IPSec VPN (remote VPN access) - dynamic NAT

Hello dear group

I like ASA 5510 is configured for remote access VPN, ASA authenticates Clients remoter with Radius Server (accounting software) and will be assigned an address IP of VPN-pool (172.16.20.0/24). Prose all in use of authentication with radius server is successful, but there is no any Internet browsing on the client side. I've set up a dynamic NAT rule on the external interface of SAA, I write in the following:

Interface: outside

Source: VPN-users object (address pool 172.16.20.0/24)

The translation of the output interface.

the NAT rule to above does not. (I think that traffic is not clothed with VPN POOL address via external interface)

Note: this VPN users access the INTERNET only. (because of this, the pool address range is different with inside the Network Interface)

Its a favor if you help me how NAT.

Thank you

Best regards

Hello

Would really need to see your current NAT configurations to the CLI format to determine the problem.

Naturally, the problem could be as simple as missing the following command on the SAA

permit same-security-traffic intra-interface

This command is required on the SAA for traffic to come through an interface and let the same interface. In your case this interface would be "Outside" the customer VPN traffic arrives at the ASA via this interface what is leaving through this interface to the Internet.

-Jouni

Tags: Cisco Security

Similar Questions

IPSEC VPN DMZ HOST NAT

Hello world

First of all thanks for the invaluable information this community offers technicians everywhere... I'm newish to IPSEC VPN and I have a question.

I have a DMZ PATed host to a public IP address. I've set up an IPSEC tunnel (with an external body on my outside interface) to allow this host reach a host computer in this organization. The VPN is not come. I am told to implement NAT exemption for the DMZ host IPSEC traffic to the host outside. Kindly, how can I do this?

Kind regards

Mumo

OK, no problem :)

for 8.2 (5), you can try the following config:
```
object network DMZ-net 172.16.1.0 255.255.255.0object network Remote-net 10.1.1.0 255.255.255.0access-list asa_dmz_nat0_outbound extended permit ip object DMZ-net object Remote-netnat (DMZ) 0 access-list asa_dmz_nat0_outbound
```

ASA ASA Site2Site VPN with dynamic NAT in version 8.2

I did everything for NAT to 9.x and I don't have much at all with NAT in 8.2 and earlier with this configuration.

I have some local subnets:

172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24

who will need to access a remote subnet:

10.31.255.128/25

and the requirement is to NAT the following text:

A lot of requirement much NAT.
172.30.1.0/24 NAT at 192.168.104.0/24
172.30.16.0/24 NAT at 192.168.105.0/24
172.30.3.0/24 NAT at 192.168.108.0/24
172.30.12.0/24 NAT at 192.168.106.0/24
172.30.7.0/24 NAT at 192.168.107.0/24
172.30.35.0/24 NAT at 192.168.103.0/24

When you go to the 10.31.255.128/25 subnet.

Here's what I think, I need and I'm looking for confirmation and/or messages.

Config group *.

object-group, LAN using a NAT-NETWORKS
192.168.104.0 subnet 255.255.255.0
192.168.105.0 subnet 255.255.255.0
192.168.108.0 subnet 255.255.255.0
192.168.106.0 subnet 255.255.255.0
192.168.107.0 subnet 255.255.255.0
192.168.103.0 subnet 255.255.255.0

Group of objects to REMOTE-network
subnet 10.31.255.128 255.255.255.128

ACL for the crypto-card *.

REMOTE_cryptomap_72 list extended access permitted ip object-group LOCAL-using a NAT-NETWORKS-group of objects to REMOTE-NETWORK

Config NAT

NAT (inside) 10 172.30.1.0 255.255.255.0
NAT (inside) 20 172.30.16.0 255.255.255.0
NAT (inside) 30 172.30.3.0 255.255.255.0
NAT (inside) 40 172.30.12.0 255.255.255.0
NAT (inside) 50 172.30.7.0 255.255.255.0
NAT (inside) 60 172.30.35.0 255.255.255.0

Global (outside) 10 192.168.104.0 255.255.255.0
Global (outside) 20 192.168.105.0 255.255.255.0
Global (outside) 30 192.168.108.0 255.255.255.0
Global (outside) 40 192.168.106.0 255.255.255.0
Global (outside) 50 192.168.107.0 255.255.255.0
Global (outside) 60 192.168.103.0 255.255.255.0

This sets up the set of transformation which is called in the Crypto map.* *.

Crypto ipsec transform-set ikev1 REMOTE-SET esp-3des esp-sha-hmac

This sets up the Crypto map.* *.

address for correspondence card crypto outside_map 72 REMOTE_cryptomap_72
peer set card crypto outside_map 72 5.5.5.4
card crypto outside_map 72 set transform-set REMOTE-SET ikev1
outside_map card crypto 72 the value reverse-road

Implements IKE *.

IKEv1 crypto policy 72
sha hash
preshared authentication
Group 2
lifetime 28800
3des encryption

Sets up the Group of tunnel (connection profile) *.

tunnel-group 5.5.5.4 type ipsec-l2l
IPSec-attributes tunnel-group 5.5.5.4
IKEv1 pre-shared-key * TBD *.

Thank you

Mike

With your existing global declarations, my suggestion should meet the requirement. Here is some additional info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...

Remote IPSec VPN with L2L

Hello.

I work at Sunrise a site to site VPN, but I'm running a problem when I apply the plan of the cry to the external interface.

I already have a remote IPSec VPN access to the top with this cry map applied to the external interface. When I apply the plan that I created for the L2L, it will drop the RA VPN when applied to this interface. I was wondering how I can make this work with the two IPSec VPN.

