No Internet connectivity with ASA 5505 VPN remote access

Hello

I configured ASA 5505 for remote access VPN to allow a remote user to connect to the Remote LAN officce. VPN works well, users can access Office Resource of LAN with sahred etc., but once they have connected to the VPN, they are unable to browse the internet?

Internet navigation stop working as soon as their customer VPN connect with ASA 5505 t, once they are disconnected from VPN, once again they can browse the internet.

Not ASA 5505 blocking browsing the internet for users of VPN? Is there anything else that I need congfure to ensure that VPN users can browse the internet?

I have to configure Split Tunnleing, NATing or routing for VPN users? or something else.

Thank you very much for you help.

Concerning

Salman

Salman

What you run into is a default behavior of the ASA in which she will not route traffic back on the same interface on which he arrived. So if the VPN traffic arrived on the external interface the ASA does not want to send back on the external interface for Internet access.

You have at least 2 options:

-You can configure split tunneling, as you mention, and this would surf the Internet to continue during the use of VPN.

-You can set an option on the ASA to allow traffic back on the same interface (this is sometimes called crossed). Use the command

permit same-security-traffic intra-interface

HTH

Rick

Tags: Cisco Security

Similar Questions

  • Problem with ASA 5505 VPN remote access

    After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?

    Here is the cfg running of the ASA

    ----------------------------------------------------------------------------------------

    : Saved

    :

    ASA Version 8.4 (1)

    !

    hostname NCHCO

    enable encrypted password xxxxxxxxxxxxxxx

    xxxxxxxxxxx encrypted passwd

    names of

    description of NCHCO name 192.168.2.0 City offices

    name 192.168.2.80 VPN_End

    name 192.168.2.70 VPN_Start

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.2.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address **. ***. 255.255.255.248

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    boot system Disk0: / asa841 - k8.bin

    passive FTP mode

    network of the NCHCO object

    Subnet 192.168.2.0 255.255.255.0

    network object obj - 192.168.1.0

    subnet 192.168.1.0 255.255.255.0

    network object obj - 192.168.2.64

    subnet 192.168.2.64 255.255.255.224

    network object obj - 0.0.0.0

    subnet 0.0.0.0 255.255.255.0

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    the Web server object network

    the FINX object network

    Home 192.168.2.11

    rdp service object

    source between 1-65535 destination eq 3389 tcp service

    Rdp description

    outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0

    inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

    permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224

    outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

    LAN_Access list standard access allowed 192.168.2.0 255.255.255.0

    LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

    NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0

    AnyConnect_Client_Local_Print deny ip extended access list a whole

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

    Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

    print the access-list AnyConnect_Client_Local_Print Note Windows port

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

    access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

    AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

    AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

    AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

    Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

    AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

    AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

    outside_access_in list extended access permit tcp any object FINX eq 3389

    outside_access_in_1 list extended access allowed object rdp any object FINX

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 649.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0

    NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64

    NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64

    !

    network obj_any object

    NAT dynamic interface (indoor, outdoor)

    the FINX object network

    NAT (inside, outside) interface static service tcp 3389 3389

    Access-group outside_access_in_1 in interface outside

    Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    network-acl outside_nat0_outbound

    WebVPN

    SVC request to enable default svc

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    http *. **. ***. 255.255.255.255 outside

    http *. **. ***. 255.255.255.255 outside

    http NCHCO 255.255.255.0 inside

    http 96.11.251.186 255.255.255.255 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform

    IKEv1 crypto ipsec transform-set l2tp-transformation mode transit

    Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1

    transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1

    Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1

    transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    crypto dynamic-map dyn-map 10 set pfs Group1

    crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1

    dynamic-map encryption dyn-map 10 value reverse-road

    Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

    Crypto-map dynamic outside_dyn_map 20 the value reverse-road

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs Group1

    peer set card crypto outside_map 1 74.219.208.50

    card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1

    map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    inside crypto map inside_map interface

    card crypto vpn-map 1 match address outside_1_cryptomap_1

    card crypto vpn-card 1 set pfs Group1

    set vpn-card crypto map peer 1 74.219.208.50

    card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map

    dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

    crypto isakmp identity address

    Crypto ikev1 allow inside

    Crypto ikev1 allow outside

    IKEv1 crypto ipsec-over-tcp port 10000

    IKEv1 crypto policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    IKEv1 crypto policy 15

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 35

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    enable client-implementation to date

