Local Lan access through the ASA5510

I'm at my wits end trying to figure this. We are trying to replace our good ol 3030 ' with an ASA 5510 vpn purposes. I have setup the ASA as follows:

E0/0 is the public interface: xxx.xxx.199.10/24

E0/1 is the private interface: 172.20.72.0/24

Remote clients obtain an address of 10.12.27.xxx of the SAA.

The customer get the address very well, but can not access what anyone on the 172.20.72.xxx network. This piece I am missing? Some NAT type?

William, glad everything worked, remember messages useful rate.

Concerning

Tags: Cisco Security

Similar Questions

How to grant local LAN access when you are connected via a central-site

I know how to activate the local LAN access in the properties for the client connection, but I don't know how to allow access to the central site

Central site is a CISCO 1721 with module as well as IOS IPSEC VPN

tanks for any help

Hello

This feature is only supported when you connect to a VPN3K box, its not available for PIX/IOS as a vpn server, allowing it on the client-side custom has no effect when you connect to a server of PIX/IOS.

THX

AFAQ

Setting up a local network private through the device that extracts public wifi internet

I travel a lot in a RV I don't have a continuous Internet connection wherever I go, usually a public wifi some Camping I am for. I have several devices that I use, but I don't want that they are open to the public wifi network. I've had people send photos from their phone to my Xbox so that I use and I want to be more secure and control my devices.

I have a knowledge of basic networking. I was able to use my laptop to connect to a public wifi and then share the connection through Windows on the LAN ethernet port. I then connect that to my old Netgear DGND3700v2 DSL model with its DHCP function disabled. It worked for several months now, and I am able to connect to the ports of my router modem and lan with my devices. But some games on the xbox does not work because I can't redirect ports or control static and other IP addresses. I think that there should be a much easier way to do it.

I looked in my router Repeater functions, but I don't think that's the way I need to go. I have no access to the routers of the campsites configure them as bases. I need something that will pull simply bind an existing wifi and then deliver this private to my LAN connection.

Thanks in advance for any advice.

It worked perfectly. I bought a Netgear AC1200 and easily plugged into the local public wifi. I then wired to the LAN cable/Fiber gray on the Netgear router port and then reset the router ran smart installation thereon and he set up hands down with a new local network on a separate ip address range. Now all my devices independently connect to my router via wifi or LAN and use internet through the Extender without that person outside to get in and I don't have my laptop of aging on all the time to do so.

How to establish a local router connection through the internet

How can I establish a local always on connection router through the internet. I would like to be able to access our local wireless network when you are away from the office.

Thank you!

The major goal of a router with internet is to protect the network from attacks through the firewall. The last thing you want to do is reduce this function.

If you want to access services on specific systems, you can transfer individual ports of these systems. Thus, for example, if one of the internal devices runs a web server you can before port 80 on this device.

However, if you want to make your PC to appear as if it is on the local network, then that requires the use of a VPN tunnel, which depends on the capability of the router.

VPN Local lan access

I have set up a cisco 861 as a vpn server. Could I help you if someone can tell what is the problem? Clients can connect, but cannot access local resources from lan for subnet 10.0.10.0

Building configuration...

Current configuration: 9770 bytes
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec localtime

Show time-zone
Log service timestamps datetime localtime show msec.

time zone
encryption password service
sequence numbers service
!
hostname RT861W
!
boot-start-marker
start the flash c860-universalk9 - mz.124 - 24.T3.bin system
boot-end-marker
!
forest-meter operation of syslog messages
logging buffered 4096 warnings
recording console critical
enable secret 5 xxxxxxxx
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone IS - 4
clock save interval 24
!
Crypto pki trustpoint TP-self-signed-3796206546
enrollment selfsigned
name of the object cn = IOS-Self-signed-certificate-

3796206546
revocation checking no
rsakeypair TP-self-signed-3796206546
!
!
chain pki crypto TP-self-signed certificates.

