Problem with ASA 5505 VPN remote access

After about a year of the Cisco VPN Client connecting to an ASA 5505 with no problems, one day it suddenly stopped working. The customer can connect to the ASA and browse the local network for only about 30 seconds after connecting. After that, there is no access to the network behind the ASA. I have tried everything I can think of to solve the problem, but at this point I'm just banging my head against a wall. Does anyone know what could cause this?

Here is the running config of the ASA:

----------------------------------------------------------------------------------------

: Saved
:
ASA Version 8.4(1)
!
hostname NCHCO
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
name 192.168.2.0 NCHCO description City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.**.***.*** 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
 subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
 subnet 0.0.0.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Webserver
object network FINX
 host 192.168.2.11
object service rdp
 service tcp source range 1 65535 destination eq 3389
 description Rdp
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit tcp any object FINX eq 3389
access-list outside_access_in_1 extended permit object rdp any object FINX
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
!
object network obj_any
 nat (inside,outside) dynamic interface
object network FINX
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl outside_nat0_outbound
 webvpn
  svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http *.**.***.*** 255.255.255.255 outside
http *.**.***.*** 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set vpn-transform l2tp-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 35
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value nchco.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 password-storage enable
 ipsec-udp enable
 intercept-dhcp 255.255.255.0 enable
 address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
 dns-server value 192.168.2.1 8.8.8.8
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NCHCO_splitTunnelAcl_1
 default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) VPN_Pool
 address-pool VPN_Pool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy DefaultRAGroup
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
 address-pool VPN_Pool
 default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable

---------------------------------------------------------------------------------------------------------------

And here are the Cisco VPN Client logs from connecting and browsing, after which the client is unable to reach the network behind the ASA:

---------------------------------------------------------------------------------------------------------------

Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      09:44:55.677  01/10/13  Sev=Info/6  CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

2      09:44:55.677  01/10/13  Sev=Info/6  CERT/0x63600027
Found a Certificate using Serial Hash.

3      09:44:55.693  01/10/13  Sev=Info/6  GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

4      09:45:02.802  01/10/13  Sev=Info/4  CM/0x63100002
Begin connection process

5      09:45:02.802  01/10/13  Sev=Info/4  CM/0x63100004
Establish secure connection

6      09:45:02.802  01/10/13  Sev=Info/4  CM/0x63100024
Attempt connection with server "*.**.***.***"

7      09:45:02.802  01/10/13  Sev=Info/6  IKE/0x6300003B
Attempting to establish a connection with *.**.***.***.

8      09:45:02.818  01/10/13  Sev=Info/4  IKE/0x63000001
Starting IKE Phase 1 Negotiation

9      09:45:02.865  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to *.**.***.***

10     09:45:02.896  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

11     09:45:02.896  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from *.**.***.***

12     09:45:02.896  01/10/13  Sev=Info/5  IKE/0x63000001
Peer is a Cisco-Unity compliant peer

13     09:45:02.896  01/10/13  Sev=Info/5  IKE/0x63000001
Peer supports XAUTH

14     09:45:02.896  01/10/13  Sev=Info/5  IKE/0x63000001
Peer supports DPD

15     09:45:02.896  01/10/13  Sev=Info/5  IKE/0x63000001
Peer supports NAT-T

16     09:45:02.896  01/10/13  Sev=Info/5  IKE/0x63000001
Peer supports IKE fragmentation payloads

17     09:45:02.927  01/10/13  Sev=Info/6  IKE/0x63000001
IOS Vendor ID Construction successful

18     09:45:02.927  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to *.**.***.***

19     09:45:02.927  01/10/13  Sev=Info/4  IKE/0x63000083
IKE Port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

20     09:45:02.927  01/10/13  Sev=Info/5  IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

21     09:45:02.927  01/10/13  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

22     09:45:02.943  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

23     09:45:02.943  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***

24     09:45:02.943  01/10/13  Sev=Info/4  CM/0x63100015
Launch xAuth application

25     09:45:03.037  01/10/13  Sev=Info/6  GUI/0x63B00012
Authentication request attributes is 6h.

26     09:45:03.037  01/10/13  Sev=Info/4  CM/0x63100017
xAuth application returned

27     09:45:03.037  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***

28     09:45:03.037  01/10/13  Sev=Info/4  IPSEC/0x63700008
IPSec driver successfully started

29     09:45:03.037  01/10/13  Sev=Info/4  IPSEC/0x63700014
Deleted all keys

30     09:45:03.083  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

31     09:45:03.083  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***

32     09:45:03.083  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***

33     09:45:03.083  01/10/13  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

34     09:45:03.083  01/10/13  Sev=Info/5  IKE/0x6300005E
Client sending a firewall request to concentrator

35     09:45:03.083  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***

36     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

37     09:45:03.146  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***

38     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70

39     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

40     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1

41     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8

42     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001

43     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

44     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000F
SPLIT_NET #1
	subnet = 192.168.2.0
	mask = 255.255.255.0
	protocol = 0
	src port = 0
	dest port=0

45     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local

46     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0x00002710

47     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

48     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11

49     09:45:03.146  01/10/13  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

50     09:45:03.146  01/10/13  Sev=Info/4  CM/0x63100019
Mode Config data received

51     09:45:03.146  01/10/13  Sev=Info/4  IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = *.**.***.***, Remote IP = 0.0.0.0

52     09:45:03.146  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to *.**.***.***

53     09:45:03.177  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

54     09:45:03.177  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from *.**.***.***

55     09:45:03.177  01/10/13  Sev=Info/5  IKE/0x63000045
Responder lifetime notify has value of 86400 seconds

56     09:45:03.177  01/10/13  Sev=Info/5  IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

57     09:45:03.193  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

58     09:45:03.193  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from *.**.***.***

59     09:45:03.193  01/10/13  Sev=Info/5  IKE/0x63000045
Responder lifetime notify has value of 28800 seconds

60     09:45:03.193  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to *.**.***.***

61     09:45:03.193  01/10/13  Sev=Info/5  IKE/0x63000059
Loading IPsec SA (MsgID=967A3C93 OUTBOUND SPI = 0xAAAF4C1C INBOUND SPI = 0x3EBEBFC5)

62     09:45:03.193  01/10/13  Sev=Info/5  IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xAAAF4C1C

63     09:45:03.193  01/10/13  Sev=Info/5  IKE/0x63000026
Loaded INBOUND ESP SPI: 0x3EBEBFC5

64     09:45:03.193  01/10/13  Sev=Info/5  CVPND/0x63400013
      Destination         Netmask         Gateway       Interface  Metric
          0.0.0.0         0.0.0.0     96.11.251.1   96.11.251.149     261
      96.11.251.0   255.255.255.0   96.11.251.149   96.11.251.149     261
    96.11.251.149 255.255.255.255   96.11.251.149   96.11.251.149     261
    96.11.251.255 255.255.255.255   96.11.251.149   96.11.251.149     261
        127.0.0.0       255.0.0.0       127.0.0.1       127.0.0.1     306
        127.0.0.1 255.255.255.255       127.0.0.1       127.0.0.1     306
  127.255.255.255 255.255.255.255       127.0.0.1       127.0.0.1     306
      192.168.1.0   255.255.255.0     192.168.1.3     192.168.1.3     261
      192.168.1.3 255.255.255.255     192.168.1.3     192.168.1.3     261
    192.168.1.255 255.255.255.255     192.168.1.3     192.168.1.3     261
        224.0.0.0       240.0.0.0       127.0.0.1       127.0.0.1     306
        224.0.0.0       240.0.0.0   96.11.251.149   96.11.251.149     261
        224.0.0.0       240.0.0.0     192.168.1.3     192.168.1.3     261
  255.255.255.255 255.255.255.255       127.0.0.1       127.0.0.1     306
  255.255.255.255 255.255.255.255   96.11.251.149   96.11.251.149     261
  255.255.255.255 255.255.255.255     192.168.1.3     192.168.1.3     261

65     09:45:03.521  01/10/13  Sev=Info/6  CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter

66     09:45:03.896  01/10/13  Sev=Info/4  CM/0x63100034
The Virtual Adapter was enabled:
	IP=192.168.2.70/255.255.255.0
	DNS=192.168.2.1,8.8.8.8
	WINS=0.0.0.0,0.0.0.0
	Domain=NCHCO.local
	Split DNS Names=

67     09:45:03.912  01/10/13  Sev=Info/5  CVPND/0x63400013
      Destination         Netmask         Gateway       Interface  Metric
          0.0.0.0         0.0.0.0     96.11.251.1   96.11.251.149     261
      96.11.251.0   255.255.255.0   96.11.251.149   96.11.251.149     261
    96.11.251.149 255.255.255.255   96.11.251.149   96.11.251.149     261
    96.11.251.255 255.255.255.255   96.11.251.149   96.11.251.149     261
        127.0.0.0       255.0.0.0       127.0.0.1       127.0.0.1     306
        127.0.0.1 255.255.255.255       127.0.0.1       127.0.0.1     306
  127.255.255.255 255.255.255.255       127.0.0.1       127.0.0.1     306
      192.168.1.0   255.255.255.0     192.168.1.3     192.168.1.3     261
      192.168.1.3 255.255.255.255     192.168.1.3     192.168.1.3     261
    192.168.1.255 255.255.255.255     192.168.1.3     192.168.1.3     261
        224.0.0.0       240.0.0.0       127.0.0.1       127.0.0.1     306
        224.0.0.0       240.0.0.0   96.11.251.149   96.11.251.149     261
        224.0.0.0       240.0.0.0     192.168.1.3     192.168.1.3     261
        224.0.0.0       240.0.0.0         0.0.0.0         0.0.0.0     261
  255.255.255.255 255.255.255.255       127.0.0.1       127.0.0.1     306
  255.255.255.255 255.255.255.255   96.11.251.149   96.11.251.149     261
  255.255.255.255 255.255.255.255     192.168.1.3     192.168.1.3     261
  255.255.255.255 255.255.255.255         0.0.0.0         0.0.0.0     261

68     09:45:07.912  01/10/13  Sev=Info/4  CM/0x63100038
Successfully saved route changes to file.

69     09:45:07.912  01/10/13  Sev=Info/5  CVPND/0x63400013
      Destination         Netmask         Gateway       Interface  Metric
          0.0.0.0         0.0.0.0     96.11.251.1   96.11.251.149     261
     *.**.***.*** 255.255.255.255     96.11.251.1   96.11.251.149     100
      96.11.251.0   255.255.255.0   96.11.251.149   96.11.251.149     261
    96.11.251.149 255.255.255.255   96.11.251.149   96.11.251.149     261
    96.11.251.255 255.255.255.255   96.11.251.149   96.11.251.149     261
        127.0.0.0       255.0.0.0       127.0.0.1       127.0.0.1     306
        127.0.0.1 255.255.255.255       127.0.0.1       127.0.0.1     306
  127.255.255.255 255.255.255.255       127.0.0.1       127.0.0.1     306
      192.168.1.0   255.255.255.0     192.168.1.3     192.168.1.3     261
      192.168.1.3 255.255.255.255     192.168.1.3     192.168.1.3     261
    192.168.1.255 255.255.255.255     192.168.1.3     192.168.1.3     261
      192.168.2.0   255.255.255.0    192.168.2.70    192.168.2.70     261
      192.168.2.0   255.255.255.0     192.168.2.1    192.168.2.70     100
     192.168.2.70 255.255.255.255    192.168.2.70    192.168.2.70     261
    192.168.2.255 255.255.255.255    192.168.2.70    192.168.2.70     261
        224.0.0.0       240.0.0.0       127.0.0.1       127.0.0.1     306
        224.0.0.0       240.0.0.0   96.11.251.149   96.11.251.149     261
        224.0.0.0       240.0.0.0     192.168.1.3     192.168.1.3     261
        224.0.0.0       240.0.0.0    192.168.2.70    192.168.2.70     261
  255.255.255.255 255.255.255.255       127.0.0.1       127.0.0.1     306
  255.255.255.255 255.255.255.255   96.11.251.149   96.11.251.149     261
  255.255.255.255 255.255.255.255     192.168.1.3     192.168.1.3     261
  255.255.255.255 255.255.255.255    192.168.2.70    192.168.2.70     261

70     09:45:07.912  01/10/13  Sev=Info/6  CM/0x63100036
The routing table was updated for the Virtual Adapter

71     09:45:07.912  01/10/13  Sev=Info/4  CM/0x6310001A
One secure connection established

72     09:45:07.943  01/10/13  Sev=Info/4  CM/0x6310003B
Address watch added for 96.11.251.149.  Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.

73     09:45:07.943  01/10/13  Sev=Info/4  CM/0x6310003B
Address watch added for 192.168.2.70.  Current hostname: psaserver, Current address(es): 192.168.2.70, 96.11.251.149, 192.168.1.3.

74     09:45:07.943  01/10/13  Sev=Info/5  CM/0x63100001
Did not find smart card to watch for removal

75     09:45:07.943  01/10/13  Sev=Info/4  IPSEC/0x63700014
Deleted all keys

76     09:45:07.943  01/10/13  Sev=Info/4  IPSEC/0x63700010
Created a new key structure

77     09:45:07.943  01/10/13  Sev=Info/4  IPSEC/0x6370000F
Added key with SPI=0x1c4cafaa into key list

78     09:45:07.943  01/10/13  Sev=Info/4  IPSEC/0x63700010
Created a new key structure

79     09:45:07.943  01/10/13  Sev=Info/4  IPSEC/0x6370000F
Added key with SPI=0xc5bfbe3e into key list

80     09:45:07.943  01/10/13  Sev=Info/4  IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70

81     09:45:07.943  01/10/13  Sev=Info/4  IPSEC/0x63700037
Configure public interface: 96.11.251.149. SG: *.**.***.***

82     09:45:07.943  01/10/13  Sev=Info/6  CM/0x63100046
Set tunnel established flag in registry to 1.

83     09:45:13.459  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to *.**.***.***

84     09:45:13.459  01/10/13  Sev=Info/6  IKE/0x6300003D
Sending DPD request to *.**.***.***, our seq# = 107205276

85     09:45:13.474  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

86     09:45:13.474  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from *.**.***.***

87     09:45:13.474  01/10/13  Sev=Info/5  IKE/0x63000040
Received DPD ACK from *.**.***.***, seq# received = 107205276, seq# expected = 107205276

88     09:45:15.959  01/10/13  Sev=Info/4  IPSEC/0x63700019
Activate outbound key with SPI=0x1c4cafaa for inbound key with SPI=0xc5bfbe3e

89     09:46:00.947  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to *.**.***.***

90     09:46:00.947  01/10/13  Sev=Info/6  IKE/0x6300003D
Sending DPD request to *.**.***.***, our seq# = 107205277

91     09:46:01.529  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

92     09:46:01.529  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from *.**.***.***

93     09:46:01.529  01/10/13  Sev=Info/5  IKE/0x63000040
Received DPD ACK from *.**.***.***, seq# received = 107205277, seq# expected = 107205277

94     09:46:11.952  01/10/13  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to *.**.***.***

95     09:46:11.952  01/10/13  Sev=Info/6  IKE/0x6300003D
Sending DPD request to *.**.***.***, our seq# = 107205278

96     09:46:11.979  01/10/13  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***

97     09:46:11.979  01/10/13  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from *.**.***.***

98     09:46:11.979  01/10/13  Sev=Info/5  IKE/0x63000040
Received DPD ACK from *.**.***.***, seq# received = 107205278, seq# expected = 107205278

---------------------------------------------------------------------------------------------------------------

Any help would be appreciated, thanks!

Try moving the deny entry (access-list AnyConnect_Client_Local_Print extended deny ip any any) to the end of the ACL.
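As an added example (it is not code from this thread or from the poster's ASA), the Python script below runs two checks a practitioner would make against the posted configuration. The first flags access-list entries that sit after a catch-all entry in the same ACL and can therefore never match, which is what the reply above points at: AnyConnect_Client_Local_Print starts with "deny ip any any", so every permit after it is dead. The second flags a VPN address pool that falls inside a directly connected interface subnet, which is the case for VPN_Pool (192.168.2.70-192.168.2.80 inside the 192.168.2.0/24 inside network). The sample configuration embedded in the script is constructed from the posted lines, with the VPN_Start/VPN_End names resolved to their addresses and a placeholder outside address (203.0.113.2) standing in for the masked one; the function and variable names are the example's own.

```python
"""Lint two things in an ASA 8.x running-config: ACEs shadowed by an earlier
catch-all entry, and VPN address pools that overlap an interface subnet.
Example code written for this thread; it is not Cisco tooling."""
import ipaddress
import re

# Constructed sample: the print ACL and the pool/interface lines from the
# config posted above, with VPN_Start/VPN_End resolved to their addresses and
# a placeholder outside address (the real one is masked in the post).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
ip local pool VPN_Pool 192.168.2.70-192.168.2.80 mask 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard)\s+(permit|deny)\s+(.+)$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)\s+mask\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IFADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")


def _is_catch_all(rest):
    """'ip any any' (extended ACL) or 'any' (standard ACL) matches every packet."""
    toks = rest.split()
    return toks == ["ip", "any", "any"] or toks == ["any"]


def shadowed_aces(config):
    """Map ACL name -> 1-based positions (remarks not counted) of ACEs that can
    never match because a catch-all ACE precedes them. The ASA evaluates an
    ACL top down and stops at the first match, so those lines are dead."""
    position, catch_all_seen, shadowed = {}, set(), {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        acl, _action, rest = m.groups()
        position[acl] = position.get(acl, 0) + 1
        if acl in catch_all_seen:
            shadowed.setdefault(acl, []).append(position[acl])
        elif _is_catch_all(rest):
            catch_all_seen.add(acl)
    return shadowed


def interface_subnets(config):
    """Return [(nameif, network)] for every interface that has an IP address."""
    subnets, nameif = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # a new interface block starts
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif (m := IFADDR_RE.match(line)) and nameif:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            subnets.append((nameif, net))
    return subnets


def pool_overlaps(config):
    """Return [(pool, nameif, subnet)] for every local pool whose first or last
    address lies in a connected interface subnet. Such a pool only works
    because the ASA proxy-ARPs for the client addresses on that interface."""
    subnets = interface_subnets(config)
    hits = []
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue
        name, first, last, _mask = m.groups()
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        for nameif, net in subnets:
            if lo in net or hi in net:
                hits.append((name, nameif, str(net)))
    return hits


if __name__ == "__main__":
    for acl, dead in shadowed_aces(SAMPLE_CONFIG).items():
        print(f"{acl}: ACEs {dead} are shadowed by an earlier catch-all entry")
    for pool, nameif, net in pool_overlaps(SAMPLE_CONFIG):
        print(f"{pool} overlaps the {nameif} subnet {net}")
```

Both checks report findings to review rather than a diagnosis. Moving the deny entry to the end, as the reply suggests, makes the first check come back empty; a pool in a dedicated subnet that is routed to the ASA removes the proxy-ARP dependency the second check points at.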

Tags: Cisco Security

Similar Questions

  • No Internet connectivity with ASA 5505 VPN remote access

    Hello

    I configured an ASA 5505 for remote access VPN to allow a remote user to connect to the remote office LAN. The VPN works well, users can access office LAN resources such as shares etc., but once they have connected to the VPN, they are unable to browse the internet?

    Internet browsing stops working as soon as their VPN client connects to the ASA 5505; once they disconnect from the VPN, they can browse the internet again.

    Is the ASA 5505 blocking internet browsing for VPN users? Is there anything else I need to configure to ensure that VPN users can browse the internet?

    Do I have to configure split tunneling, NATing or routing for VPN users? Or something else?

    Thank you very much for your help.

    Regards

    Salman

    Salman

    What you run into is a default behavior of the ASA in which it will not route traffic back out the same interface on which it arrived. So if the VPN traffic arrived on the outside interface, the ASA does not want to send it back out the outside interface for Internet access.

    You have at least 2 options:

    - You can configure split tunneling, as you mention, and this would allow Internet browsing to continue while using the VPN.

    - You can set an option on the ASA to allow traffic back out the same interface (this is sometimes called hairpinning). Use the command

    same-security-traffic permit intra-interface

    HTH

    Rick

  • Site to Site and together on ASA 5505 VPN remote access

    Hello

    I tried to set up a new Site-to-Site VPN on an ASA5505 that already has a remote access VPN on it.

    After adding the new configuration lines, I got the following messages when debugging:

    04 Nov 07:06:06 [IKEv1]: Group = , IP = , QM FSM error (P2 struct &0xd91a4d10, mess id 0xeac05ec0)!

    04 Nov 07:04:36 [IKEv1]: Group = , IP = , Removing peer from correlator table failed, no match!

    Does anyone know what the problem is? And what to change in the config?

    Thanks in advance,

    Ruben

    Hello

    If the ASA had a Remote Access VPN and you add a new Site-to-Site, you must make sure that the crypto map priority is lower for the newly added Site-to-Site. This is because otherwise traffic will always try to match the remote access tunnel. You can check it with the command "sh run crypto map".

    Federico.
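As an added example for the reply above (not code from this thread), the Python below parses the crypto map lines of an ASA configuration and reports static site-to-site entries whose sequence number is higher than a dynamic entry's in the same map, which is what "sh run crypto map" is being read for by eye. The ASA walks a crypto map in ascending sequence order, and a dynamic entry has no peer and so accepts any peer, so the static entry must come first. The sample is constructed: outside_map is copied from the configuration at the top of this page, where the site-to-site entry (sequence 1) already sits before the dynamic entries (20 and 65535); bad_map and its peer address 198.51.100.7 are invented to show a misordered map.

```python
"""Check crypto map ordering on an ASA: dynamic (remote-access) entries must
carry higher sequence numbers than static (site-to-site) entries. Example code
written for this thread, not Cisco tooling."""
import re
from collections import defaultdict

# Constructed sample: outside_map is taken from the config posted at the top
# of this page; bad_map (and peer 198.51.100.7) is invented to show the
# misordering the reply above describes.
SAMPLE_CONFIG = """\
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map bad_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map bad_map 20 match address l2l_acl
crypto map bad_map 20 set peer 198.51.100.7
"""

CM_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(.+)$")


def crypto_map_entries(config):
    """Return {map: {seq: {'peer'|'dynamic'|'acl': value}}} from 'crypto map'
    lines; 'crypto map NAME interface X' has no sequence and is skipped."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = CM_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps[name].setdefault(seq, {})
        if rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2]
        elif rest[:2] == ["match", "address"]:
            entry["acl"] = rest[2]
    return dict(maps)


def misordered_static_entries(config):
    """List (map, seq, peer, first_dynamic_seq) for every static entry that
    sits after a dynamic entry in the same map. The fix is to renumber the
    static entry below the lowest dynamic sequence number."""
    problems = []
    for name, entries in crypto_map_entries(config).items():
        dyn = [s for s, e in entries.items() if "dynamic" in e]
        if not dyn:
            continue
        first_dyn = min(dyn)
        for seq in sorted(entries):
            if "peer" in entries[seq] and seq > first_dyn:
                problems.append((name, seq, entries[seq]["peer"], first_dyn))
    return problems


if __name__ == "__main__":
    for name, seq, peer, first_dyn in misordered_static_entries(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq} (peer {peer}) comes after dynamic entry {first_dyn}")
```

Run against a real "show run crypto map" capture, the script lists only the maps that need renumbering; an empty result means every site-to-site entry is already evaluated before the dynamic ones.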

  • ASA 5505 VPN remote access

    Hi all

    I read http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html and followed the steps to create a remote access VPN. The FW config is at the end of this post.

    I am testing the connection remotely from a Cisco VPN Client for Windows, with plans to migrate the profile to my Linux laptop. What I see is an error message when running 'debug crypto isa 129':

    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer from peer table failed, no match!
    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Error: Unable to remove PeerTblEntry

    What seems strange to me is that I have a group policy and an IPSec connection profile 'RemoteHome' configured, but it is not referenced in the debug output. I searched through my config for DefaultRAGroup, but found nothing. However, I found it in the ASDM under IPSec connection profiles.

    I configured the FW to use LOCAL authentication and have configured the VPN Client with the right user name and password.

    So basically I'm at a loss on how to correct my mistake. Any help much appreciated.

    After the FW config is the output of debug crypto isa 129.

    Cheers,

    Conor

    access-list RemoteHome_splitTunnelAcl standard permit host 10.2.2.2
    access-list RemoteHome_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
    access-list RemoteHome_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
    access-list RemoteHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list INSIDE_nat0_outbound line 1 extended permit ip host 10.2.2.2 192.168.2.64 255.255.255.192
    access-list INSIDE_nat0_outbound line 2 extended permit ip 172.16.0.0 255.255.0.0 192.168.2.64 255.255.255.192
    access-list INSIDE_nat0_outbound line 3 extended permit ip 10.3.3.0 255.255.255.0 192.168.2.64 255.255.255.192
    access-list INSIDE_nat0_outbound line 4 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.64 255.255.255.192
    ip local pool VPN_REMOTE_POOL 192.168.2.90-192.168.2.99 mask 255.255.255.0
    group-policy RemoteHome internal
    group-policy RemoteHome attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RemoteHome_splitTunnelAcl
     dns-server value *
     default-domain value cunningtek.com
    tunnel-group RemoteHome type remote-access
    tunnel-group RemoteHome general-attributes
     default-group-policy RemoteHome
     address-pool VPN_REMOTE_POOL
    tunnel-group RemoteHome ipsec-attributes
     pre-shared-key *
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    nat (INSIDE) 0 access-list INSIDE_nat0_outbound tcp 0 0 udp 0

    Firewall# Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing SA payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ke payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ISA_KE payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing nonce payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received xauth V6 VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received DPD VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received Fragmentation VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received NAT-Traversal ver 02 VID
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received Cisco Unity client VID
    Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, Received ISAKMP Aggressive Mode 1 message with unknown tunnel group name "conor".
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, processing IKE SA payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing ISAKMP SA payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing ke payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing nonce payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Generating keys for Responder...
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing ID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing hash payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Computing hash for ISAKMP
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing Cisco Unity VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing xauth V6 VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing NAT-Traversal VID ver 02 payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing NAT-Discovery payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, computing NAT Discovery hash
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing NAT-Discovery payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, computing NAT Discovery hash
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing Fragmentation VID + extended capabilities payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing VID payload
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 424
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE AM Responder FSM error history (struct &0xd8d3bed8) <state>, <event>: AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA AM:7ff48db9 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
    Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, sending delete/delete with reason message
    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer from peer table failed, no match!
    Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Error: Unable to remove PeerTblEntry

    I think this is the start of your problem.

    Received ISAKMP Aggressive Mode 1 message with unknown tunnel group name "conor".

    In the VPN client, you must enter the group name, RemoteHome, and the pre-shared key, NOT your username. You will be asked for your username after the login.

    As the group name conor does not exist, it is falling back to the DefaultRAGroup.

  • ASA 5505 VPN cannot access inside hosts

    I have a remote access VPN configured on an ASA 5505, but cannot access the hosts or the ASA when I connect through the VPN. I can connect with the Cisco VPN client, the VPN is up on the ASA and it shows that I am connected. I have the correct IP address, but I can't ping or connect to any of the internal addresses. I can't find what I'm missing. I have the VPN bypassing the interface ACL. Because I can connect but not go anywhere, I'm sure I missed something.

    Config snippet below:

    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.1.1 255.255.255.0
    ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    service-policy global_policy global
    group-policy xxxxxxx internal
    group-policy xxxxxxx attributes
     banner value xxxxx Site Recovery
     wins-server none
     dns-server value 24.xxx.xxx.xx
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelall
     default-domain none
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout none
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools value xxxxxx
     smartcard-removal-disconnect enable
     client-firewall none
     webvpn
      functions url-entry
    vpn-addr-assign local
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    tunnel-group xxxx type ipsec-ra
    tunnel-group xxxx general-attributes
     address-pool xxxx
     default-group-policy xxxx
    tunnel-group blountdr ipsec-attributes
     pre-shared-key *

    Missing nat exemption for vpn clients. Add the following and you should be good to go.

    access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound

  • ASA 5505 remote VPN cannot access my local network

    Hello guys, I have a problem with my ASA 5505 remote access VPN to the local network. The VPN connection works well and connects, but the problem is that I can't reach my inside network 192.168.30.x. Here's my setup, please can you help me.

    ASA Version 8.2(1)
    !
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.30.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 155.155.155.10 255.255.255.0
    !
    interface Vlan5
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mull internal
    group-policy mull attributes
     vpn-tunnel-protocol IPSec
    username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
    username xxx attributes
     vpn-group-policy mull
    tunnel-group mull type remote-access
    tunnel-group mull general-attributes
     address-pool vpn-pool
     default-group-policy mull
    tunnel-group mull ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context

    Yes, you will need to either configure split tunnel so that internet traffic goes out through your local Internet service provider, OR, with your current configuration where you are tunneling all traffic (internet traffic included) to the ASA, you will need to create NAT for the internet traffic.

    To set up split tunnel:

    access-list split-acl standard permit 192.168.30.0 255.255.255.0
    group-policy mull attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-acl

    I hope this helps.

  • ASA 5505 remote VPN cannot access the LAN

    I have an ASA 5505 up and running, with all the static NAT statements I need to forward ports to internal services such as smtp and remote desktop, and it works very well. However, I have set up an IPSEC VPN connection that authenticates to our DC and it partly works: after I connect I cannot ping anything on the local network or access services. I don't know which NAT statement I have to correct. Here is the config. I really need to get this up and going by tomorrow. Thanks for any help.

    Tyler

    Just remove the nat (outside) line and the ACL outside_nat0_outbound.

    And mention these statements:

    1. sysopt connection permit-vpn (if it is disabled; you can check with sh run sysopt).

    2. crypto isakmp nat-traversal 10 or 20

    3. The no-NAT ACL: mention your local subnets as the source and the VPN client pool as the destination.

    4. Create the other ACL (ST) with a different name but the same source and destination as the no-NAT ACL.

    5. Then type nat (inside) 0 access-list sheep

    6. In the dwgavpn group policy, set split-tunnel-policy tunnelspecified and mention the split tunnel ACL (ST).

    Regards

  • Problems with Windows 7 Pro Remote Access

    I'm on a Windows 7 Pro machine, but it is connected to a work network.

    I'm trying to access my parents' Windows 7 Pro machine at home.

    I went through These Instructions.  We have created a password for one of the user accounts.  I checked the computer name (there is no domain listed).  We confirmed that remote access has been enabled and that allowing remote access has been checked in the firewall settings.

    However, when I start "Remote Desktop Connection" on my computer and put their computer name in the box, I get a message that it cannot find the computer.  Then the message indicates that the computer may not belong to "the specified network."  But there is no specified network, and I see nowhere to set it.

    In addition, is it possible that my work security settings prevent me from remotely accessing another computer?

    Last question: if I used a Fusion virtual machine on my Mac, with Windows 7, could I remotely access another computer?

    Real technique.  The problem boils down to the IP address.  Your computer probably has an IP of 192.168.1.8 or something like that.  But so does any home router in the world.  So when you want to connect to the remote computer, you must use the public-facing IP (which the home internet service provider assigns to your home router, not the one your router assigns to your computer).  But then you're still short, because now you have reached the house, but you have to tell the house which PC to actually send this letter to.  It's like an envelope with half an address. Port forwarding tells the final step which PC should receive the message.

    But yes, I agree they could at least put a link or an explanation.

  • Cisco ASA VPN remote access

    Hi guys

    I have a few questions regarding remote access VPN and recording VPN traffic. Can someone please advise how I can capture the decrypted traffic of remote access VPN clients on the firewall? Right now the firewall has an any source, any destination service list associated with the tunnel group (no interface access list) but the default group policy. I don't know what kind of traffic comes from the remote VPN machines, and I want to capture it, create a more specific ACL and associate it with the group via VPN filter so that not everything is allowed.

    I also have VPN load balancing configured, and I don't know if adding a VPN filter via group policy to the default group can cause service interruptions, but since I have VPN load balancing configured it shouldn't affect remote clients. Am I wrong?

    Regards

    F

    There is no load balancing with active/standby (standby really means "only watching"!). And it's not even RA-VPN with active/active.

  • ASA 5510 remote access VPN - must now add a site-to-site VPN.

    We currently have a remote access VPN configuration and all of it works.

    I now need to configure a LAN-to-LAN VPN.

    Can someone point me to the documentation on that? I used the command line to add a site-to-site, got it wrong, and it disconnected me when I applied the crypto map to the external interface. Do I need another crypto map or should I use my existing one?

    Shannon,

    Please see the URL below for more configuration information. Even if that configuration is dynamic-to-static IPSEC, you can use the concept to build the L2L tunnel with static IPs.

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a00805733df.shtml

    Let me know if it helps.

    Kind regards

    Arul

    * Please rate all useful messages *

  • Restrict ASA 5500 VPN remote access based on source public IP address

    Hello

    Please clarify my doubt below

    Is it possible to restrict remote VPN access to the ASA based on the public source IP? If yes, how?

    This is not the VPN filter under group policy. I want to restrict access from a specified source IP (public IP).

    Thanks in advance

    Anoop

    Hi Anoop,

    This discussion will do it for you:

    https://supportforums.Cisco.com/thread/2027600

    Kind regards

    Julio

  • ASA 5505 VPN client LAN access issue

    Hello

    I'm no expert in ASA and routing, so I ask for support with the following case.

    There is a Cisco VPN client (running on Windows 7) and an ASA5505.

    The objectives are that the client can use the remote gateway on the ASA for Skype and can access devices on the ASA's inside interface.

    Skype works well, but I can't access devices on the inside interface through the VPN connection.

    Can you please check my config below and give me any advice to fix the NAT or VPN settings?

    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password wDnglsHo3Tm87.tM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 10.0.0.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns xx.xx.xx.xx interface inside
    dhcpd enable inside
    !
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server value 84.2.44.1
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem enable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy XXXXXX internal
    group-policy XXXXXX attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
    username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
    username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
    username XXXXXX attributes
     vpn-group-policy XXXXXX
    username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
    tunnel-group XXXXXX type ipsec-ra
    tunnel-group XXXXXX general-attributes
     address-pool VPNPOOL
     default-group-policy XXXXXX
    tunnel-group XXXXXX ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
    : end
    ciscoasa#

    Thanks in advance!

    fbela

    config# no nat (inside) 1 10.0.0.0 255.255.255.0

    Add:

    config# same-security-traffic permit intra-interface

    config# access-list sheep extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

    config# nat (inside) 0 access-list sheep

    Please add and test it.

    Thank you

    Ajay
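    The fix Ajay gives here is the same NAT exemption (no-NAT ACL plus nat (inside) 0) recommended in the two "cannot access inside hosts" threads above. As an added check, not code from the thread or from Cisco, the following Python script parses an 8.2-style config and reports when the VPN pool is not exempted from NAT for traffic from the inside subnet, or when sysopt connection permit-vpn has been turned off. The two sample configs are constructed, modelled on the snippets posted in this thread; the interface, pool and ACL names are assumptions.

```python
"""Check an ASA 8.2-style config for the NAT exemption remote-access clients need
(no-NAT ACL referenced by 'nat (inside) 0 access-list'). Constructed example, not
code from the thread or from Cisco; the sample configs are modelled on this thread."""
import ipaddress
import re

# Constructed config after the fix from this thread (names assumed).
GOOD_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
same-security-traffic permit intra-interface
ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list sheep
nat (inside) 1 192.168.1.0 255.255.255.0
"""

# The same box before the fix: the pool exists but nothing exempts it from nat (inside) 1.
BROKEN_CONFIG = GOOD_CONFIG.replace("nat (inside) 0 access-list sheep\n", "")

NAT0 = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")


def _addr(tokens, i):
    """Parse one ACE address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect interface subnets, local pools, extended 'permit ip' ACEs and nat 0 bindings."""
    subnets, pools, acls, nat0 = {}, {}, {}, {}
    sysopt_off, nameif = False, None
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        m = NAT0.match(line)
        if not t:
            continue
        if t[0] == "interface":
            nameif = None  # new interface block; nameif comes on a later line
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif and len(t) >= 4 and t[2][0].isdigit():
            subnets[nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif m:
            nat0[m.group(1)] = m.group(2)
        elif line == "no sysopt connection permit-vpn":
            sysopt_off = True  # default is on; only the 'no' form shows in the config
    return subnets, pools, acls, nat0, sysopt_off


def check_nat_exemption(text, ifname="inside"):
    """Return a list of findings; an empty list means every pool address is exempt from
    NAT for traffic coming from the inside subnet and VPN traffic bypasses the ACL."""
    subnets, pools, acls, nat0, sysopt_off = parse_config(text)
    findings = []
    if sysopt_off:
        findings.append("no sysopt connection permit-vpn: VPN traffic hits the interface ACL")
    inside = subnets.get(ifname)
    if inside is None:
        return findings + [f"no ip address found for interface {ifname}"]
    acl = nat0.get(ifname)
    if acl is None:
        return findings + [f"missing nat ({ifname}) 0 access-list: pool traffic will be NATed"]
    aces = acls.get(acl, [])
    if not aces:
        return findings + [f"nat ({ifname}) 0 references ACL {acl}, which has no permit ip entries"]
    for name, (lo, hi) in pools.items():
        # An ACE covers the pool when its source contains the inside subnet and its
        # destination contains both ends of the (contiguous) pool range.
        covered = any(inside.subnet_of(src) and lo in dst and hi in dst for src, dst in aces)
        if not covered:
            findings.append(f"pool {name} ({lo}-{hi}) is not exempted for {inside} by ACL {acl}")
    return findings


if __name__ == "__main__":
    print("good:", check_nat_exemption(GOOD_CONFIG))
    print("broken:", check_nat_exemption(BROKEN_CONFIG))
```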

  • ASA 5505 VPN cannot access inside hosts

    I set up the VPN on the 5505 using ASDM and I am able to connect to the 5505, and the client is also getting an IP address from the configured pool.

    The Cisco VPN client displays an error in the log: AddRoute cannot add a route: code 87

    Cisco

    You may need NAT traversal enabled. Try adding crypto isakmp nat-traversal 3600

  • ASA 5505 VPN Ping problems

    Hi all

    First of all, I apologize if this is something I could google. My knowledge of network administration is all self-taught, so if there is a guide that I missed please point me in the right direction; it is often difficult to google the terms for troubleshooting when your jargon is not up to scratch.

    The main problem is that when pinging internal devices while connected, the results are very inconsistent.

    Pinging 192.168.15.102 with 32 bytes of data:
    Reply from 192.168.15.102: bytes=32 time=112ms TTL=128
    Request timed out.
    Request timed out.
    Request timed out.

    We have implemented an IPSec VPN connection to a remote Cisco ASA 5505. There are no connection problems, the connection seems constant, packets good, etc. At this stage I can only assume I have configuration problems, but I have been looking at this for a while and, paired with my inexperience configuring these settings, I have no idea where to start. My first impression is that the LAN devices I'm pinging do not send their response back, or the ASA does not know how to route the packets back?

    Here is a dump of the configuration:

    Output of the command: "show config"

    : Saved
    : Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013
    !
    ASA Version 8.2(5)
    !
    hostname VPN_Test
    enable password D37rIydCZ/bnf1uj encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.15.0 internal-network
    ddns update method DDNS_Update
     ddns both
     interval maximum 0 4 0 0
    !
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     description internal VLAN hosts
     nameif inside
     security-level 100
     ddns update hostname 0.0.0.0
     ddns update DDNS_Update
     dhcp client update dns server both
     ip address 192.168.15.1 255.255.255.0
    !
    interface Vlan2
     description external VLAN to the Internet
     nameif outside
     security-level 0
     ip address xx.xx.xx.xx 255.255.255.248
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
     name-server 216.221.96.37
     name-server 8.8.8.8
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended deny icmp interface outside interface inside
    access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
    access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192
    access-list inside_access_in remark Access list blocking Internet traffic
    access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
    access-list inside_access_in remark Access list blocking Internet traffic
    access-list inside_access_in extended permit ip interface inside interface inside
    access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192
    access-list inside_access_in remark Access list blocking Internet traffic
    access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
    ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any echo-reply outside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 access-list inside_nat0_outbound_1 outside
    nat (inside) 1 192.168.15.192 255.255.255.192
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group inside_access_ipv6_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http internal-network 255.255.255.0 inside
    http yy.yy.yy.yy 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.15.200-192.168.15.250 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.15.101 source inside
    ntp server 192.168.15.100 source inside prefer
    webvpn
    group-policy remote internal
    group-policy remote attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Remote_splitTunnelAcl
    username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0
    username StockUser attributes
     vpn-group-policy remote
    tunnel-group remote type remote-access
    tunnel-group remote general-attributes
     address-pool VPN_IP_Pool
     default-group-policy remote
    tunnel-group remote ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

    Hi Graham,

    My first question is: do you have a site-to-site VPN and a remote access VPN client?

    After checking your configuration, I see you don't have any site-to-site VPN configuration, so I'm assuming you are facing an issue with the VPN client.

    And if I understand correctly, you are able to connect with the VPN client, but you are not able to access internal resources properly.

    I recommend you try and make the following changes.

    First remove the following configuration:

    nat (inside) 0 access-list inside_nat0_outbound_1 outside

    nat (inside) 1 192.168.15.192 255.255.255.192

    You don't need the first one and I do not understand the reason for the second.

    Second, one is your IP pool subnet (192.168.15.200 - 192.168.15.250) and I don't know why you added this NAT.

    If possible, change your pool subnet altogether, because we do not recommend using an IP pool that is similar to your local network.

    Try the changes described above and let me know in case you have any problem.

    Thank you

    Jeet Kumar
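    The two points in the reply above (a VPN address pool carved out of the inside subnet and overlapping the DHCP range, and NAT-exemption rules that must cover that pool) are easy to check mechanically before pushing a change. The following is an added example written for this page, not code from the thread, from Cisco or from ASDM: a small Python script that parses an ASA 8.2-style configuration fragment and reports whether the VPN pool overlaps the inside subnet or the inside DHCP range, and whether the nat 0 access-list exempts traffic from the inside subnet to the whole pool. Both fragments are constructed here from the addresses discussed in the thread; the 192.168.100.0/24 pool in the "fixed" fragment is an assumed replacement, not a value from the thread. The parser goes slightly beyond the posted config by resolving `name` aliases and accepting `any` and `host` in access-list entries.

```python
"""Sanity checks for an ASA 8.2-style remote-access VPN configuration.

Added example (not the thread's posted config): parses a constructed
fragment and flags the two problems the reply points at.
"""
import ipaddress
import re

# Constructed sample built from the addresses in the thread: the VPN pool
# sits inside the 192.168.15.0/24 LAN and on top of the DHCP range.
SAMPLE_CONFIG = """\
name 192.168.15.0 internal-network
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192
ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
dhcpd address 192.168.15.200-192.168.15.250 inside
"""

# Same fragment with the pool moved to a dedicated subnet (192.168.100.0/24 is
# an assumed value) and the NAT-exempt ACL updated to match.
FIXED_CONFIG = """\
name 192.168.15.0 internal-network
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPN_IP_Pool 192.168.100.10-192.168.100.60 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
dhcpd address 192.168.15.200-192.168.15.250 inside
"""


def parse_names(config):
    """'name <ip> <alias>' lines let ACLs use aliases; map alias -> ip."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)", config, re.M)}


def parse_interfaces(config):
    """Map each nameif to the ip_network of its configured address."""
    nets, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" ip address ") and current:
            _, _, ip, mask = line.split()
            nets[current] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets


def parse_range(text):
    """'A-B' -> (first, last) as IPv4Address objects."""
    start, end = text.split("-")
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def parse_pool(config):
    """'ip local pool NAME A-B mask M' -> (first, last) of the VPN pool."""
    m = re.search(r"^ip local pool \S+ (\S+) mask", config, re.M)
    return parse_range(m.group(1))


def parse_dhcp_ranges(config):
    """'dhcpd address A-B IFACE' -> {iface: (first, last)}."""
    return {m.group(2): parse_range(m.group(1))
            for m in re.finditer(r"^dhcpd address (\S+) (\S+)", config, re.M)}


def _take_net(toks):
    """Consume 'any' | 'host A' | 'A MASK' from an ACE token list."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_nat0_aces(config, names):
    """(src_net, dst_net) for every 'permit ip' ACE in the ACLs referenced
    by 'nat (IFACE) 0 access-list NAME', i.e. the NAT-exemption rules."""
    aces = []
    for nat in re.finditer(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M):
        pat = rf"^access-list {re.escape(nat.group(1))} extended permit ip (.+)$"
        for ace in re.finditer(pat, config, re.M):
            toks = [names.get(t, t) for t in ace.group(1).split()]
            src, toks = _take_net(toks)
            dst, _ = _take_net(toks)
            aces.append((src, dst))
    return aces


def range_overlaps_net(rng, net):
    first, last = rng
    return first <= net.broadcast_address and net.network_address <= last


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def nat0_covers_pool(aces, inside_net, pool):
    """True if some NAT-exempt ACE covers inside subnet -> entire VPN pool."""
    return any(inside_net.subnet_of(src) and pool[0] in dst and pool[1] in dst
               for src, dst in aces)


def check(config):
    names = parse_names(config)
    inside = parse_interfaces(config)["inside"]
    pool = parse_pool(config)
    dhcp = parse_dhcp_ranges(config).get("inside")
    return {
        "pool_overlaps_inside_subnet": range_overlaps_net(pool, inside),
        "pool_overlaps_dhcp_range": dhcp is not None and ranges_overlap(pool, dhcp),
        "nat0_exempts_pool": nat0_covers_pool(parse_nat0_aces(config, names), inside, pool),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(cfg))
```

    Run against the posted-style fragment, all three findings come back true: the pool overlaps both the inside subnet and the DHCP range, and only the nat 0 entry is doing its job. With the pool moved to its own subnet the two overlap findings clear while the NAT exemption still covers the pool, which is the state the reply is asking for.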

  • 1841 as remote access VPN concentrator with manual keying

    Hi there, and happy new year 2011 with best wishes!

    I would like to use an 1841 router as a VPN hub for up to 20 remote connections.

    My remote (third-party) clients have IPsec capability supporting IKE and manual keying, but I have not found information about a simple Cisco remote access VPN configuration (only about the Easy VPN server).

    I'd like to configure the VPN server with manual keying (I think it's an easy way to start); is there any problem doing so?

    Attachments:

    - topology

    - third-party Ethernet / 3G router IPsec GUI with choice of auth algorithm

    - third-party Ethernet / 3G router IPsec GUI with choice of encryption algorithm

    I would feel so much better if someone could help me!

    Kind regards

    Amaury

    As the remote ends are third-party routers, the only option you have will be a LAN-to-LAN IPsec VPN. You cannot run Easy VPN because that is only supported on Cisco devices.

    If your remote end has a static external IP address that terminates the VPN, you can configure a static LAN-to-LAN crypto map on the 1841 router; however, if your remote end has a dynamic external IP address, you must configure a dynamic LAN-to-LAN crypto map on the 1841 router. All remote LAN subnets must be unique.