    Telnet 192.168.1.0 255.255.255.0 inside

    Telnet NCHCO 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.0 inside

    SSH NCHCO 255.255.255.0 inside

    SSH timeout 5

    Console timeout 0

    dhcpd address 192.168.2.150 - 192.168.2.225 inside

    dhcpd dns 216.68.4.10 216.68.5.10 interface inside

    lease interface 64000 dhcpd inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal DefaultRAGroup group strategy

    attributes of Group Policy DefaultRAGroup

    value of server DNS 192.168.2.1

    L2TP ipsec VPN-tunnel-Protocol ikev1

    nchco.local value by default-field

    attributes of Group Policy DfltGrpPolicy

    value of server DNS 192.168.2.1

    L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

    allow password-storage

    enable IPSec-udp

    enable dhcp Intercept 255.255.255.0

    the address value VPN_Pool pools

    internal NCHCO group policy

    NCHCO group policy attributes

    value of 192.168.2.1 DNS Server 8.8.8.8

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1

    value by default-field NCHCO.local

    admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

    username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

    username NCHvpn99 password dhn. JzttvRmMbHsP encrypted

    attributes global-tunnel-group DefaultRAGroup

    address (inside) VPN_Pool pool

    address pool VPN_Pool

    authentication-server-group (inside) LOCAL

    authentication-server-group (outside LOCAL)

    LOCAL authority-server-group

    authorization-server-group (inside) LOCAL

    authorization-server-group (outside LOCAL)

    Group Policy - by default-DefaultRAGroup

    band-Kingdom

    band-band

    IPSec-attributes tunnel-group DefaultRAGroup

    IKEv1 pre-shared-key *.

    NOCHECK Peer-id-validate

    tunnel-group DefaultRAGroup ppp-attributes

    No chap authentication

    no authentication ms-chap-v1

    ms-chap-v2 authentication

    tunnel-group DefaultWEBVPNGroup ppp-attributes

    PAP Authentication

    ms-chap-v2 authentication

    tunnel-group 74.219.208.50 type ipsec-l2l

    IPSec-attributes tunnel-group 74.219.208.50

    IKEv1 pre-shared-key *.

    type tunnel-group NCHCO remote access

    attributes global-tunnel-group NCHCO

    address pool VPN_Pool

    Group Policy - by default-NCHCO

    IPSec-attributes tunnel-group NCHCO

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

    : end

    ASDM image disk0: / asdm - 649.bin

    ASDM VPN_Start 255.255.255.255 inside location

    ASDM VPN_End 255.255.255.255 inside location

    don't allow no asdm history

    ---------------------------------------------------------------------------------------------------------------

    And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:

    ---------------------------------------------------------------------------------------------------------------

    Cisco Systems VPN Client Version 5.0.07.0440

    Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

    Customer type: Windows, Windows NT

    Running: 6.1.7601 Service Pack 1

    Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\

    1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026

    Try to find a certificate using hash Serial.

    2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027

    Found a certificate using hash Serial.

    3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011

    RELOADED successfully certificates in all certificate stores.

    4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002

    Start the login process

    5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004

    Establish a secure connection

    6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024

    Attempt to connect with the server "*." **. ***. *** »

    7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B

    Try to establish a connection with *. **. ***. ***.

    8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001

    From IKE Phase 1 negotiation

    9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

    10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

    12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001

    Peer is a compatible peer Cisco-Unity

    13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports XAUTH

    14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports the DPD

    15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports NAT - T

    16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

    Peer supports fragmentation IKE payloads

    17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001

    IOS Vendor ID successful construction

    18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

    19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083

    IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

    20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072

    Automatic NAT detection status:

    Remote endpoint is NOT behind a NAT device

    This effect is NOT behind a NAT device

    21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

    22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015

    Launch application xAuth

    25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012

    Attributes of the authentication request is 6: 00.

    26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017

    xAuth application returned

    27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008

    IPSec driver started successfully

    29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

    34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E

    Customer address a request from firewall to hub

    35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

    36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

    39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

    40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

    41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

    42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

    43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

    44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F

    SPLIT_NET #1

    = 192.168.2.0 subnet

    mask = 255.255.255.0

    Protocol = 0

    SRC port = 0

    port dest = 0

    45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local

    46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710

    47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

    48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11

    49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

    50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019

    Data in mode Config received

    51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056

    Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

    52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

    53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

    55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify has value of 86400 seconds

    56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047

    This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now

    57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">

    59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify is set to 28800 seconds

    60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***

    61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059

    IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)

    62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025

    OUTGOING ESP SPI support: 0xAAAF4C1C

    63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026

    Charges INBOUND ESP SPI: 0x3EBEBFC5

    64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001

    Launch VAInst64 for controlling IPSec virtual card

    66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034

    The virtual card has been activated:

    IP=192.168.2.70/255.255.255.0

    DNS = 192.168.2.1, 8.8.8.8

    WINS = 0.0.0.0 0.0.0.0

    Domain = NCHCO.local

    Split = DNS names

    67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261

    68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038

    Were saved successfully road to file changes.

