Need help to access the internal network via VPN on ASA5505 8.4 (1)

Similar Questions

• Cannot access the internal network of VPN with PIX 506th

  Hello

  I seem to have a problem with the configuration of my PIX. I ping the VPN client from the network in-house, but cannot cannot access all the resources of the vpn client. My running configuration is the following:

  Building configuration...

  : Saved

  :

  6.3 (5) PIX version

  interface ethernet0 car

  Auto interface ethernet1

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the encrypted password of N/JZnmeC2l5j3YTN

  2KFQnbNIdI.2KYOU encrypted passwd

  hostname SwantonFw2

  domain name * *.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list outside_access_in allow icmp a whole

  allow_ping list access permit icmp any any echo response

  allow_ping list all permitted access all unreachable icmp

  access-list allow_ping allow icmp all once exceed

  the INSIDE-IN access list allow inside the interface tcp interface outside

  list access to the INSIDE-IN permit udp any any eq field

  list access to the INSIDE-IN permit tcp any any eq www

  list access to the INSIDE-IN permit tcp any any eq ftp

  list access to the INSIDE-IN permit icmp any any echo

  the INSIDE-IN permit tcp access list everything all https eq

  permit access ip 192.168.0.0 list inside_outbound_nat0_acl 255.255.255.0 192.168.240.0 255.255.255.0

  swanton_splitTunnelAcl ip access list allow a whole

  outside_cryptomap_dyn_20 ip access list allow any 192.168.240.0 255.255.255.0

  no pager

  Outside 1500 MTU

  Within 1500 MTU

  192.168.1.150 outside IP address 255.255.255.0

  IP address inside 192.168.0.35 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP pool local VPN_Pool 192.168.240.1 - 192.168.240.254

  location of PDM 0.0.0.0 255.255.255.0 outside

  location of PDM 192.168.1.26 255.255.255.255 outside

  location of PDM 192.168.240.0 255.255.255.0 outside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 192.168.0.0 255.255.255.0 0 0

  Access-group outside_access_in in interface outside

  group-access INTERIOR-IN in the interface inside

  Route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.0.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20

  Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  client authentication card crypto outside_map LOCAL

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 20

  encryption of ISAKMP policy 20

  ISAKMP policy 20 md5 hash

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 86400

  Swanton vpngroup address pool VPN_Pool

  vpngroup swanton 192.168.1.1 dns server

  vpngroup swanton splitting swanton_splitTunnelAcl tunnel

  vpngroup idle 1800 swanton-time

  swanton vpngroup password *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.0.36 - 192.168.0.254 inside

  dhcpd dns 8.8.8.8 8.8.4.4

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  dhcpd allow inside

  scott hwDnqhIenLiwIr9B of encrypted privilege 15 password username

  username password encrypted ET3skotcnISwb3MV privilege 2 norm

  username password tarmbrecht Zre8euXN6HxXaSdE encrypted privilege 2

  username, password jlillevik 9JMTvNZm3dLhQM/W encrypted privilege 2

  username privilege 15 encrypted password 49ikl05C8VE6k1jG ruralogic

  username bzeiter 1XjpdpkwnSENzfQ0 encrypted password privilege 2

  name of user mwalla encrypted password privilege 2 l5frk9obrNMGOiOD

  username heavyfab1 6.yy0ys7BifWsa9k encrypted password privilege 2

  username heavyfab3 6.yy0ys7BifWsa9k encrypted password privilege 2

  username heavyfab2 6.yy0ys7BifWsa9k encrypted password privilege 2

  username djet encrypted password privilege 2 wj13fSF4BPQzUzB8

  username, password cmorgan y/NeUfNKehh/Vzj6 encrypted privilege 2

  username password cmayfield Pe/felGx7VQ3I7ls encrypted privilege 2

  username privilege 2 encrypted password zQEQceRITRrO4wJa jeffg

  Terminal width 80

  Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8

  : end

  [OK]

  Any help will be greatly appreciated

  BJ,

  You try to access resources behind the inside interface network?

  IP address inside 192.168.0.35 255.255.255.0

  If so, please make the following changes:

  1 SWANTON_VPN_SPLIT permit access ip 192.168.0.0 list 255.255.255.0 192.168.240.0 255.255.255.0

  2-no vpngroup swanton splitting swanton_splitTunnelAcl tunnel

  Swanton vpngroup split tunnel SWANTON_VPN_SPLIT

  outside_cryptomap_dyn_20 3-no-list of ip access allowing any 192.168.240.0 255.255.255.0

  4 - isakmp nat-traversal 30

  Let me know how it goes.

