Specify remote access interesting traffic?

This is probably a stupid question, but I can't make my vpn remote access traffic decryption. I use an ASA5510 and 5.0 cisco vpn client. I have no problem getting the next tunnel. But traffic 'decrypted' zero rest and increments "ecarte traffic" at all times.

Here is the ASA5510 encryption config:

OK, I guess that this site does not allow to paste text so I have attached the config.

I'm pretty sure that I can't pass the traffic because I was not able to understand how to specify interesting traffic for the vpn connection. Can someone please show me the syntax for this? It seems that it must be a sort of tunnel - group commands.

Am I the only one who thinks that the Cisco documentation is worth anything on it? The ASA configuration guide you give all that you need to configure a tunnel, but has absolutely nothing on the config required to actually pass traffic. This helps a lot.

Hello

If you see the traffic is encrypted by the VPN Client but no return traffic may not be a configuration that is not on the ASA host or destination do not have a good road to the VPN Client or something else.

To my knowledge, if you do not specify this tunnel on the VPN Client connection then EVERYTHING is going to be in the client endpoint VPN tunnel.

If you want to specify what to send to the VPN you are using configurations of the 'group policy '.

VPN-GROUP-POLICY group policy interns

attributes of VPN-GROUP-POLICY-group policy

Split-tunnel-policy tunnelall

OR

standard permit access list TUNNEL of SPLIT

VPN-GROUP-POLICY group policy interns

attributes of VPN-GROUP-POLICY-group policy

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value of SPLIT TUNNEL

  • Usually the ACL 'standard' which includes 'permit' statements for all of the network you want to tunnel to the VPN

"Group policy" is then set under configurations "tunnel-group.

It would probably be easier to check when to see the configurations on the ASA. If you are simply testing connectivity ICMP I recommend that you check that you have 'an icmp inspection' configured so that ICMP Echo-reply messages are automatically allowed by the ASA.

-Jouni

Tags: Cisco Security

Similar Questions

  • No remote access VPN traffic of Asa

    Hi all

    I set up a Vpn on ASA5510 remote access.

    When the client connect, receive the ip address of the pool (192.168.55.X) but generates no traffic.

    If I type ipconfig on the pc I have only IP and mask but no gateway is not assigned, is this normal?

    If I ping a host of pc to all hosts on the local network 192.168.0.X in the logs I have:

    "3 14 July 2012 16:15:50 305005 192.168.0.10 no group translation found for icmp src FASTWEB:192.168.55.1 dst (type 8, code 0) LAN:192.168.0.10 '

    NAT could be a problem but I do not understand how to do it.

    That's my piece of config:

    standard access list test_splitTunnelAcl allow Net_R_Dmz 255.255.255.224

    standard access list test_splitTunnelAcl allow Net_R_Server 255.255.255.0

    standard access list test_splitTunnelAcl allow Net_R_Client 255.255.255.0

    standard access list test_splitTunnelAcl allow Net_V_VoIP 255.255.255.0

    standard access list test_splitTunnelAcl allow Net_V_Lan 255.255.255.0

    test_splitTunnelAcl list standard access allowed 192.168.0.0 255.255.255.0

    permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R 255.255.255.0

    permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Network_V object-group

    permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R_Client 255.255.255.0

    permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R_Server 255.255.255.0

    permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R_Dmz 255.255.255.224

    Lan_nat0_outbound ip Net_VpnClient 255.255.255.0 allowed extended access list all

