Remote VPN users cannot reach OSPF Inter networks

Similar Questions

• Urgent issue: remote vpn users cannot reach server dmz

  Hi all

  I have an asa5510 firewall in which remote vpn client users can connect but they cannot ping or access the dmz (192.168.3.5) Server

  They also can't ping the out interface (192.168.2.10), below is the show run, please help.

  SH run

  ASA5510 (config) # sh run
  : Saved
  :
  : Serial number: JMX1243L2BE
  : Material: ASA5510, 256 MB RAM, Pentium 4 Celeron 1599 MHz processor
  :
  ASA 5,0000 Version 55
  !
  Majed hostname
  activate the encrypted password of UFWSxxKWdnx8am8f
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  DNS-guard
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  IP 192.168.2.10 255.255.255.0
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  192.168.1.10 IP address 255.255.255.0
  !
  interface Ethernet0/2
  nameif servers
  security-level 90
  192.168.3.10 IP address 255.255.255.0
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  boot system Disk0: / asa825-55 - k8.bin
  passive FTP mode
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  acl_outside to access extended list ip 192.168.5.0 allow 255.255.255.0 192.168.1.0 255.255.255.0
  acl_outside list extended access allow icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
  acl_outside of access allowed any ip an extended list
  acl_outside list extended access permit icmp any one
  acl_inside list extended access allowed host ip 192.168.1.150 192.168.5.0 255.255.255.0
  acl_inside list extended access allowed host icmp 192.168.1.150 192.168.5.0 255.255.255.0
  acl_inside list extended access allowed host ip 192.168.1.200 192.168.5.0 255.255.255.0
  acl_inside list extended access allowed host icmp 192.168.1.200 192.168.5.0 255.255.255.0
  acl_inside list extended access allowed host ip 192.168.1.13 192.168.5.0 255.255.255.0
  acl_inside list extended access allowed host icmp 192.168.1.13 192.168.5.0 255.255.255.0
  acl_inside to access ip 192.168.1.0 scope list allow 255.255.255.0 host 192.168.3.5
  acl_inside list extended access allow icmp 192.168.1.0 255.255.255.0 host 192.168.3.5
  acl_inside list extended access deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
  acl_inside list extended access deny icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
  acl_inside of access allowed any ip an extended list
  acl_inside list extended access permit icmp any one
  acl_server of access allowed any ip an extended list
  acl_server list extended access permit icmp any one
  Local_LAN_Access list standard access allowed 10.0.0.0 255.0.0.0
  Local_LAN_Access list standard access allowed 172.16.0.0 255.240.0.0
  Local_LAN_Access list standard access allowed 192.168.0.0 255.255.0.0
  access-list nat0 extended ip 192.168.0.0 allow 255.255.0.0 192.168.0.0 255.255.0.0
  allow acl_servers to access extensive ip list a whole
  acl_servers list extended access allow icmp a whole
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  MTU 1500 servers
  IP local pool 192.168.5.1 - 192.168.5.100 mask 255.255.255.0 vpnpool
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  interface of global (servers) 1
  NAT (inside) 0 access-list nat0
  NAT (inside) 1 192.168.1.4 255.255.255.255
  NAT (inside) 1 192.168.1.9 255.255.255.255
  NAT (inside) 1 192.168.1.27 255.255.255.255
  NAT (inside) 1 192.168.1.56 255.255.255.255
  NAT (inside) 1 192.168.1.150 255.255.255.255