    69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

    Destination mask subnet Gateway Interface metric

    0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

    **. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100

    96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

    96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

    96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

    127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

    127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

    192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261

    192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100

    192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261

    192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261

    224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

    224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

    224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

    224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261

    255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

    255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

    255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

    255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261

    70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036

    The routing table has been updated for the virtual card

    71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A

    A secure connection established

    72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

    Look at address added to 96.11.251.149.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

    73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

    Look at address added to 192.168.2.70.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

    74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001

    Did not find the smart card to watch for removal

    75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

    Creates a new key structure

    77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

    Adding key with SPI = 0x1c4cafaa in the list of keys

    78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

    Creates a new key structure

    79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

    Adding key with SPI = 0xc5bfbe3e in the list of keys

    80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F

    Assigned WILL interface private addr 192.168.2.70

    81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037

    Configure the public interface: 96.11.251.149. SG: **.**.***.***

    82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046

    Define indicator tunnel set up in the registry to 1.

    83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205276

    85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

    87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276

    88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019

    Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e

    89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205277

    91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

    93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277

    94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

    95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D

    Upon request of the DPD to *. **. ***. , our seq # = 107205278

    96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = *. **. ***. ***

    97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

    98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040

    Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278

    ---------------------------------------------------------------------------------------------------------------

    Any help would be appreciated, thanks!

    try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.

  • Site to Site and together on ASA 5505 VPN remote access

    Hello

    I tried to set up a VPN Site again on an ASA5505 where there already is a VPN remote on it.

    After you add the new configuration lines, I received the following message when I debug:

    04 Nov 07:06:06 [IKEv1]: group = , IP = , error QM WSF (P2 struct & 0xd91a4d10, mess id 0xeac05ec0).

    04 Nov 07:04:36 [IKEv1]: group = , IP = , peer of drop table Correlator has failed, no match!

    Someone knows what's the problem? And what to change in the config?

    Thanks in advance,

    Ruben

    Hello

    If the ASA had a remote access VPN and you add a new Site-to-Site you must make sure that the priority for the card encryption is weaker for the new Site-to - added Site.This is because otherwise traffic will always try to match the access tunnel at distance. You can check it with the command "sh run card cry"

    Federico.

  • ASA 5505 VPN remote access

    Hi all

    I read the http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html and following the steps to create a remote access VPN. At the end of this post is delivered to the FW config.

    I test the connection on a Cisco VPN Client for Windows Remote with plans on the migration of the profile to my Linux laptop. What I see is an error message when you run 'debug cryptop isa 129' of

    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntry

    What seems strange to me, is that I have a group policy and a configured connection IPSec 'RemoteHome' profile, but it is not referenced in the debug output. I searched through my config for DefaultRAGroup, but nothing helped. However I found it in the ASDM under IPSec connection profiles.

    I configured the FW to use LOCAL authentication and have configured the VPN Client with the right user name and password.

    So, basically, I'm at a loss on how to correct my mistake. Any help much appreciated.

    After the config FW is the power output of debug crypto isa 129.

    See you soon,.

    Conor

    RemoteHome_splitTunnelAcl list standard access allowed host 10.2.2.2
    RemoteHome_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.0.0
    RemoteHome_splitTunnelAcl standard access list allow 10.3.3.0 255.255.255.0
    RemoteHome_splitTunnelAcl list standard access allowed 192.168.2.0 255.255.255.0
    access-list 1 permit line INSIDE_nat0_outbound extended ip host 10.2.2.2 192.168.2.64 255.255.255.192
    allowed to Access - list INSIDE_nat0_outbound line 2 extended ip 172.16.0.0 255.255.0.0 192.168.2.64 255.255.255.192
    permit for access list 3 INSIDE_nat0_outbound line scope ip 10.3.3.0 255.255.255.0 192.168.2.64 255.255.255.192
    allowed to Access - list INSIDE_nat0_outbound line 4 extended ip 192.168.2.0 255.255.255.0 192.168.2.64 255.255.255.192
    local pool VPN_REMOTE_POOL 192.168.2.90 - 192.168.2.99 255.255.255.0 IP mask
    internal RemoteHome group strategy
    Group Policy attributes RemoteHome
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list RemoteHome_splitTunnelAcl
    value of DNS server *.
    cunningtek.com value by default-field
    tunnel-group RemoteHome type remote access
    attributes global-tunnel-group RemoteHome
    Group Policy - by default-RemoteHome
    address VPN_REMOTE_POOL pool
    IPSec-attributes tunnel-group RemoteHome
    pre-shared key *.
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    NAT (INSIDE) 0 access-list INSIDE_nat0_outbound tcp udp 0 0 0