    Fastweb_access_in ip Net_R_Client 255.255.255.0 allowed extended access list all

    Fastweb_access_in ip Net_R_Server 255.255.255.0 allowed extended access list all

    Fastweb_access_in ip Net_R 255.255.255.0 allowed extended access list all

    Fastweb_access_in ip Net_VpnClient 255.255.255.240 allowed extended access list all

    permit access ip 192.168.0.0 scope list Lan_access_in 255.255.255.0 any

    mask 192.168.55.1 - 192.168.55.10 255.255.255.240 IP local pool Vpn_Pool

    Global (FASTWEB) 1 interface

    NAT (LAN) 0-list of access Lan_nat0_outbound

    NAT (LAN) 1 192.168.0.0 255.255.255.0

    Access-group Fastweb_access_in in interface FASTWEB

    Lan_access_in access to the LAN interface group

    Route FASTWEB 0.0.0.0 0.0.0.0 93.x.x.x 1

    internal group R10M strategy

    attributes of R10M group policy

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list test_splitTunnelAcl

    tunnel-group R10M type remote access

    attributes global-tunnel-group R10M

    address pool Vpn_Pool

    Group Policy - by default-R10M

    IPSec-attributes tunnel-group R10M

    pre-shared-key *.

    Thank you.

    M.

    Hi Marco,.

    see this:

    Phase: 7

    Type: NAT

    Subtype:

    Result: ALLOW

    Config:

    NAT (LAN) 1 192.168.0.0 255.255.255.0

    LAN ip 192.168.0.0 match FASTWEB 255.255.255.0 any

    dynamic translation of hen 1 (93.x.x.x.x [Interface PAT])

    translate_hits = 267145, untranslate_hits = 18832

    Additional information:

    Definition of dynamic 192.168.0.10/0 to 93.x.x.x.x/18070 using subnet mask 255.255.255.255

    do not hit the exemption from the rule,

    Please add this to your nat 0 access-list:

    Lan_nat0_outbound line 1 scope ip allow any 192.168.55.0 255.255.255.0

    and let me know how it goes.

    Good luck.

    Mohammad.

  • Remote access server problem ASA5510

    Hello guys,.

    I have a problem with ASA5510 configured as a remote access server. We use the client VPN in Windows XP. Look at the requirements I see no problem, but when I try to connect to the server it doesn't open the negotiation of VPN. I had the problem like this before, but at least I saw the traffic hitting the ASA. Now, I don't see anything hitting the device. I enclose the current configuration of the SAA. The VPN client on my laptop is configured correctly. Thank you in advance!

    RVR

    Hello

    Happy to help and thanks for the note.

    This command is not required, but 90% of deployment I've seen has this configured command and is the default value for the SAA. In a Word, what this command is open to IKE and IPSEC ports and also does not check ACL entering ASA for IPSEC traffic.

    In case if you do not have this command enabled, you must configure inbound ACL to allow IKE, IPSEC and text clear remote access VPN traffic after IPSEC packets get decrypted on the SAA.

    Kind regards

    Arul

    * Rate pls if it helps *.

  • The remote access connection manager could not start. Error 2: cannot find the specified file.

    I've updated from vista to the most recent update.

    I have windows vista Home premium 32-bit.
    I want to get this matter resolved without having to reinstall as I have a few games installed it on this system.
    The modem is not the issue as other computers connect very well.
    Thanks for the help from Microsoft.
    Recently, I tried to connect to the internet but that was not possible, because no connection could be established. The remote access connection manager does not start 2 error: could not find the specified domain. the RasMan-dependent services are started, but Manager logins remote does not start.

    Hi Mundilfar,

    You can try the folliwng steps and see if it helps.

    Step 1:

    You can try to scan the file system [SFC] checker on the computer that will replace missing or corrupt files & check if the problem persists.

    For more information, you can consult the following link.

    How to use the System File Checker tool to fix the system files missing or corrupted on Windows Vista or Windows 7

    Step 2:

    If you are always faced with the question, then you can try to give permission for the Rasman registry key and see if it helps.

    Important: The following steps show you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs.

    For more information about how to back up and restore the registry, follow the steps from the link below:

    Back up the registry

    a. Click Start, type regedit in the search box and press ENTER.

    b. Locate the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan

    c. right click on the key and click Permissions.

    d. Select Advanced, click on owner tab, click your user name, and check the 'Replace owner of subcontainers and objects', click Apply - click OK.

    e. click the user or group name that you want to work with.

    f. check allow total control. Click apply and then click OK.

    g. restart the computer and check.

    Hope this information is useful.