  Portu.

  Please note all useful posts

• Cisco ASA 5505 VPN L2TP cannot access the internal network

  Hello

  I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.

  Can you jhelp me to find the problem?

  I have Cisco ASA:

  within the network - 192.168.1.0

  VPN - 192.168.168.0 network

  I have the router to 192.168.1.2 and I cannot ping or access this router.

  Here is my config:

  ASA Version 8.4 (3)

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 198.X.X.A 255.255.255.248

  !

  passive FTP mode

  permit same-security-traffic intra-interface

  the net-all purpose network

  subnet 0.0.0.0 0.0.0.0

  network vpn_local object

  192.168.168.0 subnet 255.255.255.0

  network inside_nw object

  subnet 192.168.1.0 255.255.255.0

  outside_access_in list extended access permit icmp any any echo response

  outside_access_in list extended access deny ip any any newspaper

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool sales_addresses 192.168.168.1 - 192.168.168.254

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT dynamic interface of net-all source (indoor, outdoor)

  NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local

  NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search

  !

  network vpn_local object

  dynamic NAT interface (outdoors, outdoor)

  network inside_nw object

  NAT dynamic interface (indoor, outdoor)

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  AAA authentication enable LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac

  transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode

  Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1

  card crypto 20-isakmp ipsec vpn Dynamics dyno

  vpn outside crypto map interface

  Crypto isakmp nat-traversal 3600

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH timeout 30

  Console timeout 0

  management-access inside

  dhcpd address 192.168.1.5 - 192.168.1.132 inside

  dhcpd dns 75.75.75.75 76.76.76.76 interface inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal sales_policy group policy

  attributes of the strategy of group sales_policy

  Server DNS 75.75.75.75 value 76.76.76.76

  Protocol-tunnel-VPN l2tp ipsec

  user name-

  user name-

  attributes global-tunnel-group DefaultRAGroup

  address sales_addresses pool

  Group Policy - by default-sales_policy

  IPSec-attributes tunnel-group DefaultRAGroup

  IKEv1 pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  ms-chap-v2 authentication

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13

  : end

  Thanks for your help.

  You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  --

  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

  I tried to set up a simple customer vpn using this document

  http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

  VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

  6.3 (5) PIX version

  interface ethernet0 car

  Auto interface ethernet1

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the encrypted password of VmHKIhnF4Gs5AWk3

  VmHKIhnF4Gs5AWk3 encrypted passwd

  hostname VOIPLABPIX

  domain voicelab.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside 208.x.x.11 255.255.255.0

  IP address inside 172.10.2.2 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool voicelabpool 172.10.3.100 - 172.10.3.254

  history of PDM activate

  ARP timeout 14400

  NAT (inside) - 0 102 access list

  Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1

  Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 172.0.0.0 255.0.0.0 inside

  http 0.0.0.0 0.0.0.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac

  Crypto-map dynamic map2 10 set transform-set trmset1

  map map1 10 ipsec-isakmp crypto dynamic map2

  client authentication card crypto LOCAL map1

  map1 outside crypto map interface

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 encryption aes-256

  ISAKMP policy 10 sha hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup address voicelabpool pool cuclab

  vpngroup dns 204.x.x.10 Server cuclab

  vpngroup cuclab by default-field voicelab.com

  vpngroup split tunnel 101 cuclab

  vpngroup idle 1800 cuclab-time

  vpngroup password cuclab *.

  Telnet timeout 5

  SSH 208.x.x.11 255.255.255.255 outside

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH 172.10.1.2 255.255.255.255 inside

  SSH timeout 60

  Console timeout 0

  username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2

  Terminal width 80

  Cryptochecksum:b03a349e1ac9e6022432523bbb54504b

  : end

  Try to turn on NAT - T

  PIX (config) #isakmp nat-traversal 20

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

  HTH

• Cannot access the internal network with Cisco easy vpn client RV320

  I have a cisco RV320 (firmware v1.1.1.06) and created a tunnel easy vpn (= split tunnel tunnel mode), then I installed the cisco client vpn v5.0.07.0290 in Windows 7 64 bit, I can connect to the vpn, but I do not see the other pc ping nor them, no idea?

  Thank you

  Hello

  1. is the firewall on the active Windows 7 computer? If so, please disable it

  2. can you check that you get a correct IP address in the range of the POOL of IP configured?

