Peer AnyConnect VPN cannot ping, RDP each other

Similar Questions

• AnyConnect Clients cannot communicate with each other

  I have a problem that I've been pulling my hair out... my teleworkers connect to our network of Corp. via a connection AnyConnect VPN (version 3.1) to a Cisco ASA5520. I have not split tunneling enabled for this profile, so that all traffic should pass through the tunnel and all guests are in the same subnet L3... as far as their IP VPN address goes. The problem is the teleworker PCs cannot communicate with each other (pings/RDP/etc.). When I look at the newspaper I see traffic from one to another, have denied anything, but they do not communicate. My Network Corp., I can communicate with the two PCs Anyconnect very well. When I go to monitoring. ASDM itineraries I see each host that is connected to the ASA via Anyconnect, and the gateway for each is the default gateway of the SAA.

  Am I missing some setting in the VPN profile that prevents the access between these hosts? I think that something come in the newspaper...

  Have you enabled crossed and also a free NAT between AnyConnect users?

  permit same-security-traffic intra-interface

  network of the AnyConnect_users object

  subnet

  public static AnyConnect_users AnyConnect_users destination NAT (outside, outside) static source AnyConnect_users AnyConnect_users

  If this does not resolve your problem, please post a sanitized complete configuration of your ASA.

• ASA VPN cannot ping ip local pool

  Hello

  We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

  Thanks in advance

  Keith

  Hi Keith,

  I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

  Can you add "same-security-traffic intra-interface permits" and try again?

  Federico.

• HELP: What router supports VLAN? -I wish both groups cannot communicate with each other.

  Hi all

  I have 5 wireless devices must connect to the router.

  I want to divide it into 2 groups:

  That is to say, 1, device A, B, C, group 2, device D, E.

  I would like two groups cannot communicate with each other.

  I've heard, it can be done by VLAN, is e2500 can adapt to what I need?

  What about EA3500 and EA4500?

  I use G wireless, is what it means that ea4500 is out of choice even if it supports VLAN?

  Thank you all!

  Evil

  Thanks for the clarification for the OP

  FWIW

  is this an alternative to routers that do not support of VLAN, to do what you want

  http://www.SmallNetBuilder.com/lanwan/lanwan-HOWTO/32486-how-to-segment-a-small-LAN-using-tagged-VLA...

• AnyConnect client cannot ping gateway

  I'm currently implementing anyconnect for some users in our Organization. Once the clients connect to the VPN via. AnyConnect, they cannot access anything whatsoever, including their default gateway (via ping). I'm not sure what I did wrong, but it's a quick fix, a person can report to me. It's a little frustrating because I had this lab work, but can not see the obvious errors.

  Pool VPN: 192.168.200.0/24

  inside the ASA interface 192.168.2.1

  Grateful for any help received.

  Greg

  :

  ASA Version 8.2 (1)

  !

  hostname asaoutsidedmz

  activate the encrypted 123 password

  123 encrypted passwd

  names of

  !

  interface Ethernet0/0

  link to the description to the ISP router / WAN

  nameif outside

  security-level 0

  IP address x.x.x.235 255.255.255.224

  !

  interface Ethernet0/1

  internal LAN interface Description

  Shutdown

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Ethernet0/2

  description of the DMZ interface

  nameif dmz

  security-level 50

  IP 192.168.2.1 255.255.255.0

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  Shutdown

  !

  boot system Disk0: / asa821 - k8.bin

  passive FTP mode

  clock timezone IS - 5

  clock to summer time EDT recurring

  DNS domain-lookup outside

  DNS domain-lookup dmz

  DNS server-group DefaultDNS

  cisco.com-domain name

  outside_access_in list extended access permit tcp any host x.x.x.232 eq www

  outside_access_in list extended access permit tcp any host x.x.x.234 eq ssh

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 dmz

  management of MTU 1500

  local pool SSLVPNDHCP 192.168.200.20 - 192.168.200.25 255.255.255.0 IP mask

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 621.bin

  don't allow no asdm history

  ARP timeout 14400

  Global interface 10 (external)

  Global interface (dmz) 10

  NAT (inside) 10 0.0.0.0 0.0.0.0

  NAT (dmz) 10 0.0.0.0 0.0.0.0

  static (dmz, external) x.x.x.232 192.168.2.18 netmask 255.255.255.255

  static (dmz, external) x.x.x.234 192.168.2.36 netmask 255.255.255.255

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 x.x.x.225 1

  dynamic-access-policy-registration DfltAccessPolicy

  RADIUS Protocol RADIUS AAA server

  GANYMEDE + Protocol Ganymede + AAA-server

  the ssh LOCAL console AAA authentication

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  No encryption isakmp nat-traversal

  Telnet timeout 5

  Console timeout 5

  management-access inside

  !