Crypto ipsec transform-set esp-3des esp-sha-hmac IPSec ikev1

Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2lvpn

Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set

Crypto-map dynamic IPSecVPNDM 1jeu reverse-road

card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM

IPSecVPNCM interface card crypto outside

card crypto IPSecL2L 1 corresponds to the address CSM_IPSEC_ACL_1

card crypto IPSecL2L 1 set counterpart x.x.x.x

card crypto IPSecL2L 1 set transform-set l2lvpn ikev1

Crypto ca trustpoint ASDM_TrustPoint0

registration auto

full domain name no

name of the object CN = IPSec-SMU-5505

Configure CRL

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 2

preshared authentication

3des encryption

sha hash

Group 2

life 43200

Thank you

Hello

I guess that you may need to remove these also

Crypto dynamic-map IPSecVPNDM 1 set ikev1 IPSec transform-set

Crypto-map dynamic IPSecVPNDM 1jeu reverse-road

card crypto IPSecVPNCM 1-isakmp dynamic ipsec IPSecVPNDM

And again with the sequence number of 65535 for example instead of 1

Dynamic crypto map IPSecVPNDM 65535 define ikev1 IPSec transform-set

Crypto-map dynamic IPSecVPNDM 65535 the value reverse-road

map of crypto IPSecVPNCM 65535 - isakmp dynamic ipsec IPSecVPNDM

Then use a different number of VPN L2L sequence. For example, the sequence number indicates where order ASA tries to find a match for a VPN connection. Also, it probably gives this error message because you have dynamic configurations already with this sequence number and try to use the same with VPN L2L configurations.

Yet once if you can configure a second VPN L2L at some point then again would you use a different sequence number for this connection

-Jouni

IPSEC VPN with Dynamics to dynamic IP

Hello

I tried IPSEC VPN with dynamic IP to dynamic (router to router) for some time. But still can not auto-établir the tunnel.

Is someone can you please tell me if it is possible to do?

If so, please share with me the secret to do work.

Thank you!

Best regards

Rather than the Crypto map, I would use the profile of Crypto. Then, establish you an IPSEC tunnel. The beauty of the profile, is that you can run through it routing protocols, and you do not have to change constantly the cards whenever you change the topology of the network. The "* * *" in the timer event is "minute hour day week month" so "* * *" is updated every minute. In Tunnel destination, it's an IP address, not a hostname that is stored, but when you set it, you can put in a HOST name and it converts to the moment where you configure it to an IP address.

So, if you type:

config t

interface tunnel100
destination remote.dyndns.com tunnel

output

See the race int tunnel100

It shows:

interface Tunnel100
tunnel destination 75.67.43.79

That's why the event handler goes and becomes the destination of tunnel every minute what ever the DDNS says that is the new IP address.

I have seen that two of your routers running DDNS. They will have to do this.

Local router:

crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of remote.dyndns.org
IP 10.254.220.10 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 75.67.43.79
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profile

IP route 192.168.2.0 255.255.255.0 10.254.220.9

Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination remote.dyndns.org tunnel".
!

--------

Remote router:

crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of local.dyndns.org
IP 10.254.220.9 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 93.219.58.191
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profile

IP route 192.168.1.0 255.255.255.0 10.254.220.10

Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination local.dyndns.org tunnel".

Thank you

Bert

What is a VPN solution that is more stable than IPSEC VPN? What is the latest version of VPN client recommended for Windows 7 & 8 users?

Hello

I would like to ask a few details & concerns on our existing VPN configuration.

1. What is the Cisco VPN client recommended for users of Windows 7 and 8? Is there an official documentation for this Cisco? We currently use customer VPN Ciso 5.0.7.

2. we are running IPSEC VPN with only 1 gateway & only local authentication (No ACS) for our client. Recently, we have some concerns that they are the VPN connection is down. Whereas if I'm the one connected to the VPN, my connection is stable. Is there any point that we must consider up in the network. Is there a better configuration or solution that we could recommend to the customer as SSL VPN?

3. If you want to use SSL VPN anyconnect secure mobility & we want to implement redundancy on the FW, how will the license work?

Thank you!

An AnyConnect-based VPN is the replacement recommended for remote IPsec VPN access. (source)

AnyConnect can use SSL or IPsec (IKEv2) for transport.

For an ASA redundant firewalls (running 8.3 (1) or later) any permit required AnyConnect are shared between them. that is, you just buy licenses for a member of the HA pair. (source)

IPsec over UDP - remote VPN access

Hello world

The VPN client user PC IPSEC over UDP option is checked under transport.

When I check the details of the phase 1 of IKE ASDM of user login, it shows only UDP 500 port not port 4500.

Means that user PC VPN ASA there that no device in question makes NAT.

What happens if we checked the same option in the client IPSEC VPN - over UDP and now, if we see the port UDP 4500 under IKE phase 1 Connection Details

This means that there is now ASA a NAT device VPN Client PC, but he allows IKE connection phase 1?

Concerning

MAhesh

Hello Manu,

I suggest to use the following commands on your ASA have a look at these ports as the test of VPN connections. The command that you use depends on your level of software as minor changes in the format of the command

View details remote vpn-sessiondb

view sessiondb-vpn remote detail filter p-ipaddress

Or

View details of ra-ikev1-ipsec-vpn-sessiondb

display the filter retail ra-ikev1-ipsec-vpn-sessiondb p-ipaddress

These will provide information on the type of VPN Client connection.