  3. When you perform the tracert command to access an internal server, it crosses the VPN¨?

  4. is the tunnel of split giving you access to internal IP subnets defined?

  5. on the RV320 you see the user connected and sending and receiving bytes?

  Don t forget to rate and score as correct the helpful post!

  David Castro,

  Kind regards

• I need help, turn off the internal mic

  Please explain to me as I am 5. I have a headphone (with mic jack and Jack audio input type). Whenever I plug them in, however, the computer decides to use the internal microphone instead. Is it possible to switch off my internal microphone without turning off sound settings (given that my headset in would appear under micro)?

  I'll try to look in the Device Manager to see if it does not show two microphones.  If so, you can disable one of them.  To get the Device Manager, click Start and right click on computer, then click Properties, then Device Manager.

  Good luck.

• Customer remote cannot access the server LAN via VPN

  Hi friends,

  I'm a new palyer in ASA.

  My business is small. We need to the LAN via VPN remote client access server.

  I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.

  Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.

  Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.

  Who can help me?

  Thank you very much.

  The following configuration:

  ASA Version 7.0(7)
  
      !
  
      hostname VPNhost
  
      names
  
      dns-guard
  
      !
  
      interface Ethernet0/0
  
      nameif outside
  
      security-level 10
  
      ip address 221.122.96.51 255.255.255.240
  
      !
  
      interface Ethernet0/1
  
      nameif inside
  
      security-level 100
  
      ip address 192.168.42.199 255.255.255.0
  
      !
  
      interface Ethernet0/2
  
      shutdown
  
      no nameif
  
      no security-level
  
      no ip address
  
      !
  
      interface Management0/0
  
      shutdown
  
      no nameif
  
      no security-level
  
      no ip address
  
      management-only
  
      !
  
      ftp mode passive
  
      dns domain-lookup inside
  
      access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
  
      access-list allow_PING extended permit icmp any any inactive
  
      access-list Internet extended permit ip host 221.122.96.51 any inactive
  
      access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
  
      access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
  
      access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
  
      access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
  
      pager lines 24
  
      mtu outside 1500
  
      mtu inside 1500
  
      ip local pool testpool 192.168.43.10-192.168.43.20
  arp timeout 14400
  
      global (outside) 1 interface
  
      nat (inside) 0 access-list VPN
  
      nat (inside) 1 access-list PAT_acl
  
      route outside 0.0.0.0 0.0.0.0 221.122.96.49 10
  
  
      username testuser password 123
  
      aaa authentication ssh console LOCAL
  
      aaa local authentication attempts max-fail 3
  no sysopt connection permit-ipsec
  
      crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
  
      crypto dynamic-map dyn1 1 set transform-set FirstSet
  
      crypto dynamic-map dyn1 1 set reverse-route
  
      crypto map mymap 1 ipsec-isakmp dynamic dyn1
  
      crypto map mymap interface outside
  
      isakmp enable outside
  
      isakmp policy 1 authentication pre-share
  
      isakmp policy 1 encryption des
  
      isakmp policy 1 hash md5
  
      isakmp policy 1 group 2
  
      isakmp policy 1 lifetime 86400
  
      isakmp nat-traversal  3600
  
      tunnel-group testgroup type ipsec-ra
  
      tunnel-group testgroup general-attributes
  
      address-pool testpool
  
      tunnel-group testgroup ipsec-attributes
  
      pre-shared-key *
  
      telnet timeout 5
  ssh timeout 10
  
      console timeout 0
  : end
  

  Topology as follows:

  

  Hello

  Configure the split for the VPN tunneling.

  1. Create the access list that defines the network behind the ASA.

     ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0 

  2. Mode of configuration of group policy for the policy you want to change.

     ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#

  3. Specify the policy to split tunnel. In this case, the policy is tunnelspecified.

     ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified 

  4. Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.

     ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List 

  5. Type this command:

     ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes 

  6. Associate the group with the tunnel group policy

     ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn 

  7. Leave the two configuration modes.

     ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#

  8. Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.

  Kind regards
  Abhishek Purohit
  CCIE-S-35269

• Unable to access the local network with VPN with some ISPS

  Hello

  We have a VPN Remote Access IPSEC with an ASA5505. Install VPN it correctly but can not access the inside or the ASA to my office.

  But at home with another Internet service provider, it works! You can access inside.

  We are trying with other ISP and it works with 2 and does not work with the other 2!

  Office we also have an ASA5505, but we have another VPN other sites that work properly.

  Any ideas?

  Thank you and sorry for my English.