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-2.3.2016-k9.pkg 1 image

  enable SVC

  tunnel-group-list activate

  internal group SSLVPN strategy

  SSLVPN group policy attributes

  value of SSL VPN profile banner

  VPN - connections 1

  VPN-idle-timeout 30

  Protocol-tunnel-VPN l2tp ipsec svc

  WebVPN

  SVC request no svc default

  attributes of Group Policy DfltGrpPolicy

  Protocol-tunnel-VPN IPSec l2tp ipsec

  username password privilege 123 encrypted test11 0

  attributes of test11 username

  type of remote access service

  type tunnel-group SSLVPNTunnel remote access

  attributes global-tunnel-group SSLVPNTunnel

  address SSLVPNDHCP pool

  Group Policy - by default-SSLVPN

  tunnel-group SSLVPNTunnel webvpn-attributes

  enable AgricorpVPN group-alias

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the pptp

  !

  global service-policy global_policy

  context of prompt hostname

  : end

  A few things to look at. Firstly, interface e0/1 is the stop of the config above for connecting clients will not be able to achieve the devices on the "inside" of the SAA. Second, you don't have NAT 0 rules configured to exempt the return of LAN or DMZ traffic to the client IP pool.

• From AnyConnect VPN through an RDP Session

  Hello

  We have AnyConnect (ver. 3.1.01065) set up on our ASA5520 boxes. VPN works well from the office, but I also need the ability to establish a VPN connection through a RDP connection (i.e. I use RDP to connect to a PC that has installed AnyConnect, then try to establish a VPN connection).

  I downloaded the Cisco VPN profile editor, chaned the option to 'AllowRemoteUsers '. Then the relevant group policy profile applied. Connected PC (and not via RDP) VPN, so that it downloads the new profile and then disconnected again.

  However, I can't yet start VPN through an RDP connection. (Error is "the ability to set up VPN for remote desktop is disabled.) A VPN connection cannot be established.")

  I checked the file XML on the local PC to confirm the profile was downloaded (and is, and I do not see the option AllowRemoteUsers.)

  This has also happened with the previous AnyConnect version (3.0.xxxx).

  Local routing tables of the PC look good, and I don't see any conflicts that would cause the RDP session to drop.

  Also - if I connect the VPN, then RDP on the PC, the VPN and the RDP sessions work fine.

  Any ideas would be appreciated!

  Thank you

  Tony

  Hi Tony,.

  To do this both the ASA and the client must have the same XML profile.

  I just tested this with AC 3.1 and ASA 8.4 and it works beautifully.

  I included the XML file.

  * BTW, make sure that the profile is assigned to the appropriate group strategy.

  HTH.

  Portu.

  Please note all useful posts

• Site to Site VPN - cannot ping remote subnet

  Hi all.

  I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

  Any suggestions?

  I'm also an instant learn the ASAs, so I'm not an expert.  I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

  Thanks in advance.

  5505 lack the command:

  management-access inside

  Federico.

• Site to site between ASA 8.2 VPN, cannot ping

  Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

  

  Here is my setup for both.

  Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

  When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  ...
  

  Each attempt to ping responds with "Request timed out" on the computer of ping.

  Why clients cannot mutually ping on the VPN tunnel?

  Hello

  Create a NAT0 ACL at both ends.

  ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

  NAT (inside) 0 access-list SHEEP

  THX

  MS

  Edit: at the beginning, I mentioned ACL #, it may not work.

• VPN - cannot ping the next hop

  Then some advice... I have configured a server VPN - pptp on my router, create a vpn for the customer at the site. For the moment, the client computer can connect and a connection to the router. I can ping from client to the router (192.168.5.1) but cannot ping 192.168.5.2 (switch) or 192.168.10.X (workstations)

  What I try to achieve is to access the internal network (192.168.10.X), which is the end of the layer 3 switch. Any help/extra eyes would be good.