  • Failed to start Remote Access Connection Manager Service. Get the 20 error: the system cannot find the specified device.

    This seems to have started with the last batch of updates of Windows 7 (including SP1).
    I can't connect using dial-up.  Get the message:
    Cannot load the Remote Access Connection Manager service
    Error 711: The operation could not complete because it could not start the remote access connection manager service
    in time.  Please try the operation again.

    When I try to start the Remote Access Connection Manager service manually, I get the message:
    Windows could not start the service on Local computer remote access connection manager.
    20 error: the system cannot find the specified device.

    My phone displays the modem works properly, and telephony and the Secure Socket Tunneling Protocol service started.

    I don't know what else might have changed.

    Hello Vince_867,

    Thanks for your post.  Take a look at this thread for a possible solution to your problem.

    See you soon

  • Remote access to the site to site VPN

    We currently have a VPN site-to-site set up on a direct line between our two data centers. Hosts on site one can speak to guests at site B, and talk to the hosts to site A to site B guests.

    I've recently implemented a site A. VPN VPN remote access clients can access all of the resources behind the ASA at A site without problem. However, strange things happen when they try to contact the site B.

    I have set up corresponding exemptions of NAT on each side of the connection. The remote site reported no abnormalities. When you attempt to connect to a remote VPN client to site B, the only errors that appear are on the SAA to site A. When a remote client attempts to connect to a host at site B, the following errors appear in the log:

    % ASA-3-305005: no group of translation not found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

    I have the exemption following NAT set up on site A:

    access-list sheep; 3 items

    access-list 1 permit line sheep extended ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt = 0)

    allowed to Access-list sheep lengthened 2 ip line 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt = 0)

    allowed to Access-list sheep line 3 extended ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt = 0)

    I work on it for a few days now and hesitate to open a ticket of TAC. I've seen a few similar questions on the forums, but have found zero with a working solution. I tried to follow the technical notes on Cisco's Web site for a configuration similar to, but had no luck.

    Also, I enabled same-security-traffic on intra and inter-interface interface.

    Any help would be appreciated.

    HUB of the ASA, is this your topology? If so try below suggestions.

    Inside 10.1.1.0/16 Net

    Net 172.16.0.0/28 - net through Tunnel L2L 10.0.0.0/16 end DS3

    VPN RA Net 10.3.0.0/24

    To RA to access the L2L tunnel end hosting you will need to exempt sheep rule applied to the ds3 interface.

    based on the journal

    % ASA-3-305005: no group of translation not found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

    Try this

    no scope list ip 10.3.0.0 access test allow 255.255.255.0 10.0.0.0 255.255.0.0

    test the ip 10.0.0.0 allowed extended access list 255.255.0.0 10.3.0.0 255.255.255.0

    test access list 0 Tan (ds3)

    on the end of the tunnel (spoke), to allow the network of RA from the FOCUS of the ASA in the interesting traffic.

    Let us know how it works

    Concerning

  • IPsec Site to Site and the question of the IPsec remote access

    Our remote access IPsec 3DES 168 bit encrption has the value

    If we want to allow a remote user to get out of a tunnel to another site must be so 3DES encryption for the Tunnel?

    This tunnel is currently defined by AES.

    If I understand your question the answer is this:

    The VPN client will connect to the ASA with any encryption method, he chose.

    If the VPN client then runs through a tunnel from Site to Site to another location, it uses the encryption method specified in the tunnel from Site to Site.

    This is because as the settings for the client VPN applies only when he puts an end VPN on the ASA.

    When the customer traffic, passes through a different tunnel, the settings for this tunnel applies.

    Hope I answered your question, if not please let me know.

    Federico.

  • VPN remote access - no network connectivity internal!

    Hi Experts,

    I understand that it is a very common problem when considering the implementations of IPSec VPN for remote access using Cisco VPN Client. But for the last six months, I have tried to configure remote VPN access to as many sites customer and gets stuck to the top with the same question!