Here are a few out of different situations when connecting with the VPN Client

Dynamic PAT - no Transparent on the Client VPN tunnel
- Through the VPN connections do not work as connects via PAT without Transparent tunnel
Username: Index: 22

Public IP address 10.0.1.2 assigned IP::

Protocol: IPsec IKEv1

IKEv1:

Tunnel ID: 22.1

The UDP Src Port: 18451 UDP Dst Port: 500

IKE Neg Mode: Aggressive Auth Mode: preSharedKeys

Encryption: AES 256 hash: SHA1

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28551 seconds

Group D/H: 2

Name of the filter:

Client OS: Windows NT Client OS worm: 5.0.07.0290

IPsec:

Tunnel ID: 22.2

Local addr: 0.0.0.0/0.0.0.0/0/0

Remote addr: 10.0.1.2/255.255.255.255/0/0

Encryption: AES 256 hash: SHA1

Encapsulation: Tunnel

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28551 seconds

Idle Time Out: 30 Minutes idling left: 25 Minutes

TX Bytes: 0 Rx bytes: 0

TX pkts: Rx Pkts 0: 0

Dynamic PAT - Transparent tunnel (NAT/PAT) on the VPN Client
- Via VPN connections work as we use Tunneling Transparent when we train the dynamic VPN Client through PAT connection
Username: Index: 28

Public IP address 10.0.1.2 assigned IP::

Protocol: IKEv1 IPsecOverNatT

IKEv1:

Tunnel ID: 28.1

The UDP Src Port: 52825 UDP Dst Port: 4500

IKE Neg Mode: Aggressive Auth Mode: preSharedKeys

Encryption: AES 256 hash: SHA1

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28784 seconds

Group D/H: 2

Name of the filter:

Client OS: Windows NT Client OS worm: 5.0.07.0290

IPsecOverNatT:

Tunnel ID: 28.2

Local addr: 0.0.0.0/0.0.0.0/0/0

Remote addr: 10.0.1.2/255.255.255.255/0/0

Encryption: AES 256 hash: SHA1

Encapsulation: Tunnel

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28784 seconds

Idle Time Out: 30 Minutes idling left: 30 Minutes

TX Bytes: 360 bytes Rx: 360

TX pkts: 6 Pkts Rx: 6

Dynamics PAT, Transparent IPsec (TCP) on the Client VPN tunnel
- Via VPN connections work as we use Tunneling Transparent when we train the dynamic VPN Client through PAT connection
Username: Index: 24

Public IP address 10.0.1.2 assigned IP::

Protocol: IKEv1 IPsecOverTCP

IKEv1:

Tunnel ID: 24.1

The UDP Src Port: 20343 UDP Dst Port: 500

IKE Neg Mode: Aggressive Auth Mode: preSharedKeys

Encryption: AES 256 hash: SHA1

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28792 seconds

Group D/H: 2

Name of the filter:

Client OS: Windows NT Client OS worm: 5.0.07.0290

IPsecOverTCP:

Tunnel ID: 24,2

Local addr: 0.0.0.0/0.0.0.0/0/0

Remote addr: 10.0.1.2/255.255.255.255/0/0

Encryption: AES 256 hash: SHA1

Encapsulation: Tunnel TCP Src Port: 20343

The TCP Dst Port: 10000

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28792 seconds

Idle Time Out: 30 Minutes idling left: 30 Minutes

TX Bytes: 180 bytes Rx: 180

TX pkts: Rx 3 Pkts: 3

Static NAT - no Transparent on the Client VPN tunnel
- VPN Client connections to the LAN work because our VPN Client has a static NAT configured for its local IP address. This allows the ESP without encapsulation through the device doing the static NAT. You must allow the ESP traffic through the NAT device of management of the device VPN or configure VPN connections inspection if there is an ASA acting as the NAT device.
Username: Index: 25

Public IP address 10.0.1.2 assigned IP::

Protocol: IPsec IKEv1

IKEv1:

Tunnel ID: 25.1

The UDP Src Port: 50136 UDP Dst Port: 500

IKE Neg Mode: Aggressive Auth Mode: preSharedKeys

Encryption: AES 256 hash: SHA1

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28791 seconds

Group D/H: 2

Name of the filter:

Client OS: Windows NT Client OS worm: 5.0.07.0290

IPsec:

Tunnel ID: 25.2

Local addr: 0.0.0.0/0.0.0.0/0/0

Remote addr: 10.0.1.2/255.255.255.255/0/0

Encryption: AES 256 hash: SHA1

Encapsulation: Tunnel

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28791 seconds

Idle Time Out: 30 Minutes idling left: 30 Minutes

TX Bytes: 120 bytes Rx: 120

TX pkts: Rx 2 Pkts: 2

Static NAT - Transparent tunnel (NAT/PAT) on the VPN Client
- The VPN Client connections are functioning normally. Even if the host Staticly using a NAT VPN Client does not need UDP encapsulation it is always used if your connection of the VPN Client profile is configured to use (tab in the Transport of the client software)
Username: Index: 26

Public IP address 10.0.1.2 assigned IP::

Protocol: IKEv1 IPsecOverNatT

IKEv1:

Tunnel ID: 26.1

The UDP Src Port: 60159 UDP Dst Port: 4500

IKE Neg Mode: Aggressive Auth Mode: preSharedKeys

Encryption: AES 256 hash: SHA1

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28772 seconds

Group D/H: 2

Name of the filter:

Client OS: Windows NT Client OS worm: 5.0.07.0290

IPsecOverNatT:

Tunnel ID: 26.2

Local addr: 0.0.0.0/0.0.0.0/0/0

Remote addr: 10.0.1.2/255.255.255.255/0/0

Encryption: AES 256 hash: SHA1

Encapsulation: Tunnel

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28772 seconds

Idle Time Out: 30 Minutes idling left: 29 Minutes

TX Bytes: 1200 bytes Rx: 1200

TX pkts: Rx 20 Pkts: 20

Static NAT - Transparent tunnel on the VPN Client (IPsec, TCP)
- The VPN Client connections are functioning normally. Even if the host Staticly using a NAT VPN Client does not need TCP encapsulation it is always used if your connection of the VPN Client profile is configured to use (tab in the Transport of the client software)
Username: Index: 27

Public IP address 10.0.1.2 assigned IP::

Protocol: IKEv1 IPsecOverTCP

IKEv1:

Tunnel ID: 27.1

The UDP Src Port: 61575 UDP Dst Port: 500

IKE Neg Mode: Aggressive Auth Mode: preSharedKeys

Encryption: AES 256 hash: SHA1

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28790 seconds

Group D/H: 2

Name of the filter:

Client OS: Windows NT Client OS worm: 5.0.07.0290

IPsecOverTCP:

Tunnel ID: 27.2

Local addr: 0.0.0.0/0.0.0.0/0/0

Remote addr: 10.0.1.2/255.255.255.255/0/0

Encryption: AES 256 hash: SHA1

Encapsulation: Tunnel TCP Src Port: 61575

The TCP Dst Port: 10000

Generate a new key Int (T): 28800 seconds given to the key Left (T): 28790 seconds

Idle Time Out: 30 Minutes idling left: 30 Minutes

TX Bytes: 120 bytes Rx: 120

TX pkts: Rx 2 Pkts: 2

VPN device with a public IP address directly connected (as a customer VPN) to an ASA

Username: Index: 491

Assigned IP: 172.31.1.239 public IP address:

Protocol: IPsec IKE

IKE:

Tunnel ID: 491.1

The UDP Src Port: 500 UDP Dst Port: 500

IKE Neg Mode: Aggressive Auth Mode: preSharedKeys

Encryption: 3DES hash: SHA1

Generate a new key Int (T): 86400 seconds given to the key Left (T): 71016 seconds

Group D/H: 2

Name of the filter:

IPsec:

Tunnel ID: 491.2

Local addr: 0.0.0.0/0.0.0.0/0/0

Remote addr: 172.31.1.239/255.255.255.255/0/0

Encryption: AES128 hash: SHA1

Encapsulation: Tunnel

Generate a new key Int (T): 28800 seconds given to the key Left (T): 12123 seconds

Generate a new key Int (D): 4608000 K-bytes given to the key Left (D): 4607460 K-bytes

Idle Time Out: 0 Minutes idling left: 0 Minutes

TX Bytes: bytes 3767854 Rx: 7788633

TX pkts: 56355 Pkts Rx: 102824

Above are examples for your reference. I must also say that I am absolutely not an expert when it comes to virtual private networks in general. I had to learn two firewall/vpn basically on my own, as during my studies, we had no classes related to them (which was quite strange).

While I learned how to set up VPN and troubleshoot them I think I missed on the basic theory. I had plans to get the title Associates CCNA/CCNP certifications but at the moment everything is possible. Don't have the time for it.

I guess that you already go to the VPN security CCNP Exam?

Hope this helps and I hope that I didn't get anything wrong above

-Jouni

9.0 can a dynamic nat be used via ipsec vpn?

9.0 can a dynamic nat be used via ipsec vpn?

We have a vpn and work between asa and when we run traffic through a static nat rule traffic goes over the vpn. When we use a dynamic nat traffic does not get picked up by the ACL vpn.

We disable the nat rules to switch back and just so, even when we use the same destination to source the result is the same.

Am I missing something with 9.0 versions of code? If I disable all the nats and pass traffic it goes via the vpn.

So, it seems that when you use the dynamic nat statement, it pushes traffic to the external interface without looking at the acl of vpn. Please let me know if I'm crazy, I'm a newb on 8.3 zip code.

Thank you

Have you included in the ACL crytop natted ip address or range?

You allowed natted ip address or range to the other end of the tunnel?

AnyConnect 3.0 supports IPSec VPN for remote access?

Hello world

I've read about Cisco AnyConnect 3.0 issues that it supports IPSec VPN for remote access:

http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-622477_ns1049_Networking_Solutions_Q_and_A.html

I downloaded and installed the Client AnyConnect Secure Mobility Client 3.0.0629, but I'm not able to get the IPSec VPN works. Also, it has no option to use the previous of Cisco IPSec VPN client PCF files.

Can someone point me in the right direction to get IPSec VPN AnyConnect 3.0 work?

Thank you in advance!

Hello

Takes AnyConnect support IPSEC from version 3.0, but only in combination with IKEv2.

There is no option to use a CPF file with it and the config should be pushed through a profile Anyconnect.

More information on this:

http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect30/Administration/Guide/ac02asaconfig.html#wp1325361

You should also change the ASA config so that it accepts negotiations IKE v2:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_ike.html#wp1144572

Kind regards

Nicolas

Remote VPN access - add new internal IP address

Hello

I have an existing configuration of Cisco VPN client in ASA 5510 for remote access.

-------------------------------------

Name of the Group: ISETANLOT10

Group password: xxxx

IP pool: lot10ippool, 172.27.17.240 - 172.27.17.245

enycrption: 3DES

authentication: SHA

------------------------------------

the connection was successful, and I was able to ping to the internal server 172.47.1.10.

Now, there is demand for remote access VPN even can do a ping to access a new server within LAN, 172.57.1.10 & 172.57.1.20

But with the same VPN access, I was unable to ping the two new IP.