3796206546
certificate self-signed 01
30820259 308201 2 A0030201 02020101 300 D 0609

2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 31312F30

2 536967 6E65642D 43657274
69666963 33373936 32303635 6174652D 3436301E

170 3130 30363130 32323534
33395A 17 0D 323030 31303130 30303030 305A 3031

06035504 03132649 312F302D
65642 43 65727469 5369676E 656C662D 4F532D53

66696361 74652 33 37393632
3630819F 30363534 300 D 0609 2A 864886 F70D0101

01050003 818 0030 81890281
81009C 68 0509FEBA BA0D4251 52AA3F1C DBB7CACB

138D0D3D 8017AB75 04AABD97
16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6

EB32858B 4385DE6C 3ED11616
2B997D14 C6C86431 9A 956161 2D0581F4 767D60E1

82FF426A 911D503E 8995A69B
6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464

E6DA7E06 44F94B16 3EA57809
5B 710203 010001 HAS 3 8180307E 300F0603 551D 1301

01FF0405 FF302B06 30030101
11 04243022 82205254 38363157 2E636F6C 03551D

6C696E73 2E316661 6D696C79
756E6974 65642E63 6F6D301F 0603551D 23041830

1680142C 21E7314B D28AFE1A
26115A1B F53AFB03 1 060355 1D0E0416 0ED1A830

04142C 21 E7314BD2 8AFE1A26
115A1BF5 3AFB030E D1A8300D A 06092, 86 4886F70D

01010405 00038181 008CC48F
6A1BFB52 0F268B05 B977AE8E CA450936 8272 D 889

B46DE9FB 5680782C 59DA2354
04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22

C7BED922 73C35C32 54696F37
89E424C2 561FFF54 99573AC6 713E58D8 E3B67064

295 4331 845FCDEC F6CD8017 D
58006 58 F94A8771 78217788 FE63AA11 0E5DF6B1

1A8D0111 CDD87A1D CC
quit smoking
no ip source route
no ip free-arps
chip-Relay IP dhcp
ignore the IP dhcp bootp
DHCP excluded-address IP 10.0.1.1 10.0.1.10
DHCP excluded-address IP 10.0.10.1 10.0.10.10
!
dhcp VLAN_10 IP pool
Network 10.0.10.0 255.255.255.224
router by default - 10.0.10.1
Domain xxxxxx
10.0.10.1 DNS server
!
dhcp VLAN_1 IP pool
Network 10.0.1.0 255.255.255.224
default router 10.0.1.1
Domain xxxxxx
10.0.1.1 DNS server
!
!
IP cef
inspect the IP log drop-pkt
IP inspect high 1100 max-incomplete
IP inspect 1100 max-incomplete bass
IP inspect a high minute 1100
IP inspect a minute low 1100
inspect the IP udp idle time 60
inspect the IP dns-timeout 10
inspect the name firewall tcp timeout IP 3600
inspect the name firewall udp timeout 15 IP
inspect the name firewall ftp queue time 3600 IP
inspect the name firewall rcmd timeout IP 3600
IP inspect alert firewall smtp name on timeout 3600
inspect the name firewall sqlnet timeout IP 3600
inspect the IP name firewall tftp timeout 30
inspect the name firewall icmp time 15 IP
inspect the name firewall ssh timeout 15 IP
IP inspect name Connection Firewall audit trail on
inspect the name webster firewall IP
IP inspect skinny firewall name
inspect the router IP firewall name
inspect the IP firewall cifs name
inspect the name cuseeme firewall IP
IP inspect the dns name of the firewall
inspect the name realaudio firewall IP
inspect the name firewall rtsp IP
inspect the name streamworks firewall IP
inspect the name vdolive firewall IP
inspect the IP sip firewall name
inspect the name firewall pop3 alert on reset IP
inspect the name ftps firewall IP
inspect the name isakmp firewall IP
inspect the IP name of firewall ipsec-msft
inspect the name ntp FIREWALL IP
inspect the IP name firewall imap
inspect the name imaps firewall IP
inspect the name imap3 FIREWALL IP
inspect the name pop3s firewall IP
no ip bootp Server
IP domain name xxxxxxxxx
8.8.8.8 IP name-server
IP-server names 8.8.4.4
name-server IP 208.67.222.222
IP-server names 208.67.220.220
name of the IP-server 74.128.19.102
name of the IP-server 74.128.17.114
!
!
notify licensing agent

http://10.0.10.11:9710 / clm/servlet/HttpListenServlet

dummy dummy 2.0
!
!
username privilege 15 secret 5 xxxx xxxxxx
username xxxxx xxxxx secret 5
!
!
crypto ISAKMP policy 3
BA aes 256
preshared authentication
Group 2
ISAKMP crypto nat keepalive 3600
!
ISAKMP crypto client configuration group xxxxx
key xxxxxx
DNS 10.0.10.5
domain xxxxxxxx
pool vpnpool
include-local-lan
netmask 255.255.255.224
!
!
Crypto ipsec transform-set esp esp - aes 256 RIGHT-

