Remote access VPN client connects but cannot ping inside hosts after split tunnel is enabled (config attached)

Hello

I don't know what could be wrong. VPN users can ping the outside and inside interfaces of the Cisco ASA, but they cannot connect to or ping servers within the LAN.

Here is the config; please kindly advise what might be wrong.

hostname horse
domain-name evergreen.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/1
 description CONNECTION_TO_FREEMAN
 nameif outside
 security-level 0
 ip address 196.1.1.1 255.255.255.248
!
interface GigabitEthernet0/2
 description CONNECTION_TO_TIGHTMAN
 nameif backup
 security-level 0
 ip address 197.1.1.1 255.255.255.248
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
 domain-name green.com
object network NETWORK_OBJ_192.168.2.0_25
 subnet 192.168.2.0 255.255.255.128
object network NETWORK_OBJ_192.168.202.0_24
 subnet 192.168.202.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.202.0 255.255.255.0
access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any
access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit ip any any
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,backup) dynamic interface
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
route outside 0.0.0.0 0.0.0.0 197.1.1.2 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
 type echo protocol ipIcmpEcho 212.58.244.71 interface outside
 timeout 3000
 frequency 5
sla monitor schedule 100 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 100 reachability
telnet 192.168.200.0 255.255.255.0 inside
telnet 192.168.202.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.202.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntunnel internal
group-policy vpntunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntunnel_splitTunnelAcl
 default-domain value green.com
group-policy vpntunnell internal
group-policy vpntunnell attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl
 default-domain value green.com
username green password BoEFKkDtbnX5Uy1Q encrypted privilege 15
username THE attributes
 vpn-group-policy gbnlvpn
tunnel-group vpntunnel type remote-access
tunnel-group vpntunnel general-attributes
 address-pool VPNPOOL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group vpntunnell type remote-access
tunnel-group vpntunnell general-attributes
 address-pool VPNPOOL2
 default-group-policy vpntunnell
tunnel-group vpntunnell ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

Hello

1 - Please run these commands:

crypto isakmp nat-traversal 30
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

The main issue here is that you have two floating routes, and outside has a better metric than backup; that is why I added the 'reverse-route' command.

Please let me know.

Thank you.
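As an added check (not part of the original post and not a Cisco tool), the Python script below walks an ASA running-config excerpt and reports names that are referenced but never defined; run against a constructed excerpt of the config posted above, it flags the split-tunnel list vpntunnel_splitTunnelAcl, the address pool VPNPOOL2 and the group policy gbnlvpn, none of which the post defines, and shows that group policy vpntunnel therefore resolves to an empty split-tunnel network list.

```python
import re

# Constructed excerpt of the ASA config posted in the question above: only the
# ACL, pool, group-policy, username and tunnel-group lines that refer to one
# another, with the names exactly as they appear in the post.
SAMPLE_CONFIG = """\
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
group-policy vpntunnel internal
group-policy vpntunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntunnel_splitTunnelAcl
group-policy vpntunnell internal
group-policy vpntunnell attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl
username THE attributes
 vpn-group-policy gbnlvpn
tunnel-group vpntunnel general-attributes
 address-pool VPNPOOL
 default-group-policy vpntunnel
tunnel-group vpntunnell general-attributes
 address-pool VPNPOOL2
 default-group-policy vpntunnell
"""

# Top-level lines that define a named object, keyed by the kind of object.
DEFINITIONS = {
    "access-list": re.compile(r"^access-list\s+(\S+)\s"),
    "pool": re.compile(r"^ip local pool\s+(\S+)\s"),
    "group-policy": re.compile(r"^group-policy\s+(\S+)\s+internal\b"),
}

# Indented sub-commands that refer to a named object of the same kind.
REFERENCES = {
    "access-list": re.compile(r"^\s+split-tunnel-network-list value\s+(\S+)"),
    "pool": re.compile(r"^\s+address-pool\s+(\S+)"),
    "group-policy": re.compile(
        r"^\s+(?:default-group-policy|vpn-group-policy)\s+(\S+)"),
}


def _collect(config, patterns):
    """Map each kind to the set of names matched by its pattern."""
    found = {kind: set() for kind in patterns}
    for line in config.splitlines():
        for kind, rx in patterns.items():
            m = rx.match(line)
            if m:
                found[kind].add(m.group(1))
    return found


def dangling_references(config):
    """Names referenced in the config that no definition line ever creates."""
    defined = _collect(config, DEFINITIONS)
    referenced = _collect(config, REFERENCES)
    return {kind: sorted(referenced[kind] - defined[kind]) for kind in DEFINITIONS}


def split_tunnel_networks(config):
    """For each group-policy, the subnets its split-tunnel ACL actually lists.

    A policy whose list name matches no access-list resolves to an empty list.
    """
    acl = {}
    for line in config.splitlines():
        m = re.match(r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+\s+\S+)", line)
        if m:
            acl.setdefault(m.group(1), []).append(m.group(2))
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^group-policy\s+(\S+)\s+attributes", line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if not line.startswith(" "):
            current = None  # a top-level line ends the attributes block
        m = re.match(r"^\s+split-tunnel-network-list value\s+(\S+)", line)
        if m and current:
            result[current] = list(acl.get(m.group(1), []))
    return result


if __name__ == "__main__":
    for kind, names in dangling_references(SAMPLE_CONFIG).items():
        for name in names:
            print(f"{kind} '{name}' is referenced but never defined")
    for policy, nets in split_tunnel_networks(SAMPLE_CONFIG).items():
        print(f"group-policy {policy}: split-tunnel networks = {nets or 'NONE'}")
```

The same two functions can be pointed at a full `show running-config` dump; only the three kinds of definition and reference listed in the tables are checked.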

Tags: Cisco Security

Similar Questions

  • Cisco ASA 5515 - AnyConnect users can connect to the ASA but cannot ping inside local IP addresses

    Hello!

    I have a 5515 ASA with the configuration below. I have configured the ASA as a remote access AnyConnect VPN server; my problem is that I can connect but I cannot ping.

    ASA Version 9.1(1)
    !
    hostname ASA
    domain-name xxx.xx
    names
    ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 192.168.11.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Interface_to_VPN
     nameif outside
     security-level 0
     ip address 111.222.333.444 255.255.255.240
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.5.1 255.255.255.0
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name www.ww
    same-security-traffic permit intra-interface
    object network LAN
     subnet 192.168.11.0 255.255.255.0
     description LAN
    object network SSLVPN_POOL
     subnet 192.168.12.0 255.255.255.0
    access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
    route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    webvpn
     no url-list
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.5.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint5
     enrollment terminal
     email [email protected]
     subject-name CN=ASA
     ip-address 111.222.333.444
     crl configure
    crypto ca trustpoint ASDM_TrustPoint6
     enrollment terminal
     fqdn vpn.domain.com
     email [email protected]
     subject-name CN=vpn.domain.com
     ip-address 111.222.333.444
     keypair sslvpn
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint6
    telnet timeout 5
    ssh 192.168.11.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.5.2-192.168.5.254 management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint6 outside
    webvpn
     enable outside
     csd image disk0:/csd_3.5.2008-k9.pkg
     anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    group-policy VPN_CLIENT_POLICY internal
    group-policy VPN_CLIENT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 5
     vpn-session-timeout 480
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value myComp.local
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 30
      anyconnect dpd-interval gateway 30
      anyconnect dtls compression lzs
      anyconnect modules value vpngina
      customization value DfltCustomization
    group-policy IT_POLICY internal
    group-policy IT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 3
     vpn-session-timeout 120
     vpn-tunnel-protocol ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value societe.com
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect dtls compression lzs
      customization value DfltCustomization
    username vpnuser password PA$$WORD encrypted
    username vpnuser attributes
     vpn-group-policy VPN_CLIENT_POLICY
     service-type remote-access
    username vpnuser2 password PA$$W encrypted
    username vpnuser2 attributes
     service-type remote-access
    username admin password ADMINPA$$ encrypted privilege 15
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy VPN_CLIENT_POLICY
    tunnel-group VPN webvpn-attributes
     authentication aaa certificate
     group-alias VPN_to_R enable
    tunnel-group IT_PROFILE type remote-access
    tunnel-group IT_PROFILE general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy IT_POLICY
    tunnel-group IT_PROFILE webvpn-attributes
     authentication aaa certificate
     group-alias IT enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    Help me please! Thank you!

    Hello

    Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

    Thank you

    swap

  • Cisco VPN client connects but cannot access the internal network

    Hi all

    I have a VPN configured on a Cisco 5540. My VPN was working fine, but suddenly there is an issue where the Cisco VPN client connects but cannot access the internal network.

    Any help would be much appreciated.

    Hi Samir,

    I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements in the reference link below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    (The link above includes split tunneling, but this is just an option.)

    Please paste the output of "sh cry ipsec sa" here so that we can check if phase 2 is properly established. I would also suggest you go to the IPsec VPN client on your PC and check whether the packets sent and received increment in the 'status' window.

    Let me know if this helps,

    See you soon,

    Christian V

  • Configure ASA 5505 as a remote access VPN client

    Hello world

    I'm trying to configure a 5505 as a remote access VPN client. I have several old VPN 3002 hardware clients, but in the new sites I'll use a 5505 instead of the 3002.

    I think the configuration is very simple. I have the IP address of the peer (remote server), I know it is an IPsec tunnel without certificates, and I have the passwords, user name and group.

    How can I translate this configuration to an ASA 5505? I have attached a screenshot.

    Here ya go:

    http://www.Cisco.com/en/us/docs/security/ASA/asa83/configuration/guide/ezvpn505.html

    Federico.

  • ASA 5540 - cannot ping the inside interface

    Hi all. We have recently upgraded from a PIX to an ASA 5540 and we saw a strange thing. In a word, we can ping the inside interface of the ASA from any range on our 6500 network (which is connected directly behind the ASA on the inside), except the one where our monitoring tools are placed. There is an inside ACL that allows all of our core networks, but it does not help; the behaviour of the interface is really strange.

    In the ASDM, I see messages like this:

    ICMP echo request from x.x.x.x to y.y.y.y ID: 2004 on interface inside. I don't think that's the problem, but I could be wrong.

    Here is also the configuration of the VLAN interface from which we cannot ping the inside interface; we can ping to and from this VLAN and its machines without problem. The only problem is pinging the inside interface of the ASA.

    interface Vlanx
     ip address x.x.x.x 255.255.255.0
     ip directed-broadcast 199
     ip accounting output-packets
     ip pim sparse-dense-mode
     ip route-cache flow
     load-interval 30

    Has anyone experienced a problem like this before? Thanks in advance for any help.

    Can you post the output of the following on the ASA:

    show route

    And the output of your core switch:

    show ip route

    HTH

  • Internet access for remote access VPN clients

    Greetings,

    I need remote VPN clients to connect to the Internet through the same ASA VPN server.

    "The client connects to the ASA outside interface via the VPN tunnel and can access the Internet from that same ASA outside interface."

    Thank you

    You need to configure "same-security-traffic permit intra-interface" on the ASA.

    Also, you need to configure the relevant NAT statements for your client pool range, i.e.

    global (outside) 1 interface
    nat (outside) 1 access-list anyconnectacl

    where anyconnectacl is the pool for your clients:

    access-list anyconnectacl permit ip 172.16.1.0 255.255.255.0 any

  • How to prevent a remote access VPN client from using the local DNS server

    Hello

    I'm configuring remote access VPN on an ASA 5505.

    Everything works fine so far, except that when the client connects, it always uses the local DNS server provided by the ISP. How can I force the client to use the DNS server configured on the ASA?

    Thank you.

    Kind regards

    The command "split-tunnel-all-dns enable" is supported only on SSL VPN and IKEv2 VPN. Since you're using IKEv1, this command is not supported.

    Here's the command reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/S8.html#wp1533793

    Do you have split tunneling configured? If you do, then you need to configure the "tunnelall" split tunnel policy, and that will force DNS resolution and everything else through the VPN tunnel.

  • Cisco ASA 8.4(3) remote access VPN - client connects but cannot access the inside network

    I am having problems accessing resources on the inside network when connecting with the Cisco VPN client to a Cisco ASA 5510 running version 8.4(3). I have tried all the new 8.4 NAT commands but still cannot access the inside network. I can see the traffic in the logs when pinging. I can only assume I have the NAT wrong, or that it is because the inside interface of the ASA is on the same /24 subnet as the inside network? Please see the config below; any suggestion would be appreciated. I have configured a site-to-site VPN on this same 5510 and it works well.

    Thank you

    interface Ethernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.240
    !
    interface Ethernet0/1
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 10.88.10.254 255.255.255.0
    !
    interface Management0/0
     shutdown
     nameif management
     security-level 0
     no ip address
    !
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network PAT_to_Outside_ClassA
     subnet 10.88.0.0 255.255.0.0
    object network PAT_to_Outside_ClassB
     subnet 172.16.0.0 255.240.0.0
    object network PAT_to_Outside_ClassC
     subnet 192.168.0.0 255.255.240.0
    object network LocalNetwork
     subnet 10.88.0.0 255.255.0.0
    object network RemoteNetwork1
     subnet 192.168.0.0 255.255.0.0
    object network RemoteNetwork2
     subnet 172.16.10.0 255.255.255.0
    object network RemoteNetwork3
     subnet 10.86.0.0 255.255.0.0
    object network RemoteNetwork4
     subnet 10.250.1.0 255.255.255.0
    object network NatExempt
     subnet 10.88.10.0 255.255.255.0
    object-group network Site_to_SiteVPN1
     network-object 192.168.4.0 255.255.254.0
     network-object 172.16.10.0 255.255.255.0
     network-object 10.0.0.0 255.0.0.0
    access-list outside_access_in extended deny ip any any
    access-list inside_access_in extended permit ip any any
    access-list 11 extended permit ip 10.250.1.0 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 10.88.0.0 255.255.0.0 object-group Site_to_SiteVPN1
    ip local pool Admin_Pool 10.250.1.1-10.250.1.254 mask 255.255.255.0
    nat (inside,outside) source static NatExempt NatExempt
    nat (inside,outside) source static any any destination static RemoteNetwork4 RemoteNetwork4 route-lookup
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork1 RemoteNetwork1
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork2 RemoteNetwork2
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork3 RemoteNetwork3
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
    !
    object network PAT_to_Outside_ClassA
     nat (inside,outside) dynamic interface
    object network PAT_to_Outside_ClassB
     nat (inside,outside) dynamic interface
    object network PAT_to_Outside_ClassC
     nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    dynamic-access-policy-record DfltAccessPolicy
    sysopt connection timewait
    service resetoutside
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set bh-set esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set pfs
    crypto dynamic-map dynmap 10 set ikev1 transform-set bh-set
    crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
    crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 10 set reverse-route
    crypto map mymap 1 match address outside_1_cryptomap
    crypto map mymap 1 set peer x.x.x.x
    crypto map mymap 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map mymap 1 set security-association lifetime seconds 86400
    crypto map mymap 1 set security-association lifetime kilobytes 4608000
    crypto map mymap 100 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    crypto isakmp identity address
    crypto isakmp nat-traversal 30
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto ikev1 policy 50
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication pre-share
     encryption aes-256
     hash sha
     group 1
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy BACKDOORVPN internal
    group-policy BACKDOORVPN attributes
     vpn-filter value 11
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelall
     default-domain value BH.UK
    tunnel-group BACKDOORVPN type remote-access
    tunnel-group BACKDOORVPN general-attributes
     address-pool Admin_Pool
     default-group-policy BACKDOORVPN
    tunnel-group BACKDOORVPN ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global

    Excellent.

    Please rate helpful posts.

    Thank you

    Rizwan James

  • VPN client connects but cannot ping any hosts

    Here is the configuration of a PIX 501 that I want to accept connections from VPN software clients. I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client and I can ping the PIX at 192.168.5.1, but I can't ping or connect to any hosts behind the PIX. Can someone tell me what I am missing in my setup?

    Thanks for your help.

    chi-pix# sh conf
    : Saved
    : Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ******** encrypted
    passwd ******** encrypted
    hostname chi-pix
    domain-name .com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list internet-traffic permit ip 192.168.5.0 255.255.255.0 any
    access-list allow_ping permit icmp any any
    access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
    pager lines 24
    logging on
    logging buffered debugging
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.5.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.10.11.1-10.10.11.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 access-list internet-traffic 0 0
    access-group allow_ping in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set GvnPix-set esp- esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set GvnPix-set
    crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap
    crypto map toGvnPix interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp keepalive 60
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    vpngroup chiclient address-pool ippool
    vpngroup chiclient dns-server 192.168.5.1
    vpngroup chiclient wins-server 192.168.5.1
    vpngroup chiclient default-domain com
    vpngroup chiclient split-tunnel 101
    vpngroup chiclient idle-time 1800
    vpngroup chiclient password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    management-access inside
    console timeout 0
    vpdn group chi request dialout pppoe
    vpdn group chi localname net
    vpdn group chi ppp authentication pap
    vpdn username net password ********
    dhcpd address 192.168.5.2-192.168.5.33 inside
    dhcpd dns xx
    dhcpd lease 86400
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 100
    Cryptochecksum:
    chi-pix#

    The PIX configuration seems correct.

    I guess you are trying to access hosts in 192.168.5.0/24, and the default gateway of these hosts is the PIX inside interface 192.168.5.1?

    How are you trying to access these internal hosts? If you are trying to ping the hosts, please make sure there is no personal firewall enabled on the inside hosts, as a personal firewall normally doesn't allow incoming connections from a different subnet.

  • VPN connects but cannot ping or access resources

    I hope this is an easy fix and it's something that I am missing. I've been looking at this for several hours.

    Scenario:

    I have AnyConnect Essentials, so I use the SSL connection.

    I changed my domain name and external IP in the setup I am posting.

    My VPN connection seems to work very well. In fact, I was able to connect from 3 locations with 3 different external IP addresses.

    Location 1: I get IP address 192.168.30.10, as I should. I can ping 192.168.1.1, but not 192.168.1.6, which is my temporary resource; the firewall is disabled on 192.168.1.6.

    Location 2: I get an IP of 192.168.30.11, as I should. I was able to ping 192.168.30.10, but could not ping 192.168.1.1 as the site was closed.

    Any help would be appreciated, it's getting late so I hope I gave enough details.  I feel so close but yet so far.

    ciscoasa# show running-config
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 22.22.22.246 255.255.255.252
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group icmp-type ALLOWPING
     icmp-object echo
     icmp-object time-exceeded
     icmp-object echo-reply
     icmp-object traceroute
     icmp-object source-quench
     icmp-object unreachable
    access-list 10 extended permit ip any any
    access-list 10 extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 22.22.22.245 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
     network-acl 10
     webvpn
      svc ask none default svc
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable inside
     enable outside
     anyconnect-essentials
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
     svc enable
     tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     default-domain value mondomaine.fr
     address-pools value SSLClientPoolNew
     webvpn
      svc keep-installer installed
      svc rekey time 180
      svc rekey method ssl
      svc modules value vpngina
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol webvpn
    username test password xxxxxxxxxxxxxx encrypted privilege 15
    username ljb1 password xxxxxxxxxxxxxx encrypted
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
     default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
     group-alias SSLVPNClient enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ed683c7f1b86066d1d8c4fff6b08c592
    : end

    Patrick,

    You're missing the NAT exemption. Please add the following and try again:

    access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
    nat (inside) 0 access-list sheep

    Let us know if you still have problems after that.

    Raga
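The check behind Raga's answer, as an added example that is not part of the thread: it reads a pre-8.3 ASA config, finds the `nat (inside) 0` exemption ACL, and lists every address of the VPN pool that no exemption entry covers (the exemption ACL is named nonat here; the config excerpts are constructed to mirror Patrick's posted config).

```python
"""Added example: find VPN pool addresses left without a NAT exemption in a
pre-8.3 ASA config ('nat (inside) 0 access-list NAME' syntax, as in the thread)."""
import ipaddress


def _take_net(tokens):
    """Consume one ASA network spec ('any', 'host X' or 'X MASK') from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_asa(config):
    """Return (pools, acls, nat0): pool ranges by name, 'permit ip' ACL entries
    as (src, dst) networks by ACL name, and the NAT-0 ACL name per interface."""
    pools, acls, nat0 = {}, {}, {}
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            pools[tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[:1] == ["access-list"] and "permit" in tok and "ip" in tok:
            rest = tok[tok.index("ip") + 1:]          # tokens after 'permit ip'
            src, dst = _take_net(rest), _take_net(rest)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]        # 'nat (inside) 0 access-list X'
    return pools, acls, nat0


def unexempted_pool_addresses(config, inside_if, inside_net, pool_name):
    """Pool addresses that no NAT-0 entry exempts for traffic from inside_net.
    Such traffic is PATed to the outside address and never reaches the client,
    which is the 'connects but cannot ping inside' symptom. Empty list = OK."""
    pools, acls, nat0 = parse_asa(config)
    first, last = pools[pool_name]
    inside = ipaddress.ip_network(inside_net)
    entries = acls.get(nat0.get(inside_if, ""), [])
    missing, addr = [], first
    while addr <= last:
        covered = any(inside.subnet_of(src) and addr in dst for src, dst in entries)
        if not covered:
            missing.append(str(addr))
        addr += 1
    return missing


# Constructed excerpt modelled on the posted config: only 'nat (inside) 1' (PAT)
# applies, so every client address is translated away from inside hosts.
BROKEN_CONFIG = """\
ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
access-list 10 extended permit ip any any
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
"""

# Exemption that only covers 192.168.30.0/28: the upper part of the pool is still broken.
PARTIAL_CONFIG = BROKEN_CONFIG + """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.240
nat (inside) 0 access-list nonat
"""

# The exemption the reply suggests, covering the whole pool.
FIXED_CONFIG = BROKEN_CONFIG + """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("partial", PARTIAL_CONFIG),
                      ("fixed", FIXED_CONFIG)):
        gaps = unexempted_pool_addresses(cfg, "inside", "192.168.1.0/24", "SSLClientPoolNew")
        print(f"{name}: {len(gaps)} pool addresses without NAT exemption {gaps[:3]}")
```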

  • Remote access VPN Client to PIX, DNS issue

    Hi all.  I searched on this, but I can't find my answer.

    I set up a VPN connection to a PIX firewall (running version 8.0(4)) for my business. The VPN connection works correctly, in that I can connect to it using my Cisco VPN Client software (v5.0.02.0090) and ping internal servers/resources by IP address. However, if I try to ping by host name, it does not resolve to an IP address. If I open a command prompt on my PC and type ipconfig /all, there are no DNS servers for my VPN, just for my normal Intel NIC adapter. I think I should have a DNS server listed under the VPN adapter, right? Here are the relevant (I think) VPN config lines:

    PIX Version 8.0(4)
    domain-name xx.xx
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.20.23
     domain-name xx.xx
    ip local pool vpnpoolIT 10.10.8.2-10.10.8.254 mask 255.255.255.0
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
    crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    tunnel-group ITGroup type remote-access
    tunnel-group ITGroup general-attributes
     address-pool vpnpoolIT
     authentication-server-group RADIUS
    tunnel-group ITGroup ipsec-attributes
     pre-shared-key *

    What am I missing? I can resolve DNS requests on the PIX itself.

    All the info I can find online is for an older version of the PIX software, which says that I should enter the vpngroup dns-server IP-address command, but this command is not available in my version of the software.

    Hello

    To set a DNS server to be pushed to the VPN clients when they connect, you can do the following.

    This is the tunnel-group where the remote connection lands:

    tunnel-group ITGroup type remote-access
    tunnel-group ITGroup general-attributes
     address-pool vpnpoolIT
     authentication-server-group RADIUS
    tunnel-group ITGroup ipsec-attributes
     pre-shared-key *

    For example, create a group policy:

    group-policy VPN internal
    group-policy VPN attributes
     dns-server value x.x.x.x   --> where x.x.x.x is the IP address of the DNS server

    Then apply the group policy to the tunnel-group:

    tunnel-group ITGroup general-attributes
     default-group-policy VPN

    Hope this helps.

    Federico.

  • Remote access VPN clients

    Hello

    I've set up a remote-access IPsec VPN and it works fine. I need to access the connected VPN clients, and that does not work. I have already added an entry to the sheep ACL allowing traffic from inside my network to the VPN.

    More information:

    Inside of the net: 10.1.1.0/24

    Pool VPN: 172.30.1.0/24

    Is it possible to access from my internal network to the VPN users?

    Thanks in advance.

    Best regards.

    Marcelo

    VPN users have access to certain servers via the split tunnel list.

    Marcelo,

    Split tunnel ACLs must be IP ACLs; it is not recommended or supported to set TCP ports on the split tunnel ACL. The VPN client does not interpret this ACL as a list of interesting IP traffic with TCP ports, and that could cause you a problem. You can change your config to reflect this. Regarding the split tunnel ACL, it must contain the server line, i.e. the networks that the VPN clients arrive at; remember this is two-way, as you know.

    So if the IT support IP range is on this vpnExample ACL, VPN clients will be able to reach the IT support guys and vice versa.

    I advise you to change your split tunnel ACLs from specific ports to only the desired servers and hosts these clients need to reach.

    Remove the ports from the split tunnel ACLs.

    If you need to restrict services for VPN clients, use VPN filters instead.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

  • Get VPN client to connect, but request timed out when ping

    Hi, I use a Cisco 837 router as my VPN server. I am connected using Cisco VPN Client version 5. But when I ping the IP of the router, I get "request timed out". Here is my configuration:

    Building configuration...
    Current configuration : 3704 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname michael
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    no logging console
    enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    aaa session-id common
    !
    resource policy
    !
    ip subnet-zero
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1
    !
    ip dhcp pool michael
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 202.134.0.155
    !
    ip dhcp pool excluded-address
       host 192.168.1.4 255.255.255.0
       hardware-address 01c8.d719.957a.b9
    !
    !
    ip cef
    ip name-server 202.134.0.155
    ip name-server 203.130.193.74
    vpdn enable
    !
    !
    !
    !
    username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f.
    username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp xauth timeout 15
    !
    crypto isakmp client configuration group michaelvpn
     key vpnpassword
     pool SDM_POOL_1
     acl 199
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    interface Ethernet0
     description $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 out
    !
    interface Ethernet2
     no ip address
     shutdown
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
     pvc 0/35
      pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet1
     duplex auto
     speed auto
    !
    interface FastEthernet2
     duplex auto
     speed auto
    !
    interface FastEthernet3
     duplex auto
     speed auto
    !
    interface FastEthernet4
     duplex auto
     speed auto
    !
    interface Virtual-PPP1
     no ip address
    !
    interface Dialer1
     description $FW_OUTSIDE$
     mtu 1492
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     ppp chap hostname ispusername
     ppp chap password 0 isppassword
     ppp pap sent-username ispusername password 0 isppassword
     crypto map SDM_CMAP_1
    !
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    no ip http secure-server
    !
    ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723
    ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    !
    access-list 1 remark SDM_ACL Category=16
    access-list 1 permit 192.0.0.0 0.255.255.255
    access-list 102 remark SDM_ACL Category=2
    access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    route-map SDM_RMAP_1 permit 1
     match ip address 102
    !
    !
    control-plane
    !
    banner motd ^C
    Authorized Access Only
    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
    You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action.
    ^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
    !
    scheduler max-task-time 5000
    end

    Thank you, any help will be appreciated.

    Hi Michael,

    I have been through the logs; they are not conclusive and only determine that Phase 1 is coming up. However, according to this error message, %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0, we are hitting a bug in IOS. The bug ID is CSCsl24693 and the solution is to move to 12.4(11)XJ.

    Can you re-run the debugs and send me the detailed results?

    Kind regards

    Aman

  • DMVPN with based remote access VPN client

    Hi all

    We deployed DMVPN to connect to our remote location. Now I want to configure remote-access VPN alongside the DMVPN tunnel, so that if somehow our DMVPN tunnel goes down we can connect to the router through the client-based remote-access VPN... I want the experts to shed some light on whether it is possible, or what technical challenges I will have to face in this regard.

    Thank you

    Salman Jamshed

    Hello Salman,

    It's 100% possible; there is no harm in having them both up on your router.

    In fact, as you have said, it will provide an extra layer of redundancy if by chance the DMVPN tunnel breaks down.

    That being said, you can go ahead and do it.

    Julio

  • Cannot ping inside the vpn client hosts. It's a NAT problem

    Hello everyone, I'm running into what seems to be a NAT/NAT exemption issue with an IOS IPsec VPN. I can connect to the VPN with the Cisco IPsec VPN client, and I am able to authenticate. Once I have authenticated, I'm not able to reach any of the hosts inside. Below is my relevant config. Any help would be greatly appreciated.

    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login userauthen group radius
    aaa authorization exec default local
    aaa authorization network groupauthor local
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group businessVPN
     key xxxxxx
     dns 192.168.10.2
     domain business.local
     pool vpnpool
     acl 108
    crypto isakmp profile VPNclient
     match identity group businessVPN
     client authentication list userauthen
     isakmp authorization list groupauthor
     client configuration address respond
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     set isakmp-profile VPNclient
     reverse-route
    !
    !
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
     ip address 10.1.10.2 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip virtual-reassembly
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0/0
     ip address 111.111.111.138 255.255.255.252
     ip access-group outside_in in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect outside out
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface Integrated-Service-Engine0/0
     description Locator is initialized with default IMAP group
     ip unnumbered Loopback0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip virtual-reassembly
     service-module ip address 10.1.10.1 255.255.255.252
     service-module ip default-gateway 10.1.10.2
    interface BVI1
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
    ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
    ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
    ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
    ip nat inside source route-map nat interface FastEthernet0/0 overload
    ip access-list extended nat
     deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 any
     permit ip 192.168.10.0 0.0.0.255 any
    ip access-list extended sheep
     permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
    ip access-list extended outside_in
     permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
     permit tcp any any eq 443
     permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
     permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
     permit esp any host 111.111.111.138
     permit udp any host 111.111.111.138 eq isakmp
     permit udp any host 111.111.111.138 eq non500-isakmp
     permit ahp any host 111.111.111.138
     permit gre any host 111.111.111.138
    access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
    !
    !
    !
    !
    route-map nat permit 10
     match ip address nat
    bridge 1 route ip

    In my view, the ACL applied to the client is backwards. It must permit traffic from the internal network to the client pool.

    To confirm, you can open the Cisco VPN Client statistics (after login) and go to the Route Details tab. There you should see the networks the client should be able to reach. Make sure the right ones are there.

    Kind regards
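A check for the reversed split-tunnel ACL the reply points out, as an added example that is not part of the thread: it reads the `crypto isakmp client configuration group` block, finds the group's pool and split ACL, and reports entries whose source sits in the client pool instead of an inside network. The `ip local pool vpnpool` range is not in the post and is assumed here (192.168.109.1-254) to match the ACLs shown; the config excerpts are constructed.

```python
"""Added example: detect split-tunnel ACL entries written pool -> inside on an
IOS EzVPN server. The ACL pushed to the client must read inside -> pool."""
import ipaddress


def wildcard_net(addr, wildcard):
    """Turn an IOS address + wildcard pair into an ip_network."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_net(tokens):
    """Consume one IOS network spec ('any', 'host X' or 'X WILDCARD')."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_net(t, tokens.pop(0))


def parse_ios(config):
    """Return (acls, groups, pools): numbered-ACL 'permit ip' entries as (src, dst),
    each client group's 'acl'/'pool' settings, and local pool ranges by name."""
    acls, groups, pools, group = {}, {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            acls.setdefault(tok[1], []).append((_take_net(rest), _take_net(rest)))
        elif raw.startswith("crypto isakmp client configuration group "):
            group = tok[-1]                      # enter the group sub-mode
            groups[group] = {}
        elif raw.startswith(" ") and group and tok[0] in ("acl", "pool"):
            groups[group][tok[0]] = tok[1]
        elif tok[:3] == ["ip", "local", "pool"]:
            pools[tok[3]] = (ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[5]))
        elif not raw.startswith(" "):
            group = None                         # any other top-level line ends the sub-mode
    return acls, groups, pools


def _touches(net, first, last):
    """True if net overlaps the address range first..last."""
    return net.network_address <= last and net.broadcast_address >= first


def reversed_split_entries(config, group_name):
    """Split-tunnel entries whose source is the client pool and whose destination
    is not: the client gets no route to the inside networks. Empty list = OK."""
    acls, groups, pools = parse_ios(config)
    settings = groups[group_name]
    first, last = pools[settings["pool"]]
    return [(str(src), str(dst)) for src, dst in acls.get(settings["acl"], [])
            if _touches(src, first, last) and not _touches(dst, first, last)]


# Constructed excerpt modelled on the posted config (pool line assumed).
BROKEN = """\
crypto isakmp client configuration group businessVPN
 key xxxxxx
 pool vpnpool
 acl 108
!
ip local pool vpnpool 192.168.109.1 192.168.109.254
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
"""

# Same excerpt with the entries rewritten inside -> pool, as the reply advises.
FIXED = BROKEN.split("access-list")[0] + """\
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 108 permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 108 permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "reversed entries:", reversed_split_entries(cfg, "businessVPN"))
```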