  Here is my design of the network and the config below:

  Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)

  Router Cisco 881

  AAA new-model

  !

  AAA of authentication ppp default local

  !

  VPDN enable

  !

  !

  VPDN-group VPDN PPTP

  !

  accept-dialin

  Pptp Protocol

  virtual-model 1

  !

  interface FastEthernet0

  Description link to switch

  switchport access vlan 5

  !

  interface FastEthernet1

  no ip address

  !

  interface FastEthernet2

  no ip address

  !

  interface FastEthernet3

  switchport access vlan 70

  no ip address

  !

  interface FastEthernet4

  Description INTERNET WAN PORT

  IP [IP EXTERNAL address]

  NAT outside IP

  IP virtual-reassembly in

  full duplex

  Speed 100

  card crypto VPN1

  !

  interface Vlan1

  no ip address

  !

  interface Vlan5

  Description $ES_LAN$

  IP 192.168.5.1 255.255.255.248

  no ip redirection

  no ip unreachable

  IP nat inside

  IP virtual-reassembly in

  !

  interface Vlan70

  IP [IP EXTERNAL address]

  IP virtual-reassembly in

  IP tcp adjust-mss 1452

  !

  !

  !

  interface virtual-Template1

  IP unnumbered FastEthernet4

  encapsulation ppp

  peer default ip address pool defaultpool

  Ms-chap PPP chap authentication protocol

  !

  IP local pool defaultpool 192.168.10.200 192.168.10.210

  IP forward-Protocol ND

  IP http server

  23 class IP http access

  local IP http authentication

  IP http secure server

  IP http timeout policy inactive 600 life 86400 request 10000

  !

  overload of IP nat inside source list no. - NAT interface FastEthernet4

  IP route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]

  Route IP 192.168.0.0 255.255.0.0 192.168.5.2

  !

  No. - NAT extended IP access list

  deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255

  IP 192.168.0.0 allow 0.0.255.255 everything

  VLAN70 extended IP access list

  ip [IP EXTERNAL] 0.0.0.15 permit 192.168.10.0 0.0.1.255

  permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp

  permit tcp [IP EXTERNAL] 0.0.0.15 any eq www

  permit any eq 443 tcp [IP EXTERNAL] 0.0.0.15

  permit tcp [IP EXTERNAL] 0.0.0.15 any eq field

  permits any udp [IP EXTERNAL] 0.0.0.15 eq field

  list of IP - VPN access scope

  IP 192.168.10.0 allow 0.0.1.255 10.1.0.0 0.0.1.255

  Licensing ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255

  WAN extended IP access list

  !

  Layer 3 switch - Dell Powerconnect 6224

  !

  IP routing

  IP route 0.0.0.0 0.0.0.0 192.168.5.1

  interface vlan 5

  name "to connect to the Cisco router.

  Routing

  IP 192.168.5.2 255.255.255.248

  output

  !

  interface vlan 10

  "internal network" name

  Routing

  IP 192.168.10.1 255.255.255.0

  output

  !

  interface ethernet 1/g12

  switchport mode acesss vlan 5

  output

  !

  interface ethernet 1/g29

  switchport mode access vlan 10

  output

  !

  Hi Samuel,.

  I went through your configuration and picked up a few problematic lines...

  First of all, you can't have your vpn-pool to be in the range of 192.168.10.x/24, because you already have this subnet used behind the switch (this would be possible if you had 192.168.10.x range connected directly to the router). In addition, you may not link your virtual model to the WAN ip address, it must be bound to an interface with a subnet that includes your IP vpn-pool range.

  The cleaner for this is,

  Create a new interface of back of loop with a new subnet

  !

  loopback interface 0
  

  192.168.99.1 IP address 255.255.255.0

  !

  New vpn set up, pool

  !

  IP local pool defaultpool 192.168.99.200 192.168.99.210

  !

  Change your template to point the new loopback interface,

  !

  interface virtual-Template1

  IP unnumbered loopback0

  encapsulation ppp

  peer default ip address pool defaultpool

  Ms-chap PPP chap authentication protocol

  !

