Site to site VPN works only on Cisco 881

Similar Questions

• Site to site VPN works not

  Hello

  I can't get my work vpn site-to-site. Not only that but I am unable to get an internet connection through my ASA. I need to use the IP address public for my local network provided by IPS = 99.143.97.186 - 190 = 255.255.255.248 subnet mask

  I followed this tutorial: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...

  can someone please take a look at my settings and help out me? Very much appreciated. Thank you.

  See the ciscoasa config (config) #.
  : Saved
  : Written by enable_15 at 01:12:15.869 UTC Thu Sep 4 2008
  !
  ASA Version 8.2 (5)
  !
  ciscoasa hostname
  activate 8Ry2YjIyt7RRXU24 encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 99.143.97.186 255.255.255.248
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 192.168.1.84 255.255.255.0
  !
  interface Vlan3
  No nameif
  no level of security
  no ip address
  !
  passive FTP mode
  access-list extended 100 permit ip 99.143.97.184 255.255.255.248 host 206.127.20.63
  99.143.97.184 IP Access-list extended sheep 255.255.255.248 allow host 206.127.20.63
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0 access-list sheep
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Route outside 206.127.20.63 255.255.255.255 192.168.1.254 1
  Route outside 206.127.21.3 255.255.255.255 192.168.1.254 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 99.143.97.184 255.255.255.248 inside
  http 99.143.97.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  correspondence address card crypto outside_map 20 100
  peer set card crypto outside_map 20 206.127.21.3
  card crypto outside_map 20 transform-set RIGHT
  outside_map interface card crypto outside
  Crypto ca trustpoint _SmartCallHome_ServerCA
  Configure CRL
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  dhcpd outside auto_config
  !
  dhcpd address 99.143.97.187 - 99.143.97.190 inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  tunnel-group 206.127.21.3 type ipsec-l2l
  IPSec-attributes tunnel-group 206.127.21.3
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  anonymous reporting remote call
  Cryptochecksum:0ab759de3926ddb63f79f18a8422409e

  ciscoasa (config) # show crypto isakmp his

  There is no isakmp sas

  ciscoasa (config) # show ip performance
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 99.143.97.186 255.255.255.248
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 192.168.1.84 255.255.255.0
  !

  You have an interface incorrect configuration: -.

  Add these lines and share how it rates:

  interface Vlan1
  no address ip 99.143.97.186 255.255.255.248
  IP 192.168.1.84 255.255.255.0

  interface Vlan2
  no address ip 192.168.1.84 255.255.255.0
  IP 99.143.97.186 255.255.255.248

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Site to Site VPN working without Crypto Card (ASA 8.2 (1))

  Hi all

  Find a strange situation on our firewall to ASA5540:

  We have a few Site to Site VPN and also activate on the ASA VPN cleint, all are working properly. But finding that a VPN from Site to Site is running without crypto map configuration. Is this possible?

  I tried to erase isa his and claire ipsec his then VPN came once again. Tested too, it's the ping requests to a remote site through the VPN.

  I saw there are config tunnel-group for VPN but saw no card crypto and ACL.

  How is the firewall knows what traffic should be encrypted for this VPN tunnel without crypto card?

  This is the bug?

  Thanks in advance,

  It can be an easy vpn configuration.

  Could you post output config operation remove any sensitive information.  This could help us answer your question more specifically.

• VPN works only on windows 7

  I have windows 7 professional 64 bit. I can't VPN works with the Iphone. I don't have another computer to try out it. Someone at - it a good guide?

  I think that the VPN is not configured on my win7. Any guide or help will be appreciated.

  OK... as test that I have connected to this free PPTP VPN service to make sure that my iPod touch VPN features work.

  http://www.bestfreevpn.com/iPhone-iPad-free-VPN/

  After configuring the server settings that I could with success to connect, check my iPod Touch IP had changed to the IP address assigned by their PPTP VPN server and I could surf the internet, check email, etc. etc.

  http://CID-25ab668da65c8fbe.photos.live.com/self.aspx/Windows%20images/iPodVPN-status-1.PNG

  http://CID-25ab668da65c8fbe.photos.live.com/self.aspx/Windows%20images/iPodVPN-status-2.PNG

  This screen, on the http://www.whatismyip.com site, verified for me as all my iPod Touch traffic was routed through the VPN tunnel to their server and back again. The reported public IP address is different from what I see of my Win 7 laptop at the same time even if the laptop and iPod Touch are vascular on the same local LAN here.

  http://CID-25ab668da65c8fbe.photos.live.com/self.aspx/Windows%20images/iPodVPN-whatismyip.PNG

  http://theillustratednetwork.MVPs.org/LAN/CurrentHomeLAN.PNG

  So getting back to your original problem, that I don't really know what is happening with Win 7, at least on my machine and its function of PPTP VPN server integrated. I'm not home now so I have no way to test this functionality with a Windows VPN client.