  Add...

  ISAKMP nat-traversal crypto

  That should do the trick! Please rate if this can help.

• Cannot access the internal resources for VPN site-to-site

  We have two ASA.  We set up just VPN site-to-site.  For some reason, we are not able to access internal resources at the main office of the remote office.  Do you have any suggestions?  Thank you.

  as wu suggested, please first confirm that the tunnel is mounted correctly

  "sh cry isa his '-> will tell u if the phase 1 is in place

  "sh cry ips its '-> say if phase 2 is in place

  now once they r upward, when you ping from site to site b

  program in the site, you should see one and decaps site b for traffic from a to b and vice versa for return transportation

  Now we have to see where it is a failure

  could be tht package is coming up to the asa but not getting is not encrypted or that the package does not come to the asa itself

  You can run tracer package to see if it's getting wrapped, or in other words hits vpn tunnel

  It might be a nat problem, and sometimes if it is a new configuration probably ISP may have blocked the esp traffic in one direction or in the other direction

  the best approach, that it is turn on "management of access to the inside" on the firewall and make a ping of source of asa

  inside ping

• Need help to install the network on laptop drivers

  I have a laptop of HP 2000-239WM and recently erased due to trying to sell. However, when I reinstalled everything back on the PC, no network drivers have been installed, so I have no access to the internet, wireless and wired. Should what programs I install via USB in order to solve this problem?

  The network adapter driver specifically requests the Ethernet, wifi and it...

  Hello McKinley,

  Thank you for visiting Microsoft Community and we provide a detailed description of the issue.

  According to the description, I understand that you need help to install the network drivers into the laptop.

  Certainly, I understand your concern and will try my best to help you.

  In order to install the NIC drivers in the system, I suggest to visit the link below and check if that helps.

  http://support.HP.com/us-en/drivers/selfservice/HP-2000-200-notebook-PC-series/5091493/model/5119030

  Note: Make sure you have access to the internet to another computer and download the network drivers using the USB and install on your laptop.

  I hope this information is useful.

  Please let us know if you need more help, we will be happy to help you.

  Thank you.

• Cisco vpn client to connect but can not access to the internal network

  Hi all

  I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network

  Any help would be much appreciated.

  Hi Samir,

  I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

  (The link above includes split tunneling, but this is just an option.

  Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.

  Let me know if this can help,

  See you soon,.

  Christian V

• VPN client without access to the internal network

  Hi all

  I try to get IPsec VPN clients talk to my internal network.  Can ping the IP address of internal port, but not the bridge beyond the period of INVESTIGATION, or all the resources on the internal network.

  Thoughts?

  Hello Tony

  You need to check on the following things

  1. Split tunnel network

  2. "no nat" split tunnel network

  What is a network or production test (I hope that the customer have the right configuration of bridge)

  Also, if possible please post your config for a better understanding

  concerning

  Harish

• ASA 5505 IPSEC VPN connected but cannot access the local network

  ASA: 8.2.5

  ASDM: 6.4.5

  LAN: 10.1.0.0/22

  Pool VPN: 172.16.10.0/24

  Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

  I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

  Here is my setup, wrong set up anything?

  ASA Version 8.2 (5)

  !

  hostname asatest

  domain XXX.com

  activate 8Fw1QFqthX2n4uD3 encrypted password

  g9NiG6oUPjkYrHNt encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 10.1.1.253 255.255.252.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  address IP XXX.XXX.XXX.XXX 255.255.255.240

  !

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS server-group DefaultDNS

  domain vff.com

  vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

  access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

  pager lines 24

  Enable logging

  timestamp of the record

  logging trap warnings

  asdm of logging of information

  logging - the id of the device hostname

  host of logging inside the 10.1.1.230

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA-server protocol nt AD

  AAA-server host 10.1.1.108 AD (inside)

  NT-auth-domain controller 10.1.1.108

  Enable http server

  http 10.1.0.0 255.255.252.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 10.1.0.0 255.255.252.0 inside

  SSH timeout 20

  Console timeout 0

  dhcpd outside auto_config

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal group vpntest strategy

  Group vpntest policy attributes

  value of 10.1.1.108 WINS server

  Server DNS 10.1.1.108 value

  Protocol-tunnel-VPN IPSec l2tp ipsec

  disable the password-storage

  disable the IP-comp

  Re-xauth disable

  disable the PFS

  IPSec-udp disable

  IPSec-udp-port 10000

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list vpntest_splitTunnelAcl

  value by default-domain XXX.com

  disable the split-tunnel-all dns

  Dungeon-client-config backup servers

  the address value vpnpool pools

  admin WeiepwREwT66BhE9 encrypted privilege 15 password username

  username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

  the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

  tunnel-group vpntest type remote access

  tunnel-group vpntest General attributes

  address vpnpool pool

  authentication-server-group AD

  authentication-server-group (inside) AD

  Group Policy - by default-vpntest

  band-Kingdom

  vpntest group tunnel ipsec-attributes

  pre-shared-key BEKey123456

  NOCHECK Peer-id-validate

  !