  All vpn clients will get an IP address of 192.168.99.200 192.168.99.210 range. And they will be able to get the router and up to the desired range 192.168.10.x/24 behind the router. Packages get the switch, then to the host. Host will respond through the gateway (switch)-> router-> Client.

  PS: Sooner, even if your packages arrive at the host, the host will never try to send the response back through the gateway (switch) packets because STI (hosts) point of view, the package came from the same local network, so the host will simply try to "arp" for shippers MAC and eventually will expire)

  I hope this helps.

  Please don't forget to rate/brand of useful messages
  

  Shamal

• ESXi 5.5 - VMs cannot talk to each other

  I have a single host ESXi 5.5 in one of our offices abroad. Virtual machines on it cannot ping or otherwise to reach out to the other (RDP, etc.). However, other hosts can communicate with the virtual machines and virtual machines have full out communication - can ping their DG, other addresses, etc.

  The host is a Dell 510 with two network adapters configured on the vSwitch, which is set up at the HP 2510 G - 48 as a trunk. The VLAN is the tag and set up on the single vSwitch with the hash of the IP-based routing.

  I tried to disable one of the network cards on the switch to see if it makes a difference and also to disable the firewall on virtual machines (all virtual machines are running Win2008R2 - a domain controller and Exchange server and machine monitoring PRTG), also with no luck.

  There is only one port of the VM group and a group of unique management ports.

  Virtual machines can ping on the ESXi host.

  Is there any other information I can provide to help diagnose this problem?

  Thank you

  Kurt

  Hello

  We have seen this behavior in clonned VMs, however in most of the changing scenarios the VMXNET to E1000 vNIC solves the problem.

  Please check the followng KB which has information on this behavior, and the patch from microsoft for the guest virtual machines.

  KB.VMware.com/kb/1020078

• Wireless devices cannot connect to each other using the router EA6900

  I use the 2.4 Ghz network and none of my wireless devices are able to communicate with each other...  I could not connect to a wireless printer to my laptop wireless (through the router) and thought it was unusual.  I tried ping does not work either.  I then plugged a cable ethernet to the laptop and could ping the printer wireless without a problem.   I tried other devices (wired and wireless connections) and it seems that no wireless device can ping any other wireless device.  If, however, one of the devices is connected, it works fine...  All wireless devices to connect to the router and internet without problem... It's just when they try to communicate with each other.  I have experimented with the desktop using the ethernet adapter, then the wireless adapter... same results.  My wireless using my previous router devices could communicate with each other.  It's almost as if this device has insulated AP running if this so-called it doesn't support that.

  Customer service said: I'm the only one with this problem.  Does anyone else have this problem?

  I have an ea6900 and it works fine for me. Sounds almost like you are connected to the guest network which would be sort of this way. Did you do a power reset? It has never worked? Try to remove the power and back to see if it clears up it.

• Customer remote VPN cannot ping certain IP

  My Cisco VPN client can establish the tunnel with my successful ASA5505 Office vpn but cannot ping some IP such as an internal server (10.100.194.6).

  FIREWALL-1 # ping 10.100.194.6
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 10.100.194.6, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 ms

  Why I can't ping certain IP?

  Help, please.

  Thank you.

  Hey Kevin,

  Check out the capture, it is obvious that there is a problem of internal routing as we can see packets from the VPN client requests, but there is no response from the server package.

  Please ensure that the server has pointing on the Firewall VPN subnet route.
  HTH.

  Kind regards

  Dinesh Moudgil

  PS: Please check the useful messages.

• Phones AnyConnect VPN cannot connect to network ASA high-speed AT & T uverse

  Phones AnyConnect VPN are configured to connect to the ASA 5510 running 8.4 (4), and it uses the Active Directory credentials to connect. The connection is successful external ISP systems including Comcast and smaller independent service providers. However, when all of us at the AT & T uverse service take this phone 7965 even at home it networks fails to make any connection to the ASA at all. A capture of packets on the ASA shows no activity connection to the IP address of our uverse.

  What's more, is that we can successfully authenticate the VPN of the phone when using the local account credentials (e.g. username admin password * priv 15) that are entered on the SAA. AT & T said that they are not blocking the ports. It is the confusion that this works for users to access local connection, but not with A/D.