  NAT (inside) 1 192.168.1.200 255.255.255.255
  NAT (inside) 1 192.168.2.5 255.255.255.255
  NAT (inside) 1 192.168.1.0 255.255.255.0
  NAT (inside) 1 192.168.1.96 192.168.1.96
  NAT (servers) - access list 0 nat0
  NAT (servers) 1 192.168.3.5 255.255.255.255
  static (inside, servers) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (servers, inside) 192.168.3.5 192.168.3.5 netmask 255.255.255.255
  Access-group acl_outside in interface outside
  Access-group acl_servers in the servers of the interface
  Route outside 0.0.0.0 0.0.0.0 192.168.2.15 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.3.5 255.255.255.255 servers
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic outside_dyn_map 10 the value transform-set ESP-3DES-SHA
  Crypto-map dynamic outside_dyn_map 10 set security-association life seconds288000
  Crypto-map dynamic outside_dyn_map 10 kilobytes of life together - the association of safety 4608000
  Crypto-map dynamic outside_dyn_map 10 the value reverse-road
  map Outside_map 10-isakmp ipsec crypto dynamic outside_dyn_map
  Outside_map interface card crypto outside
  ISAKMP crypto identity hostname
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 192.168.2.0 255.255.255.0 outside
  Telnet 192.168.1.0 255.255.255.0 inside
  Telnet 192.168.3.0 255.255.255.0 servers
  Telnet 192.168.38.0 255.255.255.0 servers
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal vpn group policy
  attributes of vpn group policy
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list Local_LAN_Access
  allow to NEM
  password encrypted qaedah Ipsf4W9G6cGueuSu user name
  password encrypted moneef FLlCyoJakDnWMxSQ user name
  chayma X7ESmrqNBIo5eQO9 username encrypted password
  sanaa2 zHa8FdVVTkIgfomY encrypted password username
  sanaa x5fVXsDxboIhq68A encrypted password username
  sanaa1 x5fVXsDxboIhq68A encrypted password username
  bajel encrypted DygNLmMkXoZQ3.DX privilege 15 password username
  daris BgGTY7d1Rfi8P2zH username encrypted password
  taiz Ip3HNgc.pYhYGaQT username encrypted password
  damt gz1OUfAq9Ro2NJoR encrypted privilege 15 password username
  aden MDmCEhcRe64OxrQv username encrypted password
  username hodaidah encrypted password of IYcjP/rqPitKHgyc
  username yareem encrypted password ctC9wXl2EwdhH2XY
  AMMD ZwYsE3.Hs2/vAChB username encrypted password
  haja Q25wF61GjmyJRkjS username encrypted password
  cisco 3USUcOPFUiMCO4Jk encrypted password username
  ibbmr CNnADp0CvQzcjBY5 username encrypted password
  IBBR oJNIDNCT0fBV3OSi encrypted password username
  ibbr 2Mx3uA4acAbE8UOp encrypted password username
  ibbr1 wiq4lRSHUb3geBaN encrypted password username
  password username: TORBA C0eUqr.qWxsD5WNj encrypted
  username, password shibam xJaTjWRZyXM34ou. encrypted
  ibbreef 2Mx3uA4acAbE8UOp encrypted password username
  username torbah encrypted password r3IGnotSy1cddNer
  thamar 1JatoqUxf3q9ivcu encrypted password username
  dhamar pJdo55.oSunKSvIO encrypted password username
  main jsQQRH/5GU772TkF encrypted password username
  main1 ef7y88xzPo6o9m1E encrypted password username
  password username Moussa encrypted OYXnAYHuV80bB0TH
  majed 7I3uhzgJNvIwi2qS encrypted password username
  lahj qOAZDON5RwD6GbnI encrypted password username
  vpn tunnel-group type remote access
  VPN tunnel-group general attributes
  address vpnpool pool
  Group Policy - by default-vpn
  Tunnel vpn ipsec-attributes group
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !

  Hello brother Mohammed.

  "my asa5510 to work easy as Server & client vpn at the same time.?

  Yes, it can work as a client and a server at the same time.

  I have never seen anyone do it but many years of my understanding, I have no reason to think why it may be because the two configurations (client/server) are independent of each other.

  Your ASA function as server uses the "DefaultL2LGroup" or it uses standard group policy and tunnel-group are mapped to the remote clients ASA?

  Thank you

• Remote VPN users cannot access tunnel from site to site

  Cisco ASA5505.

  I have a tunnel of site-to-site set up from our office to our Amazon AWS VPC.  I'm not a network engineer and have spent way too much time just to get to this point.

  It works very well since within the office, but users remote VPN can not access the tunnel from site to site.  All other remote access looks very good.

  The current configuration is here: https://gist.github.com/pmac72/f483ea8c7c8c8c254626

  Any help or advice would be greatly appreciated.  It is probably super simple for someone who knows what they're doing to see the question.

  Hi Paul.

  Looking at your configuration:

  Remote access:

  internal RA_GROUP group policy
  RA_GROUP group policy attributes
  value of server DNS 8.8.8.8 8.8.4.4
  Protocol-tunnel-VPN IPSec
  value of Split-tunnel-network-list Split_Tunnel_List

  permit same-security-traffic intra-interface
   
  type tunnel-group RA_GROUP remote access
  attributes global-tunnel-group RA_GROUP
  address RA_VPN_POOL pool
  Group Policy - by default-RA_GROUP
  IPSec-attributes tunnel-group RA_GROUP
  pre-shared key *.
   
  local pool RA_VPN_POOL 10.0.0.10 - 255.255.255.0 IP 10.0.0.50 mask

  Site to site:

  card crypto outside_map 1 match address acl-amzn
  card crypto outside_map 1 set pfs
  peer set card crypto outside_map 1 AWS_TUNNEL_1_IP AWS_TUNNEL_2_IP
  card crypto outside_map 1 set of transformation transformation-amzn
   
   
  I recommend you to use a local IP address pool with a different IP address that deals with the inside interface uses, now you are missing NAT are removed from the IP local pool to the destination of the site to site:
   
  NAT_EXEMPT list of ip 10.0.0.0 access allow 255.255.255.0 172.17.0.0 255.255.0.0
   
  NAT (outside) 0-list of access NAT_EXEMPT
   
  Now, there's a dynamically a NAT exempt allowing traffic to go out and are not translated.
   
  I would like to know how it works!
   
  Please don't forget to rate and score as correct the helpful post!
   
  Kind regards
   
  David Castro,
   
   

• Routing of a VPN from Site to site to remote VPN users

  Hello

  We have a site and remote vpn site configured in the same interface in ASA 5520 (software version 8.3). When the remote vpn users try to connect to the computers located at the far end of the site to site VPN, their request has failed. I tried No.-Nat between remote vpn IP private to the private IP address of remote site, also said the same split tunneling. I can't find even the tracert, ping has also expired.

  Is there any solution to make this live thing.

  Shankar.

  There are a few things that need to be added to make it work:

  (1) on the SAA where remote vpn users connect to, you must add "permit same-security-traffic intra-interface"

  (2) you mention that you have added the LAN of remote site-to-site in the list of split tunnel, so that's good.

  (3) on the SAA ending the vpn for remote access, you must also add the following text:

  -Crypto ACL for the site to site VPN must include the following:

  permit ip access list

  (4) on the ASA site to remote site, you must add:

  -Crypto ACL for the site to site VPN must include the following:

  permit ip access list

  -No - Nat: ip access list allow

• ASA5510 VPN L2L cannot reach hosts on the other side

  Hello experts,

  I have an ASA5510 with 3 VPN L2L and remote VPN access. Two VPN L2L, Marielle and Aeromique no problem, but for VPN ASPCANADA, to a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

  Add these two lines to the NAT 0 access list:

  inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.251

  inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.250

  Also make sure this reflection of these statements are also in the distance of the ASA NAT 0-list of access.

  Test and validate results

  HTH

  Sangaré

  Pls rate helpful messages

• Remote vpn client can't access outside networks

  I configured a remote vpn ASA 5510 the wizard remote vpn. Users are able to get the vpn connection and access the internal network; but IMPOSSIBLE to

  access the outside network. (For the internal network, I want to talk about network behind the vpn to ASA, outside networks refers to society outside the ASA).

  In short, the external network of the company has default route to the ROUTER1 points. The ROUTER1 has road for access network and a default route to the internet. The ASA has a default route to the ROUTER1 points. the ROUTER1 also has a route to the address of the user remote vpn refers to the ASA.

  Hope it wise.

  But I don't know if my nat statement is correct. below is my statement of nat, is there something obvious lack? There is no translation network here, routable internet addresses.

  NAT (inside) 0-list of access inside_nat0_outbound

  public static 111.1.0.0 (Interior, exterior) 111.1.0.0 netmask 255.255.255.0

  public static 111.1.1.0 (Interior, exterior) 111.1.1.0 netmask 255.255.255.0

  public static 111.1.2.0 (Interior, exterior) 111.1.2.0 netmask 255.255.255.0

  networks outside the company (111.1.3.0/24; 111.1.4.0/24)

  |

  |

  the user remote vpn <-------------->internet <--------------------->ROUTER1 - ASA - Cat6509 - inside the network

  Any suggestion is appreciated.

  Thank you

  have you enabled "same-security-traffic intra-interface.