    -The remote VPN Client connects, authenticates successfully to the local user database (to make things easier, I used the local user authentication), the tunnel is set up (I could see the exit of the isakmp #show her as a AM_ACTIVE ). So I think that the parameters of encryption and authentication for Phase 1 /Phase 2 should work because the tunnel is having successfully established

    -Now comes the question, no connectivity to the internal network. I tried all the possible solutions, that I could find online.

    1. the most common problem is NAT - Traversal not active

    -Compatible NAT - T with the time default keepalive of 20

    2. None of the configurations NAT to exempt remote VPN traffic

    -A ensured that Nat configurations not present in configuration and internal network 192.168.1.X VPN traffic networks VPN 192.168.5.X /192.168.10.X being exempted NAT

    3-Split tunnel configurations

    -Reconfigured Split tunnel access list configuration Standard access list expanded (although not required as a Standard access list is more than enouugh, if I'm not mistaken) to allow traffic selected from 192.168.1.X for 192.168.5.X/192.168.10.X that will create routes on Client that allows users to simultaneously access VPN resources and access Internet VPN client. The Tunnel from Split network group was added again to the group policy.

    4 enabled Perfect Forward Secrecy (PFS) /Disabled

    . It may be an extra charge, it has been disabled / enabled

    5. the road opposite Injection

    -Ensured that a temporary reverse route has been injected to the routing table by allowing the reverse Route Injection to insert automatically the temporary static routes to the remote tunnel using the command set reverse road networks

    A few more interesting things were noted:

    Encrypted and Bypassed packages found when a continuous ping started the ASA inside the interface.

    No decryption happens of the VPN Client, which means that there is no answer back from the network traffic statistics.

    Decryption and packages are found be increasing when I try to ping of the IP address to the customer (192.168.0.10) has published the SAA. But on the SAA, I'm not back any response and showing as? . So that would mean that there is communication of ASA to the customer via the VPN tunnel while no communication is happening from the internal network to the customer

    The entire configuration is shown below

    ASA Version 8.2 (1)
    !
    ciscoasa hostname
    activate the encrypted password of AS3P3A8i0l6.JxwD
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    address IP X.X.X.X 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    access-list extended SHEEP allowed ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    ST1 list extended access permitted ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    IP local pool testpool 192.168.0.10 - 192.168.0.15
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (inside) 0 access-list SHEEP
    NAT (inside) 1 0.0.0.0 0.0.0.0
    Route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    AAA authentication enable LOCAL console
    AAA authentication http LOCAL console
    the ssh LOCAL console AAA authentication
    AAA authentication LOCAL telnet console
    Enable http server
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outdoors
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto-map dynamic dyn1 1jeu transform-set FirstSet
    Crypto-map dynamic dyn1 1jeu reverse-road
    dynamic mymap 1 dyn1 ipsec-isakmp crypto map
    mymap outside crypto map interface
    crypto ca server
    SMTP address [email protected] / * /
    crypto ISAKMP allow outside
    crypto ISAKMP policy 1
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 43200
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH 0.0.0.0 0.0.0.0 inside
    SSH timeout 5
    Console timeout 0
    dhcpd outside auto_config
    !
    dhcpd address 192.168.1.10 - 192.168.1.132 inside
    dhcpd dns 8.8.8.8 4.4.4.4 interface inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    internal RAVPN group policy
    RAVPN group policy attributes
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value ST1
    the address value testpool pools
    dk Z6zukyDvwVjP7o24 encrypted privilege 15 password username
    sv i1gRUVsEALixX3ei encrypted password username
    tunnel-group testgroup type remote access
    tunnel-group testgroup General attributes
    address testpool pool
    Group Policy - by default-RAVPN
    testgroup group tunnel ipsec-attributes
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:48f0863a70b8f382c7b71db0b88620fe
    : end

    ----

    Could you please help me identify where I'm going wrong. Its been a long time I have trying to figure out but nothing seems to work! ;-(

    Help, please!