    Firewall # Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) the SELLER (13) + the SELLER (13) + SOLD
    OR (13) of the SELLER (13) + the SELLER (13) + (0) NONE total length: 849
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, SA payload processing
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ke payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ISA_KE
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, nonce payload processing
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received xauth V6 VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, DPD received VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received Fragmentation VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received NAT-Traversal worm 02 VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, the customer has received Cisco Unity VID
    Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, message received ISAKMP Aggressive Mode 1 with the name of Group of unknown tunnel "conor".
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA payload processing
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA proposal # 1, transform # 5 entry overall IKE acceptable matches # 1
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build the payloads of ISAKMP security
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building ke payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building nonce payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Generating keys for answering machine...
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of payload ID
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of hash
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, calculation of hash for ISAKMP
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of Cisco Unity VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing payload V6 VID xauth
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing the payload of the NAT-Traversal VID ver 02
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of Fragmentation VID + load useful functionality
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) + HASH (8) the SELLER (13) + the SELLER (13) + SOLD
    OR (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + (0) NONE total length: 424
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, case of mistaken IKE AM Responder WSF (struct & 0xd8d3bed8) , : AM_DONE, EV_ERROR--> AM_SND_MSG2, EV_
    SND_MSG--> AM_SND_MSG2, EV_START_TMR--> AM_BLD_MSG2, EV_BLD_MSG2_TRL--> AM_BLD_MSG2, EV_SKEYID_OK--> AM_BLD_MSG2, NullEvent--> AM_BLD_MSG2, EV_GEN_SKEYID--> AM_BLD_MSG2, EV_BLD_MSG2_HDR
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA AM:7ff48db9 ending: 0x0104c001, refcnt flags 0, tuncnt 0
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, sending clear/delete with the message of reason
    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntry

    I think this is the beginning of your question.

    Message received ISAKMP aggressive Mode 1 with the name of the unknown group tunnel "conor".

    In the vpn client, you must enter the name of the group, RemoteHome and pre shared key, NOT your username. You will be asked your username after login.

    As the name conor group does not exist, it is failing in the DefaultRAGroup

  • ASA 5505 VPN cannot access inside the host

    I have access remote VPN configuration on an ASA 5505, but cannot access the host or the AAS when I connect through the VPN. I can connect with the Cisco VPN client and the VPN is on on the SAA and it shows that I am connected. I have the correct Ip address, but I can't ping or you connect to one of the internal addresses. I can't find what I'm missing. I have the VPN without going through the ACL interface. Because I can connect but not going anywhere I'm sure I missed something.

    framework for configuration below

    interface Vlan1

    nameif inside

    security-level 100

    10.1.1.1 IP address 255.255.255.0

    IP local pool xxxx 10.1.1.50 - 10.1.1.55 mask 255.255.255.0

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic outside_dyn_map 20 set pfs

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

    PFS set 40 crypto dynamic-map outside_dyn_map

    Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA

    Crypto-map dynamic inside_dyn_map 20 set pfs

    Crypto-map dynamic inside_dyn_map 20 the value transform-set ESP-3DES-SHA

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    map inside_map 65535-isakmp ipsec crypto dynamic inside_dyn_map

    inside crypto map inside_map interface

    crypto ISAKMP allow inside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    global service-policy global_policy

    XXXXXXX strategy of Group internal

    attributes of the strategy group xxxxxxx

    banner value xxxxx Site Recovery

    WINS server no

    24.xxx.xxx.xx value of DNS server

    VPN-access-hour no

    VPN - connections 3

    VPN-idle-timeout 30

    VPN-session-timeout no

    VPN-filter no

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelall

    by default no

    disable secure authentication unit

    disable authentication of the user

    user-authentication-idle-timeout no

    disable the IP-phone-bypass

    disable the leap-bypass

    disable the NEM

    disable the NAC

    NAC-sq-period 300

    NAC-reval-period 36000

    NAC-by default-acl no

    the address value xxxxxx pools

    enable Smartcard-Removal-disconnect

    the firewall client no

    WebVPN

    url-entry functions

    Free VPN of CNA no

    No vpn-addr-assign aaa

    No dhcp vpn-addr-assign

    tunnel-group xxxx type ipsec-ra

    tunnel-group xxxx general attributes

    xxxx address pool

    Group Policy - by default-xxxx

    blountdr group of tunnel ipsec-attributes

    pre-shared-key *.

    Missing nat exemption for vpn clients. Add the following and you should be good to go.

    inside_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0

    NAT (inside) 0-list of access inside_nat0_outbound

  • ASA 5505 VPN remote cannot access with my local network

    Hello guys, I have a problem with my asa 5505 remote VPN access to the local network, the VPn connection works well and connected, but the problem is that I can't reach my inside connection network of 192.168.30.x, here's my setup, please can you help me

    ASA Version 8.2 (1)

    !

    !

    interface Vlan1

    nameif inside

    security-level 100

    192.168.30.1 IP address 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 155.155.155.10 255.255.255.0

    !

    interface Vlan5

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    inside_nat0_outbound list of allowed ip extended access any 192.168.100.0 255.255.255.240

    pager lines 24

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    IP local pool vpn-pool 192.168.100.1 - 192.168.100.10 mask 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd outside auto_config

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    Mull strategy of Group internal

    attributes of the Group mull strategy

    Protocol-tunnel-VPN IPSec

    username privilege 0 encrypted password eKJj9owsQwAIk6Cw xxx

    VPN-group-policy Mull

    type mull tunnel-group remote access

    tunnel-group mull General attributes

    address vpn-pool pool

    Group Policy - by default-mull

    Mull group tunnel ipsec-attributes

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    !

    global service-policy global_policy

    context of prompt hostname

    Yes, you will need to either configure split tunnel so that internet traffic goes out through your local Internet service provider, GOLD / directed by configuration current you are tunneling all traffic (internet traffic Inc.) to the ASA, then you will need to create NAT for internet traffic.

