remote VPN and vpn site to site vpn remote users unable to access the local network

Similar Questions

• Unable to access the local network with VPN with some ISPS

  Hello

  We have a VPN Remote Access IPSEC with an ASA5505. Install VPN it correctly but can not access the inside or the ASA to my office.

  But at home with another Internet service provider, it works! You can access inside.

  We are trying with other ISP and it works with 2 and does not work with the other 2!

  Office we also have an ASA5505, but we have another VPN other sites that work properly.

  Any ideas?

  Thank you and sorry for my English.

  Add...

  ISAKMP nat-traversal crypto

  That should do the trick! Please rate if this can help.

• ASA 5505 IPSEC VPN connected but cannot access the local network

  ASA: 8.2.5

  ASDM: 6.4.5

  LAN: 10.1.0.0/22

  Pool VPN: 172.16.10.0/24

  Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

  I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

  Here is my setup, wrong set up anything?

  ASA Version 8.2 (5)

  !

  hostname asatest

  domain XXX.com

  activate 8Fw1QFqthX2n4uD3 encrypted password

  g9NiG6oUPjkYrHNt encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 10.1.1.253 255.255.252.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  address IP XXX.XXX.XXX.XXX 255.255.255.240

  !

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS server-group DefaultDNS

  domain vff.com

  vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

  access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

  pager lines 24

  Enable logging

  timestamp of the record

  logging trap warnings

  asdm of logging of information

  logging - the id of the device hostname

  host of logging inside the 10.1.1.230

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA-server protocol nt AD

  AAA-server host 10.1.1.108 AD (inside)

  NT-auth-domain controller 10.1.1.108

  Enable http server

  http 10.1.0.0 255.255.252.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 10.1.0.0 255.255.252.0 inside

  SSH timeout 20

  Console timeout 0

  dhcpd outside auto_config

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal group vpntest strategy

  Group vpntest policy attributes

  value of 10.1.1.108 WINS server

  Server DNS 10.1.1.108 value

  Protocol-tunnel-VPN IPSec l2tp ipsec

  disable the password-storage

  disable the IP-comp

  Re-xauth disable

  disable the PFS

  IPSec-udp disable

  IPSec-udp-port 10000

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list vpntest_splitTunnelAcl

  value by default-domain XXX.com

  disable the split-tunnel-all dns

  Dungeon-client-config backup servers

  the address value vpnpool pools

  admin WeiepwREwT66BhE9 encrypted privilege 15 password username

  username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

  the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

  tunnel-group vpntest type remote access

  tunnel-group vpntest General attributes

  address vpnpool pool

  authentication-server-group AD

  authentication-server-group (inside) AD

  Group Policy - by default-vpntest

  band-Kingdom

  vpntest group tunnel ipsec-attributes

  pre-shared-key BEKey123456

  NOCHECK Peer-id-validate

  !

  !

  privilege level 3 mode exec cmd command perfmon

  privilege level 3 mode exec cmd ping command

  mode privileged exec command cmd level 3

  logging of the privilege level 3 mode exec cmd commands

  privilege level 3 exec command failover mode cmd

  privilege level 3 mode exec command packet cmd - draw

  privilege show import at the level 5 exec mode command

  privilege level 5 see fashion exec running-config command

  order of privilege show level 3 exec mode reload

  privilege level 3 exec mode control fashion show

  privilege see the level 3 exec firewall command mode

  privilege see the level 3 exec mode command ASP.