  However, the key is that the PPTP VPN functionality in my iPod Touch works as I expect on your iPhone. It boils down to a problem with the server.

  I suggest test you your iPhone against this free VPN server to make sure in your own mind that his work and then figure out what you want to do next. What exactly do you want to do with VPN, if you can get this to work on Win 7 PC server, IE. access to the files, remote and secure web surfing, etc.?

  Please NOTE: The free VPN service changes their password access every 12 to 24 hours and idle sessions for more than 4 hours are disconnected automatically. See the note at the bottom of their homepage.

  http://www.bestfreevpn.com/free-VPN/

  MS - MVP Windows Expert - consumer
  "When all else fails try what the captain suggested before you started...". »

• multi-site VPN with just the cisco vpn client

  Hello everyone

  Please I need your help.

  We have a headquarters office and up to 60 is BranchOffice, we want to create VPN network between its. so let's deploy 2 router cisco esy vpn server with HA (HSRP) at the Headquarters Office and all branches have Connection ADSL and they will use just the cisco vpn client to connect to the Headquarters Office.

  My question is: is it possible to do it just with the client vpn cisco without purchased for any exercise bracnh a cisco router to create an ipsec tunnel because it is so expensive?

  It depends on if the routers to offices can handle NAT with several internal VPN clients to 1 IP address. Most of the new material should be fine. Keep in mind the maximum limit of the VPN client, with 60 agencies and 5 people each of whom you are above the limit.

  Michael

  Please note all useful posts

• Cisco IPSec VPN works only one way.

  I'm hitting my head against the wall for more than 2 weeks now. I can't get this figured out.

  We have 2 locations and a server with an Internet service provider. Currently, we are connecting to our Internet service provider via a vpn ipsec to our headquarters. later, we will add the 1 direction.

  The problem is the following. My vpn is in place, I can ping my local ip address, my IP of the tunnel, the remote tunnel interface, the vlan remote or the gateway, but I can't ping anything you wanted. The branch to the ISP I ping the router in the Internet service provider's domain controller and the server very well. but I can't ping or talk about anything either at the Office on the side of the IAF. and so I can not communicate with any host on the LAN. Can someone please help me with this?

  Can I unload the configs of the two routers here someone watching?

  Thanks in advance.

  Exemption from the NAT on the end server must include the following reject order:

  NAT extended IP access list

  5 deny ip 10.1.20.0 0.0.0.255 10.178.164.128 0.0.0.127

  Disable the ip nat translation before testing again.

• S2S VPN works only in one direction

  I am very new to cisco devices, but we have recently acquired a catalyst 2911 device for our co - lo cabinet and I will try to get a vpn connection from site to site between installation and my network of offices as well as a remote access VPN for me to use in case I need to fix something then that apart from Labour Bureau.

  Gateway to the Office is 66.119.163.2 and the device is a TZ210 with his network is 192.168.1.0/24

  Co bridge is 204.244.50.254 and the device is 2911 ASR with its LAN network in 10.0.10.0/24

  The VPN S2S connection is in place between the two locations and 2911 device and servers LAN can ping and RDP for office machines.  Office network can only ping the IP Address of the LAN interface on the 2911 that is 10.0.10.1 but not the servers on the network.  the VPN site-to-site was created with the wizard CCP.

  How can I allow the network 192.168.1.0/24 see 10.0.10.1/24 network and why I only see now the gateway?

  If need be I can post my file running-config with the redacted pre-shared keys.

  You need only the first line of the ACL 125, well pls wanted to remove the 2nd line:

  1. access-list 125 allow ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  2. access-list 125 allow ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.255

  Also change the action of 'pass' to 'inspect' for the following

  class type inspect sdm-cls-VPNOutsideToInside-3

  Pass

  Hope that solves this problem.