    To set up a tunnel from split:

    split-acl access-list allowed 192.168.30.0 255.255.255.0

    attributes of the Group mull strategy

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split-acl

    I hope this helps.

  • On ASA 5505 VPN cannot access remote (LAN)

    I have an ASA 5505 upward and running, all static NAT statements I need to forward ports to the internal services such as smtp, desktop remotely and it works very well, however I have set up an IPSEC vpn connection that authenticates to our DC and part works. However, after I connect and cannot ping anything on the local network or access services. I don't know what a NAT statement I have corrected. Here is the config. I really need to get this up and going tomorrow. Thanks for any help.

    Tyler

    Just remove the line of nat (outside) and ACL outside_nat0_outbound.

    And talk about these statements:

    IPSec-1 sysopt connection permit... (If it is disabled, you can check with sh run sysopt).

    2, crypto isakmp nat traversal 10 or 20

    3 no NAT ACL, mention your local subnets as the source and vpn client as the destination.

    4, create the other ACL (ST) with different name and source and destination like no nat ACL.

    5, then type nat (inside) 0 access-list sheep

    6, in the dwgavpn group policy, talk to splittunnel tunnelspecified and mention the tunnel split ACL (ST).

    Concerning

  • ASA 5505 VPN cannot access inside hosts

    I set up VPN on the using 5505 ASDM and I am able to connect to the 5505 and the customer is also getting an IP address from the configured pool.

    The Cisco VPN client displays an error in the log: AddRoute cannot add a route: code 87

    Cisco

    You may need to nat traversal lit. Try to add crypto isakmp nat-traversal 3600

  • ASA Cisco VPN remote access

    Hi guys

    I have a few questions regarding vpn and vpn traffic record remote access. Please can someone advise how I can capture traffic decrypted for client vpn for remote access on the firewall. now, firewall has any source any dest and list of service associated with Group tunnel (no interface access list) but the default one group policy. I don't know what kind of traffic comes from the remote vpn machine, and I want to capture and create more specfic acl and who associate Group via vpn tunnel filter so no all are allowed.

    I also configured for load balancing vpn and I know not if I add vpn filter via Group Policy and add it to the default group that can cause interruptions of service, but since I have vpn load balancing configured shoudnt remote customer affect. Am I wrong?

    concerning

    F

    There is no balancing load with active / standby (standby really means "only watch"!). And it's not even RA - VPN with active/active.

  • ASA 5510 vpn remote access - must now be added vpn site-to-site.

    We currently have a configuration of remote access vpn and all this hard work.

    I need to configure a vpn lan lan 2 now.

    Can someone point me to the documentation on that? I used the command line to add a site to site and wrong on it and disconnected me when I applied the crypto map to the external interface. Do I need another card encryption or should I use my existing?

    Shannon,

    Please see the below URL for more configuration information. Even if that configuration is dynamic to static IPSEC, you can use the concept to build the Tunnel L2L with static IP.

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a00805733df.shtml

    Let me know if it helps.

    Kind regards

    Arul

    * Please note all useful messages *.

  • LAN ASA 5505 VPN client access issue

    Hello

    I'm no expert in ASA and routing so I ask support the following case.

    There is a (running on Windows 7) Cisco VPN client and an ASA5505.

    The objectives are client can use the gateway remote on SAA for Skype and able to access devices in SAA within the interface.

    The Skype works well, but I can't access devices in the interface inside through a VPN connection.

    Can you please check my following config and give me any advice to fix NAT or VPN settings?

    ASA Version 7.2 (4)

    !

    ciscoasa hostname

    domain default.domain.invalid

    activate wDnglsHo3Tm87.tM encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.1.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address dhcp setroute

    !

    interface Vlan3

    prior to interface Vlan1

    nameif dmz

    security-level 50

    no ip address

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    DNS server-group DefaultDNS

    domain default.domain.invalid

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any

    inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 any

    outside_access_in list of allowed ip extended access entire 192.168.1.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    MTU 1500 dmz

    local pool VPNPOOL 10.0.0.200 - 10.0.0.220 255.255.255.0 IP mask

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 524.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT-control

    Global 1 interface (outside)

    NAT (inside) 1 10.0.0.0 255.255.255.0

    NAT (inside) 1 192.168.1.0 255.255.255.0

    NAT (outside) 1 10.0.0.0 255.255.255.0

    inside_access_in access to the interface inside group

    Access-group outside_access_in in interface outside

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    the ssh LOCAL console AAA authentication

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic outside_dyn_map pfs set 20 Group1

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.0 inside

    SSH timeout 5

    SSH version 2

    Console timeout 0

    dhcpd outside auto_config

    !

    dhcpd address 192.168.1.2 - 192.168.1.33 inside

    dhcpd dns xx.xx.xx.xx interface inside

    dhcpd allow inside

    !