  processor mode privileged exec command to see the level 3

  privilege command shell see the level 3 exec mode

  privilege show level 3 exec command clock mode

  privilege exec mode level 3 dns-hosts command show

  privilege see the level 3 exec command access-list mode

  logging of orders privilege see the level 3 exec mode

  privilege, level 3 see the exec command mode vlan

  privilege show level 3 exec command ip mode

  privilege, level 3 see fashion exec command ipv6

  privilege, level 3 see the exec command failover mode

  privilege, level 3 see fashion exec command asdm

  exec mode privilege see the level 3 command arp

  command routing privilege see the level 3 exec mode

  privilege, level 3 see fashion exec command ospf

  privilege, level 3 see the exec command in aaa-server mode

  AAA mode privileged exec command to see the level 3

  privilege, level 3 see fashion exec command eigrp

  privilege see the level 3 exec mode command crypto

  privilege, level 3 see fashion exec command vpn-sessiondb

  privilege level 3 exec mode command ssh show

  privilege, level 3 see fashion exec command dhcpd

  privilege, level 3 see the vpnclient command exec mode

  privilege, level 3 see fashion exec command vpn

  privilege level see the 3 blocks from exec mode command

  privilege, level 3 see fashion exec command wccp

  privilege see the level 3 exec command mode dynamic filters

  privilege, level 3 see the exec command in webvpn mode

  privilege control module see the level 3 exec mode

  privilege, level 3 see fashion exec command uauth

  privilege see the level 3 exec command compression mode

  level 3 for the show privilege mode configure the command interface

  level 3 for the show privilege mode set clock command

  level 3 for the show privilege mode configure the access-list command

  level 3 for the show privilege mode set up the registration of the order

  level 3 for the show privilege mode configure ip command

  level 3 for the show privilege mode configure command failover

  level 5 mode see the privilege set up command asdm

  level 3 for the show privilege mode configure arp command

  level 3 for the show privilege mode configure the command routing

  level 3 for the show privilege mode configure aaa-order server

  level mode 3 privilege see the command configure aaa

  level 3 for the show privilege mode configure command crypto

  level 3 for the show privilege mode configure ssh command

  level 3 for the show privilege mode configure command dhcpd

  level 5 mode see the privilege set privilege to command

  privilege level clear 3 mode exec command dns host

  logging of the privilege clear level 3 exec mode commands

  clear level 3 arp command mode privileged exec

  AAA-server of privilege clear level 3 exec mode command

  privilege clear level 3 exec mode command crypto

  privilege clear level 3 exec command mode dynamic filters

  level 3 for the privilege cmd mode configure command failover

  clear level 3 privilege mode set the logging of command

  privilege mode clear level 3 Configure arp command

  clear level 3 privilege mode configure command crypto

  clear level 3 privilege mode configure aaa-order server

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

  : end

  Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

  The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

  On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

• Easy VPN not able to access the local network

  Hi guys,.

  little hope can help me, I'll give you a run down on the config.

  I have a border router that is a no. 2851 connected to the No. 2851 is a switch cisco 3750 running Routing inter - vlan with four VLANS.

  I have easy VPN server on the edge router No. 2851 I am able to connect remotely from a client vpn cisco with a problem but I can't access the local network on the server, I tried everything with no luck.

  I have a cisco VPN client installed on a 64-bit windows system 7 and I also tried with windows xp 32-bit system and still no luck.

  Please I need help I need to get this race to end of trading today.

  I will be copying and pasting the edge router config please if someone get review and see if the config is good.

  You need to change your ACL PAT of standard to extend and to deny traffic to be translated to the Pool of VPN:

  access-list 120 deny ip 10.10.10.0 0.0.0.3 10.10.50.0 0.0.0.255

  access-list 120 deny ip 192.168.XX.0 0.0.0.255 10.10.50.0 0.0.0.255

  access-list 120 deny ip 172.16.XX.0 0.0.0.255 10.10.50.0 0.0.0.255

  access-list 120 deny ip 172.1X.20.0 0.0.0.255 10.10.50.0 0.0.0.255

  access-list 120 deny ip 192.168.XX.0 0.0.0.255 10.10.50.0 0.0.0.255

  access-list 120 allow ip 10.10.10.0 0.0.0.3 all

  IP access-list 120 permit 192.168.XX.0 0.0.0.255 any

  IP access-list 120 permit 172.16.XX.0 0.0.0.255 aniy

  IP access-list 120 permit 172.1X.20.0 0.0.0.255 any

  IP access-list 120 permit 192.168.XX.0 0.0.0.255 any

  overload of IP nat inside source list 120 interface Dialer0

  no nat ip within the source of the list 1 overload interface Dialer0

  clear the ip nat trans *.

  Hope that helps.

• After I 'google' a web site address, I am unable to access the page directly by clicking on the link in the address; the page hangs and does not respond.

  After I 'google' a web site address, I am unable to access the page directly by clicking on the link in the address; the page hangs and does not respond.

  What antivirus you have installed before? Is the virus/malware-free system? If you have a current antivirus installed and you went through at least some of the malware removal steps I list in the link I have given if you are sure that the system is clean, uninstall McAfee and see if that solves your problem. If you connect to the Internet behind a router, you can be sure for this quick test. If you are connected directly to a cable/dsl modem, then firstly download Avast or even Microsoft Security Essentials (both free). Then, disconnect from the Internet and uninstall McAfee. Install the antivirus of your choice and test. If all goes well, your problems have been caused by McAfee. This is not surprising since McAfee is perhaps the worst choice for safety, we could do.