• VPN works only on Windows XP using VMware Player

  Hi all

  I have a windows 7 64-bit OS on my laptop. Unfortunately, having only 32-bit cisco VPN client. So, I installed VMware player and windows XP virtual machine. I have internet access on the virtual machine. but when I try to VPN, I get the message "connection SecureVPN over locally by the Client. Reason 412: the remote peer is not responding. "I turned my firewall off and tried again, done some windows updates, restart... nothing seems to work and do the same message. Can someone shed some light on this subject and help up the VPN.

  THX

  Shy

  Maybe a MTU of network card setting must be adjusted.  The installation of the Cisco VPN Client manipulates program usually change the MTU when installing, but sometimes this is not...

  Check out my post on this topic for more details: http://communities.vmware.com/thread/160401

• ASA550 VPN works do not, Cisco beginner needs help!

  Hi people,

  I have to spend at Cisco Juniper, and I can't get a VPN. I tried hollow CLI and ADSM, and in both cases, I don't see any incoming ipsec packets on the other end (Juniper SSG) when I ping a remote host on the other network.

  Here is the config:

  !
  ASA Version 9.0 (1)
  !
  gw hostname
  activate 7qkORHwefwefwefwefyAiVSEQH4Q encrypted password
  7qkORHywefwefwefwefSEQH4Q encrypted passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 172.16.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP address dhcp setroute
  !
  passive FTP mode
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  network of the SDC_Beheer object
  10.104.0.0 subnet 255.255.0.0
  access extensive list ip 172.16.1.0 outside_cryptomap allow 255.255.255.0 object SDC_Beheer
  access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 object SDC_Beheer
  inside_access_in of access allowed any ip an extended list
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  inside_access_in access to the interface inside group
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  Enable http server
  http 172.16.1.0 255.255.255.0 inside
  Server SNMP location Bergen op Zoom
  Server SNMP contact Joris Kemperman
  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
  Crypto ipsec transform-set esp - esp-sha-hmac DESSHA1 ikev1
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_cryptomap
  peer set card crypto outside_map 1 5.200.1.5
  card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  outside_map interface card crypto outside
  trustpool crypto ca policy
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  authentication crack
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 20
  authentication rsa - sig
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 40
  authentication crack
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 50
  authentication rsa - sig
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 60
  preshared authentication
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 70
  authentication crack
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 80
  authentication rsa - sig
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 90
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 100
  authentication crack
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 110
  authentication rsa - sig
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 130
  authentication crack
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 140
  authentication rsa - sig
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 150
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH 172.16.0.0 255.255.0.0 inside
  SSH timeout 60
  Console timeout 0

  dhcpd dns 8.8.8.8
  dhcpd lease 3800
  dhcpd field lindebaan73.local
  dhcpd outside auto_config
  !
  dhcpd address 172.16.1.30 - 172.16.1.157 inside
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  internal GroupPolicy_5.200.1.5 group strategy
  attributes of Group Policy GroupPolicy_5.200.1.5
  Ikev1 VPN-tunnel-Protocol
  joris AewHowjZEPeq.vge encrypted privilege 15 password username
  tunnel-group 5.200.1.5 type ipsec-l2l
  tunnel-group 5.200.1.5 General-attributes
  Group - default policy - GroupPolicy_5.200.1.5
  IPSec-attributes tunnel-group 5.200.1.5
  IKEv1 pre-shared-key D1nges!
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:2498ca347e17bcfa3a8a5ad9968e606c
  : end

  ______________

  I think its either a NAT problem (ASA no tunnel traffic but simply translated and passed to the next router) or access list number.

  It already took me a lot of time to spend on what goes wrong.

  Anyone here who can help me?

  Hello

  You need to do no. NAT for the subnet you want to go through the tunnel.

  Thus, to create a group of objects to destination as source allows src1 and dest 1

  NAT (inside, outside) source static/dyn src1 CBC 1 destination dest1 dest1.

  For more information:

  https://supportforums.Cisco.com/document/44566/ASA-83-NAT-exemption-exam...

  Kind regards

  Kanwal

  Note: Please check if they are useful.

• A Site VPN PIX501 and CISCO router

  Hello Experts,

  I have an at home test lab, I set up a site to site vpn using a router Cisco PIX501 and CISCO2691, for configurations, I have just a few links on the internet, because my background on VPN configuration is not too good, for the configuration of routers, I followed this link:

  www.Firewall.CX/Cisco-Technical-Knowledgebase/Cisco-Routers/867-Cisco-ro...

  and for configuring pIX I just use the VPN Wizard of pix. All confgurations but ping failed. Hope you can help me with this, don't know what to do here (troubleshooting).

