Common IP addresses between IPSec VPN client and site-to-site VPN

Hello

We have a scenario where a Cisco ASA 5505 will be one end of a site-to-site VPN. The same ASA 5505 also accepts VPN client connections. The issue is around the IP address pool.

If I assign a pool of IP addresses (192.168.1.20 - 192.168.1.30) for VPN client connections, do I need to make sure these same IPs are not used across the site-to-site VPN?

There may be PCs/servers running in 192.168.1.0/24 on the other side of the site-to-site VPN. Would this lead to an address conflict?


I have attached a diagram of the scenario. I would like to know if the 'orange' PC would cause an IP conflict if it gets the same IP as the 'blue' PC - even if one of them is the VPN client and the other is behind the site-to-site VPN.

Thank you.

Absolutely. The VPN client pool must be a single subnet that is not used anywhere within your network.
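The check behind that answer, as an added example (not from the original thread): it takes the client pool from the question, works out the single subnet that would have to be reserved for it, and reports every network it overlaps. The local LAN address and the clean replacement pool are constructed values; the 192.168.1.0/24 remote network comes from the question.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed addressing for the scenario in the question: the VPN client
# pool from the post, an assumed local LAN, and the 192.168.1.0/24 that
# may exist on the far side of the site-to-site tunnel.
CLIENT_POOL = ("192.168.1.20", "192.168.1.30")
NETWORKS = [
    ("local LAN (assumed)", "192.168.10.0/24"),
    ("remote site via site-to-site VPN", "192.168.1.0/24"),
]


def pool_blocks(first, last):
    """CIDR blocks that exactly cover a first-last address pool."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


def covering_subnet(first, last):
    """Smallest single subnet that contains the whole pool.

    This is the prefix that has to be reserved for VPN clients only; it is
    usually larger than the pool itself because a pool range need not be
    aligned to a subnet boundary.
    """
    net = ip_network(f"{first}/32")
    last_addr = ip_address(last)
    while last_addr not in net:
        net = net.supernet()
    return net


def pool_conflicts(first, last, networks):
    """Names of the networks that the client pool overlaps with.

    Any hit is a problem: the firewall cannot tell a VPN client apart from
    a host on the overlapping network, so return traffic is routed to the
    wrong place for one of them.
    """
    blocks = pool_blocks(first, last)
    hits = []
    for name, cidr in networks:
        net = ip_network(cidr, strict=False)
        if any(block.overlaps(net) for block in blocks):
            hits.append(name)
    return hits


def check_pool(first, last, networks):
    """Summarise the checks to run before committing a client pool."""
    return {
        "blocks": [str(b) for b in pool_blocks(first, last)],
        "reserve": str(covering_subnet(first, last)),
        "conflicts": pool_conflicts(first, last, networks),
    }


if __name__ == "__main__":
    print(check_pool(*CLIENT_POOL, NETWORKS))
    # A pool carved from an unused range passes cleanly.
    print(check_pool("10.250.0.1", "10.250.0.254", NETWORKS))
```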

Tags: Cisco Security

Similar Questions

  • IPSec site-to-site VPN from a Cisco 837 router to a FortiGate 200 firewall

    I have a challenge for a site-to-site VPN scenario that may need some brainstorming from you guys.

    So far, I have a configuration planned for this scenario, but I'm not very sure the tunnel I created will work because I have not tested it with this scenario before. I'll go on site next week for this project and hopefully get a solution from brainstorming with you guys. Thanks in advance!

    Network diagram:

    http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

    Challenge:

    (1) configure Cisco R3 IPSec site-to-site VPN between 172.20.10.0 and 10.20.20.0 using crypto maps

    (2) IKE Phase I: main mode, lifetime 28000, md5, DH group 1

    IKE Phase II: esp-des, esp-md5-hmac, tunnel mode

    PSK: sitetositevpn

    Here is my setup for review:

    crypto isakmp policy 10
     encr des
     authentication pre-share
     group 1
     hash md5
    crypto isakmp key sitetositevpn address 210.x.x.66
    !
    crypto ipsec transform-set ciscoset esp-des esp-md5-hmac
    !
    crypto map infotelmap 10 ipsec-isakmp
     set peer 210.x.x.66
     set transform-set ciscoset
     match address 111
    !
    !
    interface Ethernet0
     description LAN 3
     ip address 10.20.20.1 255.255.255.0
     ip nat inside
     service-policy output servers-exit
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     atm vc-per-vp 64
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     ip address 210.x.20.x 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     pvc 8/35
      encapsulation aal5snap
    !
    !
    ip nat inside source list 102 interface ATM0.1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip route 0.0.0.0 0.x.0.x.190.60.66
    no ip http secure-server
    !
    access-list 102 remark NAT traffic
    access-list 102 permit ip 10.20.20.0 0.0.0.255 any
    !
    access-list 111 remark VPN Site-to-Site LAN 3 to LAN 2 network
    access-list 111 permit ip 10.20.20.0 0.0.0.255 x.x.10.0 0.0.0.255

    Kind regards

    Junhan

    Hello

    Three changes are required in this configuration.

    (1) change the NAT access-list 102 as below:

    access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
    access-list 102 permit ip 10.20.20.0 0.0.0.255 any

    (2) apply the crypto map on the point-to-point ATM interface.

    (3) remove one of the default routes.

    Thank you

    Mustafa

  • IPsec site-to-site VPN problem between a Cisco router and an ASA. Help, please

    Hello community,

    I'm stuck configuring a site-to-site VPN between an ASA (OS 9.1) and a Cisco IOS router (IOS 15.2(4)M4).

    Attached are the router and ASA configurations. I also include the router debug output.

    It seems that the two sides have an isakmp configuration mismatch, but I have already disabled the keepalive parameters. I also turned off the PFS setting on both sides. But it does not work. I have no idea about this problem.

    Please help me. Any help appreciated.

    Thank you

    I didn't look any further, but this may be one reason:

    crypto map mymap 1 ipsec-isakmp dynamic dyn1

    The dynamic crypto map must always be the last sequence in a crypto map:

    no crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap 65000 ipsec-isakmp dynamic dyn1

    Try this first, then we can look further.

  • Microsoft L2TP/IPSec VPN on top of an ASA site-to-site VPN

    I have a specialized casino application that requires end-to-end encryption. I'm using the Microsoft L2TP/IPSec stack between my XP machine and my Windows 2003 server on the LAN. Can I use the same Microsoft L2TP/IPSec protocol stack between my XP machine and a Windows Server 2003 at a branch, over the ASA-to-ASA site-to-site VPN tunnel? The ASA site-to-site VPN is a pre-shared-key IPSec VPN that tunnels traffic between our head office and a remote branch.

    In other words, will the ASA site-to-site IPSec VPN allow Microsoft L2TP/IPSec encrypted traffic through? My tunnel ACL would allow full IP access between sites. Something like:

    name 192.168.100.0 TexasSubnet
    name 192.168.200.0 RenoSubnet
    access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0

    Hello

    Yes, L2TP can be encapsulated in IPSec like all other traffic.

    However, make sure that no NAT is performed on either end. L2TP has header protection by default, which will see NAT as packet tampering and reject it.

    Cheers,

    Daniel

  • IPSec VPN client and NAT on a Cisco router = FAIL

    I have a Cisco 3825 router that I have set up for the Cisco IPSec VPN client. The same router also does NAT.

    The IPSec client logs in but cannot reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.

    Suggestions?

    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group myclient
     key password!
     dns 1.1.1.1
     domain name
     pool myVPN
     acl 111
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    crypto map clientmap client authentication list VPN-AAA
    crypto map clientmap isakmp authorization list AAA-VPN
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Loopback0
     ip address 10.88.0.1 255.255.255.0
    !
    interface GigabitEthernet0/0
     description external interface
     ip address 192.168.168.5 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
     crypto map clientmap
    !
    interface GigabitEthernet0/1
     description inside interface
     ip address 10.0.1.10 255.255.255.0
     ip nat inside   <== IPSec client connects, but cannot reach the internal network unless this is removed
     ip virtual-reassembly
     ip route-cache same-interface
     duplex auto
     speed auto
     media-type rj45
    !
    ip local pool myVPN 10.88.0.2 10.88.0.10
    ip route 0.0.0.0 0.0.0.0 192.168.168.1
    ip route 10.0.0.0 255.255.0.0 10.0.1.4
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    !
    access-list 1 permit 10.0.0.0 0.0.255.255
    access-list 111 permit ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 111 permit ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

    Hello

    I think you need to configure the default PAT ACL so that its first statements 'deny' the traffic that is NOT supposed to be translated between the local network and the VPN pool.

    For example, this kind of ACL and NAT configuration:

    access-list 100 remark NAT0 for client VPN
    access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet traffic
    access-list 100 permit ip 10.0.1.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload

    EDIT:
    It seems you could actually have more 10.x networks behind the router.

    Then you could modify the ACL to this:

    access-list 100 remark NAT0 for client VPN
    access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet traffic
    access-list 100 permit ip 10.0.1.0 0.0.255.255 any

    Don't forget to mark correct/helpful replies and/or rate useful answers

    -Jouni
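To see why the order of the deny and permit lines matters, here is an added example (not code from the thread) that evaluates the original ACL 1 and the suggested ACL 100 with IOS first-match, wildcard-mask semantics against two constructed flows: a LAN host talking to the Internet and the same host talking to a VPN client in the 10.88.0.0/24 pool. Only the flow addresses are assumed; the ACL lines are the ones from the posts above.

```python
from ipaddress import ip_address

# Two NAT ACLs from the thread. ACL 1 is the original (every 10.x source is
# translated, including traffic for the VPN pool). ACL 100 is the suggested
# replacement: the deny line exempts LAN-to-pool traffic from PAT and the
# permit line keeps Internet-bound traffic translated.
ORIGINAL_NAT_ACL = "access-list 1 permit 10.0.0.0 0.0.255.255"

FIXED_NAT_ACL = """
access-list 100 remark NAT0 for client VPN
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
access-list 100 remark Default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
"""

ANY = ("0.0.0.0", "255.255.255.255")


def _addr_spec(toks):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_nat_acl(text):
    """Turn numbered ACL lines into (action, src, dst) tuples, skipping remarks."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        action, rest = toks[2], toks[3:]
        if rest[0] == "ip":              # extended: permit|deny ip SRC DST
            src, rest = _addr_spec(rest[1:])
            dst, _ = _addr_spec(rest)
        else:                            # standard: permit|deny SRC
            src, _ = _addr_spec(rest)
            dst = ANY
        aces.append((action, src, dst))
    return aces


def _wild_match(addr, net, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ip_address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)


def nat_applies(aces, src, dst):
    """First matching ACE decides; the implicit deny means 'not translated'."""
    for action, (sn, sw), (dn, dw) in aces:
        if _wild_match(src, sn, sw) and _wild_match(dst, dn, dw):
            return action == "permit"
    return False


# Constructed sample flows: LAN host to the Internet, LAN host to a VPN client.
FLOWS = {
    "lan_to_internet": ("10.0.1.50", "203.0.113.10"),
    "lan_to_vpn_client": ("10.0.1.50", "10.88.0.5"),
}


def evaluate(acl_text):
    """Which of the sample flows would be PAT'd under a given NAT ACL."""
    aces = parse_nat_acl(acl_text)
    return {name: nat_applies(aces, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_NAT_ACL))
    print("fixed:   ", evaluate(FIXED_NAT_ACL))
```

With the original ACL the reply to a VPN client is translated to the outside interface address, which is the symptom in the post; with ACL 100 only Internet-bound traffic is translated.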

  • DPD on site-to-client IPSEC VPN

    Hello

    I configured IPSEC client-to-site and site-to-site tunnels on my ASR routers.

    Although keepalive is enabled on the router, client-to-site tunnels are not disconnected in the event of a client connectivity failure.

    At the same time, site-to-site tunnels are being disconnected by DPD.

    DPD is configured as follows:

    crypto isakmp keepalive 60 10 periodic

    Can someone help me with this problem?

    Thanks in advance

    Regards

    Lukasz

    Hi Lukasz,

    We recently had two common culprits:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto16377

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty52047

    This COULD explain what you see. Check them out; if you use something more recent, we might as well open a TAC case so that we can pull debugs and see.

    M.

  • Client IPSec VPN on ASA 9.0(2)

    Hi all

    I have a problem with the client VPN configuration on my ASA 5512 running ASA 9.0(2). I tried several configurations but it still does not work, not even using the VPN wizard in ASDM.

    Please let me know if I missed something.

    There is no response when I try to connect using VPN Client 5.0.07.0410.

    ASA VERSION

    Cisco Adaptive Security Appliance Software Version 9.0(2)

    Device Manager Version 7.1(2)102

    ###############################################################################################################

    Config 1

    access-list SPLIT standard permit 192.168.100.0 255.255.255.0
    !
    ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
    !
    crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
    crypto dynamic-map DYN_MAP 1 set ikev1 transform-set VPNU
    !
    crypto map IPSec_map 1 ipsec-isakmp dynamic DYN_MAP
    crypto map IPSec_map interface outside
    crypto ikev1 enable outside
    !
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    group-policy GETUVPN_POLICY internal
    group-policy GETUVPN_POLICY attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT
    !
    tunnel-group GETUVPN type remote-access
    tunnel-group GETUVPN general-attributes
     address-pool VPN_POOL
     authentication-server-group LOCAL
     default-group-policy GETUVPN_POLICY
    tunnel-group GETUVPN ipsec-attributes
     ikev1 pre-shared-key cisco123

    !

    ###############################################################################################################

    Config 2

    ip local pool vpnpool 192.168.200.1-192.168.200.254
    !
    access-list sheep remark ACL for NAT exemption
    access-list sheep extended permit ip 10.10.100.0 255.255.255.192 192.168.200.0 255.255.255.0
    !
    access-list vpn_SplitTunnel remark ACL for VPN split tunnel
    access-list vpn_SplitTunnel standard permit 10.10.100.0 255.255.255.192
    !
    !
    nat (inside) 0 access-list sheep
    !
    !
    group-policy IPSec_map internal
    group-policy IPSec_map attributes
     vpn-idle-timeout 120
     vpn-tunnel-protocol ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpn_SplitTunnel
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set high esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set high
    crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
    crypto map IPSec_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 11
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group GETUVPN type ipsec-ra
    tunnel-group GETUVPN general-attributes
     address-pool vpnpool
     default-group-policy IPSec_map
    !
    !
    tunnel-group GETUVPN ipsec-attributes
     pre-shared-key Cisco123
    !

    !

    ###############################################################################################################

    Config 3

    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    crypto ikev1 identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 11
    !
    ip local pool vpnpool 192.168.200.1-192.168.200.254
    !
    crypto ipsec ikev1 transform-set CLIENTVPN esp-3des esp-md5-hmac
    tunnel-group GETUVPN type remote-access
    tunnel-group GETUVPN general-attributes
     address-pool VPN-pool
    !
    tunnel-group GETUVPN ipsec-attributes
     ikev1 pre-shared-key Cisco123
    crypto dynamic-map dyn1 1 set ikev1 transform-set VPNU
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map IPSec_map 1 ipsec-isakmp dynamic dyn1
    crypto map IPSec_map interface outside

    !

    Hello

    Try the first config with a minor change (the sequence numbers of DYN_MAP and IPSec_map, which were marked in red):

    access-list SPLIT standard permit 192.168.100.0 255.255.255.0
    !
    ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
    !
    crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
    crypto dynamic-map DYN_MAP 65535 set ikev1 transform-set VPNU
    !
    crypto map IPSec_map 65535 ipsec-isakmp dynamic DYN_MAP
    crypto map IPSec_map interface outside
    crypto ikev1 enable outside
    !
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    !
    group-policy GETUVPN_POLICY internal
    group-policy GETUVPN_POLICY attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT
    !
    tunnel-group GETUVPN type remote-access
    tunnel-group GETUVPN general-attributes
     address-pool VPN_POOL
     authentication-server-group LOCAL
     default-group-policy GETUVPN_POLICY
    tunnel-group GETUVPN ipsec-attributes
     ikev1 pre-shared-key cisco123

    Also add a NAT0 configuration in the new NAT format:

    object network LAN
     subnet 10.10.100.0 255.255.255.192
    object network VPN-POOL
     subnet 192.168.200.0 255.255.255.0
    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

    Hope this helps

    -Jouni

  • Cisco AnyConnect mobility client & site-to-site VPN

    Hello friends,

    I have a question about ASA VPN services.

    Can a single ASA accommodate both AnyConnect remote-access VPN and site-to-site IPSec (L2L) VPN?

    Apart from licensing, what are all the points to be considered when hosting both on the same device?

    Thanks in advance.

    Krishna

    Hello

    You can deploy L2L VPN and remote-access VPN (AnyConnect) on the same ASA.
    There is no specific prerequisite to deploying them together, as long as you have the correct configuration and licenses.

    In fact, most deployments use these two types of VPN at the same time these days.

    Regards
    Dinesh Moudgil

    PS: Please rate helpful posts.

  • Loopback interface as VPN client endpoint

    My project consists of an 871 router at a SOHO site connected to a 3845 head-end router over an unencrypted MPLS network for data communication. Client PCs behind the 871 router at the remote site need to activate the Cisco VPN client and connect to the 3845 head-end so that they can access information behind the main 6506 switch.

    To minimize the setup, I would like to prepare a single VPN profile for all remote sites. So I plan on using the lo0 interface as the VPN endpoint. However, I have found that when the VPN connection is made to the lo0 interface, the remote client computer can ping lo0 only, but cannot ping any other IP addresses. However, when I set up the connection to the IP address of the 3845 router's physical interface, the connection is OK.

    I have attached my config for the VPN and the diagram. Can anyone help?

    Hello

    You need to change your split-tunnel ACL:

    ip access-list extended FEHD_VPN
     remark * outbound VPN client traffic *
     permit ip 10.0.0.0 0.255.255.255 10.65.215.0 0.0.0.255

    Note: I don't know what the purpose of "permit ip host 0.0.0.0 host 0.0.0.0" is.

  • IPSEC site-to-site VPN in transparent mode

    Hello

    Does the new ASA OS version support IPSEC site-to-site VPN to partners in transparent mode?

    Thank you very much

    Kind regards

    J

    The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the ASA. You can pass VPN traffic through the ASA using an extended access list, but it does not terminate non-management connections. Clientless SSL VPN is also not supported.

  • Force start of IPsec site-to-site VPN negotiation

    Hello

    I have attached two TXT files with the configurations of the two Cisco 837 routers.

    The problem is that ROUTER2 has a dynamic IP, and to establish the tunnel I must do a ping from Ethernet 0 of ROUTER1.

    Is there a way to force the connection up?

    Try it with loopback 0 as the source instead of Ethernet 0.

  • L2L IPSec VPN blocks SQL (ASA v8.4)

    Good evening everyone,

    I have an ASA 5510 on 8.4(2) which has an IPSec site-to-site VPN to a 3rd party who run some form of Checkpoint. The VPN establishes and allows access to a server in our DMZ on all the ports we have tested so far (HTTP, FTP, SSL, RDP), with the exception of SQL, which does not even reach the server. I've got Wireshark running on the DMZ server, and if the 3rd party initiates a TCP conversation from their server on any of the ports on the server I see all the expected packets arrive with the correct IPs etc. (no NAT takes place through the VPN), but when an ODBC client attempts to query the SQL Server in our DMZ the packets do not reach the server. What I see is that the RX byte count on the VPN increases whenever the query is run, but it is certainly not arriving at the SQL Server.

    Also, if I swap the ASA back to the old PIX it replaced, with the same VPN configuration but on version 7.x, then it works fine.

    While I find some time to clean up the config this weekend, any ideas?

    Thank you very much

    Simon.

    Hi Simon,

    If you look at the sysopt options in ASDM, it advises that you still need an ACL for the traffic. As I understand it, in the old days, when you were on 7.x as you pointed out, if you set the ports in this group then yes, it's a whole and potentially your only protection is NAT or its absence.

    I would add another ACE to the external interface which allows the source to your DMZ host (see below):

    object-group service SQL-PORTS tcp
     port-object eq 1433
     port-object eq 1434
     port-object eq 1521
    access-list outside_access extended permit tcp host 192.168.100.30 object DMZ_158 object-group SQL-PORTS

    Regards

  • ASA 9.2 IPSEC VPN

    I have an ASA version 9.2(2)4, model 5515.

    I need to configure IPSEC VPN site-to-site.

    Can anyone share with me the example of ASA 9.2 CLI for IPSEC VPN configuration?

    Congratulations on finding a solution to your problem. Thank you for posting back to the forum to indicate that the issue is resolved and to share the solution. This can help other readers in the forum.

    HTH

    Rick

  • Make a remote web server accessible via a site-to-site VPN

    We have two test sites connected by an IPSEC site-to-site VPN tunnel (hosted on an ASA at each site) over the Internet. We are trying to set up an environment to test two web applications running side by side. Both web servers are running at Test Site 1. We don't have the same public IPs available at each site.

    To address the single public IP address restriction at Site 1, we are trying to set up ACL and NAT rules to have Site 2 accept traffic from the Internet and send it over the tunnel to the other site. So Web Server 1 would accept Internet traffic via ASA 1 and Web Server 2 would accept traffic via ASA 2 at the other site. Here's a network diagram:

    We are having difficulty getting this configuration to work correctly. Please note that clients on the 192.168.3.0/24 network are able to access the Web1 and Web2 servers. This issue seems to be due to our NAT configuration. This is the type of error we see on the two firewalls:

    Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:4.4.4.4/443 dst outside:192.168.1.10/443 denied due to NAT reverse path failure

    Our situation seems similar to this post: https://supportforums.cisco.com/thread/2242230

    Any help would be appreciated.

    Hello

    What Karsten said above is true. While it is possible and works, it also means that the configuration is a little more complex to manage. I have not done this kind of setup in a real-life network environment and have always used additional public IP addresses at the local site when a server is hosted.

    If you want to move forward with this, here are a few points to consider and the configurations that you need.

    First off, it seems to me that the one server will be handled by the local Site 1, so a simple static PAT (port forward) should handle Site 1.

    object network WEB-HTTP
     host 192.168.1.10
     nat (inside,outside) static interface service tcp 443 443

    And if you also need TCP/80 then you will need:

    object network WEB-HTTPS
     host 192.168.1.10
     nat (inside,outside) static interface service tcp 80 80

    Now, Site 2 will naturally be a little different, as the server is hosted at Site 1 and Site 2's public IP address is used to publish the server to the external network.

    Essentially, you will need to configure NAT that both does dynamic PAT for the source addresses of connections to your Web Server 2, and also does the static PAT (port forward) for the IP address of Web Server 2. Additionally, you have to change the encryption domain on Site 1 and Site 2 to match this new addition to the L2L VPN connection.

    Unless of course you use an existing IP address from the encryption domain in the dynamic PAT translation for the source address. In that case, no L2L VPN change would be needed. I'll use that in the example below.

    The NAT configuration might look like this:

    object service WWW
     service tcp destination eq 80
    object service HTTPS
     service tcp destination eq 443
    object network SOURCE-PAT-IP
     host 192.168.3.254
    object network WEB-SERVER-2-SITE1
     host 192.168.1.11
    nat (outside,outside) 1 source dynamic any SOURCE-PAT-IP destination static interface WEB-SERVER-2-SITE1 service WWW WWW
    nat (outside,outside) 2 source dynamic any SOURCE-PAT-IP destination static interface WEB-SERVER-2-SITE1 service HTTPS HTTPS

    So, essentially, the NAT configurations above should take 'all' traffic coming from behind the 'outside' interface destined to the 'outside' interface IP address, translate the source to the SOURCE-PAT-IP address and untranslate the destination to WEB-SERVER-2-SITE1.

    Make sure that the IP address chosen (in this case 192.168.3.254) is not used on any device. If it is, then replace it with something that is not currently used in the network. Otherwise, configure an IP address from some other subnet and include it in the L2L VPN configurations on both sites.

    Unless you already have it, you also need this configuration command to allow traffic to make a U-turn/hairpin on the 'outside' interface of the Site 2 ASA:

    same-security-traffic permit intra-interface

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni

  • Cisco VPN Client and Windows XP IPSec VPN client to ASA

    I configured the ASA for IPSec VPN via Cisco VPN Client and the XP VPN client. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. The debug says "misconfigured groups and transport/tunnel mode". I know they use different transport and tunnel modes, and I think I have configured both. Take a look at the config.

    PS: a funny thing - when I connect with the VPN client on Windows Server 2003, I get no error. The only difference is that the XP client is behind an ADSL router and the server client is directly connected to the Internet on one of its public IP interfaces. Can NAT in the XP case cause problems?

    Config is:

    !
    interface GigabitEthernet0/2.30
     description remote access
     vlan 30
     nameif remote-access
     security-level 0
     ip address 85.*.*.1 255.255.255.0
    !
    access-list 110 extended permit ip any any
    access-list nat extended permit tcp any host 10.254.17.10 eq ssh
    access-list nat extended permit tcp any host 10.254.17.26 eq ssh
    access-list sheep extended permit ip any any
    access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
    access-list sheep-vpn extended permit ip any 192.168.121.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
    flow-export destination inside-Bct 192.168.1.27 9996
    ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
    arp timeout 14400
    global (outside-Baku) 1 interface
    global (outside-Ganja) 2 interface
    nat (inside-Bct) 0 access-list sheep-vpn
    nat (inside-Bct) 1 access-list nat
    nat (inside-Bct) 2 access-list nat-ganja
    access-group rdp in interface outside-Ganja
    !
    route remote-access 0.0.0.0 0.0.0.0 85.*.*.1 2
    route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
    route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
    route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
    route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
    route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
    route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
    route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
    route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
    dynamic-access-policy-record DfltAccessPolicy
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    crypto ipsec transform-set newset esp-aes esp-md5-hmac
    crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
    crypto ipsec transform-set vpnclienttrans mode transport
    crypto ipsec transform-set raccess esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 214748364
    crypto ipsec security-association lifetime kilobytes 214748364
    crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
    crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
    crypto map vpnclientmap interface remote-access
    crypto isakmp identity address
    crypto isakmp enable vpntest
    crypto isakmp enable outside-Baku
    crypto isakmp enable outside-Ganja
    crypto isakmp enable remote-access
    crypto isakmp enable inside-Bct
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    no vpn-addr-assign aaa
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.192 outside-Baku
    ssh 10.254.17.26 255.255.255.255 outside-Baku
    ssh 10.254.17.18 255.255.255.255 outside-Baku
    ssh 10.254.17.10 255.255.255.255 outside-Baku
    ssh 10.254.17.26 255.255.255.255 outside-Ganja
    ssh 10.254.17.18 255.255.255.255 outside-Ganja
    ssh 10.254.17.10 255.255.255.255 outside-Ganja
    ssh 192.168.1.0 255.255.255.192 inside-Bct
    group-policy vpn internal
    group-policy vpn attributes
     dns-server value 192.168.1.3
     vpn-tunnel-protocol IPSec l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value BCT.AZ
    tunnel-group DefaultRAGroup general-attributes
     address-pool raccess
     authentication-server-group RADIUS
     default-group-policy vpn
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *

    Hello

    For the Cisco VPN client, you need a tunnel-group name configured on the ASA with a pre-shared key.

    Please see configuration below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    or

    http://tinyurl.com/5t67hd

    Please see the tunnel-group config section of the ASA.

    There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used as the VPN Client group name.

    So, you need a specific tunnel-group name configured with a pre-shared key, and you use it on the Cisco VPN Client.

    Secondly, because you are behind an ADSL router, I'm sure it's configured for NAT. Can you please enable NAT-T on your ASA:

    crypto isakmp nat-traversal

    Thirdly, change the transform-set line to:

    crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess

    Let me know the result.

    Thank you

    Gilbert