• Remote VPN users

  Hello

  I would just ask how many simultaneous remote client VPN users is allowed for a Cisco1841 router? Are there licenses required?

  Also, will there be a degradation of the performance of the router if there as 15 concurrent users active remote client and VPN L2L 2?

  Thank you!

  For IPSEC, I don't think that there are all the necessary licenses. For SSL, they (but it still works without the license, but unethical).

  Concerning

  Farrukh

• Please help, my iphone cannot reach the cellular network

  Please help me, my phone can not reach the cellular network since this morning (5 h). I have already contacted the network support and they said that there is nothing wrong with the network. the State on the screen 'search'... Please help me... I can't use my phone... Help, please

  You can try to reset your device. It will not destroy your data.

  Press and hold the sleep/wake button

  Press and hold the Home button

  Press and hold both buttons until the display turns off and on again with the Apple logo on the subject.

  Another way is to go to settings - general - reset - Reset all settings

• AnyConnect VPN users cannot access remote subnets?

  I googled this until blue in the face without result.  I don't understand why Cisco this so difficult?  When clients connect to the anyconnect vpn, they can access the local subnet, but cannot access the resources in remote offices.  What should I do to allow my anyconnect vpn clients access to my remote sites?

  Cisco 5510 8.4

  Hello

  What are remote sites using as Internet gateway? Their default route here leads to the ASA or have their own Internet gateway? If they use this ASA for their Internet connection while they should already have a default route that leads traffic to the VPN to the pool, even if they had no specific route for the VPN itself pool. If they use their own local Internet gateway and the default route is not directed to this ASA then you would naturally have a route on the remote site (and anything in between) indicating the remote site where to join the pool of 10.10.224.0/24 VPN network.

  In addition to routing, you must have configured for each remote site and the VPN pool NAT0

  Just a simple example of NAT0 configuration for 4 networks behind the ASA and simple VPN field might look like this

  object-group network to REMOTE SITES

  object-network 10.10.10.0 255.255.255.0

  object-network 10.10.20.0 255.255.255.0

  object-network 10.10.30.0 255.255.255.0

  object-network 10.10.40.0 255.255.255.0

  network of the VPN-POOL object

  10.10.224.0 subnet 255.255.255.0

  NAT static destination DISTANCE-SITES SITES source (indoor, outdoor) REMOTE static VPN-VPN-POOL

  The above of course assumes that the remote site are located behind the interface 'inside' (although some networks, MPLS) and naturally also the remote site networks are made for the sake of examples.

  Since you are using Full Tunnel VPN should be no problem to the user VPN transfer traffic to this ASA in question.

  My first things to check would be configuring NAT0 on the ASA and routing between remote sites and this ASA (regarding to reach the VPN pool, not the ASA network IP address)

  Are you sure that the configuration above is related to this? Its my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?

  -Jouni

• Cisco ASA 5505 VPN L2TP cannot access the internal network

  Hello

  I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.

  Can you jhelp me to find the problem?

  I have Cisco ASA:

  within the network - 192.168.1.0

  VPN - 192.168.168.0 network

  I have the router to 192.168.1.2 and I cannot ping or access this router.

  Here is my config:

  ASA Version 8.4 (3)

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 198.X.X.A 255.255.255.248

  !

  passive FTP mode

  permit same-security-traffic intra-interface

  the net-all purpose network

  subnet 0.0.0.0 0.0.0.0

  network vpn_local object

  192.168.168.0 subnet 255.255.255.0

  network inside_nw object

  subnet 192.168.1.0 255.255.255.0

  outside_access_in list extended access permit icmp any any echo response

  outside_access_in list extended access deny ip any any newspaper

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool sales_addresses 192.168.168.1 - 192.168.168.254

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT dynamic interface of net-all source (indoor, outdoor)

  NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local

  NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search

  !

  network vpn_local object

  dynamic NAT interface (outdoors, outdoor)

  network inside_nw object

  NAT dynamic interface (indoor, outdoor)

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  AAA authentication enable LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac

  transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode

  Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1

  card crypto 20-isakmp ipsec vpn Dynamics dyno

  vpn outside crypto map interface

  Crypto isakmp nat-traversal 3600

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH timeout 30

  Console timeout 0

  management-access inside

  dhcpd address 192.168.1.5 - 192.168.1.132 inside

  dhcpd dns 75.75.75.75 76.76.76.76 interface inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal sales_policy group policy

  attributes of the strategy of group sales_policy

  Server DNS 75.75.75.75 value 76.76.76.76

  Protocol-tunnel-VPN l2tp ipsec

  user name-

  user name-

  attributes global-tunnel-group DefaultRAGroup

  address sales_addresses pool

  Group Policy - by default-sales_policy

  IPSec-attributes tunnel-group DefaultRAGroup

  IKEv1 pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  ms-chap-v2 authentication

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13

  : end

  Thanks for your help.