How can I add both IP in order to make a ping by using the same configuration of remote access VPN?

I have attached below existing config (edited version)

===

: Saved
:
ASA Version 8.0 (4)
!
hostname asalot10
names of
name 172.17.100.22 NAVNew
name 172.27.17.215 NECUser
172.47.1.10 NarayaServer description Naraya server name
name 62.80.122.172 NarayaTelco1
name 62.80.122.178 NarayaTelco2
name 172.57.1.10 IPVSSvr IPVSSvr description
name 122.152.181.147 Japan01
name 122.152.181.0 Japan02
name 175.139.156.174 Outside_Int
name 178.248.228.121 NarayaTelco3
name 172.67.1.0 VCGroup
name 172.57.1.20 IPVSSvr2
!
object-group service NECareService
Description NECareService remote
the eq https tcp service object
EQ-ssh tcp service object
response to echo icmp service object
inside_access_in deny ip extended access list all Japan02 255.255.255.0
inside_access_in ip VCGroup 255.255.255.0 allowed extended access list all
inside_access_in list extended access deny tcp object-group PermitInternet any object-group torrent1
inside_access_in list extended access allowed object-group ip PermitInternet any newspaper disable
inside_access_in list any newspaper disable extended access allowed host ip NarayaServer
inside_access_in list extended access permit ip host IPVSSvr all
inside_access_in list any newspaper disable extended access allowed host ip NAVNew
inside_access_in list extended access permit ip host 172.17.100.30 all
outside_access_in list extended access allow object-group objects NECare a NECareService-group
outside_access_in list extended access allowed host ip DM_INLINE_NETWORK_1 NarayaServer object-group
outsidein list extended access permit tcp any host Outside_Int eq https
outsidein list extended access allowed object-group rdp any host Outside_Int debug log
outsidein list extended access allowed host tcp object-group DM_INLINE_NETWORK_2 eq Outside_Int 8080
outsidein list extended access allowed host ip DM_INLINE_NETWORK_3 IPVSSvr object-group
inside_mpc list extended access allowed object-group TCPUDP any any eq www
inside_mpc list extended access permit tcp any any eq www
inside_nat0_outbound list of allowed ip extended access all 172.27.17.240 255.255.255.248
inside_nat0_outbound list extended access permit ip host NarayaServer Nry_Png object-group
inside_nat0_outbound list extended access allowed host ip IPVSSvr2 172.27.17.240 255.255.255.248
outside_cryptomap list extended access permitted ip object-group Naraya_Png-group of objects Nry_Png

Global interface 10 (external)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 10 0.0.0.0 0.0.0.0
static (inside, outside) interface tcp 8080 8080 NarayaServer netmask 255.255.255.255
static (inside, outside) tcp 3389 3389 NAVNew netmask 255.255.255.255 interface
public static tcp (indoor, outdoor) interface ssh IPVSSvr2 ssh netmask 255.255.255.255
Access-group outsidein in external interface
inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 175.139.156.173 1
Route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
Route inside NAVNew 255.255.255.255 172.27.17.100 1
Route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
Route inside NarayaServer 255.255.255.255 172.27.17.100 1
Route inside 172.47.1.11 255.255.255.255 172.27.17.100 1

Route inside VCGroup 255.255.255.0 172.27.17.100 1

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set 218.x.x.105 counterpart
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 2
life 86400

internal ISETANLOT10 group policy
ISETANLOT10 group policy attributes
value of server DNS 172.27.17.100
Protocol-tunnel-VPN IPSec l2tp ipsec
username, password nectier3 dPFBFnrViJi/LGbT encrypted privilege 0
username nectier3 attributes
VPN-group-policy ISETANLOT10
username password necare encrypted BkPn6VQ0VwTy7MY7 privilege 0
necare attributes username
VPN-group-policy ISETANLOT10
naraya pcGKDau9jtKgFWSc encrypted password username
naraya attribute username
VPN-group-policy ISETANLOT10
type of nas-prompt service
type tunnel-group ISETANLOT10 remote access
attributes global-tunnel-group ISETANLOT10
address lot10ippool pool
Group Policy - by default-ISETANLOT10
IPSec-attributes tunnel-group ISETANLOT10
pre-shared-key *.
tunnel-group 218.x.x.105 type ipsec-l2l
218.x.x.105 group of tunnel ipsec-attributes
pre-shared-key *.
type tunnel-group ivmstunnel remote access
tunnel-group ivmstunnel General-attributes
address lot10ippool pool
ivmstunnel group of tunnel ipsec-attributes
pre-shared-key *.
!

=====

Remote VPN access must allow the connection, but I'm guessing that your ASA does not know how to get to the two new destinations.

You have a name and a static route to the job to 172.47.1.10 Server:

name 172.47.1.10 NarayaServer description Naraya Server

route inside NarayaServer 255.255.255.255 172.27.17.100 1

.. but no equivalent for the two new hosts. As a result, all traffic of ASA destiny for them will attempt to use the default route (via the external interface).

If you add:

route inside 172.57.1.10 255.255.255.255 172.27.17.100

route inside 172.57.1.20 255.255.255.255 172.27.17.100

(assuming this is your correct entry), it should work.

IPSec VPN: connected to the VPN but cannot access resources

Hello

I configured a VPN IPSec on two ISP with IP SLA configured, there is a redundancy on the VPN so that if address main is it connect to the VPN backup.