  If you had any antivirus installed before McAfee, then you must go through all stages of thorough removal of malware listed in the my link before anything else. MS - MVP - Elephant Boy computers - don't panic!

• VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

  I tried to set up a simple customer vpn using this document

  http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

  VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

  6.3 (5) PIX version

  interface ethernet0 car

  Auto interface ethernet1

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the encrypted password of VmHKIhnF4Gs5AWk3

  VmHKIhnF4Gs5AWk3 encrypted passwd

  hostname VOIPLABPIX

  domain voicelab.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

  access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside 208.x.x.11 255.255.255.0

  IP address inside 172.10.2.2 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool voicelabpool 172.10.3.100 - 172.10.3.254

  history of PDM activate

  ARP timeout 14400

  NAT (inside) - 0 102 access list

  Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1

  Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 172.0.0.0 255.0.0.0 inside

  http 0.0.0.0 0.0.0.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac

  Crypto-map dynamic map2 10 set transform-set trmset1

  map map1 10 ipsec-isakmp crypto dynamic map2

  client authentication card crypto LOCAL map1

  map1 outside crypto map interface

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 encryption aes-256

  ISAKMP policy 10 sha hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup address voicelabpool pool cuclab

  vpngroup dns 204.x.x.10 Server cuclab

  vpngroup cuclab by default-field voicelab.com

  vpngroup split tunnel 101 cuclab

  vpngroup idle 1800 cuclab-time

  vpngroup password cuclab *.

  Telnet timeout 5

  SSH 208.x.x.11 255.255.255.255 outside

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH 172.10.1.2 255.255.255.255 inside

  SSH timeout 60

  Console timeout 0

  username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2

  Terminal width 80

  Cryptochecksum:b03a349e1ac9e6022432523bbb54504b

  : end

  Try to turn on NAT - T

  PIX (config) #isakmp nat-traversal 20

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

  HTH

• Customer Cisco PIX 501 VPN connects but no connection to the local network

  Hi all:

  I am able to make a VPN connection to a PIX 501. The remote client is assigned an IP (192.168.2.1) also, but not able to access all the machines in the local network connected to the PIX.

  I have attached the PIX configuration.

  Advice will be greatly appreciated.

  ********************

  6.3 (5) PIX version

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable password xxxx

  passwd xxxxx

  pixfirewall hostname

  domain ciscopix.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside dhcp setroute

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool ippool 192.168.2.1 - 192.168.2.5

  location of PDM 192.168.2.0 255.255.255.0 outside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) - 0 102 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  mymap outside crypto map interface

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup vpn3000 ippool address pool

  vpngroup vpn3000 Server dns 68.87.72.130

  vpngroup vpn3000-wins 192.168.1.100 Server

  vpngroup vpn3000 split tunnel 101

  vpngroup vpn3000 downtime 1800

  password vpngroup vpn3000 *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.1.2 - 192.168.1.33 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  Cryptochecksum:xxxx

  ****************

  The DNS server is the one assigned to me by my ISP.

  My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5

  "isakmp nat-traversal 20" can do the trick.

• Unable to access the remote VPN LAN

  My VPN ends very well, but cannot access the local network. The warning is the LAN is a public good 24 subnet.  I'm not sure how to NAT the LAN to access the VPN subnet and not to disturb any other functionality.  I have attached the configuration.

  Thank you in advance.

  ciscoasa # sh run
  : Saved
  :
  ASA Version 8.2 (2)
  !
  ciscoasa hostname
  activate the encrypted Anuj/1RTcTy/SmZO password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP address .149.200 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP address *.165.37.131 255.255.255.248
  !
  interface Vlan5
  No nameif
  security-level 50
  IP 10.10.10.1 255.255.255.0
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  switchport access vlan 5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone GMT 0
  standard permit access list MASTERPWRTRANS_splitTunnelAcl *. . 149.0 255.255.255.0
  allow inside_nat0_outbound to access extensive ip list *. . 149.0 255.255.255.0 172.30.110.0 255.255.255.224
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  local pool POOL1 172.30.110.1 - 172.30.110.30 IP 255.255.255.224 mask
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  Global (outside) 2 *.165.37.132
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 2 *. .149.199 255.255.255.255
  NAT (inside) 1 0.0.0.0 0.0.0.0
  static (exterior, Interior) *. .149.199 *.165.37.132 netmask 255.255.255.255
  Route outside 0.0.0.0 0.0.0.0 * 1.165.37.134
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  RADIUS protocol Server AAA MPT
  AAA server MPT (inside) host .149.210
  Timeout 5
  key *.
  AAA authentication enable LOCAL console
  the ssh LOCAL console AAA authentication
  Enable http server
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 outdoors
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  Telnet *. . 149.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  Console timeout 0
  management-access inside