    attributes of Group Policy DfltGrpPolicy

    No banner

    WINS server no

    value of server DNS 84.2.44.1

    DHCP-network-scope no

    VPN-access-hour no

    VPN - connections 3

    VPN-idle-timeout 30

    VPN-session-timeout no

    VPN-filter no

    Protocol-tunnel-VPN IPSec l2tp ipsec webvpn

    disable the password-storage

    disable the IP-comp

    Re-xauth disable

    Group-lock no

    disable the PFS

    IPSec-udp disable

    IPSec-udp-port 10000

    Split-tunnel-policy tunnelall

    Split-tunnel-network-list no

    by default no

    Split-dns no

    Disable dhcp Intercept 255.255.255.255

    disable secure authentication unit

    disable authentication of the user

    user-authentication-idle-timeout 30

    disable the IP-phone-bypass

    disable the leap-bypass

    allow to NEM

    Dungeon-client-config backup servers

    MSIE proxy server no

    MSIE-proxy method non - change

    Internet Explorer proxy except list - no

    Disable Internet Explorer-proxy local-bypass

    disable the NAC

    NAC-sq-period 300

    NAC-reval-period 36000

    NAC-by default-acl no

    address pools no

    enable Smartcard-Removal-disconnect

    the firewall client no

    rule of access-client-none

    WebVPN

    url-entry functions

    HTML-content-filter none

    Home page no

    4 Keep-alive-ignore

    gzip http-comp

    no filter

    list of URLS no

    value of customization DfltCustomization

    port - forward, no

    port-forward-name value access to applications

    SSO-Server no

    value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. Contact your administrator for more information

    SVC no

    SVC Dungeon-Installer installed

    SVC keepalive no

    generate a new key SVC time no

    method to generate a new key of SVC no

    client of dpd-interval SVC no

    dpd-interval SVC bridge no

    deflate compression of SVC

    internal group XXXXXX strategy

    attributes of XXXXXX group policy

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelall

    Split-tunnel-network-list no

    XXXXXX G910DDfbV7mNprdR encrypted privilege 15 password username

    username password encrypted XXXXXX privilege 0 5p9CbIe7WdF8GZF8

    attributes of username XXXXXX

    Strategy Group-VPN-XXXXXX

    username privilege 15 encrypted password cRQbJhC92XjdFQvb XXXXX

    tunnel-group XXXXXX type ipsec-ra

    attributes global-tunnel-group XXXXXX

    address VPNPOOL pool

    Group Policy - by default-XXXXXX

    tunnel-group ipsec-attributes XXXXXX

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23

    : end

    ciscoasa #.

    Thanks in advance!

    fbela

    config #no nat (inside) 1 10.0.0.0 255.255.255.0< this="" is="" not="">

    Add - config #same-Security-permit intra-interface

    #access - extended list allowed sheep ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

    #nat (inside) 0 access-list sheep

    Please add and test it.

    Thank you

    Ajay

  • Restrict the public IP address of Source-based ASA 5500 VPN remote access

    Hello

    Please clarify my doubt below

    is it possible to restrict access to remote VPN to ASA based on the IP public Source, if yes how?

    Here is not the VPN filter under group policy. I want to restrict access from the indicated source IP (public IP)

    Thanks in advance

    Anoop

    Hi Anoop,

    This discussion will do it for you:

    https://supportforums.Cisco.com/thread/2027600

    Kind regards

    Julio

  • ASA 5505 VPN Ping problems

    Hi all

    First of all, I apologize if this is something that I can google. My knowledge of the administration of the network is all self-taught, so if there is a guide that I missed please point me in the right direction, it is often difficult to Google the terms for troubleshooting when your jargon is not the height.

    The main problem is that when ping devices internal when you are connected to the results are very inconsistent.

    Ping 192.168.15.102 with 32 bytes of data:

    Reply from 192.168.15.102: bytes = 32 time = 112ms TTL = 128

    Request timed out.

    Request timed out.

    Request timed out.

    We have implemented an IPSec VPN connection to a remote Cisco ASA 5505. There is no connection problems, connection seems constant, etc. good packages. At this stage, I can only assume I have configuration problems, but I was watching this while if long and pair with my inexperience configuration of these settings I have no idea where to start. My first impressions are that LAN devices I'm ping do not send their response back or the ASA does not know how to route packets back?

    Here is a dump of the configuration:

    Output of the command: "show config".

    : Saved

    : Written by enable_15 to the 12:40:06.114 CDT MON Sep 9 2013

    !

    ASA Version 8.2 (5)

    !

    hostname VPN_Test

    activate the encrypted password of D37rIydCZ/bnf1uj

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    192.168.15.0 - internal network name

    DDNS update method DDNS_Update

    DDNS both

    maximum interval 0 4 0 0

    !