    Thank you

    ANUP

    (1) pls replace the tunnel ACL ACL standard split as follows:

    no extended ST1 192.168.1.0 ip access list allow 255.255.255.0 192.168.0.0 255.255.255.0

    access-list allowed ST1 192.168.1.0 255.255.255.0

    (2) add icmp inspection:

    Policy-map global_policy

    class inspection_default

    inspect the icmp

    (3) Finally, I add the following so that you can test the ASA inside the interface:

    management-access inside

  • Failed to start remote access service

    Hello

    I get a vps and I install ca and iis and the remote access service

    I allow it as a vpn server

    When I try to run the remote access service there gives me an error

    The Routing and remote access is dependent on the Remote Access Connection Manager service, which could not start due to the following error:

    The dependency service or group was able to start.

    I reslove this problem to run these commands:

    netcfg u ms_sstp

    netcfg - c p-i ms_sstp.

    net start sstpsvc

    net start rasman

    now when I am tempted to throw there gives me this error:

    The Remote Access Connection Manager service terminated with the following error:

    The system cannot find the specified device.

    So what is the problem?

    Thank you.

    Hello

    Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the Microsoft TechNet forum. You can follow the link to your question:

    http://social.technet.Microsoft.com/forums/en-us/categories

  • Static IP remote access for the media center

    I NMH410 work through a WRT610N router.   My ports are configured for static IP access.  Seems to just going through www.ciscomediahub.com does not work well for me.

    Can someone provide the 'exact' URL I would enter in order to access my media center?

    Documentation of assistance through Cisco shows: https://Wan_IP_Address but that doesn't seem to work.  The demand is just there and finally once outside.

    To everyone:

    Apparently, I discovered and corrected the problem that I had with 'Remote access' to my Media Hub.

    Somehow, there are two configurations of router that had to be done.  On two port forwarding configurations has been necessary and once allowed me to access the media center.

    It seems that my ISP has a 192.168.x.x address router that was different from the address of my router 192.168.x.x.  It is on the home router when I incoming and make changes to the information of port forwarding.  The fact that I was getting an error message indicating that I wasn't even reached my router alerted me to the fact that my ISP was blocking remote access.  In the end, that's where my problem was discovered.

    Translate:

    If you have problems to access your media "at a distance" pole through its IP address (and not by the cisco media center), make sure that you configure the ports of the router specified by your Internet provider address, as well as the ports of the router that you have on your network home.

    I have forwarded port 443 on the two addresses of router port, and I can now access my media hub remotely.  Now if I can't play videos remotely, I'll be set.  This leads to another problem that I'll send it in another thread.

    Thanks for the help and suggestions of each.

  • Problems with Windows 7 Pro Remote Access

    I'm on a Windows 7 Pro machine, but it is connected to a working network.

    I'm trying to access Windows 7 Pro machine to my parents at home.

    I went through These Instructions.  We have created a password for one of the user accounts.  I checked the name of the computer (there is no listed area).  We confirmed that remote access has been enabled and allow remote access has been verified in the firewall settings.

    However, when I start "Remote Desktop connection" on my computer and put their computer name in the box, I get a message that it cannot find the computer.  Then, the message indicates that the computer cannot belong to "the network specified."  But there is no specified network, and I see no where to do it.

    In addition, it is possible that my work security settings prevent me from remote accessing another computer?

    Last question: if I used the Fusion of the virtual machine on my Mac, with Windows 7, I can remote access to another computer?

    Real technique.  The problem boils down to the IP address.  Your computer probably has an IP of 192.168.1.8 or something like that.  But the router any fact domestic in the world.  So when you want to connect to the remote computer, you must use the IP public face (which the internet service provider home assigns to your router/home, not that of your router assigns to your computer).  But then, you're always short because now you have at home, but you have to tell the House what PC actually send this letter too.  It's like an envelope with an address half. Port forwarding it tells the final step which PC should receive the message.

    But yes I agree they could at least put a link or an explanation.

  • ODA IP ASA when you browse the web via remote access vpn

    Hi all

    I was wondering if it is possible to configure an ASA5510 in a way to allow users remote access VPN use external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the IP address of the ASA, when browsing.

    The firmware version of the ASA is 9.1 (6)

    Thanks in advance

    Hello

    What you want to achieve is calles u-turn.