QUESTIONS

-Connect to the primary address and I can access resources

-backup address to connect but can not access resources for example servers

I want a way to connect to backup and access on my servers resources. Please help look in the config below

configuration below:

interface GigabitEthernet0/0

LAN description

nameif inside

security-level 100

IP 192.168.202.100 255.255.255.0

!

interface GigabitEthernet0/1

Description CONNECTION_TO_DOPC

nameif outside

security-level 0

IP address 2.2.2.2 255.255.255.248

!

interface GigabitEthernet0/2

Description CONNECTION_TO_COBRANET

nameif backup

security-level 0

IP 3.3.3.3 255.255.255.240

!

!

interface Management0/0

Shutdown

No nameif

no level of security

no ip address

management only

!

boot system Disk0: / asa831 - k8.bin

boot system Disk0: / asa707 - k8.bin

passive FTP mode

clock timezone WAT 1

DNS domain-lookup outside

DNS server-group DefaultDNS

Name-Server 4.2.2.2

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network of object obj-200

192.168.200.0 subnet 255.255.255.0

Description LAN_200

network of object obj-202

192.168.202.0 subnet 255.255.255.0

Description LAN_202

network of the NETWORK_OBJ_192.168.30.0_25 object

subnet 192.168.30.0 255.255.255.128

network of the RDP_12 object

Home 192.168.202.12

Web server description

service object RDP

source eq 3389 destination eq 3389 tcp service

network obj012 object

Home 192.168.202.12

the Backup-PAT object network

192.168.202.0 subnet 255.255.255.0

NETWORK LAN UBA description

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

the DM_INLINE_NETWORK_2 object-group network

network-object object obj-200

network-object object obj-202

access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

OUTSIDE_IN list extended access permit icmp any any idle state

OUTSIDE_IN list extended access permit tcp any object obj012 eq inactive 3389

gbnltunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnltunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

BACKUP_IN list extended access permit icmp any any idle state

access extensive list ip 196.216.144.0 encrypt_acl allow 255.255.255.192 192.168.202.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

backup of MTU 1500

Backup2 MTU 1500

local pool GBNLVPNPOOL 192.168.30.0 - 192.168.30.100 255.255.255.0 IP mask

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any backup

ASDM image disk0: / asdm-645 - 206.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

NAT (inside, outside) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 non-proxy-arp-search of route static destination

!

network of object obj-200

NAT dynamic interface (indoor, outdoor)

network of object obj-202

dynamic NAT (all, outside) interface

network obj012 object

NAT (inside, outside) interface static service tcp 3389 3389

the Backup-PAT object network

dynamic NAT interface (inside, backup)

!

NAT source auto after (indoor, outdoor) dynamic one interface

Access-group interface inside INSIDE_OUT

Access-group OUTSIDE_IN in interface outside

Access-group BACKUP_IN in the backup of the interface

Route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 followed by 100

Backup route 0.0.0.0 0.0.0.0 3.3.3.3 254

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

value of the URL-list GBNL-SERVERS

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

AAA authentication enable LOCAL console

http server enable 441

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

http 192.168.30.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outdoors

http 0.0.0.0 0.0.0.0 backup

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

ALS 10 monitor

type echo protocol ipIcmpEcho 31.13.72.1 interface outside

NUM-package of 5

Timeout 3000

frequency 5

Annex monitor SLA 10 life never start-time now

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto IPSec_map 10 corresponds to the address encrypt_acl

card crypto IPSec_map 10 set peer 196.216.144.1

card crypto IPSec_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside crypto map inside_map interface

ipsec_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

ipsec_map interface card crypto outside

gbnltunnel card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

backup of crypto gbnltunnel interface card

Crypto ca trustpoint ASDM_TrustPoint0

Terminal registration

name of the object CN = GBNLVPN.greatbrandsng.com, O = GBNL, C = ng

Configure CRL

Crypto ikev1 allow inside

Crypto ikev1 allow outside

Crypto ikev1 enable backup

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

enable client-implementation to date

!

track 10 rtr 100 accessibility

!

Track 100 rtr 10 accessibility

Telnet 192.168.200.0 255.255.255.0 inside

Telnet 192.168.202.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.202.0 255.255.255.0 inside

SSH 192.168.200.0 255.255.255.0 inside

SSH 0.0.0.0 0.0.0.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH 0.0.0.0 0.0.0.0 backup

SSH timeout 30

SSH group dh-Group1-sha1 key exchange

Console timeout 0

management-access inside

a basic threat threat detection

threat detection statistics

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

WebVPN

allow outside

enable backup

activate backup2

internal gbnltunnel group policy

attributes of the strategy of group gbnltunnel

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

greatbrandsng.com value by default-field

Group Policy 'Group 2' internal

type of remote access service

type tunnel-group gbnltunnel remote access

tunnel-group gbnltunnel General-attributes

address GBNLVPNPOOL pool

Group Policy - by default-gbnltunnel

gbnltunnel group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group GBNLSSL remote access

type tunnel-group GBNL_WEBVPN remote access

attributes global-tunnel-group GBNL_WEBVPN

Group Policy - by default-gbnltunnel

tunnel-group 196.216.144.1 type ipsec-l2l

IPSec-attributes tunnel-group 196.216.144.1

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

HPM topN enable

Cryptochecksum:6004bf457c9c0bc1babbdbf1cd8aeba5

: end

When you say that "the external interface is downwards using failover techniques" you mean this failover occurred because the ASA is no longer able to reach the 31.13.72.1? Not that the actual interface is broken?