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    Description VLAN internal guests

    nameif inside

    security-level 100

    DDNS update hostname 0.0.0.0

    DDNS update DDNS_Update

    DHCP client updated dns server time

    192.168.15.1 IP address 255.255.255.0

    !

    interface Vlan2

    Description of VLAN external to the internet

    nameif outside

    security-level 0

    address IP xx.xx.xx.xx 255.255.255.248

    !

    passive FTP mode

    clock timezone CST - 6

    clock to summer time recurring CDT

    DNS server-group DefaultDNS

    Server name 216.221.96.37

    Name-Server 8.8.8.8

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    DM_INLINE_TCP_1 tcp service object-group

    port-object eq www

    EQ object of the https port

    outside_access_in list extended access permit icmp any one

    outside_access_in list extended access deny interface icmp outside interface inside

    access extensive list ip 192.168.15.192 outside_access_in allow 255.255.255.192 all

    Remote_splitTunnelAcl list standard allowed internal-network access 255.255.255.0

    inside_nat0_outbound list extended access allowed internal-network ip, 255.255.255.0 192.168.15.192 255.255.255.192

    Note to inside_access_in to access list blocking Internet traffic

    access extensive list ip 192.168.15.192 inside_access_in allow 255.255.255.192 all

    Note to inside_access_in to access list blocking Internet traffic

    inside_access_in extended access list allow interface ip inside the interface inside

    inside_access_in list of allowed ip extended access all 192.168.15.192 255.255.255.192

    Note to inside_access_in to access list blocking Internet traffic

    access extensive list ip 192.168.15.192 inside_nat0_outbound_1 allow 255.255.255.192 all

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    mask 192.168.15.200 - 192.168.15.250 255.255.255.0 IP local pool VPN_IP_Pool

    inside_access_ipv6_in list of access allowed IPv6 interface ip inside the interface inside

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow any inside

    ICMP allow any response of echo outdoors

    ICMP allow all outside

    don't allow no asdm history

    ARP timeout 14400

    NAT-control

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

    NAT (inside) 1 192.168.15.192 255.255.255.192

    NAT (inside) 1 0.0.0.0 0.0.0.0

    inside_access_in access to the interface inside group

    inside_access_ipv6_in access to the interface inside group

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    255.255.255.0 inside internal network http

    http yy.yy.yy.yy 255.255.255.255 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Sysopt connection timewait

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    management-access inside

    dhcpd outside auto_config

    !

    dhcpd address 192.168.15.200 - 192.168.15.250 inside

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

    NTP server 192.168.15.101 source inside

    prefer NTP server 192.168.15.100 source inside

    WebVPN

    internal remote group strategy

    Group remote attributes policy

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list Remote_splitTunnelAcl

    username StockUser encrypted password privilege 0 t6a0Nv8HUfWtUdKz

    username StockUser attributes

    Strategy-Group-VPN remote

    tunnel-group type remote access remotely

    tunnel-group remote General attributes

    address pool VPN_IP_Pool

    Group Policy - by default-remote control

    tunnel-group remote ipsec-attributes

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

    Hi Graham,

    My first question is do you have a site to site VPN and VPN remote access client.

    After checking your configuration, I see you don't have any Site to SIte VPN configuration, so I'm assuming you ara facing issue with the VPN client.

    And if I understand you are able to connect VPN client, but you not able to access internal resources properly.

    I recommend tey and make the following changes.

    First remove the following configuration:

    NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

    NAT (inside) 1 192.168.15.192 255.255.255.192

    You don't need the 1st one and I do not understand the reason for the second

    Second, one is your pool IP subnet (192.168.15.200 - 192.168.15.250) and I don't know why you added this NAT.

    If possible change your subnet pool all together because we do not recommend to use th ip POOL that is similar to your local network.

    Try the changes described above and let me know in case if you have any problem.

    Thank you

    Jeet Kumar

  • Create different group with VPN remote access

    Hello world

    The last time, I ve put in place a VPN for remote access to my network with ASA 5510

    I ve access to all my internal LAn helped with my VPN

    But I want to set up a vpn group in the CLI for a different group of the user who accesses the different server or a different network on my local network.

    Example: computer group - access to 10.70.5.X network

    Group consultant network - access to 10.70.10.X

    I need to know how I can do this, and if you can give me some example script to complete this

    Here is my configuration:

    ASA Version 8.0 (2)
    !
    ASA-Vidrul host name
    vidrul domain name - ao.com
    activate 8Ry2YjIyt7RRXU24 encrypted password
    names of
    DNS-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    address IP X.X.X.X 255.255.255.X
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    address IP X.X.X.X 255.255.255.X
    !
    interface Ethernet0/2
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    Description Port_Device_Management
    nameif management
    security-level 99
    address IP X.X.X.X 255.255.255.X
    management only
    !
    2KFQnbNIdI.2KYOU encrypted passwd
    passive FTP mode
    DNS server-group DefaultDNS
    vidrul domain name - ao.com
    access-list 100 scope ip allow a whole
    access-list extended 100 permit icmp any any echo
    access-list extended 100 permit icmp any any echo response
    vpn-vidrul_splitTunnelAcl permit 10.70.1.0 access list standard 255.255.255.0
    vpn-vidrul_splitTunnelAcl permit 10.70.99.0 access list standard 255.255.255.0
    inside_nat0_outbound list of allowed ip extended access all 10.70.255.0 255.255.255.0
    pager lines 24
    Outside 1500 MTU
    Within 1500 MTU
    MTU 1500 management
    IP local pool clientvpngroup 10.70.255.100 - 10.70.255.200 mask 255.255.255.0
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 602.bin
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 1 10.70.0.0 255.255.0.0
    Access-group 100 in the interface inside
    Access-group 100 interface inside