model of hmac-SHA-lzs
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client authentication

userauthen
card crypto clientmap isakmp authorization list

groupauthor
client configuration address map clientmap crypto

initiate
client configuration address map clientmap crypto

answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
Crypto ctcp port 6000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
Bridge IRB
!
!
!
interface Loopback0
IP 10.100.100.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
switchport mode trunk
!
interface FastEthernet4
WAN description $ FW_OUTSIDE$
address IP dhcp client id FastEthernet4
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
stream IP output
inspect the firewall on IP
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
wlan-ap0 interface
description of the Service interface module to manage the

Embedded AP
IP unnumbered Vlan1
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP virtual-reassembly
ARP timeout 0
!
interface GigabitEthernet0 Wlan
description of the Service interface module to manage the

Embedded AP
switchport mode trunk
!
interface Vlan1
VLAN_1 description $ FW_INSIDE$
IP 10.0.1.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface Vlan10
VLAN_10 description $ FW_INSIDE$
IP 10.0.10.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface BVI1
Description $FW_INSIDE$
in the form of address IP WAPB dhcp host name
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
no ip-cache cef route
no ip route cache
!
router RIP
version 1
10.0.0.0 network
!
IP local pool vpnpool 197.0.0.1 197.0.0.5
no ip forward-Protocol nd
IP route 0.0.0.0 0.0.0.0 dhcp
IP route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
!
The dns server IP
IP nat inside source list 1 interface FastEthernet4

Overload
IP nat inside source list 2 interface FastEthernet4

Overload
IP nat inside source static tcp 10.0.10.3 3389

interface FastEthernet4 3389
IP nat inside source static tcp 10.0.10.3 1723

interface FastEthernet4 1723
IP nat inside source static tcp 10.0.10.3 80

interface FastEthernet4 80
!
record 10.0.10.1
access-list 1 permit 10.0.1.0 0.0.0.31
access-list 2 permit 10.0.10.0 0.0.0.31
access-list 199 permit any one
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp a whole Workbench
access-list 199 permit udp any any eq 3389
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 tcp refuse a whole
access-list 199 tcp 10.0.0.0 refuse 0.255.255.255 everything
access-list 199 tcp 172.16.0.0 refuse 0.15.255.255

any
access-list 199 tcp 192.168.0.0 refuse 0.0.0.255 any
access-list 199 refuse udp 10.0.0.0 0.255.255.255 everything
access-list 199 refuse udp 172.16.0.0 0.15.255.255

any
access-list 199 refuse udp 192.168.0.0 0.0.0.255 any
access-list 199 refuse icmp no echo
access-list 199 deny udp any how any eq 135
access-list 199 deny udp any any eq netbios-ns
access-list 199 deny udp any any eq netbios-ss
access-list 199 deny udp any any eq isakmp
access-list 199 tcp refuse any any eq telnet
access-list 199 tcp refuse any any eq smtp
access-list 199 tcp refuse any any eq nntp
access-list 199 tcp refuse any any eq 135
access-list 199 tcp refuse any any eq 137
access-list 199 tcp refuse any any eq 139
access-list 199 tcp refuse any any eq www
access-list 199 tcp refuse any any eq 443
access-list 199 tcp refuse any any eq 445
access-list 199 refuse an entire ip
not run cdp

!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
bridge 10 Protocol ieee
IP route 10 bridge
connection of the banner ^ CAuthorized access only!
Unplug IMMEDIATELY if you are not authorized

user! ^ C
!
Line con 0
no activation of the modem
telnet output transport
line to 0
telnet output transport
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transportation out all
line vty 0 4
access-class 104 in
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
Server NTP 192.43.244.18
end

Hello

The problem is due to NAT configurations. Please, try the following:

no nat ip within the source list 1 interface FastEthernet4 overload

no nat ip inside the source list 2 interface FastEthernet4 overload

access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7

access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255

access-list 101 permit ip 10.0.0.0 0.0.255.31 all

Internet route map

corresponds to the IP 101

output

IP nat inside source overload map route Internet interface FastEthernet4

This will ensure that the VPN clients can access all internal

resources. However, they will not be able to access to the 10.0.10.3 Server

using its private IP address that you can not use the roadmap, when you use the

keyword "interface." If you have a static IP address assigned to your FastEthernet4