If this is the case, then the NATing is your problem. Since you're using the same VPN pool for VPN connections the ASA cannot distinguish between the two streams of traffic if the external interface is still in place. The SLA tracking only removes a route in the routing table, but does not affect what happens in the NAT process.

try to change the NAT statement follows him and the test (don't forget to remove the other statements to exempt of NAT for this traffic during the test):

NAT (inside,any) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

If this does not work, I would either turn off the external interface when a failover occurs, or create a second connection profile that contains a separate mass of IP for the VPN connection and ask users to connect using this profile when a failover takes place. Don't forget to create Nat exempt instructions for this traffic also.

--

Please note all useful posts

VPN connects but no remote LAN access

Hello

I'll put up on a PIX 501 VPN remote access.

When I try to connect via VPN software, I am able to connect but I am unable to access LAN resources.

I have pasted below part of which seems relevant to my setup. I'm stuck on this issue, could someone help me? Thanks in advance.

ethernet0 nameif outside security0
nameif ethernet1 inside the security100
test.local domain name
name 10.0.2.0 inside
name 10.0.2.13 MSExchange-en
2.2.2.2 the MSExchange-out name

outside_access_in tcp allowed access list all gt 1023 host 2.2.2.2 eq smtp
outside_access_in list access permit tcp any host 2.2.2.2 eq https
outside_access_in list access permit tcp any host 2.2.2.2 eq www
inside_outbound_nat0_acl 10.0.2.0 ip access list allow 255.255.255.0 192.168.235.0 255.255.255.192
access-list 101 permit icmp any one

3.3.3.3 exterior IP address 255.255.255.0
IP address inside 10.0.2.254 255.255.255.0
IP local pool vpn_pool 192.168.235.1 - 192.168.235.15
IP local pool vpn_pool_2 192.168.235.16 - 192.168.235.40

1 3.3.3.4 (outside) global
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) 2.2.2.2 10.0.2.13 netmask 255.255.255.255 1000 1000
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 3.3.3.1 1

RADIUS Protocol RADIUS AAA server
AAA-server RADIUS (inside) host 10.0.2.3 * timeout 10
AAA-server local LOCAL Protocol

Permitted connection ipsec sysopt
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto-map dynamic dynmap 10 game of transformation-ESP-3DES-MD5
map outside_map 90-isakmp ipsec crypto dynamic dynmap
card crypto outside_map the LOCAL RADIUS client authentication
outside_map interface card crypto outside
ISAKMP allows outside
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
vpngroup signal address vpn_pool pool
vpngroup dns-server 10.0.2.3 signal
vpngroup default-field test.local signal
vpngroup idle time 1800 signal
vpngroup max-time 14400 signal
signal vpngroup password *.
vpngroup TF vpn_pool_2 address pool
vpngroup dns-server 10.0.2.3 TF
TF vpngroup default-domain test.local
vpngroup TF 1800 idle time
vpngroup max-time 14400 TF
TF vpngroup password *.

Kind regards

Joana

Very similar to the question of the configuration of the switch. You should check if there is no specific roads on the switch outside the default gateway. The switch should route the subnet pool ip to the firewall (10.0.2.254).

ASA 5505 IPSEC VPN connected but cannot access the local network

ASA: 8.2.5

ASDM: 6.4.5

LAN: 10.1.0.0/22

Pool VPN: 172.16.10.0/24

Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

Here is my setup, wrong set up anything?

ASA Version 8.2 (5)

!

hostname asatest

domain XXX.com

activate 8Fw1QFqthX2n4uD3 encrypted password

g9NiG6oUPjkYrHNt encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 10.1.1.253 255.255.252.0

!

interface Vlan2

nameif outside

security-level 0

address IP XXX.XXX.XXX.XXX 255.255.255.240

!

passive FTP mode

clock timezone PST - 8

clock summer-time recurring PDT

DNS server-group DefaultDNS

domain vff.com

vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

pager lines 24

Enable logging

timestamp of the record

logging trap warnings

asdm of logging of information

logging - the id of the device hostname

host of logging inside the 10.1.1.230

Within 1500 MTU

Outside 1500 MTU

IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA-server protocol nt AD

AAA-server host 10.1.1.108 AD (inside)

NT-auth-domain controller 10.1.1.108

Enable http server

http 10.1.0.0 255.255.252.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 10.1.0.0 255.255.252.0 inside

SSH timeout 20

Console timeout 0

dhcpd outside auto_config

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group vpntest strategy

Group vpntest policy attributes

value of 10.1.1.108 WINS server

Server DNS 10.1.1.108 value

Protocol-tunnel-VPN IPSec l2tp ipsec

disable the password-storage

disable the IP-comp

Re-xauth disable

disable the PFS

IPSec-udp disable

IPSec-udp-port 10000

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpntest_splitTunnelAcl

value by default-domain XXX.com

disable the split-tunnel-all dns

Dungeon-client-config backup servers

the address value vpnpool pools

admin WeiepwREwT66BhE9 encrypted privilege 15 password username

username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

tunnel-group vpntest type remote access

tunnel-group vpntest General attributes

address vpnpool pool

authentication-server-group AD

authentication-server-group (inside) AD

Group Policy - by default-vpntest

band-Kingdom

vpntest group tunnel ipsec-attributes

pre-shared-key BEKey123456

NOCHECK Peer-id-validate

!