  !

  privilege level 3 mode exec cmd command perfmon

  privilege level 3 mode exec cmd ping command

  mode privileged exec command cmd level 3

  logging of the privilege level 3 mode exec cmd commands

  privilege level 3 exec command failover mode cmd

  privilege level 3 mode exec command packet cmd - draw

  privilege show import at the level 5 exec mode command

  privilege level 5 see fashion exec running-config command

  order of privilege show level 3 exec mode reload

  privilege level 3 exec mode control fashion show

  privilege see the level 3 exec firewall command mode

  privilege see the level 3 exec mode command ASP.

  processor mode privileged exec command to see the level 3

  privilege command shell see the level 3 exec mode

  privilege show level 3 exec command clock mode

  privilege exec mode level 3 dns-hosts command show

  privilege see the level 3 exec command access-list mode

  logging of orders privilege see the level 3 exec mode

  privilege, level 3 see the exec command mode vlan

  privilege show level 3 exec command ip mode

  privilege, level 3 see fashion exec command ipv6

  privilege, level 3 see the exec command failover mode

  privilege, level 3 see fashion exec command asdm

  exec mode privilege see the level 3 command arp

  command routing privilege see the level 3 exec mode

  privilege, level 3 see fashion exec command ospf

  privilege, level 3 see the exec command in aaa-server mode

  AAA mode privileged exec command to see the level 3

  privilege, level 3 see fashion exec command eigrp

  privilege see the level 3 exec mode command crypto

  privilege, level 3 see fashion exec command vpn-sessiondb

  privilege level 3 exec mode command ssh show

  privilege, level 3 see fashion exec command dhcpd

  privilege, level 3 see the vpnclient command exec mode

  privilege, level 3 see fashion exec command vpn

  privilege level see the 3 blocks from exec mode command

  privilege, level 3 see fashion exec command wccp

  privilege see the level 3 exec command mode dynamic filters

  privilege, level 3 see the exec command in webvpn mode

  privilege control module see the level 3 exec mode

  privilege, level 3 see fashion exec command uauth

  privilege see the level 3 exec command compression mode

  level 3 for the show privilege mode configure the command interface

  level 3 for the show privilege mode set clock command

  level 3 for the show privilege mode configure the access-list command

  level 3 for the show privilege mode set up the registration of the order

  level 3 for the show privilege mode configure ip command

  level 3 for the show privilege mode configure command failover

  level 5 mode see the privilege set up command asdm

  level 3 for the show privilege mode configure arp command

  level 3 for the show privilege mode configure the command routing

  level 3 for the show privilege mode configure aaa-order server

  level mode 3 privilege see the command configure aaa

  level 3 for the show privilege mode configure command crypto

  level 3 for the show privilege mode configure ssh command

  level 3 for the show privilege mode configure command dhcpd

  level 5 mode see the privilege set privilege to command

  privilege level clear 3 mode exec command dns host

  logging of the privilege clear level 3 exec mode commands

  clear level 3 arp command mode privileged exec

  AAA-server of privilege clear level 3 exec mode command

  privilege clear level 3 exec mode command crypto

  privilege clear level 3 exec command mode dynamic filters

  level 3 for the privilege cmd mode configure command failover

  clear level 3 privilege mode set the logging of command

  privilege mode clear level 3 Configure arp command

  clear level 3 privilege mode configure command crypto

  clear level 3 privilege mode configure aaa-order server

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

  : end

  Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

  The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

  On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

• Unable to access an internal network while being connected with VPN

  Hello

  We have a PIX 515E with a remote access vpn.

  Our internal network has an address network 192.168.1.0/24, and addresses we assign to vpn clients are 192.168.1.49 - 192.168.1.62, or 192.168.1.48/28.

  When I connect to the vpn, I cannot ping none of my hosts internal. The error I get is "no group of translation not found for icmp src:...» »

  It is quite clear that I would need a NAT rule, but why? Addresses are in the same network...