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal MASTERPWRTRANS group policy
  MASTERPWRTRANS group policy attributes
  value of DNS server *. . 149.10 *. . 149.11
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list MASTERPWRTRANS_splitTunnelAcl
  MCI.local value by default-field
  ptiadmin encrypted BtOLil2gR0VaUjfX privilege 15 password username
  mptadmin U2T.1fmOIe772zE username password / encrypted
  type tunnel-group MASTERPWRTRANS remote access
  attributes global-tunnel-group MASTERPWRTRANS
  POOL1 address pool
  TPM authentication server group
  Group Policy - by default-MASTERPWRTRANS
  IPSec-attributes tunnel-group MASTERPWRTRANS
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:820529ed70de923a8375694004b2544c
  : end
  ciscoasa #.

  The 2821 should have a route pointing to the ASA for the VPN address pool (because the ASA is not the default gateway for the LAN).

  That should do it.

  Federico.

• AnyConnect VPN full tunnel could not access the site to site VPN

  I have a set of AnyConnect VPN upward with no split tunneling (U-turning/crossed traffic), running 8.2.5 code.

  It works fine, but I want to allow customers to AnyConnect VPN site to site, which I was unable to access.

  I checked the IP addresses of network anyconnect are part of the tunnel on both sides.

  My logic tells me that I must not turn back traffic from the network anyconnect for the site to site VPN, but I don't know how to do this.

  Any help would be appreciated.

  Here are the relevant parts of my config:

  (Domestic network is 192.168.0.0/24,

  the AnyConnect network is 192.168.10.0/24,

  site to site VPN network is 192.168.2.0/24)

  --------------------------------------------------------------------------------------

  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface

  the DM_INLINE_NETWORK_1 object-group network
  object-network 192.168.0.0 255.255.255.0
  object-network 192.168.10.0 255.255.255.0
  inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.10.0 255.255.255.0

  outside_1_cryptomap list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

  mask 192.168.10.2 - 192.168.10.254 255.255.255.0 IP local pool AnyConnectPool
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (outside) 1 192.168.10.0 255.255.255.0
  access-outside group access component software snap-in interface outside
  Route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
  WebVPN
  allow outside
  AnyConnect essentials
  SVC disk0:/anyconnect-win-3.1.05152-k9.pkg 1 image
  SVC profiles AnyConnectProfile disk0: / anyconnect_client.xml
  enable SVC
  tunnel-group-list activate
  internal AnyConnectGrpPolicy group strategy
  attributes of Group Policy AnyConnectGrpPolicy
  WINS server no
  value of 192.168.0.33 DNS server 192.168.2.33
  VPN-session-timeout no
  Protocol-tunnel-VPN l2tp ipsec svc
  Split-tunnel-policy tunnelall
  the address value AnyConnectPool pools
  type tunnel-group AnyConnectGroup remote access
  attributes global-tunnel-group AnyConnectGroup
  address pool AnyConnectPool
  authentication-server-group SERVER1_AD
  Group Policy - by default-AnyConnectGrpPolicy
  tunnel-group AnyConnectGroup webvpn-attributes
  the aaa authentication certificate
  activation of the Group _AnyConnect alias

  Your dial-up VPN traffic as originating apears on the external interface, so I think you need to exonerate NAT pool PN traffic directed to the site to site VPN. Something like this:

   global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 nat (outside) 0 access-list outside_nat0 nat (outside) 1 192.168.10.0 255.255.255.0 access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

• ASA5505 can transfer clients to remote VPN access to the local network

  I have currently ASA 5505 and 2911-router and I am trying to configure the VPN topology.

  Can ASA5505 you transmit to remote VPN access clients LAN operated by another router?

