Specify remote access interesting traffic?
This is probably a stupid question, but I can't get my remote access VPN traffic decrypted. I use an ASA5510 and the 5.0 Cisco VPN client. I have no problem getting the tunnel up. But the 'decrypted' traffic counter stays at zero and 'discarded traffic' increments all the time.
Here is the ASA5510 encryption config:
OK, I guess this site does not allow pasting text, so I have attached the config.
I'm pretty sure I can't pass traffic because I haven't been able to understand how to specify interesting traffic for the VPN connection. Can someone please show me the syntax for this? It seems it must be some sort of tunnel-group command.
Am I the only one who thinks the Cisco documentation is worthless on this? The ASA configuration guide gives you everything you need to configure a tunnel, but has absolutely nothing on the config required to actually pass traffic. That helps a lot.
Hello
If you see traffic being encrypted by the VPN Client but no return traffic, it may be a configuration that is missing on the ASA, or the host/destination may not have a good route back to the VPN Client, or something else.
To my knowledge, if you do not specify split tunneling on the VPN Client connection then EVERYTHING is going to be sent into the VPN tunnel at the client endpoint.
If you want to specify what to send into the VPN, you use the 'group-policy' configuration.
group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
 split-tunnel-policy tunnelall
OR
access-list SPLIT-TUNNEL standard permit <network> <mask>
group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
- Usually a 'standard' ACL that includes 'permit' statements for all of the networks you want to tunnel through the VPN.
The group policy is then set under the 'tunnel-group' configuration.
It would probably be easier to check if we could see the configuration on the ASA. If you are simply testing connectivity with ICMP, I recommend checking that you have 'inspect icmp' configured so that ICMP Echo-reply messages are automatically allowed back through the ASA.
-Jouni
Tags: Cisco Security
Similar Questions
-
No remote access VPN traffic of Asa
Hi all
I set up a remote access VPN on an ASA5510.
When the client connects, it receives an IP address from the pool (192.168.55.X) but generates no traffic.
If I type ipconfig on the PC I only have an IP and mask but no gateway is assigned; is this normal?
If I ping from the PC to any host on the local network 192.168.0.X, in the logs I have:
"3 14 July 2012 16:15:50 305005 192.168.0.10 no group translation found for icmp src FASTWEB:192.168.55.1 dst (type 8, code 0) LAN:192.168.0.10 '
NAT could be the problem, but I don't understand how to do it.
Here is the relevant piece of my config:
access-list test_splitTunnelAcl standard permit Net_R_Dmz 255.255.255.224
access-list test_splitTunnelAcl standard permit Net_R_Server 255.255.255.0
access-list test_splitTunnelAcl standard permit Net_R_Client 255.255.255.0
access-list test_splitTunnelAcl standard permit Net_V_VoIP 255.255.255.0
access-list test_splitTunnelAcl standard permit Net_V_Lan 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group Network_V
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Client 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Server 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Dmz 255.255.255.224
access-list Lan_nat0_outbound extended permit ip Net_VpnClient 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_R_Client 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_R_Server 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_R 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_VpnClient 255.255.255.240 any
access-list Lan_access_in extended permit ip 192.168.0.0 255.255.255.0 any
ip local pool Vpn_Pool 192.168.55.1-192.168.55.10 mask 255.255.255.240
global (FASTWEB) 1 interface
nat (LAN) 0 access-list Lan_nat0_outbound
nat (LAN) 1 192.168.0.0 255.255.255.0
access-group Fastweb_access_in in interface FASTWEB
access-group Lan_access_in in interface LAN
route FASTWEB 0.0.0.0 0.0.0.0 93.x.x.x 1
group-policy R10M internal
group-policy R10M attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
tunnel-group R10M type remote-access
tunnel-group R10M general-attributes
 address-pool Vpn_Pool
 default-group-policy R10M
tunnel-group R10M ipsec-attributes
 pre-shared-key *
Thank you.
M.
Hi Marco,
see this:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN) 1 192.168.0.0 255.255.255.0
  match ip LAN 192.168.0.0 255.255.255.0 FASTWEB any
    dynamic translation to pool 1 (93.x.x.x [Interface PAT])
    translate_hits = 267145, untranslate_hits = 18832
Additional Information:
Dynamic translate 192.168.0.10/0 to 93.x.x.x/18070 using netmask 255.255.255.255
The traffic does not hit the exemption rule.
Please add this to your nat 0 access-list:
access-list Lan_nat0_outbound line 1 extended permit ip any 192.168.55.0 255.255.255.0
and let me know how it goes.
Good luck.
Mohammad.
-
Remote access server problem ASA5510
Hello guys,
I have a problem with an ASA5510 configured as a remote access server. We use the VPN client on Windows XP. Looking at the requirements I see no problem, but when I try to connect to the server it doesn't open the VPN negotiation. I had a problem like this before, but at least I saw the traffic hitting the ASA. Now I don't see anything hitting the device. I enclose the current configuration of the ASA. The VPN client on my laptop is configured correctly. Thank you in advance!
RVR
Hello
Happy to help and thanks for the note.
This command is not required, but 90% of the deployments I've seen have this command configured, and it is the default on the ASA. In a word, what this command does is open the IKE and IPsec ports and also skip the inbound ACL check on the ASA for IPsec traffic.
If you do not have this command enabled, you must configure an inbound ACL to allow IKE, IPsec, and the clear-text remote access VPN traffic after the IPsec packets get decrypted on the ASA.
Kind regards
Arul
* Pls rate if it helps *
-
I've updated from vista to the most recent update.
I have Windows Vista Home Premium 32-bit. I want to get this matter resolved without having to reinstall, as I have a few games installed on this system. The modem is not the issue, as other computers connect very well. Thanks for the help from Microsoft.
Recently I tried to connect to the internet but that was not possible, because no connection could be established. The Remote Access Connection Manager does not start, error 2: could not find the specified domain. The services RasMan depends on are started, but Remote Access Connection Manager does not start.
Hi Mundilfar,
You can try the following steps and see if it helps.
Step 1:
You can try running the System File Checker (SFC) scan on the computer, which will replace missing or corrupt files, and check if the problem persists.
For more information, you can consult the following link.
Step 2:
If you still face the issue, then you can try granting permissions on the RasMan registry key and see if it helps.
Important: The following steps show you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs.
For more information about how to back up and restore the registry, follow the steps from the link below:
a. Click Start, type regedit in the search box and press ENTER.
b. Locate the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
c. Right-click the key and click Permissions.
d. Select Advanced, click the Owner tab, click your user name, check 'Replace owner on subcontainers and objects', click Apply, then click OK.
e. Click the user or group name that you want to work with.
f. Check Allow for Full Control. Click Apply and then click OK.
g. Restart the computer and check.
Hope this information is useful.
-
This seems to have started with the last batch of Windows 7 updates (including SP1).
I can't connect using dial-up. I get the message:
Cannot load the Remote Access Connection Manager service
Error 711: The operation could not complete because it could not start the Remote Access Connection Manager service in time. Please try the operation again.
When I try to start the Remote Access Connection Manager service manually, I get the message:
Windows could not start the Remote Access Connection Manager service on Local Computer.
Error 20: The system cannot find the specified device.
Phone and Modem shows the modem is working properly, and the Telephony and Secure Socket Tunneling Protocol services are started.
I don't know what else might have changed.
Hello Vince_867,
Thanks for your post. Take a look at this thread for a possible solution to your problem.
See you soon
-
Remote access to the site to site VPN
We currently have a site-to-site VPN set up on a direct line between our two data centers. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.
I've recently implemented a remote access VPN at site A. VPN clients can access all of the resources behind the ASA at site A without problem. However, strange things happen when they try to contact site B.
I have set up corresponding NAT exemptions on each side of the connection. The remote site reports no abnormalities. When a remote VPN client attempts to connect to site B, the only errors that appear are on the ASA at site A. When a remote client attempts to connect to a host at site B, the following errors appear in the log:
%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
I have the following NAT exemption set up at site A:
access-list sheep; 3 elements
access-list sheep line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)
access-list sheep line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)
access-list sheep line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)
I have been working on this for a few days now and hesitate to open a TAC ticket. I've seen a few similar questions on the forums, but have found none with a working solution. I tried to follow the technical notes on Cisco's website for a similar configuration, but had no luck.
Also, I enabled same-security-traffic permit intra-interface and inter-interface.
Any help would be appreciated.
Is this your topology, with the ASA as the hub? If so, try the suggestions below.
Inside Net 10.1.1.0/16
DS3 Net 172.16.0.0/28 - net 10.0.0.0/16 at the far end, through the L2L tunnel
RA VPN Net 10.3.0.0/24
For RA clients to access hosts at the L2L tunnel end, you will need a NAT exempt rule applied to the ds3 interface.
Based on the log
%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
Try this
no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (ds3) 0 access-list test
On the tunnel end (spoke), allow the RA network from the hub ASA in the interesting traffic.
Let us know how it works
Regards
-
IPsec Site to Site and the question of the IPsec remote access
Our remote access IPsec is set to 3DES 168-bit encryption.
If we want to allow a remote user to go out through a tunnel to another site, must that tunnel also use 3DES encryption?
That tunnel is currently defined with AES.
If I understand your question the answer is this:
The VPN client will connect to the ASA with whatever encryption method it has chosen.
If the VPN client's traffic then goes through a site-to-site tunnel to another location, it uses the encryption method specified for that site-to-site tunnel.
This is because the settings for the VPN client apply only when it terminates its VPN on the ASA.
When the client's traffic passes through a different tunnel, the settings for that tunnel apply.
Hope I answered your question, if not please let me know.
Federico.
-
VPN remote access - no network connectivity internal!
Hi Experts,
I understand that this is a very common problem when considering IPsec remote access VPN implementations using the Cisco VPN Client. But for the last six months I have tried to configure remote access VPN at as many customer sites and got stuck with the same issue!
- The remote VPN Client connects and authenticates successfully against the local user database (to make things easier, I used local user authentication); the tunnel is set up (I could see the output of 'show isakmp sa' as AM_ACTIVE). So I think the encryption and authentication parameters for Phase 1/Phase 2 should work, because the tunnel is being established successfully.
- Now comes the issue: no connectivity to the internal network. I tried all the possible solutions I could find online.
1. The most common problem is NAT Traversal not being enabled
 - Enabled NAT-T with the default keepalive of 20
2. No NAT configuration to exempt remote VPN traffic
 - Ensured that the nat 0 configuration is present and that traffic from the internal network 192.168.1.X to the VPN networks 192.168.5.X/192.168.10.X is exempted from NAT
3. Split tunnel configuration
 - Reconfigured the split tunnel access list from a standard access list to an extended access list (although not required, as a standard access list is more than enough, if I'm not mistaken) to allow selected traffic from 192.168.1.X to 192.168.5.X/192.168.10.X, which creates routes on the client that allow users to access VPN resources and the Internet simultaneously. The split tunnel network list was added to the group policy again.
4. Perfect Forward Secrecy (PFS) enabled/disabled
 - Since it may be extra overhead, it has been disabled/enabled
5. Reverse Route Injection
 - Ensured that a temporary reverse route is injected into the routing table by enabling Reverse Route Injection, which automatically inserts temporary static routes to the remote tunnel networks, using the 'set reverse-route' command
A few more interesting things were noted:
Encrypted and bypassed packets are seen when a continuous ping is started to the ASA inside interface.
No decryption happens on the VPN Client, which means there is no answer back from the network in the traffic statistics.
Decrypted packets are found to increase when I try to ping the client's IP address (192.168.0.10) from the ASA. But on the ASA I get no response back, shown as ?. So that would mean there is communication from the ASA to the client via the VPN tunnel, while no communication is happening from the internal network to the client.
The entire configuration is shown below
ASA Version 8.2(1)
!
hostname ciscoasa
enable password AS3P3A8i0l6.JxwD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list SHEEP extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.0.10-192.168.0.15
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca server
 smtp from-address [email protected]
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.132 inside
dhcpd dns 8.8.8.8 4.4.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST1
 address-pools value testpool
username dk password Z6zukyDvwVjP7o24 encrypted privilege 15
username sv password i1gRUVsEALixX3ei encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool testpool
 default-group-policy RAVPN
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:48f0863a70b8f382c7b71db0b88620fe
: end
Could you please help me identify where I'm going wrong? I have been trying to figure this out for a long time, but nothing seems to work! ;-(
Help, please!
Thank you
ANUP
(1) Pls replace the split tunnel ACL with a standard ACL as follows:
no access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ST1 standard permit 192.168.1.0 255.255.255.0
(2) Add icmp inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
(3) Finally, add the following so that you can test against the ASA inside interface:
management-access inside
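Two causes recur across these threads: a VPN pool that the nat 0 exemption ACL does not cover (Mohammad's fix for Marco above) and a split-tunnel list built on an extended ACL (point 1 here). The checker below is my own added example, not code from this thread or from Cisco; it parses the 8.2-style syntax posted here and runs against a constructed config modelled on Marco's, assuming plain network/mask operands (object names are reported as unparsed rather than guessed at).

```python
import ipaddress
import re

# Constructed sample, modelled on the 8.2-style ASA config in the thread above:
# clients get 192.168.55.1-10 from the pool, the LAN 192.168.0.0/24 sits behind "LAN",
# and the nat 0 ACL exempts LAN traffic only toward some other network, not the pool.
BROKEN_CONFIG = """\
ip local pool Vpn_Pool 192.168.55.1-192.168.55.10 mask 255.255.255.240
access-list test_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (LAN) 0 access-list Lan_nat0_outbound
nat (LAN) 1 192.168.0.0 255.255.255.0
group-policy R10M attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
"""

# The exemption line Mohammad's answer asks for: LAN -> pool traffic bypasses NAT.
FIX_LINE = "access-list Lan_nat0_outbound extended permit ip any 192.168.55.0 255.255.255.0\n"

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\s+permit\s+(.*)$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value\s+(\S+)$")


def _addr(tokens, i):
    """Parse one ASA address operand (any | host A | NET MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa(text):
    """Collect the pieces that decide whether VPN client traffic can come back unNATed."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "split_acls": set(), "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, kind, rest = m.groups()
            tokens = rest.split()
            try:
                if kind == "standard":            # standard ACL: NET MASK only
                    src, _ = _addr(tokens, 0)
                    dst = None
                else:                             # extended ACL: PROTO SRC DST
                    src, i = _addr(tokens, 1)
                    dst, _ = _addr(tokens, i)
            except (ValueError, IndexError):      # object names, ports, etc. are out of scope
                cfg["unparsed"].append(line)
                continue
            cfg["acls"].setdefault(name, []).append((kind, src, dst))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := SPLIT_RE.match(line):
            cfg["split_acls"].add(m.group(1))
    return cfg


def check_vpn_return_path(text):
    """Return a list of findings; an empty list means neither classic cause is present."""
    cfg = parse_asa(text)
    findings = []
    # 1. Every pool address must appear as a destination in a nat 0 ACL, otherwise
    #    inside -> client replies fall into dynamic NAT and log ASA-3-305005.
    exempt_dsts = [dst for acl in cfg["nat0"].values()
                   for _kind, _src, dst in cfg["acls"].get(acl, []) if dst is not None]
    for pool, (first, last) in cfg["pools"].items():
        # Conservative: each summarized block must sit inside one exemption entry.
        missing = [str(b) for b in ipaddress.summarize_address_range(first, last)
                   if not any(b.subnet_of(d) for d in exempt_dsts)]
        if missing:
            findings.append(f"pool {pool}: not NAT-exempted: {', '.join(missing)}")
    if cfg["pools"] and not cfg["nat0"]:
        findings.append("no 'nat (...) 0 access-list' exemption configured at all")
    # 2. The split-tunnel network list should be a standard ACL, as the fix above says.
    for acl in cfg["split_acls"]:
        kinds = {k for k, _s, _d in cfg["acls"].get(acl, [])}
        if "extended" in kinds:
            findings.append(f"split-tunnel ACL {acl} is extended; use a standard ACL")
        elif not kinds:
            findings.append(f"split-tunnel ACL {acl} is referenced but never defined")
    for line in cfg["unparsed"]:
        findings.append(f"could not parse, check by hand: {line}")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", BROKEN_CONFIG + FIX_LINE)):
        print(label, check_vpn_return_path(text) or "OK")
```

Run it against a saved 'show run' and read the findings before chasing Phase 1/Phase 2 settings; a tunnel that comes up AM_ACTIVE with decrypts at zero is usually one of these two, not the crypto.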
-
Failed to start remote access service
Hello. I got a VPS and installed CA, IIS and the remote access service.
I enabled it as a VPN server.
When I try to start the remote access service it gives me an error:
The Routing and Remote Access service depends on the Remote Access Connection Manager service, which failed to start because of the following error:
The dependency service or group failed to start.
I resolved this problem by running these commands:
netcfg -u ms_sstp
netcfg -c p -i ms_sstp
net start sstpsvc
net start rasman
Now when I try to start it, it gives me this error:
The Remote Access Connection Manager service terminated with the following error:
The system cannot find the specified device.
So what is the problem?
Thank you.
Hello
Your Windows question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the Microsoft TechNet forum. You can follow this link to post your question:
-
Static IP remote access for the media center
I have an NMH410 working through a WRT610N router. My ports are configured for static IP access. Just going through www.ciscomediahub.com doesn't seem to work well for me.
Can someone provide the 'exact' URL I would enter in order to access my media center?
Cisco's help documentation shows https://Wan_IP_Address but that doesn't seem to work. The request just sits there and finally times out.
To everyone:
Apparently I discovered and corrected the problem I had with 'Remote access' to my Media Hub.
Somehow there were two router configurations that had to be done. Two port forwarding configurations were necessary, and once done they allowed me to access the media center.
It seems that my ISP has a router with a 192.168.x.x address that was different from the 192.168.x.x address of my router. It is the home router I log into when I make changes to the port forwarding information. The fact that I was getting an error message indicating I wasn't even reaching my router alerted me to the fact that my ISP was blocking remote access. In the end, that's where my problem was discovered.
Translation:
If you have problems accessing your media hub 'remotely' through its IP address (and not through the Cisco media center site), make sure you configure the ports on the router at the address specified by your Internet provider, as well as the ports on the router you have on your home network.
I have forwarded port 443 on both router addresses, and I can now access my media hub remotely. Now if I could play videos remotely, I'd be set. That leads to another problem that I'll post in another thread.
Thanks for the help and suggestions from everyone.
-
Problems with Windows 7 Pro Remote Access
I'm on a Windows 7 Pro machine, but it is connected to a work network.
I'm trying to access my parents' Windows 7 Pro machine at their home.
I went through these instructions. We created a password for one of the user accounts. I checked the computer name (there is no domain listed). We confirmed that remote access is enabled, and that allowing remote access is checked in the firewall settings.
However, when I start "Remote Desktop Connection" on my computer and put their computer name in the box, I get a message that it cannot find the computer. Then the message indicates that the computer might not belong to "the specified network." But there is no specified network, and I see nowhere to set one.
In addition, is it possible that my work security settings prevent me from remotely accessing another computer?
Last question: if I used the Fusion virtual machine on my Mac, with Windows 7, could I remotely access another computer?
Real technical answer: the problem boils down to the IP address. Your computer probably has an IP of 192.168.1.8 or something like that. But the home router doesn't announce that to the world. So when you want to connect to the remote computer, you must use the public-facing IP (the one the home internet service provider assigns to the home router, not the one the router assigns to your computer). But then you're still short, because now you have reached the house, but you have to tell the house which PC to actually deliver this letter to. It's like an envelope with half an address. Port forwarding is the final step that tells it which PC should receive the message.
But yes I agree they could at least put a link or an explanation.
-
ODA IP ASA when you browse the web via remote access vpn
Hi all
I was wondering if it is possible to configure an ASA5510 in a way that lets remote access VPN users use the external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the ASA's IP address when browsing.
The firmware version of the ASA is 9.1 (6)
Thanks in advance
Hello
What you want to achieve is called a u-turn.
You must enable the feature with 'same-security-traffic permit intra-interface'.
For the configuration of the ASA, here's the Cisco documentation (I won't copy-paste it into the post):
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you
PS: Please do not forget to rate and score as good response if this solves your problem
-
Hello
I am setting up a remote access VPN on a Cisco ASA 5510 version 8.4(4)1.
When I try to connect via the Cisco VPN client software, I am able to connect; however, I am unable to access network resources.
However, I can ping the servers at the other site that is connected to the main site through the site-to-site VPN!
VPN client --> main site (ping times out) --> site connected to the main site with the S2S VPN (successful ping)
Please help me I need to find a solution as soon as POSSIBLE!
Thank you in advance.
Hello
Please remove the NAT exemption and re-issue the command with 1, so it will place the NAT as the first line:
no nat (SERVERS,outside) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup
nat (SERVERS,outside) 1 source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup
After re-configuring it this way, make sure that this command is also present:
sysopt connection permit-vpn
This sysopt will allow the traffic regardless of any ACL drop, just in case. Please continue by running a packet tracer and post it here:
packet-tracer input SERVERS icmp XXXXXX 8 0 YYYYY detailed
XXXX --> server IP
YYYY --> VPN IP of the user
Don't forget to do both steps and, just in case, a capture. Please rate and mark the useful message as correct!
Thank you
David Castro,
-
Hi all
I need help with a remote access VPN configuration. I want some remote users who have internet access on their systems to connect with the Cisco VPN client and access an application server at my head office. I use a Cisco 881. I am unable to use the SDM configuration because it seems SDM is not supported on the router, so I'm using the command line. I'd appreciate any help I can get. Thank you.
This is the configuration I have:
VPNROUT#sho run
Building configuration...
Current configuration : 6832 bytes
!
! Last configuration change at 10:50:45 UTC Sat May 30 2015 by thomas
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPNROUT
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen1 local
aaa authorization network groupauthor1 local
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1632305899
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1632305899
 revocation-check none
 rsakeypair TP-self-signed-1632305899
!
crypto pki certificate chain TP-self-signed-1632305899
 certificate self-signed 01
 quit
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.20.0.1 172.20.0.50
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 2 0
!
ip dhcp pool 1
 network 172.20.0.0 255.255.240.0
 domain-name meogl.net
 default-router 172.20.0.1
 dns-server 172.20.0.4 41.79.4.11 4.2.2.2 8.8.8.8
 lease 8
!
no ip domain lookup
ip domain name meogl.net
ip name-server 172.20.0.4
ip name-server 41.79.4.11
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
license udi pid CISCO881-K9 sn FCZ1804C3SL
!
username thomas privilege 15 secret 4 JXSizd1r/hMqPpGz94vKBb5somtpZLy03k50rJvHO6c
username mowe privilege 15 secret 4 hlfv/rdDRCAeTUzRXbOIfdaKhJCl1onoGdaQeaQsAnw
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group moweclients
 key XXXXXXX
 dns 172.20.0.4
 domain meogl.net
 pool mowepool
!
crypto ipsec transform-set moweset esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map dynmap 1
 set transform-set moweset
 reverse-route
!
crypto map mowemap client authentication list userauthen1
crypto map mowemap isakmp authorization list groupauthor1
crypto map mowemap client configuration address respond
crypto map mowemap 1 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 172.30.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 41.7.8.13 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map VPN-CLIENT
 shutdown
 duplex auto
 speed auto
 crypto map mowemap
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Vlan100
 ip address 172.20.0.1 255.255.240.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool mowepool 192.168.1.1 192.168.1.100
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map LAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 41.7.8.12
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.20.0.0 0.0.15.255
access-list 100 permit ip 172.20.0.0 0.0.15.255 any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
route-map LAT permit 1
 match ip address 100
 set ip next-hop 41.7.8.12
!
route-map VPN-CLIENT permit 1
 match ip address 144
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
end
Please check the configuration above and give me the desired output.
Thank you.
Hello Thomas,
I'm glad to hear that you have found the example configuration useful.
I checked your configuration and everything seems OK with it, especially the NAT statements:
ip local pool mowepool 192.168.1.1 192.168.1.100
access-list 100 deny ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.20.0.0 0.0.15.255 any
route-map LAT permit 1
 match ip address 100
ip nat inside source route-map LAT interface FastEthernet4 overload
interface Vlan100
 ip address 172.20.0.1 255.255.240.0
 ip nat inside
 ip virtual-reassembly in
Try to generate ICMP traffic from behind your VLAN 100 to the VPN client in order to answer the following questions:
- Does the router receive this traffic from the device behind VLAN100?
- Does the router encrypt this traffic after receiving the ICMP packet?
"show crypto ipsec sa" on the router can help you with this question. Look for the encaps/decaps counters.
- The same, but the other way around (from the VPN client to the device behind VLAN100); try to locate the problem.
The following document explains these crypto commands and debugs in more detail, if necessary.
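The encaps/decaps check in the reply above can be automated. The following is an added Python example, not code from this thread or from Cisco: it parses the counters out of "show crypto ipsec sa" output and classifies each SA as bidirectional, inbound-only (the router decrypts but never encrypts, i.e. the reply path is broken), outbound-only, or idle. The sample output is constructed in the IOS layout; FastEthernet4 and mowemap are the names from the posted router config, while the peer and router addresses are placeholders.

```python
import re

# Constructed sample laid out like IOS "show crypto ipsec sa" output; the peer
# and router addresses are documentation placeholders, not values from the thread.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet4
    Crypto map tag: mowemap, local addr 203.0.113.13

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 4500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
   current_peer 198.51.100.9 port 4500
     PERMIT, flags={}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"^\s*current_peer (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA; each 'local ident' line starts a new SA."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                cur = {"local": m.group(2), "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = m.group(2)
            continue
        if cur is None:
            continue
        if m := PEER_RE.match(line):
            cur["peer"] = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))      # packets this router encrypted
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))      # packets this router decrypted
        elif m := ERRORS_RE.search(line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def classify(sa):
    """Direction of traffic seen on the SA, from the router's point of view."""
    if sa["encaps"] and sa["decaps"]:
        return "bidirectional"
    if sa["decaps"] and not sa["encaps"]:
        return "inbound-only"
    if sa["encaps"] and not sa["decaps"]:
        return "outbound-only"
    return "idle"


HINTS = {
    "bidirectional": "traffic flows both ways on this SA; look beyond the tunnel (routing or ACLs on the far side)",
    "inbound-only": "router decrypts but never encrypts: replies are not reaching the crypto map; check the return "
                    "route to the pool (reverse-route) and that the NAT ACL denies pool traffic before its permit",
    "outbound-only": "router encrypts but receives nothing: check the client side and the path back to this router",
    "idle": "no traffic has matched this SA yet; confirm the interesting-traffic definition",
}


def diagnose(text):
    """Summarise every SA in the output with its state and a next check."""
    return [{"remote": sa["remote"], "peer": sa["peer"], "state": classify(sa),
             "hint": HINTS[classify(sa)]} for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for d in diagnose(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"{d['remote']} via {d['peer']}: {d['state']} - {d['hint']}")
```

The first SA in the sample reproduces the symptom from the start of this thread (the client encrypts, the router decrypts, nothing comes back), which the script reports as inbound-only; the second SA is a healthy one for comparison.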
-
Remote access VPN users unable to see local LAN or internet
We implemented an ASA5510. Now our users can connect to the VPN but cannot access the internal LAN or the internet.
Here is the config. Any help or idea would be greatly appreciated. Thank you.
Cryptochecksum: dd11079f e4fe7597 4a8657ba 1e7b287f
: Saved
: Written by enable_15 at 11:04:57.005 UTC Wednesday, April 22, 2015
!
ASA Version 9.0(3)
!
hostname CP-ASA-TOR1
enable password m.EmhnDT1BILmiAY encrypted
names
ip local pool CPRAVPN 10.10.60.1-10.10.60.40 mask 255.255.255.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 63.250.109.211 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network net-local
 subnet 10.10.10.0 255.255.255.0
object network net-remote
 subnet 10.10.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.60.0_26
 subnet 10.10.60.0 255.255.255.192
access-list Outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object net-remote
access-list CPRemoteVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 63.250.109.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 209.171.34.91
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy CPRemoteVPN internal
group-policy CPRemoteVPN attributes
 dns-server value 10.10.10.12
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 split-tunnel-network-list value CPRemoteVPN_splitTunnelAcl
 default-domain value carepath.local
 split-dns value carepath.ca
 split-tunnel-all-dns enable
 msie-proxy method no-proxy
 address-pools value CPRAVPN
username roys password jjiV7E.dmZNdBlFQ encrypted privilege 0
username roys attributes
 vpn-group-policy CPRemoteVPN
tunnel-group 209.171.34.91 type ipsec-l2l
tunnel-group 209.171.34.91 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group CPRemoteVPN type remote-access
tunnel-group CPRemoteVPN general-attributes
 address-pool CPRAVPN
 default-group-policy CPRemoteVPN
tunnel-group CPRemoteVPN ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd11079fe4fe75974a8657ba1e7b287f
: end
Hello
A couple of things to set for this:
- crypto isakmp nat-traversal 20
- management-access inside
Can you run a packet tracer and attach it here, so we can see which phases the packet goes through?
Regards,
David Castro
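The two lines suggested above, together with the split-tunnel rule given earlier in this thread (a split-tunnel-network-list only takes effect under split-tunnel-policy tunnelspecified) and the NAT exemption for the client pool, can be checked mechanically before a packet tracer is run. The following is an added Python example, not code from this thread or from Cisco: it audits a constructed excerpt of the posted ASA config (same object, pool, ACL and group-policy names as the config above, but not the full config) and reports what is missing, then shows the same excerpt with the gaps closed. The finding texts and severity labels are my own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA config posted above (same object,
# pool, ACL and group-policy names); it is not the full config.
SAMPLE_ASA_CONFIG = """\
ip local pool CPRAVPN 10.10.60.1-10.10.60.40 mask 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.60.0_26
 subnet 10.10.60.0 255.255.255.192
access-list CPRemoteVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
group-policy CPRemoteVPN internal
group-policy CPRemoteVPN attributes
 split-tunnel-network-list value CPRemoteVPN_splitTunnelAcl
 address-pools value CPRAVPN
"""

# The same excerpt with the two lines the reply asks for plus an explicit split-tunnel policy.
HARDENED_ASA_CONFIG = SAMPLE_ASA_CONFIG.replace(
    " split-tunnel-network-list value",
    " split-tunnel-policy tunnelspecified\n split-tunnel-network-list value",
) + "crypto isakmp nat-traversal 20\nmanagement-access inside\n"

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask")
OBJ_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)")
GP_RE = re.compile(r"^group-policy (\S+) attributes")
NAT_RE = re.compile(r"^nat \([^)]+\) (?:after-auto )?source static \S+ \S+ destination static (\S+) (\S+)")


def parse_config(cfg):
    """Collect network objects, address pools, group-policy attributes and identity-NAT destinations."""
    objects, pools, policies, identity_dst, toplevel = {}, {}, {}, set(), []
    cur_obj = cur_gp = None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level command: closes any open block
            cur_obj = cur_gp = None
            toplevel.append(line.strip())
            if m := POOL_RE.match(line):
                pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            elif m := OBJ_RE.match(line):
                cur_obj = m.group(1)
            elif m := GP_RE.match(line):
                cur_gp = policies.setdefault(m.group(1), [])
            elif (m := NAT_RE.match(line)) and m.group(1) == m.group(2):
                identity_dst.add(m.group(1))  # destination translated to itself = NAT exemption
        elif cur_obj and (m := SUBNET_RE.match(line)):
            objects[cur_obj] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif cur_gp is not None:
            cur_gp.append(line.strip())
    return {"objects": objects, "pools": pools, "policies": policies,
            "identity_dst": identity_dst, "toplevel": toplevel}


def pool_is_nat_exempt(pool, parsed):
    """True if the whole pool range lies inside an object used as an identity-NAT destination."""
    if pool not in parsed["pools"]:
        return False
    start, end = parsed["pools"][pool]
    for name in parsed["identity_dst"]:
        net = parsed["objects"].get(name)
        if net is not None and start in net and end in net:
            return True
    return False


def audit(cfg):
    """Return (severity, message) findings for the remote-access pitfalls discussed in the thread."""
    p = parse_config(cfg)
    findings = []
    for gp, attrs in p["policies"].items():
        has_list = any(a.startswith("split-tunnel-network-list value") for a in attrs)
        if has_list and "split-tunnel-policy tunnelspecified" not in attrs:
            findings.append(("warn", f"group-policy {gp}: split-tunnel-network-list is set but split-tunnel-policy "
                                     "is not tunnelspecified (default is tunnelall), so the list is not applied"))
        for a in attrs:
            if a.startswith("address-pools value"):
                for pool in a.split()[2:]:
                    if not pool_is_nat_exempt(pool, p):
                        findings.append(("warn", f"group-policy {gp}: pool {pool} is not covered by an identity NAT "
                                                 "destination, so replies to VPN clients may be translated"))
    for needed in ("crypto isakmp nat-traversal", "management-access inside"):
        if not any(t.startswith(needed) for t in p["toplevel"]):
            findings.append(("info", f"{needed} is not configured"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_ASA_CONFIG), ("hardened", HARDENED_ASA_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit(cfg) or [("ok", "no findings")]:
            print(f"[{sev}] {msg}")
```

On the excerpt taken from the posted config the audit reports the missing split-tunnel-policy and the two absent lines from the reply, while the pool check passes because NETWORK_OBJ_10.10.60.0_26 covers 10.10.60.1-10.10.60.40 in the identity NAT rule; the hardened excerpt produces no findings.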