    You must enable the feature allowed same-security-traffic intra-interface

    For the configuration of the asa, here's the Cisco documentation (I don't copy paste on the post):

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Thank you

    PS: Please do not forget to rate and score as good response if this solves your problem

  • Urgent! Users of remote access VPN connects but cannot access remote LAN (ping, folder,...)

    Hello

    I am setting up a VPN on a Cisco ASA 5510 version 8.4 remote access (4) 1.

    When I try to connect via the Cisco VPN client software, I am able to connect however I am unable to access network resources.

    However, I can ping the servers in the other site that is connected through the VPN site-to site to the main site!

    VPN client--> main site (ping times on)--> Site connected with the main site with VPN S2S (successful ping)

    Please help me I need to find a solution as soon as POSSIBLE!

    Thank you in advance.

    Hello

    Please remove the NAT exemption and the re - issue the command but with #1, so it will place the NAT as first line:

    No nat (SERVERS, external) static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

    NAT (SERVERS, external) 1 static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

    After re-configured this way, make sure that this command is also available:

    Sysopt connection permit VPN

    This sysopt will allow traffic regardles any ACL a fall, just in case. Please continue to run a package tracer and post it here,

    Packet-trace entry Server icmp XXXXXX 8 0 detailed YYYYY

    XXXX--> server IP

    AAAA--> VPN IP of the user

    Don't forget to do the two steps and a just in case, capture Please note and mark it as correct the useful message!

    Thank you

    David Castro,

  • Configuring remote access VPN

    Hi all

    I need help with remote access vpn configuration. I want to some remote users who have access to the internet on their system to connect and access an application server in my seat social cisco vpn client user. I use Cisco 881. I am unable to use the SDM configuration because it seems that SDM is not supported by the router so I'm using command line. I'd appreciate any help I can get. Thank you.

    This is the configuration I have:

    VPNROUT #sho run
    Building configuration...