You can then use the interface by the ISP, the configuration below:

access-list 102 refuse host ip 10.0.10.3 197.0.0.0 0.0.0.7

access-list 102 refuse 10.0.10.3 ip host 10.0.0.0 0.0.255.255

access-list 102 permit ip 10.0.10.3 host everything

route server map

corresponds to the IP 101

output

no nat ip inside source static tcp 10.0.10.3 interface FastEthernet4 3389

3389

no nat ip inside the source static tcp 10.0.10.3 1723 interface FastEthernet4

1723

no nat ip inside the 80 tcp static 10.0.10.3 source FastEthernet4 80 interface

IP nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389

route server map

IP nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 ip" 1723

route server map

IP nat inside source static tcp 10.0.10.3 80 'FastEthernet4 ip' 80-route map

Server

I hope this helps.

Kind regards

NT

PDF files accessed through the Explorer freeze

Using Window 7 and Acrobat X Pro. Have had this problem for some time. If the PDFs are open short Adobe cut files work fine and can be moved to different screens. However, if the files are opened through the Explorer 80% of the time they open and missing the top of the header, is unable to move the file or drag to another screen. Need to minimize and bring back several times before it corrects itself (now, it does not correct itself). Have to spend a lot of time to open the main shortcut files.
I ran the updates, repairs etc with no luck. All of the suggestions.
BZ

Hi wmz96531208,

Install the drive using this link Adobe - Adobe Acrobat Reader DC Distribution, then check if it makes a difference.

Kind regards

Nicos

Local LAN access on peer-to-peer connection

I'll put up a laptop computer with Windows ME and VPN Client 3.6.3 who faces two remote sites that use the PIX 520 to 6.22. On the first site of the LAN (behind the PIX) uses a NT domain. Here, the laptop is able to connect properly to the domain and map shared drives. On the second site LAN is peer-to-peer (no logon of domain). On this site that the tunnel is created and the laptop can access web services (http, ftp, etc.) on the LAN hosts, but are unable to map shared drives. The WINS server setting seems correct. Are there additional routing or tunneling configuration to allow local access from LAN to LAN to peer? Thank you.

For Win2k, you will need to telnet to port 445 and no 139.

NetBEUI will not work through a VPN tunnel. VPNS are an IP-based solution. NetBEUI works only as a broadcast on the local network. Switched Native can handle NetBEUI, but not the VPN tunnel. Sure just that all the hosts that use TCP/IP instead of NetBEUI, and it should work fine.

Allow specific access through the Interfaces ASA 5510

Hi all

In my quest to learn Cisco IOS and devices, I need help in smoothing traffic, or access lists, allowing traffic between internal interfaces on the SAA specifically.

I have an ASA 5510:

WAN/LAN/DMZ ports labled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

Connected to the port E0/0 is a 2811 router

Connected to the port E0/1 is the (external) Internet

Connected to the port E0/2 is a 2821

(I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.

I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.

I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANS, but I'm not restrict access between them, still, at least I don't think I am. But as it is, behind the 2821 devices cannot access the DNS / DOMAIN SERVER that is located behind the 2811. Right now I have the routers DHCP power, who works there. Currently devices behind the router 2821-3560 switch cannot access the domain server, primary dns server.

How can I set the ASA to allow traffic to flow between the two routers and their VLANS?

Here's the configs of each device and I have also included my switch configs, incase something should be set on them. I only removed the passwords and the parts of the external IP address. I appreciate the help in which States to create and on which devices.

I think it is best that I put the links to the files of text here.

Thank you!

You must remove the following statements on the two routers:
-# ip nat inside source... overload
-for each # ip nat inside/outside interface, if they have configured.

Remove ads rip of the networks that are not directly connected:
-2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
-2811: 199.195.xxx.0
-ASA: 128.0.0.0

No way should be added to the routers, since he is the one by default, put in scene to ASA.

Check the tables of routing on routers and the ASA.

On ASA:

-Remove:
object-group network # PAT - SOURCE
# nat (indoor, outdoor) automatic interface after PAT-SOURCE dynamic source

-create objects of the networks behind the LAN router and enable dynamic NAT:
network object #.
subnet
NAT (inside, outside) dynamic interface

-review remains NAT rules.

-to set/adjust the lists access penetration on the interfaces. Do not forget to allow the rip on the LAN and DMZ interfaces.

