Remote VPN users cannot access site-to-site tunnel
Cisco ASA5505.
I have a site-to-site tunnel set up from our office to our Amazon AWS VPC. I'm not a network engineer and have spent way too much time just getting to this point.
It works very well from within the office, but remote VPN users cannot access the site-to-site tunnel. All other remote access looks fine.
The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626
Any help or advice would be greatly appreciated. It is probably super simple for someone who knows what they're doing to spot the problem.
Hi Paul.
Looking at your configuration:
Remote access:
group-policy RA_GROUP internal
group-policy RA_GROUP attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-network-list value Split_Tunnel_List
same-security-traffic permit intra-interface
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_GROUP
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key *
ip local pool RA_VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0
Site to site:
Similar Questions
-
VPN users cannot access tunnel
Hi all
I have a problem. I have 2 sites, both with an ASA 5520, and they are connected via a site-to-site VPN.
It works very well: all users in site A can access resources in site B and vice versa.
The problem comes when a user connects to site A via the remote-user VPN: they cannot access or even ping anything in site B, even though the FW gives them an IP address in the site's range.
I'm sure there is something simple that I missed.
Thank you
If the VPN client pool is in the same subnet as the site A LAN, then you are probably just missing the following:
(1) check whether you have split tunneling configured, and whether the site B LAN is included in the split tunnel ACL.
(2) configure 'same-security-traffic permit intra-interface' on the site A ASA.
If the above has already been configured, please share the configuration of the two ASAs so we can check further.
-
AnyConnect VPN users cannot access remote subnets?
I have googled this until blue in the face without result. I don't understand why Cisco makes this so difficult. When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access resources in the remote offices. What should I do to allow my AnyConnect VPN clients access to my remote sites?
Cisco 5510 8.4
Hello
What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that leads the VPN pool traffic to the ASA, even if they have no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route is not directed to this ASA, then you would naturally need a route on the remote site (and anything in between) telling the remote site where to reach the 10.10.224.0/24 VPN pool network.
In addition to routing, you must have NAT0 configured for each remote site and the VPN pool.
A simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this:
object-group network REMOTE-SITES
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 10.10.40.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.224.0 255.255.255.0
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL
The above of course assumes that the remote sites are located behind the 'inside' interface (through some network, e.g. MPLS), and naturally the remote site networks are made up for the sake of the example.
Since you are using a full tunnel VPN, there should be no problem with the VPN user's traffic being sent to this ASA.
The first things I would check are the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (regarding reaching the VPN pool, not the ASA's own network IP address).
Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?
-Jouni
-
Urgent issue: remote VPN users cannot reach server in DMZ
Hi all
I have an ASA5510 firewall to which remote VPN client users can connect, but they cannot ping or access the DMZ server (192.168.3.5).
They also can't ping the outside interface (192.168.2.10). Below is the show run, please help.
ASA5510(config)# sh run
: Saved
:
: Serial Number: JMX1243L2BE
: Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 8.2(5)55
!
hostname Majed
enable password UFWSxxKWdnx8am8f encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
 nameif servers
 security-level 90
 ip address 192.168.3.10 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-55-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_outside extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_outside extended permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_outside extended permit ip any any
access-list acl_outside extended permit icmp any any
access-list acl_inside extended permit ip host 192.168.1.150 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.150 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip host 192.168.1.200 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.200 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip host 192.168.1.13 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.13 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.1.0 255.255.255.0 host 192.168.3.5
access-list acl_inside extended permit icmp 192.168.1.0 255.255.255.0 host 192.168.3.5
access-list acl_inside extended deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_inside extended deny icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list acl_server extended permit ip any any
access-list acl_server extended permit icmp any any
access-list Local_LAN_Access standard permit 10.0.0.0 255.0.0.0
access-list Local_LAN_Access standard permit 172.16.0.0 255.240.0.0
access-list Local_LAN_Access standard permit 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_servers extended permit ip any any
access-list acl_servers extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu servers 1500
ip local pool vpnpool 192.168.5.1-192.168.5.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (servers) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 192.168.1.4 255.255.255.255
nat (inside) 1 192.168.1.9 255.255.255.255
nat (inside) 1 192.168.1.27 255.255.255.255
nat (inside) 1 192.168.1.56 255.255.255.255
nat (inside) 1 192.168.1.150 255.255.255.255
nat (inside) 1 192.168.1.200 255.255.255.255
nat (inside) 1 192.168.2.5 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.96 192.168.1.96
nat (servers) 0 access-list nat0
nat (servers) 1 192.168.3.5 255.255.255.255
static (inside,servers) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (servers,inside) 192.168.3.5 192.168.3.5 netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_servers in interface servers
route outside 0.0.0.0 0.0.0.0 192.168.2.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.5 255.255.255.255 servers
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 servers
telnet 192.168.38.0 255.255.255.0 servers
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
 nem enable
username qaedah password Ipsf4W9G6cGueuSu encrypted
username moneef password FLlCyoJakDnWMxSQ encrypted
username chayma password X7ESmrqNBIo5eQO9 encrypted
username sanaa2 password zHa8FdVVTkIgfomY encrypted
username sanaa password x5fVXsDxboIhq68A encrypted
username sanaa1 password x5fVXsDxboIhq68A encrypted
username bajel password DygNLmMkXoZQ3.DX encrypted privilege 15
username daris password BgGTY7d1Rfi8P2zH encrypted
username taiz password Ip3HNgc.pYhYGaQT encrypted
username damt password gz1OUfAq9Ro2NJoR encrypted privilege 15
username aden password MDmCEhcRe64OxrQv encrypted
username hodaidah password IYcjP/rqPitKHgyc encrypted
username yareem password ctC9wXl2EwdhH2XY encrypted
username AMMD password ZwYsE3.Hs2/vAChB encrypted
username haja password Q25wF61GjmyJRkjS encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
username ibbmr password CNnADp0CvQzcjBY5 encrypted
username IBBR password oJNIDNCT0fBV3OSi encrypted
username ibbr password 2Mx3uA4acAbE8UOp encrypted
username ibbr1 password wiq4lRSHUb3geBaN encrypted
username TORBA password C0eUqr.qWxsD5WNj encrypted
username shibam password xJaTjWRZyXM34ou. encrypted
username ibbreef password 2Mx3uA4acAbE8UOp encrypted
username torbah password r3IGnotSy1cddNer encrypted
username thamar password 1JatoqUxf3q9ivcu encrypted
username dhamar password pJdo55.oSunKSvIO encrypted
username main password jsQQRH/5GU772TkF encrypted
username main1 password ef7y88xzPo6o9m1E encrypted
username Moussa password OYXnAYHuV80bB0TH encrypted
username majed password 7I3uhzgJNvIwi2qS encrypted
username lahj password qOAZDON5RwD6GbnI encrypted
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool vpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
Hello brother Mohammed.
"Can my ASA5510 work as both a VPN server and a VPN client at the same time?"
Yes, it can work as a client and a server at the same time.
I have never seen anyone do it, but from many years of experience I have no reason to think it would not work, because the two configurations (client/server) are independent of each other.
Does your ASA, functioning as the server, use the "DefaultL2LGroup", or does it use a standard group-policy and tunnel-group mapped to the remote client ASA?
Thank you
-
Remote VPN users cannot reach OSPF inter-area networks
Hi all
Area0 & Area1. The Area1 ASA has the remote VPN configuration, where users also use split tunneling. When VPN users connect, they can access all resources in Area1 successfully, but are unable to reach Area0 resources.
But Area0 PCs can ping the IP addresses of the connected VPN client software users. I tried 'debug icmp trace', but not a single message pops up when I initiate the ping from the VPN user's laptop.
FYI... Area1 N/w: 10.251.0.0/16, and 10.251.40.0/24 is used for the VPN DHCP users. Everything works well except for the Area0 reachability.
Any suggestions... ?
Thank you
MS
access-list sheep extended permit ip SiteA 255.255.0.0 SiteAVPN 255.255.255.0
access-list sheep extended permit ip SiteB 255.255.0.0 SiteAVPN 255.255.255.0
-
How to set up the VPN Client and a site-to-site tunnel on a Cisco 831
How can I configure a Cisco 831 router (branch office) so that it will accept incoming VPN Client connections and also initiate an IPsec site-to-site tunnel to our hub site, which uses a VPN 3005 concentrator? I could get the tunnel to work by configuring it in a dynamic crypto map, but interesting traffic on the Cisco 831 side would not bring the tunnel up. I could only bring it up from the hub side. If I use a static crypto map and apply it to the external interface of the 831 I can get this working, but then I couldn't get the VPN Client to work.
Thank you.
The dynamic map is called clientmap
The static map is called mymap
You should have:
no crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 10 ipsec-isakmp dynamic clientmap
interface Ethernet1
 crypto map mymap
Federico.
-
VPN users cannot access any resources
The user is able to connect, gets assigned an IP, we can see them connected
via ASDM, but they can't access anything in our network.
Hello
Check the following:
When you try to send the traffic, check the output of "sh cry ips sa" to make sure packets are encrypted/decrypted on both sides.
If it isn't...
It may be that NAT-T is not configured.
Check the configuration of:
crypto isakmp nat-t
sh run all sysopt --> should show sysopt connection permit-vpn
Test:
Add the command
management-access inside
and try to ping the ASA's inside IP address from the VPN client.
We'll go from there...
Federico.
-
Routing a site-to-site VPN to remote VPN users
Hello
We have a site-to-site VPN and a remote VPN configured on the same interface of an ASA 5520 (software version 8.3). When the remote VPN users try to connect to the computers located at the far end of the site-to-site VPN, their request fails. I tried a no-NAT between the remote VPN private IPs and the private IP addresses of the remote site, and also added the same to the split tunneling. Even tracert doesn't get through, and ping times out as well.
Is there any solution to make this work?
Shankar.
There are a few things that need to be added to make it work:
(1) on the ASA where the remote VPN users connect, you must add "same-security-traffic permit intra-interface"
(2) you mention that you have added the LAN of the remote site-to-site site in the split tunnel list, so that's good.
(3) on the ASA terminating the remote access VPN, you must also add the following:
- Crypto ACL for the site-to-site VPN must include the following:
access-list permit ip
(4) on the ASA of the remote site-to-site site, you must add:
- Crypto ACL for the site-to-site VPN must include the following:
access-list permit ip
- No-NAT: access-list permit ip
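As an added illustration, not code from this thread or from Cisco, the Python script below checks the prerequisites listed in this answer and in the site A/site B answer above against a pre-8.3 ASA running config: hairpinning enabled with same-security-traffic permit intra-interface, the remote LAN covered by the split-tunnel list (or a full tunnel), a NAT-exemption entry between the VPN pool and the remote LAN, and the site-to-site crypto ACL covering pool-to-remote-LAN traffic. The sample config is constructed, modeled on the Site1 configuration posted in the hairpinning thread further down this page, with a documentation peer address; the function names parse_config and check_hairpin are the script's own.

```python
import ipaddress
import re

# Constructed sample, modeled on the Site1 posting further down this page.
# The peer address is a documentation address and the line set is trimmed
# to what the checks read; it is not a real device's configuration.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address VPN-UK
crypto map outside_map 20 set peer 198.51.100.2
group-policy Clients_vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""

# The same config with the pool-to-remote-LAN crypto ACL line that point (3) calls for.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0\n"
)


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect the pre-8.3 ASA statements that decide whether RA clients can hairpin into an L2L tunnel."""
    cfg = {"intra": False, "acls": {}, "pools": [], "nat0": [], "crypto": [],
           "split_lists": [], "split_policy": None}
    patterns = [
        (r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$",
         lambda m: cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))),
        (r"access-list (\S+) standard permit (\S+) (\S+)$",
         lambda m: cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), None))),
        (r"ip local pool \S+ (\S+)-(\S+)(?: mask \S+)?$",
         lambda m: cfg["pools"].append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))),
        (r"nat \(\S+\) 0 access-list (\S+)$", lambda m: cfg["nat0"].append(m[1])),
        (r"crypto map \S+ \d+ match address (\S+)$", lambda m: cfg["crypto"].append(m[1])),
        (r"split-tunnel-network-list value (\S+)$", lambda m: cfg["split_lists"].append(m[1])),
        (r"split-tunnel-policy (\S+)$", lambda m: cfg.__setitem__("split_policy", m[1])),
        (r"same-security-traffic permit intra-interface$", lambda m: cfg.__setitem__("intra", True)),
    ]
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, action in patterns:
            m = re.match(pattern, line)
            if m:
                action(m)
                break
    return cfg


def _covers_pool(net, pool):
    """True when every address of the (first, last) pool range lies inside net."""
    return pool[0] in net and pool[1] in net


def check_hairpin(config_text, remote_lan):
    """Report the prerequisites for RA clients reaching remote_lan through the L2L tunnel."""
    cfg = parse_config(config_text)
    remote = ipaddress.ip_network(remote_lan)
    acls = cfg["acls"]

    def ext(names):  # extended (src, dst) entries of the named ACLs
        return [e for n in names for e in acls.get(n, []) if e[1] is not None]

    # (1) traffic must be allowed to enter and leave the same (outside) interface
    intra_ok = cfg["intra"]
    # (2) the client must send remote_lan into the tunnel: full tunnel, or a split entry covering it
    split_ok = cfg["split_policy"] == "tunnelall" or any(
        remote.subnet_of(src) for n in cfg["split_lists"] for src, _ in acls.get(n, []))
    # (3a) NAT exemption between the pool and the remote LAN, in either direction
    nat0_ok = any(
        (_covers_pool(src, p) and remote.subnet_of(dst)) or (remote.subnet_of(src) and _covers_pool(dst, p))
        for src, dst in ext(cfg["nat0"]) for p in cfg["pools"])
    # (3b) the L2L crypto ACL must treat pool -> remote LAN as interesting traffic
    crypto_ok = any(
        _covers_pool(src, p) and remote.subnet_of(dst)
        for src, dst in ext(cfg["crypto"]) for p in cfg["pools"])
    return {"intra_interface": intra_ok, "split_tunnel": split_ok,
            "nat0": nat0_ok, "crypto_acl": crypto_ok}


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("pool added to crypto ACL", FIXED_CONFIG)):
        print(label, check_hairpin(text, "172.18.2.0/24"))
```

On the sample the first three checks pass and only crypto_acl fails, which is the gap point (3) describes; adding the pool entry to the crypto ACL clears it. For point (4), run the same checks on the far-end ASA with the roles swapped (remote LAN as source, pool as destination in its crypto and no-NAT ACLs). The parser only understands the pre-8.3 nat (iface) 0 access-list form; an 8.3+ config such as the one in this thread uses object-based twice NAT and would need those statements added.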
-
VPN clients hairpinning through a site-to-site tunnel
I have an ASA 5510 running 8.2(5) in Site1 and an ASA 5505 running 8.2(1) in Site2; they are configured with a site-to-site tunnel.
Each site has VPN clients that connect, and I would like to allow clients on both sides to access servers across the site-to-site tunnel.
I enabled same-security-traffic permit intra-interface, and I also added the remote networks to the access list that does the split tunneling.
I think I'm doing something wrong with NAT, but I don't know; any help would be greatly appreciated.
Site1 (172.17.2.0/24), Clients1 (10.0.254.0/24)
ASA Version 8.2(5)
!
hostname site1
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address site1 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif DMZ
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound remark US Client Server UK
access-list inside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.123.0 255.255.255.0
access-list Split_Tunnel_List remark UK VPN Client pool
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
access-list outside-2 extended permit tcp any any eq smtp
access-list outside-2 extended permit tcp any any eq 82
access-list outside-2 extended permit tcp any any eq 81
access-list outside-2 extended permit tcp any any eq https
access-list outside-2 extended permit tcp any any eq imap4
access-list outside-2 extended permit tcp any any eq ldaps
access-list outside-2 extended permit tcp any any eq pop3
access-list outside-2 extended permit tcp any any eq www
access-list outside-2 extended permit tcp any any eq 5963
access-list outside-2 extended permit tcp any any eq ftp
access-list outside-2 extended permit tcp any any eq ftp-data
access-list outside-2 extended permit tcp any any eq 3389
access-list outside-2 extended deny tcp any any log
access-list outside-2 extended deny ip any any log
access-list outside-2 extended deny udp any any log
access-list VPN-CLIENTS extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPN-CLIENTS extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
access-list VPNClient_splittunnel standard permit 192.168.123.0 255.255.255.0
access-list VPNClient_splittunnel remark UK VPN Client pool
access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
access-list VPN-Northwoods extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list outside_nat0_outbound remark AD 01/05/13
access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.2.0 255.255.255.0
static (inside,outside) tcp interface smtp 172.17.2.200 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 82 172.17.2.253 82 netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.123.253 81 netmask 255.255.255.255
static (inside,outside) tcp interface https 172.17.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 172.17.2.10 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.17.2.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 172.17.2.19 www netmask 255.255.255.255
static (inside,outside) tcp interface 5963 172.17.2.108 5963 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 172.17.2.7 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 172.17.2.7 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.17.2.29 3389 netmask 255.255.255.255
access-group outside-2 in interface outside
route outside 0.0.0.0 0.0.0.0 74.213.51.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DCSI_Auth protocol radius
aaa-server DCSI_Auth (inside) host 172.17.2.29
 key *
aaa-server AD protocol nt
aaa-server AD (inside) host 172.16.1.211
aaa-server AD (inside) host 172.17.2.29
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp- esp-sha-hmac
crypto ipsec transform-set VPN-Client esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set VPN-Client
crypto map outside_map 20 match address VPN-UK
crypto map outside_map 20 set peer site2
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 30 match address VPN-Northwoods
crypto map outside_map 30 set peer othersite
crypto map outside_map 30 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption
 hash md5
 group 2
 lifetime 28800
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Clients_vpn internal
group-policy Clients_vpn attributes
 dns-server value 10.0.1.30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNClient_splittunnel
 default-domain value domain.local
 user-authentication enable
tunnel-group VPNclient type remote-access
tunnel-group VPNclient general-attributes
 address-pool VPNUserPool
 authentication-server-group DCSI_Auth
 default-group-policy Clients_vpn
tunnel-group VPNclient ipsec-attributes
 pre-shared-key *
tunnel-group othersite type ipsec-l2l
tunnel-group othersite ipsec-attributes
 pre-shared-key *
tunnel-group site2 type ipsec-l2l
tunnel-group site2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
class-map p2p
 match port tcp eq www
class-map P2P
 match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect im bine
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
policy-map IM_P2P
 class imblock
  inspect im bine
 class P2P
  inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893
: end
Site2 Clients1 (172.18.2.0/24) (172.255.2.0/24)
ASA Version 8.2 (1)
!
names of
name 172.18.2.2 UKserver
!
interface Vlan1
nameif inside
security-level 100
IP 172.18.2.1 255.255.255.0
!
interface Vlan2
nameif GuestWiFi
security-level 0
IP 192.168.2.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
IP address site2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 1-2
switchport vlan trunk native 2
switchport mode trunk
Speed 100
full duplex
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
permit same-security-traffic intra-interface
Access extensive list ip 172.18.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0
Access extensive list ip 172.17.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.18.2.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.17.2.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.255.2.0 255.255.255.0
Outside_2_Inside list extended access permit tcp any host otherhost eq smtp
Outside_2_Inside list extended access permit tcp any host otherhost eq pop3
Outside_2_Inside list extended access permit tcp any host otherhost eq imap4
Outside_2_Inside list extended access permit tcp any host otherhost eq www
Outside_2_Inside list extended access permit tcp any host otherhost eq https
Outside_2_Inside list extended access permit tcp any host otherhost eq ldap
Outside_2_Inside list extended access permit tcp any host otherhost eq ldaps
Outside_2_Inside list extended access permit tcp any host otherhost eq nntp
Outside_2_Inside list extended access permit tcp any host otherhost eq 135
Outside_2_Inside list extended access permit tcp any host otherhost eq 102
Outside_2_Inside list extended access permit tcp any host otherhost eq 390
Outside_2_Inside list extended access permit tcp any host otherhost eq 3268
Outside_2_Inside list extended access permit tcp any host otherhost eq 3269
Outside_2_Inside list extended access permit tcp any host otherhost eq 993
Outside_2_Inside list extended access permit tcp any host otherhost eq 995
Outside_2_Inside list extended access permit tcp any host otherhost eq 563
Outside_2_Inside list extended access permit tcp any host otherhost eq 465
Outside_2_Inside list extended access permit tcp any host otherhost eq 691
Outside_2_Inside list extended access permit tcp any host otherhost eq 6667
Outside_2_Inside list extended access permit tcp any host otherhost eq 994
Outside_2_Inside access list extended icmp permitted an echo
Outside_2_Inside list extended access permit icmp any any echo response
Outside_2_Inside list extended access permit tcp any host site2 eq smtp
Outside_2_Inside list extended access permit tcp any host site2 eq pop3
Outside_2_Inside list extended access permit tcp any host site2 eq imap4
Outside_2_Inside list extended access permit tcp any host site2 eq www
Outside_2_Inside list extended access permit tcp any host site2 eq https
Outside_2_Inside list extended access permit tcp any host site2 eq ldap
Outside_2_Inside list extended access permit tcp any host site2 eq ldaps
Outside_2_Inside list extended access permit tcp any host site2 eq nntp
Outside_2_Inside list extended access permit tcp any host site2 eq 135
Outside_2_Inside list extended access permit tcp any host site2 eq 102
Outside_2_Inside list extended access permit tcp any host site2 eq 390
Outside_2_Inside list extended access permit tcp any host site2 eq 3268
Outside_2_Inside list extended access permit tcp any host site2 eq 3269
Outside_2_Inside list extended access permit tcp any host site2 eq 993
Outside_2_Inside list extended access permit tcp any host site2 eq 995
Outside_2_Inside list extended access permit tcp any host site2 eq 563
Outside_2_Inside list extended access permit tcp any host site2 eq 465
Outside_2_Inside list extended access permit tcp any host site2 eq 691
Outside_2_Inside list extended access permit tcp any host site2 eq 6667
Outside_2_Inside list extended access permit tcp any host site2 eq 994
Outside_2_Inside list extended access permit tcp any SIP EQ host site2
Outside_2_Inside list extended access permit tcp any range of 8000-8005 host site2
Outside_2_Inside list extended access permit udp any range of 8000-8005 host site2
Outside_2_Inside list extended access udp allowed any SIP EQ host site2
Outside_2_Inside tcp extended access list deny any any newspaper
Outside_2_Inside list extended access deny udp any any newspaper
VPN - USA 172.255.2.0 ip extended access list allow 255.255.255.0 172.17.2.0 255.255.255.0
access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0
access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.255.2.0 255.255.255.0
access extensive list ip 172.255.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0
Comment by Split_Tunnel_List-list of access networks to allow via VPN
Standard access list Split_Tunnel_List allow 172.18.2.0 255.255.255.0
Standard access list Split_Tunnel_List allow 172.17.2.0 255.255.255.0
Standard access list Split_Tunnel_List allow 172.255.2.0 255.255.255.0
Standard access list Split_Tunnel_List allow 10.0.254.0 255.255.255.0
pager lines 20
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
logging debug-trace
mtu inside 1500
mtu GuestWiFi 1500
mtu outside 1500
ip local pool ClientVPN 172.255.2.100-172.255.2.124
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.18.2.0 255.255.255.0
nat (GuestWiFi) 2 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface smtp UKserver smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 UKserver pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 UKserver imap4 netmask 255.255.255.255
static (inside,outside) tcp interface www UKserver www netmask 255.255.255.255
static (inside,outside) tcp interface https UKserver https netmask 255.255.255.255
static (inside,outside) tcp interface ldap UKserver ldap netmask 255.255.255.255
static (inside,outside) tcp interface ldaps UKserver ldaps netmask 255.255.255.255
static (inside,outside) tcp interface nntp UKserver nntp netmask 255.255.255.255
static (inside,outside) tcp interface 135 UKserver 135 netmask 255.255.255.255
static (inside,outside) tcp interface 102 UKserver 102 netmask 255.255.255.255
static (inside,outside) tcp interface 390 UKserver 390 netmask 255.255.255.255
static (inside,outside) tcp interface 3268 UKserver 3268 netmask 255.255.255.255
static (inside,outside) tcp interface 3269 UKserver 3269 netmask 255.255.255.255
static (inside,outside) tcp interface 993 UKserver 993 netmask 255.255.255.255
static (inside,outside) tcp interface 995 UKserver 995 netmask 255.255.255.255
static (inside,outside) tcp interface 563 UKserver 563 netmask 255.255.255.255
static (inside,outside) tcp interface 465 UKserver 465 netmask 255.255.255.255
static (inside,outside) tcp interface 691 UKserver 691 netmask 255.255.255.255
static (inside,outside) tcp interface 6667 UKserver 6667 netmask 255.255.255.255
static (inside,outside) tcp interface 994 UKserver 994 netmask 255.255.255.255
access-group Outside_2_Inside in interface outside
route outside 0.0.0.0 0.0.0.0 87.224.93.53 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host UKserver
 key DCSI_vpn_Key07
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set trans_set esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set trans_set
crypto dynamic-map DYN_MAP 20 set reverse-route
crypto map outside_map 20 match address VPN-USA
crypto map outside_map 20 set peer othersite2 site1
crypto map outside_map 20 set transform-set trans_set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
telnet timeout 5
ssh timeout 25
console timeout 0
dhcpd dns 8.8.8.8 UKserver
!
dhcpd address 172.18.2.100-172.18.2.149 inside
dhcpd enable inside
!
dhcpd address 192.168.2.50-192.168.2.74 GuestWiFi
dhcpd enable GuestWiFi
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy USER_VPN internal
group-policy USER_VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 user-authentication enable
tunnel-group othersite2 type ipsec-l2l
tunnel-group othersite2 ipsec-attributes
 pre-shared-key *
tunnel-group USER_VPN type remote-access
tunnel-group USER_VPN general-attributes
 address-pool ClientVPN
 authentication-server-group (outside) vpn
 default-group-policy USER_VPN
tunnel-group USER_VPN ipsec-attributes
 pre-shared-key *
tunnel-group site1 type ipsec-l2l
tunnel-group site1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d000c75c8864547dfabaf3652d81be71
: end
Hello
The output seems to say that traffic is indeed being sent through the L2L VPN connection.
Can you ping from hosts on the 172.18.2.0/24 network to hosts on the 172.17.2.0/24 network?
Have you tried several different target hosts on the network you are trying to ping, so we can rule out the actual devices simply not answering these pings?
- Jouni
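The replies in this thread keep circling the same four settings, so here is a small checker for them, written for this page and not taken from the thread or from Cisco: it parses the pre-8.3 ASA syntax shown above and reports whether remote-access clients can reach the site-to-site subnet. The sample config is constructed for the example (modelled on the first configuration in the thread); the remote LAN 172.17.2.0/24 and the three missing lines in the BROKEN version are assumptions for the illustration.

```python
import ipaddress

# Constructed sample modelled on the pre-8.3 config posted above. The remote
# L2L LAN is assumed to be 172.17.2.0/24. Three requirements are deliberately
# missing: intra-interface hairpin, the split-tunnel entry, and the pool ->
# remote pair in the L2L crypto map ACL. NAT exemption is already correct.
BROKEN = """\
ip local pool ClientVPN 172.255.2.100-172.255.2.124
access-list VPN-USA extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address VPN-USA
group-policy USER_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
"""

# The same config with the three missing lines added (line order is
# irrelevant to the checker).
FIXED = BROKEN + """\
same-security-traffic permit intra-interface
access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
"""


def _take_net(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == 'any':
        return ipaddress.ip_network('0.0.0.0/0'), tokens[1:]
    if tokens[0] == 'host':
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f'{tokens[0]}/{tokens[1]}', strict=False), tokens[2:]


def parse_acls(config):
    """Map ACL name -> list of (src, dst) networks; dst is None for standard ACLs."""
    acls = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != 'access-list':
            continue
        try:
            if t[2] == 'extended' and t[3:5] == ['permit', 'ip']:
                src, rest = _take_net(t[5:])
                dst, _ = _take_net(rest)
                acls.setdefault(t[1], []).append((src, dst))
            elif t[2] == 'standard' and t[3] == 'permit':
                net, _ = _take_net(t[4:])
                acls.setdefault(t[1], []).append((net, None))
        except (IndexError, ValueError):
            continue  # remarks, tcp/udp entries and denies are not needed here
    return acls


def _pool_networks(config):
    """'ip local pool NAME A-B ...' -> (NAME, networks that exactly cover A..B)."""
    for raw in config.splitlines():
        t = raw.split()
        if t[:3] == ['ip', 'local', 'pool']:
            first, last = (ipaddress.ip_address(a) for a in t[4].split('-'))
            return t[3], list(ipaddress.summarize_address_range(first, last))
    return None, []


def _first_arg(lines, prefix):
    for line in lines:
        if line.startswith(prefix + ' '):
            return line[len(prefix):].strip()
    return None


def _pair_covered(entries, pool_nets, remote):
    """True if one extended entry permits every pool address to the remote LAN."""
    return bool(pool_nets) and any(
        dst is not None and remote.subnet_of(dst) and all(p.subnet_of(src) for p in pool_nets)
        for src, dst in entries)


def check_ra_to_l2l(config, remote_lan):
    """Return the list of problems that stop RA clients from reaching remote_lan."""
    remote = ipaddress.ip_network(remote_lan)
    lines = [l.strip() for l in config.splitlines()]
    acls = parse_acls(config)
    pool, pool_nets = _pool_networks(config)
    findings = []

    # 1. Client traffic enters and leaves the same interface (outside).
    if 'same-security-traffic permit intra-interface' not in lines:
        findings.append("missing 'same-security-traffic permit intra-interface': "
                        "RA traffic hairpins on 'outside' and is dropped")

    # 2. The client only tunnels what the split-tunnel ACL lists.
    split = _first_arg(lines, 'split-tunnel-network-list value')
    if not any(remote.subnet_of(net) for net, _ in acls.get(split, [])):
        findings.append(f"split-tunnel ACL {split} does not include {remote}: "
                        "clients send that traffic out their local interface, not the tunnel")

    # 3. Pool -> remote must be exempt from PAT or it never matches the L2L ACL.
    nat0 = _first_arg(lines, 'nat (inside) 0 access-list')
    if not _pair_covered(acls.get(nat0, []), pool_nets, remote):
        findings.append(f"nat 0 ACL {nat0} does not exempt pool {pool} -> {remote}")

    # 4. The L2L crypto map ACL (and its mirror on the peer) must carry the pair.
    l2l_acls = [l.split()[-1] for l in lines
                if l.startswith('crypto map ') and ' match address ' in l]
    if not any(_pair_covered(acls.get(a, []), pool_nets, remote) for a in l2l_acls):
        findings.append(f"no L2L crypto map ACL {l2l_acls} permits pool {pool} -> {remote}: "
                        "the remote peer must mirror the same pair in its own ACL")
    return findings


if __name__ == '__main__':
    for name, cfg in (('BROKEN', BROKEN), ('FIXED', FIXED)):
        print(name, check_ra_to_l2l(cfg, '172.17.2.0/24') or ['ok'])
```

Point 4 is the one that is easy to forget: adding the pool to the local crypto ACL is not enough, the AWS (or other peer) side needs the mirror-image entry, otherwise phase 2 never negotiates an SA for that pair and the packets are silently dropped.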
-
Remote user cannot access the internet
Hello
I have a problem with my remote VPN users. They can't access the internet after they establish the VPN connection. I read about split tunneling and I think it's set up right, but it does not work.
Please, if you have time, take a look. I have attached my ASA 5505 configuration.
Best regards.
Your split tunneling is configured correctly, but the group policy in which this configuration is done is not applied to the tunnel-group:
tunnel-group monitoring_vpn_group general-attributes
 default-group-policy monitoring_vpn_policy
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Why can't my VPN clients access network drives and resources?
I have a Cisco ASA 5505 configured as a VPN gateway. I can dial in using the AnyConnect VPN client. The remote user is assigned an IP address per my specifications. However... the remote user cannot access network resources such as network drives or the fax server. I've done everything I can to set the right NAT settings and ACLs, but in vain. I'm posting my config... if someone can track down the problem, it would be appreciated!
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name cisco
enable password xxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
names
name 68.191.xxx.xxx outside
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.201.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outside 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.201.1
 domain-name cisco
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network obj-192.168.201.0
access-list NAT-FREE extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list NAT-FREE extended permit ip any 192.168.202.0 255.255.255.0
access-list NAT-FREE extended permit ip 192.168.202.0 255.255.255.0 any
access-list NAT-FREE extended permit icmp any any
allow any scope to an entire ip access list
allow any scope to the object-group TCPUDP an entire access list
allow any scope to an entire icmp access list
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any
access-list outside_access_in extended permit icmp any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit icmp any any
access-list inside_nat0_outbound_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.201.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
route inside 0.0.0.0 255.255.255.255 outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.201.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair xxx
 proxy-ldc-issuer
 crl configure
 XXXXXXXXXXXXXXXXXXXXXXXX
 quit
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 enable inside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.201.1
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value cisco
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable
group-policy KunduVPN internal
group-policy KunduVPN attributes
 wins-server none
 dns-server value 192.168.201.1
 vpn-tunnel-protocol svc webvpn
 default-domain value cisco
username xxxx
username xxxxx
 vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNIP
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group KunduVPN type remote-access
tunnel-group KunduVPN general-attributes
 address-pool (inside) VPNIP
 address-pool KunduVPN
 authentication-server-group (inside) LOCAL
 default-group-policy KunduVPN
tunnel-group KunduVPN webvpn-attributes
 group-alias KunduVPN enable
 group-url https://68.191.xxx.xxx/KunduVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
: end
Hello
What is the gateway IP address of the LAN hosts/servers?
If it is not the ASA 'inside' interface IP address, then I assume the problem with the VPN is simply routing.
For example, if your LAN hosts/servers use a wireless LAN router as their gateway, the following would happen to your VPN client connections:
- VPN clients form the VPN connection through the static PAT (port forward) configured on the wireless router to the ASA 'inside' interface
- The VPN client sends traffic through the VPN to the ASA and on to the LAN host/server.
- The LAN host/server sees the connection coming from a network other than the LAN (192.168.202.0/24) and therefore forwards the return traffic to its default gateway, which would likely be the wireless router.
- The wireless router has no route to the 192.168.202.0/24 network (VPN pool) and therefore uses its default route to forward the traffic to the external network.
- The VPN client host never receives the return traffic, as it is sent to the external network and dropped by the ISP.
So if the above assumption is correct, then you would at least need a route configured on the wireless router that tells the device to forward traffic destined to the 192.168.202.0/24 network to the gateway IP address 192.168.201.200 (which is the ASA).
Let me know if the setup is as described above.
- Jouni
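To make the return-path problem in the answer above concrete, here is a longest-prefix-match trace written for this page (not part of the thread). The LAN 192.168.201.0/24, the ASA inside address 192.168.201.200, the VPN pool 192.168.202.0/24 and the ASA's default route via 192.168.201.1 are taken from the posted config; that 192.168.201.1 is a wireless router with its own default route to an ISP is the assumption the answer makes, and the device and link names are made up for the illustration.

```python
import ipaddress

# Per-device routing tables: (prefix, next hop). A next hop that is not a
# known IP is a terminal: the link the packet leaves on, or a drop.
# Addresses from the posted config; the wifi-router's table is assumed.
TABLES = {
    'lan-host': [('0.0.0.0/0', '192.168.201.1')],
    'wifi-router': [('192.168.201.0/24', 'connected'),
                    ('0.0.0.0/0', 'isp')],
    'asa': [('192.168.201.0/24', 'connected'),
            ('192.168.202.0/24', 'vpn-tunnel'),       # the RA client pool
            ('0.0.0.0/0', '192.168.201.1')],           # 'route inside 0.0.0.0 0.0.0.0 192.168.201.1'
}
# Which device owns which next-hop address.
OWNER = {'192.168.201.1': 'wifi-router', '192.168.201.200': 'asa'}


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Follow dst hop by hop from start; the last element is the exit link."""
    path = [start]
    device = start
    for _ in range(max_hops):
        next_hop = lookup(tables[device], dst)
        if next_hop not in OWNER:
            path.append(next_hop)   # terminal ('isp', 'vpn-tunnel', ...) or None
            return path
        device = OWNER[next_hop]
        path.append(device)
    path.append('loop')
    return path


def with_static_route(tables):
    """The fix from the answer: point the VPN pool at the ASA on the router."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed['wifi-router'].append(('192.168.202.0/24', '192.168.201.200'))
    return fixed


if __name__ == '__main__':
    client = '192.168.202.7'   # an address from the KunduVPN pool
    print('before:', ' -> '.join(trace(TABLES, 'lan-host', client)))
    print('after: ', ' -> '.join(trace(with_static_route(TABLES), 'lan-host', client)))
```

Before the static route the reply from the LAN host ends at the ISP; after it, the wireless router's new /24 entry beats its /0 default and the reply reaches the ASA and the tunnel. The same asymmetric-path failure shows up in the `sh crypto ipsec sa` symptom of the next question (packets decapsulated but nothing encapsulated): the ASA decrypts inbound client traffic, but the replies never come back to it to be encrypted.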
-
The VPN clients cannot access any internal address
Without a doubt need help from an expert on this one...
Attempting to set up VPN client access on an ASA 5520 that has been used only as a firewall so far. The ASA was recently updated to Version 7.2(4).
Problem: Once connected, the VPN client cannot access anything whatsoever. The VPN client cannot ping any address on the internal networks, or even the inside interface of the ASA.
(Hopefully) relevant details:
(1) The tunnel seems to be up. Clients are authenticated by the ASA and are able to connect.
(2) Per many other related posts, I ran a "sh crypto ipsec sa" to see the output: it appears that packets are decapsulated and decrypted, but NOT encapsulated or encrypted (see the attached output of "sh crypto ipsec sa").
(3) Per other related posts, we added the NAT traversal related commands (crypto isakmp nat-traversal 20 and crypto isakmp ipsec-over-tcp port 10000). These were in fact absent from our configuration.
(4) We tried TCP encapsulation and UDP encapsulation with experimental client profiles: same result in both cases.
(5) If I (attempt to) ping an internal IP address from the connected client, the real-time ASA log entries show the setup and teardown of the ICMP requests from the client to the internal target.
(6) A packet capture at the internal address (the one we try to ping from the VPN client) shows that the ICMP request was received and answered (see attached capture).
(7) Our goal is to create about 10 different VPN client profiles, each with different combinations of access to the internal VLAN or DMZ VLAN. We have no preference for the type of encryption or method, as long as it is secure and it works: that said, feel free to recommend a different approach altogether.
We have tried everything we can think of, so any help or advice would be greatly appreciated!
The sanitized ASA configuration is also attached.
Thank you!
It should be the last step :)
On the 6509:
ip route 172.16.100.0 255.255.255.0 172.16.20.2
and on the ASA:
no route inside 172.16.40.0 255.255.255.0 172.16.20.2
-
Original title: I have two users on Vista. One comes up with "Windows cannot access the specified device, path..." etc. The other has no problem
The second user cannot access the internet. A "cannot access" window appears. The other user has no problems.
Hi Rickravel,
1. What type of account are you using?
2. Does this only happen when you access the Internet?
3. When did the problem start?
4. Do you remember making any changes to the computer before this problem?
Step 1:
You can start in Safe Mode with Networking and see if the problem occurs in the account.
You can see the following link to start in Safe Mode with Networking.
Start your computer in safe mode
Note: Restart the computer to boot into normal mode.
Step 2:
If you use Internet Explorer, then you can try disabling add-ons and check if it helps:
Run Internet Explorer with no add-ons. Steps to open Internet Explorer in no add-ons mode:
a. Click Start
b. In the search box, type Internet Explorer
c. Select Internet Explorer (No Add-ons)
If you were able to access the website without any problems, then an add-on may be causing the error.
You can read the following article and try the steps to enable the add-ons individually to determine which add-ons may be causing the problem.
How do browser add-ons affect my computer?
Hope this information is useful.
-
Cannot log on - when entering the password, the message "The User Profile Service service failed the logon. User profile cannot be loaded" appears; cannot access the Start menu to apply the options.
Hello
The first thing to try is a System Restore in Safe Mode to before the problem
http://www.windowsvistauserguide.com/system_restore.htm
Windows Vista
Using the F8 method:
- Restart your computer.
- When the computer starts, you will see your computer hardware being listed. When you see this information, begin tapping the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
- Select the Safe Mode option with the arrow keys.
- Then press Enter on your keyboard to boot into Vista Safe Mode.
- When Windows starts, you'll be at a typical logon screen. Log on to your computer and Vista goes into Safe Mode.
- Do whatever tasks you need and when you are done, reboot to return to normal mode.
If that does not solve it, read on
Read the tutorial below
When you log on to a Windows Vista-based or Windows 7-based computer by using a temporary profile, you receive the following error message:
The User Profile Service failed the logon. User profile cannot be loaded. http://support.Microsoft.com/kb/947215#letmefixit
Your user profile was not loaded correctly! You have been logged on with a temporary profile.
http://support.Microsoft.com/kb/947242
If you tried to log on to Windows and received an error message telling you that your user profile is corrupted, you can try to fix it. You will need to create a new profile and then copy the files from the existing profile to the new one. You must have at least three user accounts on the computer to perform these operations, including the new account that you created.
http://Windows.Microsoft.com/en-us/Windows-Vista/fix-a-corrupted-user-profile
-
Cannot access a website using JavaScript
Cannot access a website using JavaScript. I'm not sure what is blocking it. I use Win 7, Avast Free, Malwarebytes Anti-Malware.
I get a pop-up window with
Name: mcs
Location: http://myspeedtest02.windstream.net
saying "Application blocked by security settings, blocking untrusted application".
I don't know what is blocking it, but suspect it is related to Windows security.
I think the Java applet is blocked, but I would like to run this speed test from my ISP. I tried to access the website from Google Chrome and IE, with the same result. Does anybody know what blocks this and how to unblock it?
This is actually not JavaScript, it's Java. Despite the name, they are really very different.
Java itself can be dangerous, especially if it is not a trusted application. It is my sincere recommendation that you do not continue.
If you want to anyway, you can go into your Control Panel, open the Java settings and set it to allow untrusted applications.