  Joint here is the configuration of my router, topology, as well as the pix configuration. Hope you can help me with this. Thanks in advance.

  Hi Mark,

  I went in the Config of the ASA

  I see that the dispensation of Nat is stil missing there

  Please add the following

  access-list allowed sheep ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0

  inside NAT) 0 access-list sheep

  Then try it should work

  Thank you

  REDA

• SSL vpn site to site vpn

  I have a couple of site to site VPN working properly on an ASA 5515. Don't know what is on the other side, as I haven't seen them. I configured a SSL vpn for remote users who must be able to access resources on remote sites. I got access to the network of site without any problems and and have added the range of IP addresses for remote users to links from site to site, but I am unable to connect. Anyone who has this performance, it would be greatly appreciated if you can help.

  Hi mbluemel,

  You need to configure the remote side to allow traffic from the remote side for SSL VPN users.
  This list of documents the measures taken to achieve this: -.

  http://www.petenetlive.com/kb/article/0000040.htm

  For more information: -.
  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Site to Site VPN. pick up DfltGrpPolicy instead of Tunnel-Group

  Hello

  Our ASA was set by a consultant some time ago to allow connectivity SSLVPN RSA backend. I am now trying to get a Site to Site VPN working but seem to get into a lot of difficulties. I get a load of the l2l VPN-related debugging messages which I believe is set up correctly. Here's what I think is of interest

  "January 24, 2009 12:13:01: % ASA-6-113009: AAA recovered in group policy by default (DfltGrpPolicy) to the user = x.x.x.x".

  The user specifies the IP address of the Cisco router remote that we try to get the VPN configuration.

  I have to admit that I haven't done a lot with the side things SSLVPN so this part of the config is out of my depth, that's why I post here.

  If anyone can help it would be really appreciated.

  Here are the relevant details (I can post more if there isn't enough). My question is, how do I get the l2l using the tunnel-group and not the default group policy?

  Thanks in advance for any help.

  dynamic-access-policy-registration

  DfltAccessPolicy

  WebVPN

  list of URLS no

  SVC request no svc default

  RADIUS protocol AAA-server VPNAUTH

  AAA-server VPNAUTH *. *. *

  interval before new attempt-5

  timeout 3

  key *.

  AAA authentication enable LOCAL console

  AAA authentication http LOCAL console

  LOCAL AAA authentication serial console

  the ssh LOCAL console AAA authentication

  AAA authentication LOCAL telnet console

  LOCAL AAA authorization command

  attributes of Group Policy DfltGrpPolicy

  value of DNS server! !. !. !

  VPN-idle-timeout no

  VPN-tunnel-Protocol webvpn

  enable IP-comp

  enable IPSec-udp

  field default value mondomaine.fr

  the address value vpnpool pools

  WebVPN

  enable http proxy

  SVC Dungeon - install any

  SVC keepalive 60

  SVC generate a new method ssl key

  SVC request no svc default

  disable ActiveX-relays

  disable file entry

  exploration of the disable files

  disable the input URL

  tunnel-group DefaultRAGroup webvpn-attributes

  message of rejection-RADIUS-

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  attributes global-tunnel-group DefaultWEBVPNGroup

  address vpnpool pool

  authentication-server-group VPNAUTH

  tunnel-group DefaultWEBVPNGroup webvpn-attributes

  message of rejection-RADIUS-

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared-key *.

  Wayne

  Do "sh run all tunnel-group" you should see the strategy of group associated with it.

  for example:

  tunnel-group 1.1.1.1 type ipsec-l2l

  tunnel-group 1.1.1.1 General attributes

  no accounting server group

  Group Policy - by default-DfltGrpPolicy

  tunnel-group 1.1.1.1 ipsec-attributes

  pre-shared-key *.

  by the peer-id-validate req

  no chain

  no point of trust

  ISAKMP retry threshold 10 keepalive 2

  Let me know if it helps.

  See you soon,.