-Disable rip on the outside interface.

No Local Lan access

Hello

I set up a VPN of RA for cisco router 871, I am able to connect, but I don't seem to

to have any network local access and I am not able to connect to the internet.

Also, I have configured the router as dmvpn sticks, it works as desired.

If someone has an idea, let know me please, I have attached the running configuration.

Thank you

Hello

I suggest you consult the following configuration guide that describes the split tunneling

http://www.Cisco.com/en/us/products/HW/routers/ps274/products_configuration_example09186a0080819289.shtml

What is the single subnet you want to encrypt?

splitremote extended IP access list
IP 192.168.254.0 allow 0.0.0.255 any

If Yes this LCA has not been applied in crypto isakmp client configuration group configuration. See the guide for more details.

Also your NAT config is incomplete:

NAT extended IP access list

The guide also explains how to exclude only the VPN pool using a NAT.

See the Guide below:
```
    !--- Enables Network Address Translation (NAT)

    !--- of the inside source address that matches access list 111

    !--- and gets PATed with the FastEthernet IP address.

ip nat inside source list 111 interface FastEthernet1/0 overload

    !

    

    !--- The access list is used to specify which traffic

    !--- is to be translated for the outside Internet.


    

    access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 111 permit ip any any


    Please remember to rate all posts that are helpful.

    
```

If I buy a monthly account of xfinity wifi (which allows internet access through the device unique registred) can I use apple TV connected to my TV to the stream of the device on my TV?

using apple tv to stream xfinity wifi

The Apple tv needs Internet - wifi or Ethernet. Access normally means places that they have agreements with wifi (i.e. from Starbucks, McDonald's etc.). But you will need a connection Internet for the Apple TV work from your home. Although some use the hotspot on their phone. You need a speed of ISP at 8mbps for HD streaming on iTunes or netflix requires only 5 for HD (due to compression).

short answer is that you must get xfinity as your ISP not only access hotspot...

Instruments GPIB remote access through the GPIBConf device names

Hello

I am trying to run the Labwindows 2009 SP1 code on a PC based office while trying to exploit the GPIB instruments

on another part of the network.

Normally, this isn't problem with VISA server on the target computer and the use of names of Alias VISA within the

Office PC code.

But this code was inherited and uses a different method which has been the best over time.

The code uses device name strings that have been defined using the GPIB utility: GpibConfig.exe,.

on the target computer. So when a device is first initialized, the name defined in the GPIB utility is used

by the code and the associate instrument access are reached. It works fine when the code and

the instruments are located on the same PC.

My question: is there some way I can use VISA access server remote GPIB instruments help

defined names on the computer target with the GpibConfig.exe utility?

Thank you

Gary.

The low-level GPIB functions have no knowledge functions VISA or aliases. This must be a very old application since the VISA has been around for 10 years. Have you always the source code so you can change your GPIB for VISA?

ASA + no local lan access

Hi all

I have an ASA 5510 configured, when I try to connect to my asa fom the VPN client

I can connect but can not reach my internal network.

I have attached the running configuration, if anyone has an idea please let know me.

Thank you

This NAT exemption does not seem to be correct, can you please indicate why there is exemption from NAT 2 configured on the inside interface and the other with the keyword 'outside '?

NAT (inside) 0-list of access inside_nat0_outbound_1
NAT (inside) 0 inside_nat0_outbound_2 list of outdoor access

I suggest you remove the second line because it's not really sense:

no nat (inside) 0 inside_nat0_outbound_2 list of outdoor access

Then 'clear xlate' to clear the existing translation.

Secondly, please configure: management-access inside, then once your vpn is connected, see if you can reach 192.0.0.40.

Finally, if it works, if you try to test with ping, please configure the following:

Policy-map global_policy
class inspection_default

inspect the icmp

and see if you can test the ip address of the router 192.0.0.187.

Hope that helps.

Embedded Web access through the PL/SQL gateway
Hello

I'm trying to use the PL/SQL gateway embarked on an application written for 10g XE with APEX 3.2. I can access the application from the computer on which APEX is installed by going to http:// < hostname >: 8080/apex /, but this page does not load on any other computer. I followed all the steps to configure the EPG that I could find in the guide on this forum and installation, and it still does not work.