  These two cases are possible? :

  (1) ASA 5505 and 2911-router are separate WAN interfaces, each connected directly to the ISP. But so can I connect an other interfaces LAN of ASA 5505 in a switch managed by 2911 router customers to distance-SSL-VPN to inject into the local network managed by the router?
  (2) ASA 5505 is behind router-2911. May 2911 router address public ip or public ip address VPN-access attempts have directly be sent to ASA 5505 when there is only a single public ip address address available?
  Long put short, ASA 5505 can inject its clients to remote-access-VPN as one of the hosts on the local network managed by 2911-router?
  Thank you.

  I could help you more if you can explain the purpose of this configuration and connectivity between the router and ASA.

  You can activate the reverse route on the dynamic plane on the SAA. The ASA will install a static route to the customer on the routing table. You can use a routing protocol to redistribute static routes to your switch on the side of LAN of the SAA.

• Client remote access VPN gets connected without access to the local network

  : Saved

  :

  ASA 1.0000 Version 2

  !

  hostname COL-ASA-01

  domain dr.test.net

  turn on i/RAo1iZPOnp/BK7 encrypted password

  i/RAo1iZPOnp/BK7 encrypted passwd

  names of

  !

  interface GigabitEthernet0/0

  nameif outside

  security-level 0

  IP 172.32.0.11 255.255.255.0

  !

  interface GigabitEthernet0/1

  nameif inside

  security-level 100

  IP 192.9.200.126 255.255.255.0

  !

  interface GigabitEthernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  nameif failover

  security-level 0

  192.168.168.1 IP address 255.255.255.0 watch 192.168.168.2

  !

  interface Management0/0

  nameif management

  security-level 0

  192.168.2.11 IP address 255.255.255.0

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain dr.test.net

  network of the RAVPN object

  192.168.0.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.200.0_24 object

  192.168.200.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.9.200.0_24 object

  192.9.200.0 subnet 255.255.255.0

  the inside_network object-group network

  object-network 192.9.200.0 255.255.255.0

  external network object-group

  host of the object-Network 172.32.0.25

  Standard access list RAVPN_splitTunnelAcl allow 192.9.200.0 255.255.255.0

  access-list extended test123 permit ip host 192.168.200.1 192.9.200.190

  access-list extended test123 permit ip host 192.9.200.190 192.168.200.1

  access-list extended test123 allowed ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0

  192.9.200.0 IP Access-list extended test123 255.255.255.0 allow object NETWORK_OBJ_192.9.200.0_24

  pager lines 24

  management of MTU 1500

  Outside 1500 MTU

  Within 1500 MTU

  failover of MTU 1500

  local pool RAVPN 192.168.200.1 - 192.168.200.254 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 66114.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, outside) source Dynamics one interface

  NAT (it is, inside) static static source NETWORK_OBJ_192.9.200.0_24 destination NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.9.200.0_24

  Route outside 0.0.0.0 0.0.0.0 172.32.0.2 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  the ssh LOCAL console AAA authentication

  Enable http server

  http 0.0.0.0 0.0.0.0 outdoors

  http 0.0.0.0 0.0.0.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  Crypto ca trustpoint ASDM_TrustPoint0

  Terminal registration

  name of the object CN = KWI-COL-ASA - 01.dr.test .net, C = US, O = KWI

  Configure CRL

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  authentication crack

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 20

  authentication rsa - sig

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 30

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 40

  authentication crack

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 50

  authentication rsa - sig

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 60

  preshared authentication

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 70

  authentication crack

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 80

  authentication rsa - sig

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 90

  preshared authentication

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 100

  authentication crack

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 110

  authentication rsa - sig

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 120

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 130

  authentication crack

  the Encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 140

  authentication rsa - sig

  the Encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 150

  preshared authentication

  the Encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.9.200.0 255.255.255.0 inside

  Telnet timeout 30

  SSH 0.0.0.0 0.0.0.0 management

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH 66.35.45.128 255.255.255.192 outside

  SSH 0.0.0.0 0.0.0.0 inside

  SSH timeout 30

  SSH version 2

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

  AnyConnect enable

  tunnel-group-list activate

  attributes of Group Policy DfltGrpPolicy

  internal RAVPN group policy

  RAVPN group policy attributes

  value of server WINS 192.9.200.164

  value of 66.35.46.84 DNS server 66.35.47.12

  VPN-filter value test123

  Ikev1 VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value test123

  Dr.kligerweiss.NET value by default-field

  username test encrypted password xxxxxxx

  username admin password encrypted aaaaaaaaaaaa privilege 15

  vpntest Delahaye of encrypted password username

  type tunnel-group RAVPN remote access

  attributes global-tunnel-group RAVPN

  address RAVPN pool

  Group Policy - by default-RAVPN

  IPSec-attributes tunnel-group RAVPN

  IKEv1 pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  Review the ip options

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory 2

  Subscribe to alert-group configuration periodic monthly 2

  daily periodic subscribe to alert-group telemetry

  aes encryption password

  Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea

  : end

  COL-ASA-01 #.