    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout, uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    Protocol RADIUS AAA-server 10.70.99.10
    AAA authentication enable LOCAL console
    the ssh LOCAL console AAA authentication
    LOCAL AAA authorization command
    Enable http server
    http 192.168.1.2 255.255.255.255 management
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    the Encryption
    md5 hash
    Group 2
    life 86400
    Crypto isakmp nat-traversal 30
    Telnet 0.0.0.0 0.0.0.0 inside
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    Console timeout 0
    outside access management
    dhcpd manage 192.168.1.2 - 192.168.1.5
    dhcpd enable management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    !
    class-map inspection_default
    match default-inspection-traffic
    block-url-class of the class-map
    class-map imblock
    match any
    class-map P2P
    game port tcp eq www
    !
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    Policy-map IM_P2P
    class imblock
    class P2P
    !
    global service-policy global_policy
    vpn-vidrul group policy internal
    vpn-vidrul group policy attributes
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
    value by default-field vidrul - ao.com
    test 274Y4GRAbNElaCoV of encrypted password privilege 0 username
    username admin privilege 15 encrypted password bTpUzgLxalekyhxQ
    attributes of user admin name
    Strategy-Group-VPN-vpn-vidrul
    username, password suporte zjQEaX/fm0NjEp4k encrypted privilege 15
    type tunnel-group vidrul-vpn remote access
    vpn-vidrul general-attributes tunnel-group
    address clientvpngroup pool
    Group Policy - by default-vpn-vidrul
    IPSec-vpn-vidrul tunnel group attributes
    pre-shared-key *.
    context of prompt hostname
    Cryptochecksum:d84e64c87cc5b263c84567e22400591c
    : end

    What you need to configure is to imitate the configuration on the tunnel-group and group strategy and to configure access to specific network you need.

    Currently, you have configured the following:

    vpn-vidrul group policy internal
    vpn-vidrul group policy attributes
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
    value by default-field vidrul - ao.com

    type tunnel-group vidrul-vpn remote access
    vpn-vidrul general-attributes tunnel-group
    address clientvpngroup pool
    Group Policy - by default-vpn-vidrul
    IPSec-vpn-vidrul tunnel group attributes
    pre-shared-key *.

    What you need is to create new group policy and the new tunnel-group and configure the tunnel split ACL to allow access to specific access required.

    The user must then connect with the new group name and the new pre-shared key (password).

    Hope that helps.

  • VPN remote access with router 2610

    Guys,

    A router Cisco 2610 series with IOS Version 11.3 (2) software version XA4 (fc1) will support a VPN remote access VPN Clients using standard Windows (LT2P on IPSec or PPTP) via a connection of Remote LAN-based access to wide band.

    I have bought this device and need an answer fast if possible.

    Thank you 1 million.

    Vito

    The navigation feature is the ideal tool for this:

    http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

    Search by function and enter PPTP and you will see he came to 12.2 code.

    Do the same for L2TP and you will see he came in 12.1 T code.

    The short answer is no.

Maybe you are looking for

  • I can't find my external hard drive

    Hello I have a drive hard new, not used externally. It has its own drive system and goes into USB. A friend got for me (he knows computers!), it's a drive hard there, for which he bought coverage. He says that it's compatible pc and mac and my friend

  • How can I find the question I asked yesterday? I can't find it!

    I'm in Australia. I have a question, go to bed, get up the next day and there are 1 million new questions and answers - how to find mines. Looked for what seems hours!

  • Satellite X 200-not satisfied with the brightness

    Hello I'm pretty happy with my laptop, the only thing that bothers me, it's a screen brightness. I tried to increase it with maps pre-installed flash, with Manager of NVidia (quite desperate tool) and it was not enough. Now, I think that if it is pos

  • Current inaccurate measurement using Shunt resistance

    Hello I try to measure the power of a pressure sensor 4-20 my using the PCI - 6251 DAQ and 249 Ohm shunt resistance.  The measurements taken by the DAQ card are slightly lower than expected.  Performed by a digital multimeter measures appear to be mo

  • I have a HP laptop with vista that no longer starts.

    I have a HP laptop with vista that no longer starts. I get the initial screen of HP and can access the configuration, but after that, all I get is a black screen with a blinking cursor. I ran the diagnostic test on my hard drive and it happened, but