Here's what I've done so far:
(1) run the apex_epg_config.sql script to configure the EPG
(2) unblocked the anonymous user account (EDIT USER ANONYMOUS ACCOUNT UNLOCK)
3) updated the directory of the images (apxldimg.sql)
(4) set the port HTTP (EXEC DBMS_XDB. SETHTTPPORT (8080))
(5) enabled remote access (exec dbms_xdb.setListenerLocalAccess (l_access = > FALSE))

Any thoughts on why web access may not work? Is there something else I need to do before users can access my application on the internet?

Thank you
Josh
Well, you tried to shut down (or add an exception) / firewall/antivirus?

Published by: Felipe Bertaglia on July 28, 2009 19:36 - / antivirus

ASA 5505 VPN established, cannot access inside the network

Hi, I recently got an ASA 5505, and I spent weeks to find a way to set up a VPN on it.

After a few days, I finally found the solution to connect to my ASA with a VPN client yet and cannot access devices that are connected to the ASA.

Here is my config:

ASA Version 8.2 (5)
!
hostname asa01
domain kevinasa01.net
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan5
No nameif
security-level 50
IP 172.16.1.1 255.255.255.0
!
passive FTP mode
DNS server-group DefaultDNS
domain kevinasa01.net
permit same-security-traffic intra-interface
Remote_Kevin_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.254.0 255.255.255.240
inside_nat0_outbound list of allowed ip extended access all 192.168.254.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
sheep - in extended Access-list allow IP 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access extensive list ip 192.168.254.0 outside_access_in allow 255.255.255.0 any
access extensive list ip 192.168.254.0 inside_access_in allow 255.255.255.0 any
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
pool pool 192.168.254.1 - 192.168.254.10 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (outside) 1 192.168.254.0 255.255.255.0
NAT (inside) 0 access-list sheep - in
NAT (inside) 1 192.168.1.0 255.255.255.0
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group outside_access_in in interface outside
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
dhcpd allow inside
!

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal Remote_Kevin group strategy
attributes of Group Policy Remote_Kevin
value of server DNS 192.168.1.12 192.168.1.13
VPN - connections 3
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Remote_Kevin_splitTunnelAcl
kevinasa01.NET value by default-field
username kevin mz6JxJib/sQqvsw9 password encrypted privilege 0
username kevin attributes
VPN-group-policy Remote_Kevin
type tunnel-group Remote_Kevin remote access
attributes global-tunnel-group Remote_Kevin
address-pool
Group Policy - by default-Remote_Kevin
IPSec-attributes tunnel-group Remote_Kevin
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
: end

Thank you

Hello

I read your message quickly through my cell phone. I don't know why you have spent your config twice. Maybe a typo issue.

I see the acl sheep in the wrong way. I mean 192.168.254 are your pool VPN and 192.168.1.0 your local LAN.

The acl must be:

sheep - in extended access-list permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

For nat (inside), you have 2 lines:

NAT (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant as the 1 below does the same thing with more networks if there is inside side. You can delete it.
NAT (inside) 1 0.0.0.0 0.0.0.0

Why are you doing this nat (outside)?

NAT (outside) 1 192.168.254.0 255.255.255.0

Here are the first questions that I have seen by reading through my mobile. Let's change this and let me know. I'll take a look later with a computer (tonight or tomorrow)

Thank you.

PS: Please do not forget to rate and score as good response if this solves your problem.

Cisco VPN Client anything cannot access through VPN on an ASA5505 8.4

Hello

Completely new to Cisco ASA and the need to get this working ASAP.

8.4 (1) ASA 5505 is the secondary FW and I need to authorize all out and block everything coming, but for the VPN clients. Since a jerk of Cisco, I used the ASDM and it's sorcerers to make this work, which may explain my situation.

192.168.101.0/24 is the local network

192.168.101.5 is the IP of ASA

192.168.101.2 is the primary FW (and the default gateway for servers, I have to access through the VPN)

10.10.101.0/24 is the VPN IP range (this can be what you want, I'm not married to it somehow)

My Cisco VPN Client connects to the ASA and receives 10.10.101.1 IP address, but I get no connectivity to the ASA or any other 192.168.101.x or service server (tried RDP, telnet, ping, etc.)

Configuration file is attached.

Help pretty please!

Thank you.

Did you add a route for the VPN Pool on the main firewall to the ASA?

Best regards

Peer

Sent by Cisco Support technique iPad App

Local Lan access through the ASA5510

Similar Questions

Maybe you are looking for