  You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  --

  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• ASA 5505 VPN established, cannot access inside the network

  Hi, I recently got an ASA 5505, and I spent weeks to find a way to set up a VPN on it.

  After a few days, I finally found the solution to connect to my ASA with a VPN client yet and cannot access devices that are connected to the ASA.

  Here is my config:

  ASA Version 8.2 (5)
  !
  hostname asa01
  domain kevinasa01.net
  activate 8Ry2YjIyt7RRXU24 encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  switchport access vlan 5
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP address dhcp setroute
  !
  interface Vlan5
  No nameif
  security-level 50
  IP 172.16.1.1 255.255.255.0
  !
  passive FTP mode
  DNS server-group DefaultDNS
  domain kevinasa01.net
  permit same-security-traffic intra-interface
  Remote_Kevin_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.254.0 255.255.255.240
  inside_nat0_outbound list of allowed ip extended access all 192.168.254.0 255.255.255.0
  inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
  sheep - in extended Access-list allow IP 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
  access extensive list ip 192.168.254.0 outside_access_in allow 255.255.255.0 any
  access extensive list ip 192.168.254.0 inside_access_in allow 255.255.255.0 any
  pager lines 24
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  pool pool 192.168.254.1 - 192.168.254.10 255.255.255.0 IP mask
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (outside) 1 192.168.254.0 255.255.255.0
  NAT (inside) 0 access-list sheep - in
  NAT (inside) 1 192.168.1.0 255.255.255.0
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Access-group outside_access_in in interface outside
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd outside auto_config
  !
  dhcpd address 192.168.1.5 - 192.168.1.36 inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  internal Remote_Kevin group strategy
  attributes of Group Policy Remote_Kevin
  value of server DNS 192.168.1.12 192.168.1.13
  VPN - connections 3
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list Remote_Kevin_splitTunnelAcl
  kevinasa01.NET value by default-field
  username kevin mz6JxJib/sQqvsw9 password encrypted privilege 0
  username kevin attributes
  VPN-group-policy Remote_Kevin
  type tunnel-group Remote_Kevin remote access
  attributes global-tunnel-group Remote_Kevin
  address-pool
  Group Policy - by default-Remote_Kevin
  IPSec-attributes tunnel-group Remote_Kevin
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  inspect the icmp error
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
  : end

  Thank you

  Hello

  I read your message quickly through my cell phone. I don't know why you have spent your config twice. Maybe a typo issue.

  I see the acl sheep in the wrong way. I mean 192.168.254 are your pool VPN and 192.168.1.0 your local LAN.

  The acl must be:

  sheep - in extended access-list permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

  For nat (inside), you have 2 lines:

  NAT (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant as the 1 below does the same thing with more networks if there is inside side. You can delete it.
  NAT (inside) 1 0.0.0.0 0.0.0.0

  Why are you doing this nat (outside)?

  NAT (outside) 1 192.168.254.0 255.255.255.0

  Here are the first questions that I have seen by reading through my mobile. Let's change this and let me know. I'll take a look later with a computer (tonight or tomorrow)

  Thank you.

  PS: Please do not forget to rate and score as good response if this solves your problem.

• VPN users cannot access Tunnel

  Hi all

  I have a problem, I have 2 sites both with ASA 5520, they are both connected via a site to site VPN.

  It works very well all users in site A can access resources in site B and vice versa.

  The problem comes when a user connects to a remote user VPN site has they cannot access or anything in site B same ping if the FW them delivers an ip address in the range for the site.

  Im sure there is something simple that I missed.

  Thank you

  If the VPN Client pool is in the same subnet as the site of A LAN, then you are probably missing just the following:

  (1) check if you have divided political tunnel, and site-B LAN is included in the ACL split tunnel.