!

privilege level 3 mode exec cmd command perfmon

privilege level 3 mode exec cmd ping command

mode privileged exec command cmd level 3

logging of the privilege level 3 mode exec cmd commands

privilege level 3 exec command failover mode cmd

privilege level 3 mode exec command packet cmd - draw

privilege show import at the level 5 exec mode command

privilege level 5 see fashion exec running-config command

order of privilege show level 3 exec mode reload

privilege level 3 exec mode control fashion show

privilege see the level 3 exec firewall command mode

privilege see the level 3 exec mode command ASP.

processor mode privileged exec command to see the level 3

privilege command shell see the level 3 exec mode

privilege show level 3 exec command clock mode

privilege exec mode level 3 dns-hosts command show

privilege see the level 3 exec command access-list mode

logging of orders privilege see the level 3 exec mode

privilege, level 3 see the exec command mode vlan

privilege show level 3 exec command ip mode

privilege, level 3 see fashion exec command ipv6

privilege, level 3 see the exec command failover mode

privilege, level 3 see fashion exec command asdm

exec mode privilege see the level 3 command arp

command routing privilege see the level 3 exec mode

privilege, level 3 see fashion exec command ospf

privilege, level 3 see the exec command in aaa-server mode

AAA mode privileged exec command to see the level 3

privilege, level 3 see fashion exec command eigrp

privilege see the level 3 exec mode command crypto

privilege, level 3 see fashion exec command vpn-sessiondb

privilege level 3 exec mode command ssh show

privilege, level 3 see fashion exec command dhcpd

privilege, level 3 see the vpnclient command exec mode

privilege, level 3 see fashion exec command vpn

privilege level see the 3 blocks from exec mode command

privilege, level 3 see fashion exec command wccp

privilege see the level 3 exec command mode dynamic filters

privilege, level 3 see the exec command in webvpn mode

privilege control module see the level 3 exec mode

privilege, level 3 see fashion exec command uauth

privilege see the level 3 exec command compression mode

level 3 for the show privilege mode configure the command interface

level 3 for the show privilege mode set clock command

level 3 for the show privilege mode configure the access-list command

level 3 for the show privilege mode set up the registration of the order

level 3 for the show privilege mode configure ip command

level 3 for the show privilege mode configure command failover

level 5 mode see the privilege set up command asdm

level 3 for the show privilege mode configure arp command

level 3 for the show privilege mode configure the command routing

level 3 for the show privilege mode configure aaa-order server

level mode 3 privilege see the command configure aaa

level 3 for the show privilege mode configure command crypto

level 3 for the show privilege mode configure ssh command

level 3 for the show privilege mode configure command dhcpd

level 5 mode see the privilege set privilege to command

privilege level clear 3 mode exec command dns host

logging of the privilege clear level 3 exec mode commands

clear level 3 arp command mode privileged exec

AAA-server of privilege clear level 3 exec mode command

privilege clear level 3 exec mode command crypto

privilege clear level 3 exec command mode dynamic filters

level 3 for the privilege cmd mode configure command failover

clear level 3 privilege mode set the logging of command

privilege mode clear level 3 Configure arp command

clear level 3 privilege mode configure command crypto

clear level 3 privilege mode configure aaa-order server

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

: end

Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

Customer remote cannot access the server LAN via VPN

Hi friends,

I'm a new palyer in ASA.

My business is small. We need to the LAN via VPN remote client access server.

I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.

Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.

Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.

Who can help me?

Thank you very much.

The following configuration:

ASA Version 7.0(7)
!
hostname VPNhost
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 10
ip address 221.122.96.51 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.42.199 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns domain-lookup inside
access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
access-list allow_PING extended permit icmp any any inactive
access-list Internet extended permit ip host 221.122.96.51 any inactive
access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.43.10-192.168.43.20

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 access-list PAT_acl
route outside 0.0.0.0 0.0.0.0 221.122.96.49 10

username testuser password 123
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3

no sysopt connection permit-ipsec
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 3600
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *
telnet timeout 5

ssh timeout 10
console timeout 0

: end

Topology as follows:

Hello

Configure the split for the VPN tunneling.

Create the access list that defines the network behind the ASA.

ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0

Mode of configuration of group policy for the policy you want to change.

ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#

Specify the policy to split tunnel. In this case, the policy is tunnelspecified.
```
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified 
```

Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.

ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

Type this command:

ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes

Associate the group with the tunnel group policy

ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn

Leave the two configuration modes.

ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#

Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.

Kind regards
Abhishek Purohit
CCIE-S-35269

ASA 5505 VPN remote cannot access with my local network

Hello guys, I have a problem with my asa 5505 remote VPN access to the local network, the VPn connection works well and connected, but the problem is that I can't reach my inside connection network of 192.168.30.x, here's my setup, please can you help me

ASA Version 8.2 (1)

!

!

interface Vlan1

nameif inside

security-level 100

192.168.30.1 IP address 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 155.155.155.10 255.255.255.0

!

interface Vlan5

No nameif

no level of security

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

inside_nat0_outbound list of allowed ip extended access any 192.168.100.0 255.255.255.240

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool vpn-pool 192.168.100.1 - 192.168.100.10 mask 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

Mull strategy of Group internal

attributes of the Group mull strategy

Protocol-tunnel-VPN IPSec

username privilege 0 encrypted password eKJj9owsQwAIk6Cw xxx

VPN-group-policy Mull

type mull tunnel-group remote access

tunnel-group mull General attributes

address vpn-pool pool

Group Policy - by default-mull

Mull group tunnel ipsec-attributes

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Yes, you will need to either configure split tunnel so that internet traffic goes out through your local Internet service provider, GOLD / directed by configuration current you are tunneling all traffic (internet traffic Inc.) to the ASA, then you will need to create NAT for internet traffic.

To set up a tunnel from split:

split-acl access-list allowed 192.168.30.0 255.255.255.0

attributes of the Group mull strategy

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split-acl

I hope this helps.

IPSec VPN (remote VPN access) - dynamic NAT

Similar Questions

Maybe you are looking for