  So I guess the question is: what is the first handshake TCP/UDP composed when a Cisco IP phone links AnyConnect SSL to an ASA and negotiates the authentication of the number of A/D? For example, what are the port numbers used in this handshake?  I couldn't find all the diagrams illustrating the HRT and the RFC for DTLS do not seem to have the answer either.

  Thanks in advance.

  -Athonia

  Note: we have a TAC case open currently with subject ASA 5510 VPN Edition w / 250 annyconnect user - SSL VPN for phones. Configuration

  I too ran on this issue and here is a description of what I found.

  If you use automatic network detection first trys phone ping the TFTP server, he has learned from the DHCP server or manually set with the parameter of the alternate TFTP server.  If the TFTP server is accessible the VPN will not connect and will not allow the user to connect manually.

  ATT Uverse use DHCP option 150, the same option as Cisco UC uses to automatically set the TFTP servers, to locate the local home gateway so that the STB can join him.  For this reason, you should notice that when you have a VPN phone on the network and view network settings the IP address of the TFTP server is the IP address of your default gatewat (The ATT router).

  Because of the automatic detection of network works in ping the TFTP server that the phone will always think that it is connected to the local network.  The workaround is to manually set the TFTP server on the phone * to the IP address that the TFTP server would have been if she had leared it from the DHCP server on your corporate network.  The reason you should do this instead of just using a Bogon address, is that once the VPN is connected it tryes to register to the address that you specified.

  Please let me know if this solves your problem as it did in our case.

  * If you do not know how to set the TFTP replacement setting you must first select the "replacement" TFTP protocol and press on * #.  This will allow you to change the default no to Yes.  The below named parameter TFTP Server 1 will then allow you to manually specify the address.

• Cisco ASA 5515 - Anyconnect users cannot ping other users Anyconnect. How can I allow icmp between Anyconnect users traffic?

  Configuration of the ASA is below!

  ASA Version 9.1 (1)

  !

  ASA host name

  domain xxx.xx

  names of

  local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask

  !

  interface GigabitEthernet0/0

  nameif inside

  security-level 100

  192.168.11.1 IP address 255.255.255.0

  !

  interface GigabitEthernet0/1

  Description Interface_to_VPN

  nameif outside

  security-level 0

  IP 111.222.333.444 255.255.255.240

  !

  interface GigabitEthernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  management only

  nameif management

  security-level 100

  192.168.5.1 IP address 255.255.255.0

  !

  passive FTP mode

  DNS server-group DefaultDNS

  www.ww domain name

  permit same-security-traffic intra-interface

  the object of the LAN network

  subnet 192.168.11.0 255.255.255.0

  LAN description

  network of the SSLVPN_POOL object

  255.255.255.0 subnet 192.168.12.0

  VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  management of MTU 1500

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 711.bin

  don't allow no asdm history

  ARP timeout 14400

  no permit-nonconnected arp

  NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN

  Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  WebVPN

  list of URLS no

  identity of the user by default-domain LOCAL

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  LOCAL AAA authorization exec

  Enable http server

  http 192.168.5.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec pmtu aging infinite - the security association

  Crypto ca trustpoint ASDM_TrustPoint5

  Terminal registration

  E-mail [email protected] / * /

  name of the object CN = ASA

  address-IP 111.222.333.444

  Configure CRL

  Crypto ca trustpoint ASDM_TrustPoint6

  Terminal registration

  domain name full vpn.domain.com

  E-mail [email protected] / * /

  name of the object CN = vpn.domain.com

  address-IP 111.222.333.444

  pair of keys sslvpn

  Configure CRL

  trustpool crypto ca policy

  string encryption ca ASDM_TrustPoint6 certificates

  Telnet timeout 5

  SSH 192.168.11.0 255.255.255.0 inside

  SSH timeout 30

  Console timeout 0

  No ipv6-vpn-addr-assign aaa

  no local ipv6-vpn-addr-assign

  192.168.5.2 management - dhcpd addresses 192.168.5.254

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  SSL-trust outside ASDM_TrustPoint6 point