  (2) configure 'same-security-traffic permit intra-interface' on the site A ASA.

  If the above has been configured, please share configuration the two ASA to further check where it is.

• The VPN user cannot browse the internet

  I recently found myself working with ASA 5505 and implementation so that remote users can connect through the VPN. In this part, I managed to cope. Users can connect and authenticate you. Once this link has been established that they can no longer browse the web. I would like to make sure they use the remote instead of the local web. I think I'm close, but I am pretty stuck. Any help would be greatly appreciated.

  ASA Version 7.2 (4)
  !
  Ex host name
  domain Ex
  activate the encrypted password
  encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP address dhcp setroute
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !

  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS server-group DefaultDNS
  domain Ex
  permit same-security-traffic intra-interface
  inside_nat0_outbound list of allowed ip extended access any 192.168.2.0 255.255.255.248
  pager lines 24
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  mask 192.168.2.2 - IP 255.255.255.248 192.168.2.7 local pool RemoteDHCP
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 524.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (outside) 1 192.168.2.0 255.255.255.248
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  the ssh LOCAL console AAA authentication
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto-map dynamic outside_dyn_map 20 set pfs
  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-AES-256-SHA
  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH 192.168.1.0 255.255.255.0 inside
  SSH timeout 5
  SSH version 2
  Console timeout 0
  dhcpd dns 209.18.x.x 209.18.x.x
  dhcpd outside auto_config
  !
  dhcpd address 192.168.1.2 - 192.168.1.33 inside
  dhcpd allow inside
  !

  internal strategy of Group-1
  attributes of the strategy of Group-1
  Server DNS value 209.18.x.x 209.18.x.x
  Protocol-tunnel-VPN IPSec
  value by default-field Ex
  privilege of 15 encrypted password username
  tunnel-group 1 type ipsec-ra
  General-attributes tunnel-group 1
  address pool RemoteDHCP
  strategy-group-by default 1
  IPSec-attributes tunnel-group 1
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  !
  global service-policy global_policy
  context of prompt hostname

  Hello

  Yes, you are right. The customer does not receive anything. Please add this "crypto isakmp nat - t" command and then connect the client. Make sure you reconnect the client after adding this command if the client is connected at the time of the addition of the command.

  If this does not work, send me the output of "sh cry ipsec his."

  Mitesh

• Star - vpn clients cannot reach hub of rays

  I have two remote sites with exsisting site to site vpn conections.  I have no problem if I VPN in a particular site, reaching the services on this site.

  I can't reach services on other sites.

  my VPN address pool is 192.168.20.X 24-the hub

  the rays are 192.168.30.X/24 and 192.168.40.X/24 the respective shelves.

  My internal IP is 172.16.X.X/21

  each site is located on a different subnet in this range

  So, if I VPN in the VPN IP hub is 192.168.20.X/24 I can reach services to 172.16.8.X/21, but can not reach a hub at 172.16.56.X/21

  I am sure that this can be a routing problem, I tried to add static routes, but not joy.

  All sites are of ASA 5510

  The configuration you will need is:

  ASA local:

  L2L ip 192.168.40.0 access list allow 255.255.255.0 172.16.8.0 255.255.248.0

  list of allowed shared access ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0

  permit same-security-traffic intra-interface

  ASA remote:

  L2L 172.16.8.0 ip access list allow 255.255.248.0 192.168.40.0 255.255.255.0

  access-list ip 172.16.8.0 sheep allow 255.255.248.0 192.168.40.0 255.255.255.0

  The ACLS names reflect where to configure.

  In addition, if there is a NAT rule that is configured on the external interface of the ASA, you should ignore NAT for this traffic.

  Let me know how it goes.

  Federico.

• VPN users cannot access all resources

  User is able to connect, get's assigned an IP, we can see them connected
  
      via ASDM, they can't access anything in our network.
  
      

  Hello

  Check the following:

  When you try to send the traffic check the output of "sh cry ips her" to make sure packages encrypted/decrypted by slices.

  If it isn't...

  May be that NAT - T is not configured.

  Check the configuration of:

  ISAKMP crypto nat - t

  SH run all sysopt--> should show sysopt connection permit VPN

  Test:

  Add the command

  management-access inside

  And try to PING IP address of the VPN client ASA inside.

  We will consider here...

  Federico.