REMOTE VPN PROBLEM
My remote access VPN client is not able to connect to the internal network.
The concentrator is connected to the main switch, and the 172.28.31.171 server is also connected to the main switch.
Inter-VLAN routing works very well. The server and the concentrator are able to reach each other via the main switch.
Private hub IP address: 172.28.31.92/248
VPN pool: 172.28.31.128/29
Main switch IP address: 172.28.31.91
The customer is able to connect without any problem, but is not able to ping or connect to any device on the client network.
In the VPN session I see bytes sent and received. My LAN-to-LAN tunnels work properly without any problem.
No firewall is involved in the path between the hub and the desired server 172.28.31.171.
Both are connected to the same switch but in different VLANs. Inter-VLAN routing works and both are able to ping each other.
Only the remote access 172.28.31.128/248 client is not able to reach anywhere.
Core switch routing table
ip route 172.28.0.0 255.255.0.0 172.28.31.68
ip route 172.28.0.0 255.255.224.0 172.28.31.77
ip route 172.28.31.128 255.255.255.248 172.28.31.92
ip route 172.28.32.50 255.255.255.255 172.28.31.92
ip route 172.29.0.0 255.255.0.0 172.28.31.68
Hub routing table
172.28.0.0 255.255.0.0 via 172.28.31.91
172.29.0.0 255.255.0.0 via 172.28.31.91
192.168.0.0 255.255.0.0 via 172.28.31.91
Split tunnel is enabled for
172.28.0.0/0.0.255.255
172.29.0.0/0.0.255.255
172.31.0.0/0.0.255.255
192.168.0.0/0.0.255.255
See the attachment, which shows that the customer connects successfully but is not sending or receiving anything. I tried changing the MTU size and enabling and disabling NAT-T, but without success.
Did you add a static route for your pool's IP subnet pointing back to the VPN concentrator?
Tags: Cisco Security
Similar Questions
-
QuickVPN - could not ping the remote VPN router!
Hello
I have an RV042 (VPN router) and I have some problems getting it to run properly using the QuickVPN client.
Here is the log of the QuickVPN client.
2008-10-15 20:14:38 [STATUS] a network interface detected with 192.168.0.104 IP address
2008-10-15 20:14:38 [STATUS] connection...
2008-10-15 20:14:38 [STATUS] connection to a remote gateway with IP address: 96.20.174.84
2008-10-15 20:14:38 [WARNING] server certificate does not exist on your local computer.
2008-10-15 20:14:44 remote gateway [STATE] has been reached with https...
2008-10-15 20:14:44 [STATUS] commissioning...
2008-10-15 20:14:51 [STATUS] Tunnel is connected successfully.
2008-10-15 20:14:51 [STATUS] verification of network...
2008-10-15 20:14:55 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:14:58 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:01 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:05 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:08 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:11 [WARNING] Ping has been blocked, which can be caused by an unexpected disconnection.
2008-10-15 20:15:19 [STATUS] disconnection...
2008-10-15 20:15:25 [STATUS] Tunnel is disconnected successfully.
I don't know how it is implemented, but if QuickVPN waits for a ping from my router, it will not happen. I was never able to ping my router from outside of my ISP network.
Is there a way to disable the ping process and continue with the VPN connection?
QuickVPN tries to ping the router via the VPN tunnel to check the connection. It should work regardless of whether your ISP filters ICMP messages or not. The tunnel is encrypted; your ISP won't know what you're doing.
Please post the corresponding RV042 VPN log. That should show how far you get.
Do you have a firewall running on the computer? I think that some firewalls have difficulty with ESP traffic.
What router is connected to the computer? How is it configured?
-
Tunnel remote VPN Internet traffic and remote VPN to site-to-site VPN traffic?
Hello
We are trying to tunnel the Internet traffic of our remote VPN users through our ASA 5510, and also to allow remote user VPN traffic to reach the far end of all the site-to-site VPNs terminated on the same ASA. Basically, we want anyone who VPNs into the network to be able to access all of our business networks. We are trying to get away with this without using split tunneling.
I can currently get internal traffic from the remote user VPN to reach all the other site-to-site VPN tunnels as long as the Internet traffic is not in the tunnel. The problem is when I add the following NAT statement:
nat (outside) 1 10.10.19.0 255.255.255.0     (10.10.19.0 is the remote VPN client address pool)
Internet traffic from the remote VPN starts going into the tunnel, but I lose the ability to reach any of the other site-to-site tunnels from the remote VPN tunnel.
I also begin to receive the following errors in the ASA log:
3 | Jul 1 2009 12:34:18 | 305005 | 10.10.19.255 | 137 | No translation group found for udp src outside:10.10.19.3/137 dst outside:10.10.19.255/137
Any help with how the NAT statements must be defined for this to work would be appreciated.
Thank you
Will
Will,
See the link in this post for a reference hub-and-spoke VPN scenario; your problem may be with the NAT exemption rules.
Have a second look at your NAT exemption (nat 0) rules.
Be sure to remove the tunnel rules related to RA, as appropriate, so that they don't get in the way of the split.
If it still fails, describe the topology for the L2Ls and the RA logic and post a sanitized hub ASA config... but I think if you look at the thread above, you should be able to solve it.
Regards
-
Did anyone see anything that would prevent remote VPN from working? My L2L runs like a champ. I can connect via the remote VPN client end, but I can't talk to anything on the network. I don't see the routes appear in my client software under the statistics section. Help!
domain-name default.domain.invalid
enable password <removed>
passwd <removed>
names
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list acl_inside extended deny tcp 192.168.3.0 255.255.255.0 any eq smtp
access-list acl_inside extended permit ip any any
access-list Split_tunnel_list remark Split tunnel list
access-list Split_tunnel_list standard permit any
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 69.57.59.137 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map Marina 20 match address 90
crypto map Marina 20 set peer 69.57.51.194
crypto map Marina 20 set transform-set strong ESP-3DES-MD5 ESP-3DES-SHA
crypto map Marina 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Marina interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 30
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 69.85.192.0 255.255.192.0 outside
ssh 67.177.64.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
console timeout 0
group-policy YW#vpn internal
group-policy YW#vpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
group-policy 69.57.51.194 internal
group-policy 69.57.51.194 attributes
 vpn-tunnel-protocol IPSec
username admin password RqwfSgGaHexJEm4c encrypted privilege 15
username admin attributes
 vpn-group-policy YW#vpn
tunnel-group 69.57.51.194 type ipsec-l2l
tunnel-group 69.57.51.194 ipsec-attributes
 pre-shared-key *
tunnel-group YW#vpn type ipsec-ra
tunnel-group YW#vpn general-attributes
 address-pool YW#vpn
 authentication-server-group LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy YW#vpn
tunnel-group YW#vpn ipsec-attributes
 pre-shared-key *
!
policy-map global_policy
 class class-default
Well, your main problem is your match address definition:
crypto map Marina 20 match address 90
That is the access list used for the NAT exemption, which includes both the S2S and the remote access traffic, so the remote access traffic is matched by the match address of the static map. Go ahead and change it to:
access-list Marina permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
no crypto map Marina 20 match address 90
crypto map Marina 20 match address Marina
The other problem, which is not affecting you but is badly configured, is your split tunnel policy: you set the split tunnel network to "any", which is just as if you did not have split tunneling active (which is the reason why the route shows 0.0.0.0 on the client).
Go ahead and change it to:
access-list Split_tunnel_list standard permit 192.168.3.0 255.255.255.0
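The effect of that match-address change can be checked offline before touching the firewall. The following Python script is an added example, not code from the post or from Cisco: it parses the ACLs posted above, walks the crypto map entries in sequence order the way the ASA does for an outbound flow, and shows that with access-list 90 a flow from the LAN to a VPN client in 10.10.10.0/24 is claimed by the static L2L entry (seq 20), while with the narrowed "Marina" ACL it falls through to the dynamic entry. The model is deliberately simplified and the function names are mine: a dynamic entry is treated as a catch-all for whatever the static entries did not match, whereas a real ASA only applies a dynamic map to SAs a peer (such as a VPN client) has negotiated.

```python
"""Which crypto map entry catches a flow? Added example modelling the answer
above: static entries are tried in sequence order using their match-address
ACL; the dynamic entry (seq 65535) is a catch-all for whatever remains
(simplification: on a real ASA a dynamic map only covers SAs a peer negotiated)."""
from ipaddress import ip_address, ip_network


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST' lines into
    {name: [(action, src_net, dst_net), ...]}, preserving entry order."""
    acls = {}
    for line in lines:
        toks = line.split()
        if len(toks) < 3 or toks[0] != "access-list":
            continue
        name, rest = toks[1], toks[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        action, rest = rest[0], rest[2:]        # rest[1] is the protocol keyword
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def acl_permits(aces, src, dst):
    """First-match semantics with the implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for action, sn, dn in aces:
        if s in sn and d in dn:
            return action == "permit"
    return False


def crypto_map_lookup(entries, acls, src, dst):
    """entries: [(seq, kind, acl_name_or_None, label)] in any order.
    Returns the label of the lowest-sequence entry that claims the flow."""
    for seq, kind, acl_name, label in sorted(entries, key=lambda e: e[0]):
        if kind == "static" and acl_permits(acls.get(acl_name, []), src, dst):
            return label
        if kind == "dynamic":                   # catch-all, see module docstring
            return label
    return None


# Constructed from the ACLs in the post (before) and in the answer (after).
ACL_LINES_BEFORE = [
    "access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list 90 extended permit ip any 10.10.10.0 255.255.255.0",
]
ACL_LINES_AFTER = [
    "access-list Marina permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0",
]
CRYPTO_MAP_BEFORE = [
    (20, "static", "90", "static seq 20 -> peer 69.57.51.194"),
    (65535, "dynamic", None, "dynamic outside_dyn_map"),
]
CRYPTO_MAP_AFTER = [
    (20, "static", "Marina", "static seq 20 -> peer 69.57.51.194"),
    (65535, "dynamic", None, "dynamic outside_dyn_map"),
]


def which_entry(before, src, dst):
    """Evaluate a flow against the 'before' (True) or 'after' (False) config."""
    if before:
        return crypto_map_lookup(CRYPTO_MAP_BEFORE, parse_acl(ACL_LINES_BEFORE), src, dst)
    return crypto_map_lookup(CRYPTO_MAP_AFTER, parse_acl(ACL_LINES_AFTER), src, dst)


if __name__ == "__main__":
    for label, cfg in (("before", True), ("after", False)):
        print(label, "LAN -> VPN client :", which_entry(cfg, "192.168.3.10", "10.10.10.5"))
        print(label, "LAN -> remote site:", which_entry(cfg, "192.168.3.10", "192.168.2.7"))
```

The L2L flow (192.168.3.0/24 to 192.168.2.0/24) lands on the static entry in both configurations; only the client-bound flow moves from the static entry to the dynamic map once the "permit ip any 10.10.10.0/24" line is no longer part of the match-address ACL.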
-
Access to internal mail (Exchange) through remote access VPN
Hi all
I have a problem configuring the ASA 5510 to access my internal mail (Exchange) through the remote access VPN.
a. I have set up my D-Link ADSL router to port forward SMTP (25) & POP3 (110) to the outside interface of the ASA 5510 (192.168.5.101 255.255.255.0)
b. How can I configure the ASA 5510 (using ASDM) to port forward SMTP (25) and POP3 (110) to my internal mail server with IP 192.168.50.2 255.255.255.0?
c. My internal LAN network (192.168.50.0 255.255.255.0) is mapped to 10.1.1.0 255.255.255.224 for VPN clients
d. My mail server IP (192.168.50.2 255.255.255.0) will also be translated while clients are accessing it through remote access VPN
e. Which IP (the Exchange server IP 192.168.50.2, or the NAT IP 10.1.1.10 that the VPN clients receive) do I have to set up in Microsoft Outlook (incoming & outgoing mail server)?
Here are the configuration details of my remote access VPN
: Saved
: Written by enable_15 at 13:42:51.243 UTC Thu Nov 27 2008
!
ASA Version 7.0(6)
!
hostname xxxx
domain-name xxxx
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.5.101 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.101 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 management-only
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.224
access-list vpn standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.224
ip local pool vpn-ip-pool 10.1.1.10-10.1.1.25 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1     (192.168.5.1 is the D-Link ADSL router LAN IP)
group-policy vpn internal
group-policy vpn attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value vpn
 webvpn
username xxxxx password xxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy vpn
 webvpn
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpn-ip-pool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
So can someone help me with how to configure these tasks?
You can, without problem.
-
Remote VPN to Site-to-Site tunnel
Hello
I am facing a problem with my remote VPN users; I describe my network here. I have a site-to-site tunnel to my client's USA office, whose IP is 169.X.X.X; we are able to connect over this tunnel. Now I configured remote VPN for my home users. My office inside IP is 192.168.2.X, and once I connect from home into the office through the Cisco VPN client my IP is 192.168.3.X (I put that range in the ASA pool). Now 192.168.3.X and 192.168.2.X communicate correctly, but I need to access my tunnel IP 169.1.X.X from 192.168.3.X (home) as well.
203.92.X.X is my static public IP address that is allowed on the client side for the tunnel.
If something is confusing please let me know.
Thank you
Nitin
Nitin,
It is not possible to NAT 192.168.3.0/24 to the public IP address, because the default route (through which you reach the L2L remote host) on the ASA points to the outside interface. This default route will redirect/route the VPN client traffic out the outside interface only, so the NATing is not reached.
HTH
Sangaré
-
Here's the situation
I am slowly migrating from a Cisco VPN 3030 to a Cisco ASA 5540 hub.
My L2L tunnels come along fine, but I'm running into issues with remote VPN clients.
I implemented AAA and it works correctly, as well as the profile (we use IPSec).
My issues are with the IP address pool. We use a different set of IPs than the hub.
I have implemented routing with the ASA as the next hop for the IP address pool.
But I don't get any throughput.
I can connect to the ASA with a remote client, it checks against the RADIUS server and all authentication goes through. But I can't access anything whatsoever.
All routes for the IP address pool from within the network point to the ASA.
Is there something else I need to put in place besides just assigning the IP address pool?
Any suggestions would be helpful
Thank you
The problem isn't necessarily routing. Check the following things:
1. Do you have NAT exemption for the VPN pool (you need it)? If this isn't the case you will see "no translation group found" syslog messages and traffic will be dropped. Assume that your VPN pool is 172.16.4.0 255.255.255.255. You add:
access-list sheep permit ip any 172.16.4.0 255.255.255.0
nat (inside) 0 access-list sheep
2. Do you have an access-group applied to the interface? Do a "show run access-group". If you have one applied, make sure that the access list permits traffic to the VPN client pool.
3. If it is IPSec and the client or the ASA is behind a NAT, you must have the following:
isakmp nat-traversal
-heather
Please rate this message if this helped you.
-
Hi all
I have a client who uses a PIX 506e with the Cisco VPN client 4.02 for remote VPN. The PIX has multiple inside routes. The first inside network is 192.168.1.X and E1 of the 506 is 192.168.1.1. The second network is 10.71.56.X.
The problem is that as soon as the VPN is connected I can ping any host on 192.168.1.X, but not anything on the 10.71.56.X network. No NetBIOS or anything else. From the PIX, I can ping hosts on both internal networks.
Here is the config below. Thank you!
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname GNB-PIX
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service QUBEADMIN tcp
 port-object range 444 444
access-list outside_access_in permit tcp any host 12.X.X.X eq pop3
access-list outside_access_in permit tcp any host 12.X.X.X eq smtp
access-list outside_access_in permit tcp any host 12.X.X.X eq domain
access-list outside_access_in permit tcp any host 12.X.X.X eq www
access-list outside_access_in permit tcp any host 12.X.X.X object-group QUBEADMIN
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any host 12.169.2.21 eq ssh
access-list GNB_splitTunnelAcl permit ip 10.71.56.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.71.56.32 255.255.255.224
pager lines 24
logging on
logging timestamp
logging standby
logging buffered notifications
logging trap errors
logging history notifications
logging queue 0
logging host inside 10.71.55.10
logging host outside 192.104.109.91
interface ethernet0 auto
interface ethernet1 auto
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.X.X.X 255.255.254.0
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 10.71.56.40-10.71.56.50
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.X.X.X 192.168.1.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.X.X.X 1
route inside 10.71.55.0 255.255.255.0 192.168.1.1 1
route inside 10.71.56.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup GNB address-pool VPNPOOL
vpngroup GNB dns-server 10.71.56.10 10.71.56.10
vpngroup GNB split-tunnel GNB_splitTunnelAcl
vpngroup GNB idle-time 1800
vpngroup GNB password *
telnet timeout 5
ssh timeout 60
terminal width 80
Cryptochecksum:XXXXX
: end
[OK]
GNB-PIX#
You use 10.71.56.0 255.255.255.0 in two places:
you route to it via 192.168.1.1, but you're also allocating addresses out of it for VPN clients. Hosts on the 10.71.56.0/24 segment, if they manage to get a packet from the connected VPN client (which is assigned a 10.71.56.x address), would not send the response packet for that request to the router that has the 192.168.1.1 interface, which is what would be needed to make it work, but would try to deliver it on the local subnet.
You must use a different network block for your VPN clients - you cannot use the same IP space across two different networks.
-
Trying to run site-to-site VPN and remote VPN from the same remote IP
We currently have a site-to-site VPN configured between our call center office and a 3rd party, which allows them to access our training environment for their employees to use while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; however, when we have managers go out to the call center, they are unable to use remote VPN to access our office.
Apparently the remote peer IP that we use for our site-to-site tunnel is the same IP that our managers use to access the Internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get "Information Exchange processing failed". So from what I can understand, when our managers try to connect to our firewall from the same IP address as the site-to-site peer, it automatically tries to create a tunnel according to the site-to-site tunnel information. If our managers are anywhere else, they can connect through remote VPN with no problems.
My question is whether anyone knows of a way to make the firewall allow site-to-site VPN and remote access connections from the same remote IP address.
Hi John,
Basically, in older versions, when you hit a static crypto map and you don't completely match that static crypto map, the connection continues on to the dynamic crypto map. For this reason, you could connect your IPSec clients before. A bug has been opened on this vulnerability.
Bug details CSCuc75090
IPSec crypto SAs are created via the dynamic crypto map for static peers
Symptom:
When a static VPN peer adds any traffic to the crypto ACL, an SA is built even if the peer IP is not permitted in the ACL of the primary static crypto map. These SAs end up matching and coming up on the dynamic crypto map instance.
Conditions:
This was a planned design since day one, which allowed clients to fall through in case the static crypto map did not provide the necessary cryptographic services.
The SA must come from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.
Workaround:
N/A
Some possible workarounds are:
Configure a static NAT on the remote device when trying to use the remote VPN, so that the firewall will be hit from a different public IP address. It would be a good solution, but it will depend on how many public IP addresses you have available, and whether you really want to use one of those IP addresses for that access.
Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 SSL licenses available that you could use. Because AnyConnect uses the SSL protocol, it won't have a problem in your environment.
Below some information:
Hope this helps,
Luis.
-
Remote VPN on 7.2(2)
Hello
I came across a problem with a client where we configured the remote access VPN via ASDM and used the same name (for example, itvpn) for the tunnel-group and the group policy. After putting the ASA on the network, we were able to connect through the VPN client, however we never saw any traffic being decrypted at the client end.
Then I took all the remote access VPN related config out of the CLI and put it back in through the CLI (instead of ASDM). The only difference I see between the two configs is that in the second I used a different name for the group policy (e.g. itvpnpolicy) and the tunnel-group (e.g. itvpn). We were then able to see packets decrypted at the client end and everything worked.
Does anyone have a working configuration where they use the same name for the group policy and tunnel-group? Am I crazy thinking that you can't use the same name for both? Just curious, in case we missed something when comparing the two configs.
Thank you!
Brad
Hi Brad,
I've seen many working configurations with the same name. It's fine. You're certainly missing something else.
Kind regards
Kamal
-
Remote VPN cannot ping any host on remote site
Hi all!
I tried to deploy remote VPN on my ASA 5515-X. My VPN client connects properly, but I can't ping any host on the remote network.
Here is my configuration:
ASA Version 8.6(1)2
!
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.252 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/2
 description DMZ
 nameif dmz
 security-level 50
 ip address 192.168.20.252 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.40 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network internal-subnet
 subnet 192.168.10.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.20.0 255.255.255.0
access-list split_tunnel remark LAN_VLAN_10
access-list split_tunnel standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu dmz 1500
ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
!
object network internal-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 93.174.55.181 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set firstset esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set firstset
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 43200
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy testgroup internal
group-policy testgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
username user1 password fvosA8L1anfyxTw3 encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool testpool
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
What's wrong?
TNX!
Hello
I would like to change the current VPN pool to something not overlapping with the LAN.
You're also missing NAT0 for the VPN client connection, which is most likely your problem.
You can try these changes
ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
tunnel-group testgroup general-attributes
 no address-pool testpool
 address-pool VPN-POOL
no ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
You can also change your encryption settings to anything other than DES. You can use AES.
Hope this helps
Let us know if this helped.
Don't forget to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
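Both of the problems Jouni points out (a pool carved out of the inside subnet, and no identity NAT exempting LAN-to-pool traffic) are the same two that the PIX 506e answer and heather's checklist earlier in this page describe, and both can be caught by reading the configuration before the tunnel is tested. The following Python script is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.3+-style excerpt built from the values in this thread (the original testpool next to the corrected VPN-POOL and its objects), flags any pool whose range overlaps an interface subnet, and checks whether a twice-NAT identity rule of the form "nat (inside,outside) source static X X destination static Y Y" covers the LAN and the whole pool. The parser, the function names, the lint messages and the outside interface address 198.51.100.2 are mine; only the 8.3+ syntax shown in this thread is understood, not the older "nat 0 access-list" form.

```python
"""Added example: lint a remote-access VPN pool against an ASA config excerpt.
Checks (1) the pool overlaps no interface subnet and (2) an identity
twice-NAT rule exempts LAN <-> pool traffic. Parser and names are mine;
only the ASA 8.3+ syntax shown in the thread is understood."""
from ipaddress import ip_address, ip_network


def parse_config(text):
    """Collect interfaces, 'ip local pool', 'object network' subnets and
    identity twice-NAT rules from a running-config excerpt."""
    cfg = {"interfaces": {}, "pools": {}, "objects": {}, "identity_nat": []}
    ctx = None                                   # current interface/object block
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            ctx = ("if", {"nameif": None})
        elif t[0] == "nameif" and ctx and ctx[0] == "if":
            ctx[1]["nameif"] = t[1]
        elif t[:2] == ["ip", "address"] and ctx and ctx[0] == "if":
            cfg["interfaces"][ctx[1]["nameif"]] = ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ip_address(first), ip_address(last))
        elif t[:2] == ["object", "network"]:
            ctx = ("obj", t[2])
        elif t[0] == "subnet" and ctx and ctx[0] == "obj":
            cfg["objects"][ctx[1]] = ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif t[0] == "nat" and "source" in t and "destination" in t:
            # nat (in,out) source static A A destination static B B -> identity rule
            s, d = t.index("source"), t.index("destination")
            if (t[s + 1] == "static" and t[s + 2] == t[s + 3]
                    and t[d + 1] == "static" and t[d + 2] == t[d + 3]):
                cfg["identity_nat"].append((t[s + 2], t[d + 2]))
    return cfg


def pool_overlaps(cfg, pool):
    """Names of interfaces whose subnet contains any address of the pool range."""
    first, last = cfg["pools"][pool]
    return sorted(name for name, net in cfg["interfaces"].items()
                  if first <= net.broadcast_address and last >= net.network_address)


def nat_exempt_covers(cfg, lan, pool):
    """True if some identity rule's source object contains the LAN subnet and
    its destination object contains the whole pool range."""
    first, last = cfg["pools"][pool]
    lan_net = ip_network(lan)
    for src_obj, dst_obj in cfg["identity_nat"]:
        src, dst = cfg["objects"].get(src_obj), cfg["objects"].get(dst_obj)
        if src and dst and lan_net.subnet_of(src) and first in dst and last in dst:
            return True
    return False


def lint(text, lan):
    """Human-readable findings for every pool in the excerpt."""
    cfg = parse_config(text)
    findings = []
    for pool in cfg["pools"]:
        for name in pool_overlaps(cfg, pool):
            findings.append(f"{pool}: overlaps interface {name} ({cfg['interfaces'][name]})")
        if not nat_exempt_covers(cfg, lan, pool):
            findings.append(f"{pool}: no identity NAT exempting {lan} <-> pool")
    return findings


# Constructed excerpt: the original testpool beside Jouni's corrected objects.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.252 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
ip local pool testpool 192.168.10.240-192.168.10.250 mask 255.255.255.0
ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
"""

if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG, "192.168.10.0/24"):
        print(line)
```

Run against the excerpt, only testpool is reported: it sits inside 192.168.10.0/24 and the identity rule's destination object does not contain it, while VPN-POOL is clean on both counts. Keeping the pool check separate from the NAT check matters because either one alone produces the "connects but cannot ping anything" symptom described in this thread.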
-
Hello, I'm having a problem with my VPN configuration. I have two locations, each with its own subnet. I have a site-to-site VPN between the two locations. The site-to-site VPN is up and fully functional without any problem. Now, if I'm away from work and connect to site A with the VPN client, I cannot ping or connect to anything on site B. Or if I am connected to site B by VPN, I can't ping or connect to anything on site A.
I hope that makes sense, but I'll be happy to give more details on the setup if necessary.
I think that the command you need is:
same-security-traffic permit intra-interface (not inter-interface)
The remote VPN and the site-to-site VPN use the same outside interface, so this command allows VPN traffic to hairpin back out that interface.
Sent from Cisco Technical Support iPad App
-
How to allow remote VPN Sessions to communicate
Hi all
I'm trying to understand how to enable remote VPN client sessions to communicate. For example, if my manager has been connected via VPN to the office and needed me to fix something on his laptop, I cannot VPN to the office and RDP into her laptop. Not sure if this can be done without pain.
A brief out of my config. Remote client VPN sessions work fine. It's only when I try to access other customer VPN sessions, is where I have a problem.
Thank you is advanced!
FW# sh run
: Saved
:
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 4.4.1.8 255.255.255.252
!
interface Ethernet0/2
!
interface Ethernet0/3
!
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list sheep extended permit ip any 10.10.10.0 255.255.255.0
ip local pool vpn 10.10.10.1-10.10.10.15 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 4.4.1.7 1
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map inetdyn_map 20 set transform-set ESP-DES-SHA
crypto map inet_map 65535 ipsec-isakmp dynamic inetdyn_map
crypto map inet_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
group-policy vpnipsec internal
group-policy vpnipsec attributes
 wins-server value 192.168.1.5
 dns-server value 192.168.1.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value moobie.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
 address-pool vpn
 default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
 pre-shared-key nope
!
Hello
You need to allow the VPN pool in the split tunnel; here's what you need to do:
access-list split_tunnel standard permit 10.10.10.0 255.255.255.0
same-security-traffic permit intra-interface
Kind regards
Bad Boy
P.S. Please mark this message as 'Answered' if you find this information useful, so that it helps other users of the community.
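The two conditions named in the answer above, as an added example that is not part of the thread: a client-to-client packet is only tunneled if the destination is inside the split-tunnel list, and the ASA only forwards it back out the same interface when intra-interface traffic is permitted. The config excerpts are constructed in the shape of the posted config (pool 10.10.10.0/28, ACL split_tunnel), not the poster's actual file.

```python
import ipaddress

# Constructed ASA excerpt in the shape of the thread's config (not the poster's file).
# This variant lists only the LAN in the split-tunnel ACL and has no intra-interface line.
BASE = """\
same-security-traffic permit inter-interface
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
ip local pool vpn 10.10.10.1-10.10.10.15 mask 255.255.255.0
group-policy vpnipsec attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
"""
# Only the pool added to the split-tunnel ACL.
ACL_ONLY = BASE + "access-list split_tunnel standard permit 10.10.10.0 255.255.255.0\n"
# Both lines from the answer above.
FIXED = ACL_ONLY + "same-security-traffic permit intra-interface\n"


def parse(cfg):
    """Extract the split-tunnel networks, the client pool and the intra-interface flag."""
    acls, pool, intra, acl_name = {}, None, False, None
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            acls.setdefault(t[1], []).append(ipaddress.ip_network(f"{t[4]}/{t[5]}"))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            intra = True
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            acl_name = t[2]
    return acls.get(acl_name, []), pool, intra


def client_can_reach(cfg, src, dst):
    """Return (reachable, reason) for a packet a VPN client at src sends to dst."""
    split_nets, pool, intra = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_pool = lambda a: pool is not None and pool[0] <= a <= pool[1]
    if not any(dst in n for n in split_nets):
        # The client never tunnels this packet; it leaves via the local interface.
        return False, "dst not in split-tunnel list"
    if in_pool(src) and in_pool(dst) and not intra:
        # The ASA will not send traffic back out the interface it arrived on.
        return False, "hairpin blocked: no intra-interface"
    return True, "ok"
```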
-
Auth of remote VPN through LDAP allows all users!
Hello
I have a 5505 firewall with a security license. I have configured remote VPN on the firewall through the CLI with the commands below. Remote VPN works well, but the problem is that it allows all remote VPN users. I need to restrict remote VPN access to a few users, and I need to configure this via CLI; I don't want to go through ASDM. Can someone help me with the CLI?
Through ASDM I am able to perform the things below that I'm not able to do through CLI:
Configuration -> Network (Client) Access -> Dynamic Access Policies
Through ASDM I'm able to set which VPN users are allowed remote VPN access; how do I set up the same thing through CLI?
Here's my CLI:
ldap attribute-map CISCOMAP
 map-name VPN IETF-Radius-Class
 map-value VPN "CN=VPN,DC=domain,DC=com" noaccess_pri
 map-value VPN "CN=VPN,DC=domain,DC=com" noaccess_bk
 map-value VPN "CN=VPN,DC=domain,DC=com" splitgroup_pri
 map-value VPN "CN=VPN,DC=domain,DC=com" splitgroup_bk
aaa-server ldapgroup protocol ldap
aaa-server ldapgroup (inside) host 10.1.10.5
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password Inf0rmati0n1
 ldap-login-dn cn=VPN,dc=domain,dc=com
 server-type microsoft
 ldap-attribute-map CISCOMAP
group-policy noaccess_pri internal
group-policy noaccess_pri attributes
 vpn-simultaneous-logins 0
 exit
group-policy noaccess_bk internal
group-policy noaccess_bk attributes
 vpn-simultaneous-logins 0
 exit
group-policy splitpolicy_pri internal
group-policy splitpolicy_pri attributes
 vpn-tunnel-protocol ipsec l2tp-ipsec
tunnel-group splitgroup_pri general-attributes
 authentication-server-group ldapgroup LOCAL
group-policy splitpolicy_bk internal
group-policy splitpolicy_bk attributes
 vpn-tunnel-protocol ipsec l2tp-ipsec
tunnel-group splitgroup_bk general-attributes
 authentication-server-group ldapgroup LOCAL
Thank you
Abhishek
Hello
You cannot configure DAP via the CLI because the configuration is saved in a file, dap.xml, which is stored in the flash of the ASA.
You can configure DAP using the following link:
http://www.ciscosystems.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml#T4
Also note that the link mentions the following:
Note:
The dap.xml file, which contains the DAP selection policy attributes, is stored in the flash of the ASA. Although you can export the dap.xml file, edit it (if you know the XML syntax) and re-import it, be very careful, because ASDM might stop processing DAP files if you misconfigure something. There is no CLI to handle this part of the configuration.
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this message as answered if you feel that your query is resolved. Rate the useful messages.
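The CLI mechanism the question's own config is built on (an LDAP attribute map selecting a group-policy, with a lock-out policy carrying vpn-simultaneous-logins 0), modelled as an added example that is not part of the thread. It assumes the group DN is matched on the memberOf attribute and that the tunnel-group's default-group-policy is what decides the fate of users who match no map-value; the config excerpts are constructed, not the poster's file.

```python
import re

# Constructed ASA excerpt in the shape of the thread's LDAP setup (not the poster's file).
# Assumption: the DN is matched on memberOf, and the tunnel-group's default group-policy
# is the lock-out policy, so unmapped users inherit vpn-simultaneous-logins 0.
LOCKED = """\
ldap attribute-map CISCOMAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN,DC=domain,DC=com" splitpolicy_pri
group-policy noaccess_pri internal
group-policy noaccess_pri attributes
 vpn-simultaneous-logins 0
group-policy splitpolicy_pri internal
group-policy splitpolicy_pri attributes
 vpn-simultaneous-logins 3
tunnel-group splitgroup_pri general-attributes
 default-group-policy noaccess_pri
"""
# Same map, but the tunnel-group falls back to a permissive policy: every authenticated
# user outside the mapped group still gets in, which is the symptom in the question.
OPEN = LOCKED.replace("default-group-policy noaccess_pri", "default-group-policy splitpolicy_pri")

DEFAULT_LOGINS = 3  # ASA default for vpn-simultaneous-logins when a policy does not set it


def parse(cfg):
    """Collect map-value DN -> policy, per-policy login limits and the default policy."""
    dn_to_policy, logins, default_policy, policy = {}, {}, None, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "map-value":
            m = re.match(r'\s*map-value \S+ "([^"]+)" (\S+)', line)
            dn_to_policy[m.group(1)] = m.group(2)
        elif t[0] == "group-policy" and t[-1] == "attributes":
            policy = t[1]
        elif t[0] == "vpn-simultaneous-logins":
            logins[policy] = int(t[1])
        elif t[0] == "default-group-policy":
            default_policy = t[1]
    return dn_to_policy, logins, default_policy


def authorize(cfg, member_of):
    """Return (group_policy, allowed) for a user with the given LDAP memberOf values."""
    dn_to_policy, logins, default_policy = parse(cfg)
    policy = next((dn_to_policy[dn] for dn in member_of if dn in dn_to_policy), default_policy)
    return policy, logins.get(policy, DEFAULT_LOGINS) > 0
```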
-
l2l ipsec vpn - XAUTH required, policy-based problem
Hello
I have a problem for which I see a few solutions, but they do not work.
I have a p2p IPsec VPN which worked until I added the remote access VPN configuration (which works perfectly).
According to the documents, I used an ISAKMP policy allowing mixed tunnels. Now, whenever I try to send traffic through the l2l link I get the following debug output telling me that the remote router is demanding XAUTH.
Sep 8 09:53:12: ISAKMP:(2015):Total payload length: 12
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep 8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep 8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Sep 8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH
Sep 8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
So, it seems that Phase 1 ends without XAUTH.
Here's my crypto configuration:
crypto keyring s2s
  pre-shared-key address [source] key [key]
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 lifetime 28800
!
crypto isakmp policy 10
 authentication pre-share
 lifetime 28800
!
crypto isakmp client configuration group [RA_GROUP]
 key [key2]
 dns 192.168.7.7
 wins 192.168.7.222
 domain ninterface.com
 pool SDM_POOL_1
 acl 100
 max-users 6
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ISA_PROF
   keyring s2s
   match identity address [source] 255.255.255.255
crypto isakmp profile unified
   match identity group [RA_GROUP]
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_grop_ml_1
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map [RA_GROUP] 77
 set transform-set trans-rem
 set isakmp-profile unified
 reverse-route
!
!
!
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr/remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
!
crypto map [RA_GROUP] client configuration address respond
!
crypto map remote isakmp authorization list rtr/remote
!
crypto map RTP 10 ipsec-isakmp
 set peer [source]
 set transform-set MY-SET
 set pfs group2
 match address 111
It is a bit of a dog's breakfast because I'm in the middle of implementing the policies.
I managed to block XAUTH before I used policies by adding no-xauth to the end of my key statement, but I can't work out how to add this using the policy.
I'm betting it's something simple that I missed.
Thanks for your help!
Hi Bruno,
Thanks for the brief explanation.
Which crypto map is applied on the external interface?
I think the "crypto isakmp profile" solution is the best way, and they seem to be OK; however, we must remember that you can only have a single crypto map per interface, so you should have something like this:
1- crypto dynamic-map outside_dynamic 10
 set transform-set ESP-AES-SHA
2- crypto map outside_map 10 ipsec-isakmp
 set peer xxxx.xxxx.xxxx.xxxx
3- crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynamic
4- interface f0/0
 crypto map outside_map
* I haven't configured all of the crypto configuration; I just wanted to give you a better idea.
Please correct your configuration to accommodate one crypto map.
Just to add more information on isakmp profiles:
Let me know.
Thank you.
Portu.