  WebVPN

  allow outside

  CSD image disk0:/csd_3.5.2008-k9.pkg

  AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1

  AnyConnect enable

  tunnel-group-list activate

  attributes of Group Policy DfltGrpPolicy

  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

  internal VPN_CLIENT_POLICY group policy

  VPN_CLIENT_POLICY group policy attributes

  WINS server no

  value of server DNS 192.168.11.198

  VPN - 5 concurrent connections

  VPN-session-timeout 480

  client ssl-VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_CLIENT_ACL

  myComp.local value by default-field

  the address value VPN_CLIENT_POOL pools

  WebVPN

  activate AnyConnect ssl dtls

  AnyConnect Dungeon-Installer installed

  AnyConnect ssl keepalive 20

  time to generate a new key 30 AnyConnect ssl

  AnyConnect ssl generate a new method ssl key

  AnyConnect client of dpd-interval 30

  dpd-interval gateway AnyConnect 30

  AnyConnect dtls lzs compression

  AnyConnect modules value vpngina

  value of customization DfltCustomization

  internal IT_POLICY group policy

  IT_POLICY group policy attributes

  WINS server no

  value of server DNS 192.168.11.198

  VPN - connections 3

  VPN-session-timeout 120

  Protocol-tunnel-VPN-client ssl clientless ssl

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_CLIENT_ACL

  field default value societe.com

  the address value VPN_CLIENT_POOL pools

  WebVPN

  activate AnyConnect ssl dtls

  AnyConnect Dungeon-Installer installed

  AnyConnect ssl keepalive 20

  AnyConnect dtls lzs compression

  value of customization DfltCustomization

  username vpnuser password PA$ encrypted $WORD

  vpnuser username attributes

  VPN-group-policy VPN_CLIENT_POLICY

  type of remote access service

  Username vpnuser2 password PA$ encrypted $W

  username vpnuser2 attributes

  type of remote access service

  username admin password ADMINPA$ $ encrypted privilege 15

  VPN Tunnel-group type remote access

  General-attributes of VPN Tunnel-group

  address VPN_CLIENT_POOL pool

  Group Policy - by default-VPN_CLIENT_POLICY

  VPN Tunnel-group webvpn-attributes

  the aaa authentication certificate

  enable VPN_to_R group-alias

  type tunnel-group IT_PROFILE remote access

  attributes global-tunnel-group IT_PROFILE

  address VPN_CLIENT_POOL pool

  Group Policy - by default-IT_POLICY

  tunnel-group IT_PROFILE webvpn-attributes

  the aaa authentication certificate

  enable IT Group-alias

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  : end

  Hello

  Here's what you'll need:

  permit same-security-traffic intra-interface

  VPN_CLIENT_ACL standard access list allow 192.168.12.0 255.255.255.0

  destination NAT (outside, outside) SSLVPN_POOL SSLVPN_POOL SSLVPN_POOL SSLVPN_POOL static static source

  Patrick

• The success, but AnyConnect VPN cannot remote desktop

  Hi all

  I have a problem when I am unable to remote desktop in any PC LAN when I am connected via VPN.  I can ping all the nodes inside the network and I can open a web page from my local PC address inside, as well.  So it seems like it was only the RDP (3389) is affected.  Remote access for PCs are turned on, as I am able to get to them via a different method (SBS Remote Web Access).