  Here is a shot made inside interface which can help as well, I've tried pointing the front door inside the interface on the target device, but I think it was a switch without ip route available on this subject I think which is always send package back to Cisco within the interface

  Test of Cape COLLAR-ASA-01 # sho | in 192.168.200

  25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request

  29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137: udp 68

  38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137: udp 68

  56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137: udp 68

  69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request

  98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request

  99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137: udp 68

  108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137: udp 68

  115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137: udp 68

  116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request

  COL-ASA-01 #.

  Any help or pointers greatly appreciated, I have do this config after a long interval on Cisco of the last time I was working it was all PIX so just need to expert eyes to let me know if I'm missing something.

  And yes I don't have a domestic network host to test against, all I have is a switch that cannot route and bridge default ip helps too...

  Hello

  The first thing you should do to avoid problems is to change the pool VPN to something else than the current LAN they are not really directly connected in the same network segment.

  You can try the following changes

  attributes global-tunnel-group RAVPN

  No address RAVPN pool

  no mask RAVPN 192.168.200.1 - 192.168.200.254 255.255.255.0 ip local pool

  local pool RAVPN 192.168.201.1 - 192.168.201.254 255.255.255.0 IP mask

  attributes global-tunnel-group RAVPN

  address RAVPN pool

  no nat (it is, inside) static source NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 static destination NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24

  In the above you first delete the VPN "tunnel-group" Pool and then delete and re-create the VPN pool with another network and then insert the same "tunnel-group". NEX will remove the current configuration of the NAT.

  the object of the LAN network

  192.168.200.0 subnet 255.255.255.0

  network of the VPN-POOL object

  192.168.201.0 subnet 255.255.255.0

  NAT (inside, outside) 1 static source LAN LAN to static destination VPN-VPN-POOL

  NAT configurations above adds the correct NAT0 configuration for the VPN Pool has changed. It also inserts the NAT rule to the Summit before the dynamic PAT rule you currently have. He is also one of the problems with the configurations that it replaces your current NAT configurations.

  You have your dynamic PAT rule at the top of your NAT rules currently that is not a good idea. If you want to change to something else will not replace other NAT configurations in the future, you can make the following change.

  No source (indoor, outdoor) nat Dynamics one interface

  NAT source auto after (indoor, outdoor) dynamic one interface

  NOTICE! PAT dynamic configuration change above temporarily interrupt all connections for users on the local network as you reconfigure the dynamic State PAT. So if you make this change, make sure you that its ok to still cause little reduced in the current internal users connections

  Hope this helps

  Let me know if it works for you

  -Jouni

• How can I configure VPN to allow someone to see my local network but use their own internet?

  OK, I have the VPN all the settings and it works decently, but one thing I really want I can't understand.
  When 'Default gateway to use on a remote connection' is checked in the customer then remote users can connect to the vpn, access in the right subnet and to access the internet

  When it is not enabled, users cannot access the computers on the subnet (other than the remote desktop to the vpn Server itself using the local IP address), but they can access the internet through my network.
  If it is checked and then access the internet through my network and subnet.

  What I would like is to be able to have users access the subnet as if they were here, but use their own internet for everything else.
  Who is? What Miss me to make it work?

  OK, I have the VPN all the settings and it works decently, but one thing I really want I can't understand.
  When 'Default gateway to use on a remote connection' is checked in the customer then remote users can connect to the vpn, access in the right subnet and to access the internet

  When it is not enabled, users cannot access the computers on the subnet (other than the remote desktop to the vpn Server itself using the local IP address), but they can access the internet through my network.
  If it is checked and then access the internet through my network and subnet.

  What I would like is to be able to have users access the subnet as if they were here, but use their own internet for everything else.
  Who is? What Miss me to make it work?