  Gilbert

• fall of site to site vpn icmp packets

  Hello

  I test site to site vpn between ASA and cisco router with GNS3, topology is base the tunnel is up but the question when the remote host ping from both sides it is drops icmp, see router command and ASA do not include droppings. Here is a sample output from ping when I try to remote client ping. any help is appreciated :)

  Instant topology is attached, also configs

  Thank you

  84 bytes from 10.20.20.5 icmp_seq = 59 ttl = 63 times = 79,004 ms
  10.20.20.5 icmp_seq = timeout 60
  84 bytes from 10.20.20.5 icmp_seq = 61 = ttl 63 times = 70,004 ms
  10.20.20.5 icmp_seq = timeout 62
  84 bytes from 10.20.20.5 icmp_seq = ttl 63 time = 63 = 59,004 ms
  10.20.20.5 icmp_seq = 64 timeout
  84 bytes from 10.20.20.5 icmp_seq = 65 = ttl 63 times = 50,003 ms
  10.20.20.5 icmp_seq = timeout 66
  84 bytes from 10.20.20.5 icmp_seq = 67 ttl = 63 times = 59,003 ms
  10.20.20.5 icmp_seq = timeout 68
  84 bytes from 10.20.20.5 icmp_seq = 69 = ttl 63 times = 50,003 ms
  10.20.20.5 icmp_seq = timeout 70
  84 bytes from 10.20.20.5 icmp_seq = 71 ttl = 63 times = 58,003 ms
  10.20.20.5 icmp_seq = timeout 72
  84 bytes from 10.20.20.5 icmp_seq = 73 = ttl 63 times = 50,003 ms
  10.20.20.5 icmp_seq = timeout 74
  84 bytes from 10.20.20.5 icmp_seq = 75 ttl = 63 times = 69,004 ms
  10.20.20.5 icmp_seq = timeout 76
  84 bytes from 10.20.20.5 icmp_seq = 77 ttl = 63 times = 237,013 ms
  10.20.20.5 icmp_seq = timeout 78

  R1 ipsec crypto #sh her

  Interface: FastEthernet0/0
  Tag crypto map: map, local addr 100.100.100.2

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (10.20.20.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.20.10.0/255.255.255.0/0/0)
  current_peer 100.100.100.1 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
  decaps #pkts: 28, #pkts decrypt: 28, #pkts check: 28
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  ciscoasa # sh crypto isakmp stats

  Global statistics IKEv1
  The active Tunnels: 1
  Previous Tunnels: 1
  In bytes: 1384
  In the packages: 12
  In packs of fall: 0
  In Notifys: 8
  In the constituencies of P2: 0
  In P2 invalid Exchange: 0
  In P2 Exchange rejects: 0
  Requests for removal in his P2: 0
  Bytes: 1576
  Packet: 13
  Fall packages: 0
  NOTIFYs out: 16
  Exchanges of P2: 1
  The Invalides Exchange P2: 0
  Exchange of P2 rejects: 0
  Requests to remove on P2 Sa: 0
  Tunnels of the initiator: 1
  Initiator fails: 0
  Answering machine fails: 0
  Ability system breaks down: 0
  AUTH failed: 0
  Decrypt failed: 0
  Valid hash fails: 0
  No failure his: 0

  Hello

  On router R1, you gave the default route as output interface. Instead of using the output interface replace the IP address of the next hop. It will solve the issue of the reduction of ping.

  IP route 0.0.0.0 0.0.0.0 FastEthernet0/0

  IP route 0.0.0.0 0.0.0.0 100.100.100.1

  HTH

  "Please note the useful messages and mark the correct answer if it solves the problem."

• Keep Site to Site VPN Tunnel active for monitoring

  Hi all

  I have a configured site-to-site VPN tunnel only happen when the traffic generated from the remote peer. is it possible to keep the still active tunnel once after the tunnel is established.

  My requirement is to monitor VPN to see availability, so need to ping one of the natd(8) ip on the remote end, but it will come only when the traffic generated end peer.  currently the timers of default on SA is configured

  Help, please...

  Thank you

  Mikael

  TARGET_GP group policy attributes

  VPN-idle-timeout no

• Site to site VPN - cannot see host

  Hi all

  Site to site VPN is established by Cisco 887 (PPPoE) on the two site. The tunnel is UP.

  Personnel (192.168.5.33) PC I can ping to 60.a.a.54.

  But I cannot ping the inside interface (192.168.0.1).

  I need to access the server site B (192.169.0.150).

  How can I Access/ping to the server PC (192.168.5.33) staff (192.169.0.150)

  Please see the attachment for the tree and conf for ASA 5510 Site has and B Site

  Maybe I'm wrong, but I don't see a purpose for a tunnel between your routers c887. Instead, you need a tunnel between your routers asa.