    Current configuration: 6832 bytes
    !
    ! Last configuration change at 10:50:45 UTC Saturday, May 30, 2015, by thomas
    version 15.2
    no service button
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    hostname VPNROUT
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    AAA authentication login userauthen1 local
    AAA authorization groupauthor1 LAN
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    iomem 10 memory size
    !
    Crypto pki trustpoint TP-self-signed-1632305899
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 1632305899
    revocation checking no
    rsakeypair TP-self-signed-1632305899
    !
    !
    TP-self-signed-1632305899 crypto pki certificate chain
    certificate self-signed 01
    3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
    69666963 31363332 33303538 6174652D 3939301E 170 3134 30313233 31323132
    33325A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36333233 65642D
    30353839 3930819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
    8100BC0C 341CD79B A38572CE 1F0F9A91 F96B133C A889B564 E8352034 1CF5EE4B
    B505616B 6014041B EC498C0A F6C5CD2B F5BF62DA BD6E1C44 0C7B9089 1FD0C6E5
    299CEB40 28CD3F3B ADE3468A B07AAA9F AC42F0A7 4087172A 33C4013D 9A50884D
    5778727E 53A4940E 6E622460 560C F597DD53 3B 261584 E45E8776 A848B73D 5252
    92 50203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355 D
    551 2304 18301680 14E85AD0 DEF133D8 E09516FD 0AA5FDAD E10EAB1A FA301D06
    03551D0E E85AD0DE 04160414 F133D8E0 9516FD0A A5FDADE1 0EAB1AFA 300 D 0609
    2A 864886 818100A 5 05050003 5B23ED5B 9A380E1F 467ABB03 BAB1070B F70D0101
    7A 218377 73089DC1 D32DA585 C5FD7ECE 0D000F96 7F3AB6CC 71509E8F 3F1C55AE
    E37536A3 1008FBF9 A29329D5 6F76DDC0 AA1C70AE 958AAE5D 32388BE4 2C1C6839
    0369 D 533 027B612C 8D199C35 C008FE00 F7E1DF62 9C73E603 85C3240A 63611D 93
    854A61E2 794F8EF5 DA535DCC B209DA
    quit smoking
    !
    !
    !
    no record of conflict ip dhcp
    DHCP excluded-address IP 10.10.10.1
    DHCP excluded-address IP 172.20.0.1 172.20.0.50
    !
    DHCP IP CCP-pool
    import all
    Network 10.10.10.0 255.255.255.248
    default router 10.10.10.1
    Rental 2 0
    !
    IP dhcp pool 1
    network 172.20.0.0 255.255.240.0
    domain meogl.net
    router by default - 172.20.0.1
    172.20.0.4 DNS server 41.79.4.11 4.2.2.2 8.8.8.8
    8 rental
    !
    !
    !
    no ip domain search
    IP domain name meogl.net
    name of the IP-server 172.20.0.4
    name of the IP-server 41.79.4.11
    IP-server names 4.2.2.2
    8.8.8.8 IP name-server
    IP cef
    No ipv6 cef
    !
    !
    license udi pid CISCO881-K9 sn FCZ1804C3SL
    !
    !
    username secret privilege 15 thomas 4 JXSizd1r/hMqPpGz94vKBb5somtpZLy03k50rJvHO6c
    username privilege 15 secret 4 mowe hlfv/rdDRCAeTUzRXbOIfdaKhJCl1onoGdaQeaQsAnw
    !
    !
    !
    !
    !
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    ISAKMP crypto client configuration group moweclients
    XXXXXXX key
    DNS 172.20.0.4
    meogl.net field
    pool mowepool
    !
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac moweset
    tunnel mode
    !
    !
    !
    Dynmap crypto dynamic-map 1
    Set transform-set moweset
    market arriere-route
    !
    !
    card crypto client mowemap of authentication list userauthen1
    card crypto isakmp authorization list groupauthor1 mowemap
    client configuration address card crypto mowemap answer
    mowemap 1 card crypto ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    !
    interface Loopback0
    IP 172.30.30.1 255.255.255.0
    IP nat inside
    IP virtual-reassembly in
    !
    interface FastEthernet0
    no ip address
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    switchport access vlan 100
    no ip address
    !
    interface FastEthernet3
    no ip address
    !
    interface FastEthernet4
    IP 41.7.8.13 255.255.255.252
    NAT outside IP
    IP virtual-reassembly in
    intellectual property policy map route VPN-CLIENT
    Shutdown
    automatic duplex
    automatic speed
    mowemap card crypto
    !
    interface Vlan1
    Description $ETH_LAN$
    IP 10.10.10.1 255.255.255.248
    IP tcp adjust-mss 1452
    !
    interface Vlan100
    IP 172.20.0.1 255.255.240.0
    IP nat inside
    IP virtual-reassembly in
    !
    local pool IP 192.168.1.1 mowepool 192.168.1.100
    IP forward-Protocol ND
    IP http server
    23 class IP http access
    local IP http authentication
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    IP nat inside source overload map route interface FastEthernet4 LAT
    IP route 0.0.0.0 0.0.0.0 41.7.8.12
    !
    access-list 23 allow 10.10.10.0 0.0.0.7
    access-list 23 allow 172.20.0.0 0.0.15.255
    access-list 100 permit ip 172.20.0.0 0.0.15.255 everything
    access-list 144 allow ip 192.168.1.0 0.0.0.255 any
    not run cdp
    !
    LAT route map permit 1
    corresponds to the IP 100
    IP 41.7.8.12 jump according to the value
    !
    route VPN-CLIENT map permit 1
    corresponds to the IP 144
    !
    Line con 0
    no activation of the modem
    line to 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    !
    !
    end

    Please the configuration above, give me the desired output.

    Thank you.

    Hello Thomas,.

    I'm glad to hear that you have found useful in the example configuration.