  Hi, Talkingscientist,

  Try this

  Linksys

  http://TechNet.Microsoft.com/en-us/library/cc302437.aspx

• Cisco ASA 5505 VPN L2TP cannot access the internal network

  Hello

  I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.

  Can you jhelp me to find the problem?

  I have Cisco ASA:

  within the network - 192.168.1.0

  VPN - 192.168.168.0 network

  I have the router to 192.168.1.2 and I cannot ping or access this router.

  Here is my config:

  ASA Version 8.4 (3)

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 198.X.X.A 255.255.255.248

  !

  passive FTP mode

  permit same-security-traffic intra-interface

  the net-all purpose network

  subnet 0.0.0.0 0.0.0.0

  network vpn_local object

  192.168.168.0 subnet 255.255.255.0

  network inside_nw object

  subnet 192.168.1.0 255.255.255.0

  outside_access_in list extended access permit icmp any any echo response

  outside_access_in list extended access deny ip any any newspaper

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool sales_addresses 192.168.168.1 - 192.168.168.254

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT dynamic interface of net-all source (indoor, outdoor)

  NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local

  NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search

  !

  network vpn_local object

  dynamic NAT interface (outdoors, outdoor)

  network inside_nw object

  NAT dynamic interface (indoor, outdoor)

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  AAA authentication enable LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac

  transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode

  Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1

  card crypto 20-isakmp ipsec vpn Dynamics dyno

  vpn outside crypto map interface

  Crypto isakmp nat-traversal 3600

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH timeout 30

  Console timeout 0

  management-access inside

  dhcpd address 192.168.1.5 - 192.168.1.132 inside

  dhcpd dns 75.75.75.75 76.76.76.76 interface inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal sales_policy group policy

  attributes of the strategy of group sales_policy

  Server DNS 75.75.75.75 value 76.76.76.76

  Protocol-tunnel-VPN l2tp ipsec

  user name-

  user name-

  attributes global-tunnel-group DefaultRAGroup

  address sales_addresses pool

  Group Policy - by default-sales_policy

  IPSec-attributes tunnel-group DefaultRAGroup

  IKEv1 pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  ms-chap-v2 authentication

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13

  : end

  Thanks for your help.

  You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  --

  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Ipad Cisco ipsec VPN connects but not access to the local network

  Hi guys,.

  I am trying to connect our ipads to vpn to access network resources. IPSec cisco ipad connects but not lan access and cannot ping anything not even not the interfaces of the router.

  If I configure the vpn from cisco on a laptop, it works perfectly, I can ping all and can access resources on the local network if my guess is that the traffic is not going in the tunnel vpn between ipad and desktop.

  Cisco 877.

  My config is attached.

  Any ideas?

  Thank you

  Build-in iPad-client is not useful to your configuration.

  You have three options:

  (1) remove the ACL of your vpn group. Without split tunneling client will work.

  2) migrate legacy config crypto-map style. Here, you can use split tunneling

  3) migrate AnyConnect.

  The root of the problem is that the iPad Gets the split tunneling-information. But instead of control with routing traffic should pass through the window / the tunnel and which traffic is allowed without the VPN of the iPad tries to build a set of SAs for each line in your split-tunnel-ACL. But with the model-virtual, SA only is allowed.

• ASA 5510 VPN - using a public IP address for the local network

  Hello, I have a problem which is probably very simple, but I can't seem to understand.

  I set up a site IPsec connection to another with a company, something I've done many times before without a problem. I use ASDM to configure this, because it is quick and painless, usually.

  We have one number of other site-to-site currently configured connections and works very well on this ASA, these are configured with the "Protected network - LAN" configured with the IP private of hosts within our network, we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to "guests aside ASA exempt from NAT.

  With this new link, however, the company asked us to use a public IP address for the host that we want to achieve through the tunnel. I don't know why, but they demand it. So I added a NAT rule for inside the host and set up the connection with the public IP address under "Local network". During the test to try to reach a host to their side, the tunnel didn't even try to open.

  What is the method here? I don't see where I'm wrong. I'm guessing that the 'host side ASA exempt from NAT' does not require for this, how if the ASA would know which internal host is the public IP address.

  Any ideas?

  Hi Leo,

  The steps are:

  1. Add the policy rule NAT for the specific host.

  2 - define the IP NAT as your LOCAL NETWORK address in the encryption settings.

  3 make sure that there is no rule NAT exempt for this host to the specific destination.

  What happens if you run a package tracer?

  Thank you.