  I'm a bit new to ASAs, so any help is greatly appreciated.  TIA

  ASA 5505

  ASA Version 8.2 (5)
  !
  host name asa
  activate the encrypted password of IqUJj3NwPkd23LO9
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  name 10.0.1.0 Net-10
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  switchport access vlan 3
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  192.168.1.98 IP address 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  11.11.11.11 IP address 255.255.255.0
  !
  interface Vlan3
  No nameif
  security-level 50
  192.168.5.1 IP address 255.255.255.0
  !
  passive FTP mode
  object-group service RDP - tcp
  EQ port 3389 object
  TSTGRP_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
  inside_nat0_outbound list extended access permits all ip Net-10 255.255.255.224
  inside_nat0_outbound list of allowed ip extended access all 12.0.1.0 255.255.255.224
  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 12.0.1.0 255.255.255.224
  inside_access_in of access allowed any ip an extended list
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  mask IP local pool SSLClientPool-10 10.0.1.1 - 10.0.1.20 255.255.255.128
  12.0.1.1 mask - 12.0.1.20 local pool IPSec-12 IP 255.255.255.0
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  inside_access_in access to the interface inside group
  Route outside 0.0.0.0 0.0.0.0 11.11.11.11 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA authentication enable LOCAL console
  the ssh LOCAL console AAA authentication
  LOCAL AAA authorization command
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  outside_map interface card crypto outside
  Crypto ca trustpoint ASDM_TrustPoint0
  registration auto
  name of the object CN = not - asa .null
  pasvpnkey key pair
  Configure CRL
  string encryption ca ASDM_TrustPoint0 certificates
  certificate fecf8751
  308202da 308201c 2 a0030201 020204fe cf875130 0d06092a 864886f7 0d 010105
  31153013 06035504 03130c 70 61732d 61 73612e6e 756c6c31 16301406 0500302f
  092a 8648 86f70d01 09021607 7061732d 61736130 33303530 36323134 1e170d31
  3131365a 170d 3233 30353034 32313431 31365a 30 2f311530 13060355 0403130c
  7061732d 6173612e 6e756c6c 01090216 07706173 4886f70d a 31163014 06092, 86
  2D 617361 30820122 300 d 0609 2a 864886 f70d0101 01050003 82010f00 3082010 has
  00dc6f5c 02820101 584be603 1219ad4a 43085 has 97 b8fd7e33 c887933d 1b46dbca
  deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c 15 a9447e1e 8ba749cb
  61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2
  25c035e4 86870084 ea9ab8ae 8b 664464 40305c4d e40dd774 506f6c0a 6f4ca4d1
  0c81d2dd bcdc8393 3f4fbcba 1b477d45 af862bdf 50499615 7b9dac1b 502063b 8
  67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd e5ad6cba 999ae711 ca 71, 9310
  c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83
  6379a 040 90469661 and 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024
  a32a1003 af020301 0001300d 4886f70d 01010505 00038201 010084b 1 a 06092, 86
  c96aeec0 62698729 4e65cace e6f2e325 62909905 df31fbeb 8d767c74 395b 9053
  434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53
  f1d715b9 89da338b f5ac9726 2de50629 34520055 55d1fcc5 f59c1271 ad14cd7e
  14adc454 f9072744 bf66ffb5 20 c 04069 375b858c 723999f8 5cc2ae38 4bb4013a
  2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff
  6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0
  f08b2946 be8e04d7 9d15ef96 2e511fc5 804c402b 33987858 46a7b473 a 429, 1936
  681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d
  quit smoking
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH 192.168.1.100 255.255.255.255 inside
  SSH 10.0.1.1 255.255.255.255 outside
  SSH timeout 5
  Console timeout 0
  dhcpd auto_config inside
  !
  dhcpd address 192.168.1.222 - 192.168.1.223 inside
  dhcpd dns 11.11.11.12 11.11.12.12 interface inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL-trust outside ASDM_TrustPoint0 point
  WebVPN
  allow outside
  SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
  SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image
  enable SVC
  tunnel-group-list activate
  internal SSLClientPolicy group strategy
  attributes of Group Policy SSLClientPolicy
  VPN-tunnel-Protocol svc
  attributes of Group Policy DfltGrpPolicy
  value of 11.11.11.12 DNS server 11.11.12.12
  Protocol-tunnel-VPN IPSec webvpn
  username, password test 1w1. Encrypted F5oqiDOWdcll privilege 0
  username test attributes
  VPN-group-policy SSLClientPolicy
  test1 lQ8frBN8p.5fQvth encrypted privilege 15 password username
  username, password test2 w4USQXpU8Wj/RFt8 encrypted privilege 0
  name of user test2 attributes
  VPN-group-policy SSLClientPolicy
  username password test3 SC8q/LweL74qU0Zu encrypted privilege 0
  test3 username attributes
  VPN-group-policy SSLClientPolicy
  attributes global-tunnel-group DefaultRAGroup
  address pool IPSec-12
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared key *.
  NO-SSL-VPN Tunnel-group type remote access