  Could someone enlighten me on how I should proceed to nat traffic between vpn clients and the internal network?

  Thank you.

  Here is my current setup:

  6.3 (1) version PIX

  interface ethernet0 car

  Auto interface ethernet1

  Auto interface ethernet2

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  nameif dmz security50 ethernet2

  activate the password * encrypted

  passwd * encrypted

  hostname pix

  domain callio.com

  outside_inbound list access permit tcp any host 66 *. **. * eq www

  outside_inbound list access permit tcp any host 66 *. **. * eq https

  outside_inbound list of access permit udp any host 66 *. **. * Log domain eq

  outside_inbound list access permit tcp any host 66 *. **. * Log domain eq

  outside_inbound list access permit tcp any host 66 *. **. * object-group mailserver

  outside_inbound list access permit tcp any host 66 *. **. * Newspaper ftp object-group 5

  outside_inbound list access permit tcp any host 66 *. **. * eq 9999 journal 5

  outside_inbound list access permit tcp any host 66 *. **. * eq www

  outside_inbound list access permit tcp any host 66 *. **. * eq www

  access-list outside_inbound udp host 66 license *. **. * Welcome 66 *. **. * eq syslog

  outside_inbound deny ip access list a whole

  pager lines 24

  IP address outside 66 *. **. * 255.255.255.240

  IP address inside 192.168.1.1 255.255.255.0

  IP dmz 192.168.2.1 255.255.255.0

  IP verify reverse path to the outside interface

  local pool IP VPN-RemoteAccess 192.168.1.49 - 192.168.1.62

  ARP timeout 14400

  Global (outside) 10 66 *. **. * netmask 255.255.255.0

  NAT (inside) 0-list of access no_nat_dmz

  NAT (inside) 10 192.168.1.0 255.255.255.0 0 0

  static (dmz, outside) 66 *. **. * c4 netmask 255.255.255.255 0 0

  static (dmz, outside) 66 *. **. * 192.168.2.3 netmask 255.255.255.255 0 0

  static (dmz, outside) 66 *. **. * 192.168.2.5 netmask 255.255.255.255 0 0

  static (dmz, outside) 66 *. **. * 192.168.2.6 netmask 255.255.255.255 0 0

  static (dmz, outside) 66 *. **. * 192.168.2.100 netmask 255.255.255.255 0 0

  static (inside, dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

  Access-group outside_inbound in interface outside

  Route outside 0.0.0.0 0.0.0.0 66 *. **. * 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  NTP server 199.212.17.15 source outdoors

  Enable http server

  http 192.168.1.101 255.255.255.255 inside

  http 192.168.1.105 255.255.255.255 inside

  SNMP-server host inside 192.168.1.105

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Sysopt connection permit-pptp

  Telnet timeout 5

  SSH 192.168.1.105 255.255.255.255 inside

  SSH timeout 5

  Console timeout 0

  VPDN PPTP VPN group accept dialin pptp

  VPDN group VPN-PPTP ppp mschap authentication

  VPDN group VPN-PPTP ppp mppe auto encryption required

  the client configuration address local VPN-RemoteAccess VPDN group PPTP VPN

  VPDN group VPN-PPTP client configuration dns 192.168.1.2

  VPDN group VPN-PPTP pptp echo 60

  authentication of VPN-PPTP client to the Group local VPDN

  VPDN username someuser password *.

  VPDN allow outside

  Terminal width 80

  Please use the following URL to check your config:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

  I hope this helps.

  Jay

• Cannot access the Media folder via App IOS Readycloud

  I have a RN204 4.6.2 running in an OSX system which will not allow access to the Media folder via the IOS app on iPhone or iPad. I can access the media folder via the ReadyCloud portal or the finder on MAC without problem, but the IOS App shows "Access Denied" and requests user & password, which, when entered, does not. I can access all other folders via the application, just not the media folder. Permissions are set the same as the other issues so I'm not sure what the question is that if she's Readycloud app for IOS. I guess the user & password requested is for NAS, although I tried the credientals of Readycloud just for fun but no help. As a note, I don't get "Connection failed" but "Access Denied", so the network access is OK but access to the file is doesn't understand why all other folders are accessible but not the media folder. And that's on both VPN connections & local. Any ideas?

  OK, get it fixed. I have changed the name of the folder, allowed full access, then he changed the name of moose. Now I can access the folder via the ios app. I'll have to rescan the actions in my media streamer, but to the East, I now access app.