    I checked your configuration and everything seems ok with him, especially the statements of nat.

     ip local pool mowepool 192.168.1.1 192.168.1.100 access-list 100 deny ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255 access-list 100 permit ip 172.20.0.0 0.0.15.255 any route-map LAT permit 1 match ip address 100 ip nat inside source route-map LAT interface FastEthernet4 overload interface Vlan100 ip address 172.20.0.1 255.255.240.0 ip nat inside ip virtual-reassembly in

    Try to generate ICMP traffic behind your 100 VLANS to the client VPN in order to answer the following questions:

    -The router receives this traffic between VLAN100 unit?

    -The router is encrypt this traffic, after receiving the ICMP packet?

    #show crypto ipsec router its can help you with this question. Look for the program/decaps counters.

    -The same, but the other way around (from VPN client to device behind VLAN100) try to locate the problem.

    The following document explains more this crypto commands and debugs if necessary.

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation-IKE-protocols/5409-IPSec-debug-00.html#iosdbgs

  • Remote access VPN users unable to see local lan or internet

    We implement an ASA5510. Now our users can connect to the vpn but cannot access the internal Lan or internet.

    Here is the config. Any help or idea would be greatly appreciated. Thank you

    Cryptochecksum: dd11079f e4fe7597 4a8657ba 1e7b287f

    : Saved
    : Written by enable_15 at 11:04:57.005 UTC Wednesday, April 22, 2015
    !
    ASA Version 9.0 (3)
    !
    CP-ASA-TOR1 hostname
    activate m.EmhnDT1BILmiAY encrypted password
    names of
    local pool CPRAVPN 10.10.60.1 - 10.10.60.40 255.255.255.0 IP mask
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    IP 63.250.109.211 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    10.10.10.254 IP address 255.255.255.0
    !
    interface Ethernet0/2
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    passive FTP mode
    the local object of net network
    10.10.10.0 subnet 255.255.255.0
    net remote object network
    10.10.1.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_10.10.10.0_24 object
    10.10.10.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_10.10.60.0_26 object
    255.255.255.192 subnet 10.10.60.0
    Outside_1_cryptomap to access extended list ip 10.10.10.0 allow 255.255.255.0 net object / distance
    CPRemoteVPN_splitTunnelAcl list standard access allowed 10.10.10.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    management of MTU 1500
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm-731 - 101.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) local static source net net-local destination static net distance net-distance
    NAT (inside, outside) static source NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 non-proxy-arp-search of route static destination
    !
    NAT (inside, outside) source after-service dynamic automatic one interface
    Route outside 0.0.0.0 0.0.0.0 63.250.109.209 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    Enable http server
    http 192.168.1.0 255.255.255.0 management
    http 10.10.10.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto Outside_map 1 corresponds to the address Outside_1_cryptomap
    card crypto Outside_map 1 set pfs Group1
    card crypto Outside_map 1 set peer 209.171.34.91
    card crypto Outside_map 1 set transform-set ESP-3DES-SHA ikev1
    card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    Outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal CPRemoteVPN group strategy
    attributes of Group Policy CPRemoteVPN
    Server DNS 10.10.10.12 value
    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
    value of Split-tunnel-network-list CPRemoteVPN_splitTunnelAcl
    carepath.local value by default-field
    Split-dns value carepath.ca
    activate dns split-tunnel-all
    no method of MSIE-proxy-proxy
    the address value CPRAVPN pools
    roys jjiV7E.dmZNdBlFQ encrypted password privilege 0 username
    roys username attributes
    VPN-group-policy CPRemoteVPN
    tunnel-group 209.171.34.91 type ipsec-l2l
    IPSec-attributes tunnel-group 209.171.34.91
    IKEv1 pre-shared-key *.
    type tunnel-group CPRemoteVPN remote access
    attributes global-tunnel-group CPRemoteVPN
    address CPRAVPN pool
    Group Policy - by default-CPRemoteVPN
    IPSec-attributes tunnel-group CPRemoteVPN
    IKEv1 pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:dd11079fe4fe75974a8657ba1e7b287f

    : end

    Hello

    A couple of things set this:

    -crypto isakmp nat-traversal 20

    -management-access inside

    Can you run a packet tracer and attach it here, to see what are the phases that crosses the package.

    David Castro,

    Concerning

Maybe you are looking for