be:

    access-list sheep-in extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

    For nat (inside), you have 2 lines:

    nat (inside) 1 192.168.1.0 255.255.255.0 ==> this is redundant, as the line below with the same id 1 does the same thing for more networks on the inside side. You can delete it.
    nat (inside) 1 0.0.0.0 0.0.0.0

    Why are you doing this nat (outside)?

    nat (outside) 1 192.168.254.0 255.255.255.0

    These are the first issues I have seen by reading through my mobile. Let's change these and let me know. I'll take a look later with a computer (tonight or tomorrow)

    Thank you.

    PS: Please do not forget to rate and mark as correct answer if this solves your problem.

  • Remote VPN users cannot access tunnel from site to site

    Cisco ASA5505.

    I have a site-to-site tunnel set up from our office to our Amazon AWS VPC.  I'm not a network engineer and have spent way too much time just to get to this point.

    It works very well from within the office, but remote VPN users cannot access the site-to-site tunnel.  All other remote access looks very good.

    The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

    Any help or advice would be greatly appreciated.  It is probably super simple for someone who knows what they're doing to see the problem.

    Hi Paul.

    Looking at your configuration:

    Remote access:

    group-policy RA_GROUP internal
    group-policy RA_GROUP attributes
     dns-server value 8.8.8.8 8.8.4.4
     vpn-tunnel-protocol IPSec
     split-tunnel-network-list value Split_Tunnel_List

    same-security-traffic permit intra-interface

    tunnel-group RA_GROUP type remote-access
    tunnel-group RA_GROUP general-attributes
     address-pool RA_VPN_POOL
     default-group-policy RA_GROUP
    tunnel-group RA_GROUP ipsec-attributes
     pre-shared-key *

    ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0

    Site to site:

    crypto map outside_map 1 match address acl-amzn
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
    crypto map outside_map 1 set transform-set transform-amzn

    I recommend that you use a local IP address pool with a different address range from the one the inside interface uses; also, you are missing a NAT exemption from the IP local pool to the site-to-site destination:

    access-list NAT_EXEMPT extended permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0

    nat (outside) 0 access-list NAT_EXEMPT

    Now there is a NAT exemption that allows the traffic to go out without being translated.

    Let me know how it works!

    Please don't forget to rate and mark the helpful post as correct!
     
    Kind regards
     
    David Castro,
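    The direction of a NAT-exemption ACE is what both the "sheep-in" reply above and this site-to-site reply turn on. The following is an added example, not code from any poster or from Cisco: a small Python checker that reads 8.2-style "nat (<if>) 0 access-list" configuration and reports whether a local-to-remote pair is exempt, reversed, or missing. The sample config strings are constructed from the posted lines; all function names are assumptions.

```python
"""Sanity-check an ASA 8.2-style NAT-exemption rule ("nat (<if>) 0 access-list ...").

Added example for the threads above; not the posters' code nor anything from Cisco.
The sample configs are constructed from the posted 'sheep-in' ACL and from the
NAT_EXEMPT suggestion for the site-to-site case. Only 'permit ip' ACEs written with
'any' or address/mask operands are parsed (no host/object-group forms).
"""
import ipaddress
import re

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ACE_RE = re.compile(
    rf"access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+ip\s+"
    rf"(?P<src>any|{IPV4}\s+{IPV4})\s+(?P<dst>any|{IPV4}\s+{IPV4})")
NAT0_RE = re.compile(r"nat\s+\((?P<iface>\w+)\)\s+0\s+access-list\s+(?P<acl>\S+)")
POOL_RE = re.compile(
    rf"ip local pool\s+(?P<name>\S+)\s+(?P<start>{IPV4})\s*-\s*{IPV4}\s+mask\s+(?P<mask>{IPV4})")


def _net(token):
    """Turn 'any' or 'addr mask' into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(config):
    """Collect permit-ip ACEs per ACL, nat-0 bindings per interface, and VPN pools."""
    aces, nat0, pools = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces.setdefault(m["acl"], []).append((_net(m["src"]), _net(m["dst"])))
        elif m := NAT0_RE.match(line):
            nat0[m["iface"]] = m["acl"]
        elif m := POOL_RE.match(line):
            # The pool's network is the start address under the pool mask, e.g. 192.168.254.0/24.
            pools[m["name"]] = ipaddress.ip_network(f"{m['start']}/{m['mask']}", strict=False)
    return aces, nat0, pools


def check_nat0(config, iface, local, remote):
    """Report whether local->remote traffic entering on `iface` is NAT-exempt.

    Returns 'OK', 'REVERSED' (an ACE exists but with source and destination swapped,
    the mistake pointed out in the thread), 'MISSING', or 'NO-NAT0' (no nat 0 on iface).
    """
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    aces, nat0, _ = parse_config(config)
    acl = nat0.get(iface)
    if acl is None or acl not in aces:
        return "NO-NAT0"
    if any(local.subnet_of(s) and remote.subnet_of(d) for s, d in aces[acl]):
        return "OK"
    if any(remote.subnet_of(s) and local.subnet_of(d) for s, d in aces[acl]):
        return "REVERSED"
    return "MISSING"


def lan_to_pool(config, lan, iface="inside"):
    """Check the inside LAN against every VPN pool found in the config."""
    _, _, pools = parse_config(config)
    return {name: check_nat0(config, iface, lan, str(pool)) for name, pool in pools.items()}


# Constructed from the posted config: the ACE is written pool -> LAN.
POSTED = """
ip local pool pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
access-list sheep-in extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list sheep-in
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The same config with the ACE corrected as the reply suggests (LAN -> pool).
FIXED = POSTED.replace(
    "permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0")
# Constructed from the site-to-site reply: exempt the RA pool towards the AWS VPC.
SITE_TO_SITE = """
ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0
access-list NAT_EXEMPT extended permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
nat (outside) 0 access-list NAT_EXEMPT
"""

if __name__ == "__main__":
    print(lan_to_pool(POSTED, "192.168.1.0/24"))  # {'pool': 'REVERSED'}
    print(lan_to_pool(FIXED, "192.168.1.0/24"))   # {'pool': 'OK'}
    print(check_nat0(SITE_TO_SITE, "outside", "10.0.0.0/24", "172.17.0.0/16"))  # OK
```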
     
     
  • AnyConnect VPN users cannot access remote subnets?

    I googled this until blue in the face without result.  I don't understand why Cisco makes this so difficult.  When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access the resources in remote offices.  What should I do to allow my AnyConnect VPN clients access to my remote sites?

    Cisco 5510 8.4

    Hello

    What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that leads traffic to the VPN pool, even if they had no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route is not directed to this ASA, then you would naturally need a route on the remote site (and anything in between) telling the remote site where to reach the 10.10.224.0/24 VPN pool network.

    In addition to routing, you must have NAT0 configured for each remote site and the VPN pool

    Just a simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this

    object-group network REMOTE-SITES
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 10.10.30.0 255.255.255.0
     network-object 10.10.40.0 255.255.255.0
    object network VPN-POOL
     subnet 10.10.224.0 255.255.255.0
    nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

    The above of course assumes that the remote sites are located behind the 'inside' interface (through some network, e.g. MPLS), and naturally the remote site networks are made up for the sake of the example.

    Since you are using a Full Tunnel VPN, there should be no problem with the VPN user forwarding traffic to this ASA in question.

    My first things to check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (regarding reaching the VPN pool, not the ASA's network IP address)

    Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?

    -Jouni

  • VPN ssl cannot access the internet

    Hello guys!

    I need help allowing Internet access for my VPN users. I can connect with AnyConnect but do not have access to the Internet. The subnet for the VPN is 192.168.100.0. I have added this subnet on my Cisco router.

    ISP-> router-> 192.168.0.0-> ASA-> 192.168.1.0 (887VA)

    Here is my config:

    ASA Version 9.1(3)
    ip local pool AnyConnect 192.168.100.1-192.168.100.254 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
     subnet 192.168.100.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    ssl trust-point VPN outside
    ssl trust-point VPN inside
    webvpn
     enable inside
     enable outside
     anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev2 l2tp-ipsec
    group-policy GroupPolicy_VPN internal
    group-policy GroupPolicy_VPN attributes
     wins-server none
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelall
    username alex attributes
     vpn-group-policy GroupPolicy_VPN
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool AnyConnect
     default-group-policy GroupPolicy_VPN
    tunnel-group VPN webvpn-attributes
     group-alias VPN enable

    Thank you very much!

    Hello

    Make sure you have this configuration

    same-security-traffic permit intra-interface

    You can check with

    show run same-security-traffic

    If you don't have it, then add it and test again.

    If it still does not work after this, then check whether your router is seeing this traffic at all. For example, do you see any NAT translations on the router for your VPN users?

    What NAT configuration did you use for testing? I suggested 2 options above.

    The first one was to change the current VPN client NAT0 configuration and add a dynamic PAT for VPN users to the Internet.

    The second was just to change the NAT0 configuration

    -Jouni

  • Help cannot access internal resources

    Hello, I am trying to configure an ASA 5505 at home and connect through the Cisco Secure Mobility Client

    Internal network: 10.37.1.0/24

    Guest network: 10.37.2.0/24

    VPN DHCP: 10.37.3.0/24

    I am only able to connect with the local ASA account, not LDAP as I want. After I connect I get my 10.37.1.0/24 (my internal network) secure route, but I can't ping, RDP, SSH, etc. to anything inside. I get the message below...

    4 Oct 30 2013 12:08:36 10.37.3.130 Deny icmp src outside:10.37.3.130 dst host:SPIDERMAN (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]

    Any help would be greatly appreciated! Thank you.

    : Saved
    : Written by enable_15 at 09:09:04.925 EDT Wed Oct 30 2013
    !
    ASA Version 8.2(5)
    !
    hostname aquaman
    domain-name batcave.local
    enable password O8X.8O1jZvTr6Rh3 encrypted
    passwd zHg4tACBjpuqj6q5 encrypted
    names
    name 10.37.1.99 GREEN-ARROW
    name 208.67.222.222 OpenDNS1 description resolver1.opendns.com
    name 208.67.220.220 OpenDNS2 description resolver2.opendns.com
    name 208.67.222.220 OpenDNS3 description resolver3.opendns.com
    name 208.67.220.222 OpenDNS4 description resolver4.opendns.com
    name 10.37.1.15 THE-HULK
    name 178.33.199.65 ComodoMX1 description mxsrv1.spamgateway.comodo.com
    name 178.33.199.66 ComodoMX2 description mxsrv2.spamgateway.comodo.com
    name 10.37.1.101 SPIDERMAN
    name 10.37.1.10 DAREDEVIL
    name 65.73.180.177 WorkIP
    name 10.37.1.254 OpenVPNAS
    name 10.37.3.0 VPN_DHCP
    name 10.37.2.10 GuestWirelessAP
    name 10.37.1.20 THE-FLASH
    name 10.37.1.200 BR_1
    name 10.37.1.201 BR_2
    name 10.37.1.30 IRONMAN
    name 10.37.1.25 WIKI
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     switchport access vlan 5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif home
     security-level 100
     ip address 10.37.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Vlan5
     nameif guest
     security-level 50
     ip address 10.37.2.254 255.255.255.0
    !
    !
    time-range M-F_9-16
     periodic weekdays 9:00 to 16:00
    !
    banner motd
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server OpenDNS1
     name-server OpenDNS2
     name-server OpenDNS3
     name-server OpenDNS4
     domain-name batcave.local
    same-security-traffic permit inter-interface
    object-group service RDP tcp
     description Remote Desktop Protocol
     port-object eq 3389
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group network ComodoSpamFilter
     network-object host ComodoMX1
     network-object host ComodoMX2
    object-group network OpenDNSServers
     network-object host OpenDNS2
     network-object host OpenDNS4
     network-object host OpenDNS3
     network-object host OpenDNS1
    object-group service VNC tcp
     port-object eq 5900
    object-group service smartmail tcp
     port-object eq 9998
    object-group service http2 tcp
     port-object eq 8080
    object-group service RDP2 tcp
     port-object eq 3789
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ssh
     port-object eq telnet
    object-group network Netflix
     network-object host BR_1
     network-object host BR_2
    object-group service MOP3 tcp
     port-object eq 3999
    access-list outside_access_in extended permit tcp any interface outside object-group RDP log disable
    access-list outside_access_in extended permit tcp any interface outside eq ftp log disable
    access-list outside_access_in extended permit tcp any interface outside eq www log disable
    access-list outside_access_in extended permit tcp object-group ComodoSpamFilter interface outside eq smtp log disable
    access-list outside_access_in extended permit tcp any interface outside object-group smartmail log disable
    access-list outside_access_in extended permit tcp host WorkIP interface outside object-group VNC log disable
    access-list outside_access_in extended permit tcp any interface outside object-group http2 log disable
    access-list outside_access_in extended permit tcp any interface outside object-group RDP2 log disable
    access-list outside_access_in extended permit icmp any interface outside echo-reply log disable
    access-list home_access_in extended permit object-group TCPUDP 10.37.1.0 255.255.255.0 object-group OpenDNSServers eq domain log disable
    access-list home_access_in extended permit object-group TCPUDP host SPIDERMAN any eq domain log disable
    access-list home_access_in extended deny object-group TCPUDP 10.37.1.0 255.255.255.0 any eq domain log disable
    access-list home_access_in extended permit ip any any log disable
    access-list guest_access_in extended permit object-group TCPUDP 10.37.2.0 255.255.255.0 object-group OpenDNSServers eq domain log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any eq ftp log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1 log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group RDP log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group VNC log disable
    access-list guest_access_in extended deny object-group TCPUDP 10.37.2.0 255.255.255.0 any eq domain log disable
    access-list guest_access_in extended permit ip any any log disable time-range M-F_9-16
    access-list Split_Tunnel_List standard permit 10.37.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging trap notifications
    logging asdm informational
    logging device-id hostname
    logging host home THE-FLASH
    mtu home 1500
    mtu outside 1500
    mtu guest 1500
    ip local pool VPN_DHCP 10.37.3.130-10.37.3.139 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any home
    icmp permit host WorkIP outside
    icmp deny any outside
    icmp deny any guest
    asdm image disk0:/asdm-714.bin
    asdm location THE-HULK 255.255.255.255 home
    asdm location WIKI 255.255.255.255 home
    asdm location GREEN-ARROW 255.255.255.255 home
    asdm location OpenDNS2 255.255.255.255 home
    asdm location OpenDNS4 255.255.255.255 home
    asdm location OpenDNS3 255.255.255.255 home
    asdm location OpenDNS1 255.255.255.255 home
    asdm location ComodoMX1 255.255.255.255 home
    asdm location ComodoMX2 255.255.255.255 home
    asdm location SPIDERMAN 255.255.255.255 home
    asdm location DAREDEVIL 255.255.255.255 home
    asdm location WorkIP 255.255.255.255 home
    asdm location OpenVPNAS 255.255.255.255 home
    asdm location VPN_DHCP 255.255.255.0 home
    asdm location GuestWirelessAP 255.255.255.255 home
    asdm location THE-FLASH 255.255.255.255 home
    asdm location IRONMAN 255.255.255.255 home
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 101 interface
    nat (home) 101 0.0.0.0 0.0.0.0
    nat (guest) 101 0.0.0.0 0.0.0.0
    static (home,outside) tcp interface 3389 GREEN-ARROW 3389 netmask 255.255.255.255
    static (home,outside) tcp interface ftp THE-HULK ftp netmask 255.255.255.255
    static (home,outside) tcp interface www THE-HULK www netmask 255.255.255.255
    static (home,outside) tcp interface smtp IRONMAN smtp netmask 255.255.255.255
    static (home,outside) tcp interface 9998 IRONMAN 9998 netmask 255.255.255.255
    static (home,outside) tcp interface 5900 SPIDERMAN 5900 netmask 255.255.255.255
    static (home,outside) udp interface tftp THE-FLASH tftp netmask 255.255.255.255
    static (home,outside) tcp interface 3789 THE-FLASH 3789 netmask 255.255.255.255
    static (home,outside) tcp interface 8080 WIKI 8080 netmask 255.255.255.255
    access-group home_access_in in interface home
    access-group outside_access_in in interface outside
    access-group guest_access_in in interface guest
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server BATCAVE protocol ldap
    aaa-server BATCAVE (home) host DAREDEVIL
     ldap-base-dn OU=Users,DC=batcave,DC=local
     ldap-group-base-dn memberOf=CN=Cisco VPN Users,OU=Groups,OU=staff,DC=batcave,DC=local
     ldap-naming-attribute sAMAccountName
     ldap-login-password npYDApHrdVjOTcj8kJha
     ldap-login-dn CN=Cisco LDAP account,OU=Service accounts,DC=batcave,DC=local
     server-type microsoft
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization exec LOCAL
    http server enable 3737
    http WorkIP 255.255.255.255 outside
    http 10.37.1.0 255.255.255.0 home
    http redirect outside 80
    http redirect home 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    no vpn-addr-assign aaa
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh GREEN-ARROW 255.255.255.255 home
    ssh SPIDERMAN 255.255.255.255 home
    ssh DAREDEVIL 255.255.255.255 home
    ssh WorkIP 255.255.255.255 outside
    ssh timeout 10
    ssh version 2
    console timeout 30
    dhcpd auto_config outside
    !
    dhcprelay server DAREDEVIL home
    dhcprelay enable guest
    dhcprelay setroute guest
    dhcprelay timeout 60
    priority-queue home
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 64.90.182.55 source outside prefer
    tftp-server home THE-FLASH /
    webvpn
     enable home
     enable outside
     svc image disk0:/anyconnect-win-3.1.04066-k9_3.pkg 1
     svc enable
    group-policy DfltGrpPolicy attributes
     dns-server value 10.37.1.10
     vpn-simultaneous-logins 1
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_List
     default-domain value batcave.local
     webvpn
      svc ask enable default webvpn
    username aquaman password KKOPGG99Bk0xyhXS encrypted privilege 15
    username jared password YlQ4V6UbWiR/Dfov encrypted privilege 15
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool VPN_DHCP
    tunnel-group HomeVPN type remote-access
    tunnel-group HomeVPN general-attributes
     address-pool VPN_DHCP
     authentication-server-group BATCAVE
    !
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
    !
    smtp-server 10.37.1.30
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:65c8e856cde7d73200dd38f670613c2b
    : end

    Hi Jared,

    Because your configuration has the 'no sysopt connection permit-vpn' statement, you're missing a NAT exempt rule. This is why you must configure an access list to allow traffic between your RA VPN network and your inside subnet, and apply the rule to your home interface, where the 10.37.1.0/24 is.

    Example:

    access-list nonat_rule extended permit ip 10.37.1.0 255.255.255.0 10.37.3.0 255.255.255.0
    nat (home) 0 access-list nonat_rule

    Give that a try.

    Regards
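    The 106023 message Jared pasted is the evidence behind this answer: the ping from the pool address is being evaluated by the outside interface ACL, which only happens to decrypted VPN traffic when sysopt connection permit-vpn is off. The script below is an added example, not code from this thread: it parses that message shape, resolves the ASA 'name' labels back to addresses, and flags whether the denied source sits in the VPN pool. The log line and 'name' entries are constructed from values in the post; the regex, function names and the triage fields are my own.

```python
import ipaddress
import re

# Constructed sample, modelled on the 106023 message in the post above
# (interface, ACL and host names taken from that thread).
SAMPLE_LOG = (
    '4 Oct 30 2013 12:08:36 10.37.3.130 Deny icmp src outside:10.37.3.130 '
    'dst home:SPIDERMAN (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]'
)
# Constructed excerpt of the 'names' section from the same post.
SAMPLE_NAMES = "names\nname 10.37.1.101 SPIDERMAN\nname 10.37.1.10 DAREDEVIL\n"

# Shape of ASA message 106023 (inbound interface ACL deny); the ICMP type/code part is optional.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src>\S+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_names(cfg):
    """Map each 'name <ip> <label>' line to {label: ip} so log labels can be resolved."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}


def parse_deny(line, names=None):
    """Return the fields of a 106023 deny line, or None if the line is something else."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    names = names or {}
    # The ASA logs configured 'name' labels instead of addresses; resolve them back.
    entry["src"] = names.get(entry["src"], entry["src"])
    entry["dst"] = names.get(entry["dst"], entry["dst"])
    entry["type"] = int(entry["type"]) if entry["type"] is not None else None
    entry["code"] = int(entry["code"]) if entry["code"] is not None else None
    return entry


def triage(entry, vpn_pool):
    """Say whether the denied packet came from a VPN client and which ACL stopped it.

    Decrypted remote-access traffic enters on the VPN-terminating interface, so with
    'no sysopt connection permit-vpn' it is subject to that interface's inbound ACL.
    """
    pool = ipaddress.ip_network(vpn_pool)
    try:
        from_pool = ipaddress.ip_address(entry["src"]) in pool
    except ValueError:  # source is a label that could not be resolved
        from_pool = False
    return {
        "vpn_client": from_pool,
        "blocking_acl": entry["acl"],
        "ingress_interface": entry["src_if"],
        "target": f'{entry["dst_if"]}:{entry["dst"]}',
    }


if __name__ == "__main__":
    entry = parse_deny(SAMPLE_LOG, parse_names(SAMPLE_NAMES))
    print(entry)
    print(triage(entry, "10.37.3.0/24"))
```

    Run against the sample, triage reports vpn_client True, blocking_acl outside_access_in and ingress_interface outside, which is exactly the combination the answer above addresses with the NAT exemption and the sysopt setting.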

  • N600 ea2700 cannot access internal Web sites

    I have a new router, an N600 EA2700, replacing a WRT54G2.

    I have an internal web server configured, with port 80 HTTP redirection to my IIS7 web server with a static IP address.

    I can access my domains from outside my internal network (i.e. my cell phone), but when I type www.mydomain(s).com (one of them) into my browser on a wired or wireless internal computer I get "cannot display this page".

    I can ping www.my... and get a reply from my router's static IP (from my internet provider).

    I can type in the static IP of the web server and get my IIS7 splash screen.

    I was on the phone with Linksys and they could not figure it out, basically saying take the router back to Staples and get a different model.

    I thought I'd ask here before I do that. I would add that if I put the old WRT back I can access it, no problem.

    Any ideas?

    Thank you!

    Sorry, I misunderstood your OP.

    This is called "NAT loopback" and is not available on the Smart Wi-Fi routers.

    Honestly, the firmware of the Wi-Fi chip is not designed for custom networks with servers or DNS requirements.

  • AnyConnect users can access internal network

    Hello!

    Just set up a new AnyConnect VPN solution for a customer. It works almost perfectly.

    AnyConnect users can reach the internal network storage. The AnyConnect users can access the internet, but nothing on the internal network.

    (Deleted all the passwords and public IP addresses)

    ASA 4,0000 Version 1
    !
    hostname ciscoasa
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.9.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address
    !
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 213.80.98.2
     name-server 213.80.101.3
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    access-list SHEEP extended permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    pager lines 24
    logging enable
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    ip local pool SSLClientPool 192.168.9.50-192.168.9.80 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.9.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.9.2-192.168.9.33 inside
    dhcpd option 3 ip 192.168.9.1 interface inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.3046-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy SSLClitentPolicy internal
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
     dns-server value 192.168.9.5
     vpn-tunnel-protocol ssl-client
     address-pools value SSLClientPool
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    tunnel-group VPN type remote-access
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
     default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
     group-alias SSLVPNClient enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a58e90dc61dfbf7ba15e059e5931609
    : end

    Looks like you have sysopt connection permit-vpn disabled; enable it:

    sysopt connection permit-vpn

    Also remove the dynamic NAT, since you have already configured it under the NAT object:

    no nat (inside,outside) source dynamic any interface

    Then 'clear xlate' once again and let us know if it works now.
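    The three answers on this page keep coming back to the same settings: same-security-traffic permit intra-interface when the group policy is tunnelall (Jouni's reply), sysopt connection permit-vpn (the aquaman and SSLClientProfile threads), and a NAT exemption for the VPN pool, written as 'nat (ifc) 0 access-list' on 8.2 or as an identity twice-NAT rule on 8.3 and later. The script below is an added example, not code from any post here: it lints a pasted running-config for those three conditions. The config excerpts are constructed from values in the threads; the checks assume the ASA default of sysopt being enabled (show run only prints the 'no' form), resolve only 'object network' subnet/host entries, and ignore object-groups and other NAT forms.

```python
import ipaddress
import re

# Constructed 8.2-style excerpt modelled on the "aquaman" post: interface ACLs
# apply to VPN traffic (sysopt disabled) and there is no nat 0 exemption.
ASA82_BROKEN = """\
ASA Version 8.2(5)
name 10.37.3.0 VPN_DHCP
ip local pool VPN_DHCP 10.37.3.130-10.37.3.139 mask 255.255.255.0
nat-control
global (outside) 101 interface
nat (home) 101 0.0.0.0 0.0.0.0
no sysopt connection permit-vpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
"""

# Same excerpt after the answer's fix: sysopt back at its default (enabled, so the
# 'no' line disappears from show run) and a nonat ACL bound with nat 0.
ASA82_FIXED = ASA82_BROKEN.replace("no sysopt connection permit-vpn\n", "") + """\
access-list nonat_rule extended permit ip 10.37.1.0 255.255.255.0 10.37.3.0 255.255.255.0
nat (home) 0 access-list nonat_rule
"""

# Constructed 9.x-style excerpt modelled on the first post: an identity twice-NAT
# exemption exists, but the policy is tunnelall without intra-interface permitted.
ASA9X_SAMPLE = """\
ASA Version 9.1(3)
object network NETWORK_OBJ_192.168.100.0_24
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
group-policy GroupPolicy_VPN attributes
 split-tunnel-policy tunnelall
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def config_lines(cfg):
    """Drop blank lines and '!' separators; keep leading spaces, they mark sub-commands."""
    return [l.rstrip() for l in cfg.splitlines() if l.strip() and not l.lstrip().startswith("!")]


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_network_objects(lines):
    """Map 'object network NAME' to its subnet or host (the only forms this check needs)."""
    objs, cur = {}, None
    for l in lines:
        if not l.startswith(" "):
            m = re.fullmatch(r"object network (\S+)", l)
            cur = m.group(1) if m else None
            continue
        parts = l.split()
        if cur and parts[0] == "subnet":
            objs[cur] = _net(parts[1], parts[2])
        elif cur and parts[0] == "host":
            objs[cur] = ipaddress.ip_network(parts[1])
    return objs


def sysopt_permit_vpn(lines):
    """Assumes the ASA default (enabled); only the explicit 'no' form shows in show run."""
    return "no sysopt connection permit-vpn" not in {l.strip() for l in lines}


def hairpin_ok(lines):
    """tunnelall sends VPN users' Internet traffic back out the interface it came in on,
    which the ASA only allows with same-security-traffic permit intra-interface."""
    s = {l.strip() for l in lines}
    return "split-tunnel-policy tunnelall" not in s or "same-security-traffic permit intra-interface" in s


def nat_exemption_ok(lines, inside_if, inside_net, pool_net):
    """True if traffic between inside_net and the VPN pool is exempt from NAT."""
    inside_net, pool_net = ipaddress.ip_network(inside_net), ipaddress.ip_network(pool_net)
    objs = parse_network_objects(lines)
    stripped = [l.strip() for l in lines]
    # 8.2 and earlier: 'nat (ifc) 0 access-list NAME' with an ACL permitting inside -> pool.
    for l in stripped:
        m = re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", l)
        if not m or m.group(1) != inside_if:
            continue
        ace = re.compile(rf"access-list {re.escape(m.group(2))} extended permit ip (\S+) (\S+) (\S+) (\S+)")
        for a in stripped:
            am = ace.fullmatch(a)
            if am and inside_net.subnet_of(_net(am.group(1), am.group(2))) \
                    and pool_net.subnet_of(_net(am.group(3), am.group(4))):
                return True
    # 8.3 and later: identity twice NAT, 'source static X X destination static P P'.
    for l in stripped:
        m = re.match(r"nat \((\S+),(\S+)\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)", l)
        if not m or m.group(1) != inside_if or m.group(3) != m.group(4) or m.group(5) != m.group(6):
            continue
        real = ANY if m.group(3) == "any" else objs.get(m.group(3))
        dest = ANY if m.group(5) == "any" else objs.get(m.group(5))
        if real is not None and dest is not None and inside_net.subnet_of(real) and pool_net.subnet_of(dest):
            return True
    return False


def lint(cfg, inside_if, inside_net, pool_net):
    """Run the three checks from these threads over one running-config."""
    lines = config_lines(cfg)
    return {
        "sysopt_permit_vpn": sysopt_permit_vpn(lines),
        "nat_exemption": nat_exemption_ok(lines, inside_if, inside_net, pool_net),
        "hairpin_for_tunnelall": hairpin_ok(lines),
    }


if __name__ == "__main__":
    print("8.2 broken:", lint(ASA82_BROKEN, "home", "10.37.1.0/24", "10.37.3.0/24"))
    print("8.2 fixed: ", lint(ASA82_FIXED, "home", "10.37.1.0/24", "10.37.3.0/24"))
    print("9.x sample:", lint(ASA9X_SAMPLE, "inside", "192.168.9.0/24", "192.168.100.0/24"))
```

    Paste the output of show run in place of the constructed excerpts and give lint the inside interface name, the inside subnet and the pool. A False for nat_exemption on 8.3+ usually means the pool is only covered by a dynamic rule, which is the situation the reply above fixes by removing the duplicate dynamic NAT and clearing the translations.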