  General-attributes of the NO-SSL-VPN Tunnel-group
  address-pool SSLClientPool-10
  Group Policy - by default-SSLClientPolicy
  NO-SSL-VPN Tunnel - webvpn-attributes group
  enable PAS_VPN group-alias
  allow group-url https://11.11.11.11/PAS_VPN
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  privilege level 3 mode exec cmd command perfmon
  privilege level 3 mode exec cmd ping command
  mode privileged exec command cmd level 3
  logging of the privilege level 3 mode exec cmd commands
  privilege level 3 exec command failover mode cmd
  privilege level 3 mode exec command packet cmd - draw
  privilege show import at the level 5 exec mode command
  privilege level 5 see fashion exec running-config command
  order of privilege show level 3 exec mode reload
  privilege level 3 exec mode control fashion show
  privilege see the level 3 exec firewall command mode
  privilege see the level 3 exec mode command ASP.
  processor mode privileged exec command to see the level 3
  privilege command shell see the level 3 exec mode
  privilege show level 3 exec command clock mode
  privilege exec mode level 3 dns-hosts command show
  privilege see the level 3 exec command access-list mode
  logging of orders privilege see the level 3 exec mode
  privilege, level 3 see the exec command mode vlan
  privilege show level 3 exec command ip mode
  privilege, level 3 see fashion exec command ipv6
  privilege, level 3 see the exec command failover mode
  privilege, level 3 see fashion exec command asdm
  exec mode privilege see the level 3 command arp
  command routing privilege see the level 3 exec mode
  privilege, level 3 see fashion exec command ospf
  privilege, level 3 see the exec command in aaa-server mode
  AAA mode privileged exec command to see the level 3
  privilege, level 3 see fashion exec command eigrp
  privilege see the level 3 exec mode command crypto
  privilege, level 3 see fashion exec command vpn-sessiondb
  privilege level 3 exec mode command ssh show
  privilege, level 3 see fashion exec command dhcpd
  privilege, level 3 see the vpnclient command exec mode
  privilege, level 3 see fashion exec command vpn
  privilege level see the 3 blocks from exec mode command
  privilege, level 3 see fashion exec command wccp
  privilege see the level 3 exec command mode dynamic filters
  privilege, level 3 see the exec command in webvpn mode
  privilege control module see the level 3 exec mode
  privilege, level 3 see fashion exec command uauth
  privilege see the level 3 exec command compression mode
  level 3 for the show privilege mode configure the command interface
  level 3 for the show privilege mode set clock command
  level 3 for the show privilege mode configure the access-list command
  level 3 for the show privilege mode set up the registration of the order
  level 3 for the show privilege mode configure ip command
  level 3 for the show privilege mode configure command failover
  level 5 mode see the privilege set up command asdm
  level 3 for the show privilege mode configure arp command
  level 3 for the show privilege mode configure the command routing
  level 3 for the show privilege mode configure aaa-order server
  level mode 3 privilege see the command configure aaa
  level 3 for the show privilege mode configure command crypto
  level 3 for the show privilege mode configure ssh command
  level 3 for the show privilege mode configure command dhcpd
  level 5 mode see the privilege set privilege to command
  privilege level clear 3 mode exec command dns host
  logging of the privilege clear level 3 exec mode commands
  clear level 3 arp command mode privileged exec
  AAA-server of privilege clear level 3 exec mode command
  privilege clear level 3 exec mode command crypto
  privilege clear level 3 exec command mode dynamic filters
  level 3 for the privilege cmd mode configure command failover
  clear level 3 privilege mode set the logging of command
  privilege mode clear level 3 Configure arp command
  clear level 3 privilege mode configure command crypto
  clear level 3 privilege mode configure aaa-order server
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:7f67d8c8b24bc533cf546b545aa33327

  Looks like traffic is underway for RDP but there is no response packet

  7: 22:24:58.824954 802. 1 q vlan P0 10.0.1.1.49162 #1 > 192.168.1.20.3389: S 3361152799:3361152799 (0) win 65535

  8: 22:24:59.824740 802. 1 q vlan P0 10.0.1.1.49162 #1 > 192.168.1.20.3389: S 3361152799:3361152799 (0) win 65535

  This can result from Neatgear (192.168.1.1), drop the packets. You can have solutions on SAA by tapping the traffic on the inside of the interface on the ASA. Here's what you need to do:

  vpn_nat_inside 10.0.1.0 ip access list allow 255.255.255.0 192.168.1.0 255.255.255.0

  NAT (10 vpn_nat_inside list of outdoor outdoor access)

  Global interface (10 Interior)

  This pat only vpn traffic entering the pool and will not have effect on anything else.

  Kind regards

  Bad Boy

  P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community