Split tunneling cannot access remote host

Similar Questions

• Access remote VPN, no split tunneling, internet access. Translation NAT problem

  Hi all, I'm new to the forum.  I have a Cisco ASA 5505 with confusing (to me) question NAT.

  Unique external IP (outside interface) with several translations of NAT static object to allow the redirection of port of various internal devices.  The configuration worked smoothly during the past years.

  Recently, I configured a without the split tunneling VPN remote access and access to the internet and noticed yesterday that my port forwarding has stopped working.

  I reviewed the new rules for the VPN NAT and found the culprit.

  I've been reviewing the rules again and again, and all I can think about and interpret it, I don't know how this rule affects the port forwarding on the device or how to fix.

  Here's the NAT rules, I have in place: ('inactive' rule is the culprit.  Once I have turn on this rule, the port forwarding hits a wall)

  NAT (inside, outside) static source any any static destination VPN_Subnet VPN_Subnet non-proxy-arp-search to itinerary
  NAT (outside, outside) static source VPN_Subnet VPN_Subnet VPN_Subnet VPN_Subnet non-proxy-arp-search of route static destination
  NAT (outside, outside) source VPN_Subnet dynamic interface inactive
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  network of the XXX_HTTP object
  NAT (inside, outside) interface static tcp www www service
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

  Any help would be appreciated.

  Try changing the nat rule to VPN_Subnet interface of nat (outside, outside) the after-service automatic dynamic source

  With respect,

  Safwan

• AnyConnect VPN users cannot access remote subnets?

  I googled this until blue in the face without result.  I don't understand why Cisco this so difficult?  When clients connect to the anyconnect vpn, they can access the local subnet, but cannot access the resources in remote offices.  What should I do to allow my anyconnect vpn clients access to my remote sites?

  Cisco 5510 8.4

  Hello

  What are remote sites using as Internet gateway? Their default route here leads to the ASA or have their own Internet gateway? If they use this ASA for their Internet connection while they should already have a default route that leads traffic to the VPN to the pool, even if they had no specific route for the VPN itself pool. If they use their own local Internet gateway and the default route is not directed to this ASA then you would naturally have a route on the remote site (and anything in between) indicating the remote site where to join the pool of 10.10.224.0/24 VPN network.

  In addition to routing, you must have configured for each remote site and the VPN pool NAT0

  Just a simple example of NAT0 configuration for 4 networks behind the ASA and simple VPN field might look like this

  object-group network to REMOTE SITES

  object-network 10.10.10.0 255.255.255.0

  object-network 10.10.20.0 255.255.255.0

  object-network 10.10.30.0 255.255.255.0

  object-network 10.10.40.0 255.255.255.0

  network of the VPN-POOL object

  10.10.224.0 subnet 255.255.255.0

  NAT static destination DISTANCE-SITES SITES source (indoor, outdoor) REMOTE static VPN-VPN-POOL

  The above of course assumes that the remote site are located behind the interface 'inside' (although some networks, MPLS) and naturally also the remote site networks are made for the sake of examples.

  Since you are using Full Tunnel VPN should be no problem to the user VPN transfer traffic to this ASA in question.

  My first things to check would be configuring NAT0 on the ASA and routing between remote sites and this ASA (regarding to reach the VPN pool, not the ASA network IP address)

  Are you sure that the configuration above is related to this? Its my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?

  -Jouni

• AnyConnectVPN users cannot access remote vpn site-to-site

  Hello-

  We have two 5510 s ASA one in 8.4 (4) and the other to 8.2 (5) in a site to site VPN configuration. All internal traffic is working smoothly.

  A: site/subnet 192.160.0.0 - local (8.4 (4)) Site/subnet b: 192.260.0.0 - distance (8.2 (5)) VPN users: 192.160.40.0 - assigned by ASA

  When you VPN into the network, all the hits of traffic A Site and everything on the subnet A is accessible.

  However, the site B is totally inaccessible to users of VPN. All computers on subnet B, the firewall itself, etc. is not reachable by ping or otherwise.

  There are also some NAT rules weird that I'm not happy with that were created after that I upgraded the Site to ASA to 8.4

  A resident of the site: external 192.160.x.x: 55.55.555.201(main)/202(mail)

  Site B (in addition to site to site) is external 192.260.x.x: 66.66.666.54 (all)

  I've pretty much just the basic rules of the NAT for VPN, Email, Internet and site to site.

  What I need to add for the VPN access to the network from site to site?

  Here is my config NAT:

  NAT (inside, outside) static source DOMAIN_LOCAL DOMAIN_LOCAL VPN_Network VPN_Network non-proxy-arp-search of route static destination

  NAT (inside, outside) static source DOMAIN_LOCAL DOMAIN_LOCAL DOMAIN_REMOTE DOMAIN_REMOTE non-proxy-arp-search of route static destination

  !

  network of the DMZ_Network object

  dynamic NAT interface (DMZ, outside)

  network of the DOMAIN_LOCAL object

  NAT dynamic interface (indoor, outdoor)

  network of the EXCHANGE_Exchange object

  NAT static Outside_Mail (any, any)

  network of the DOMAINCTRL_DHCP object

  NAT (inside, outside) interface static tcp ftp ftp service

  Thank you very much in advance and I hope that I've been pretty thorough.

  Let me know if you need anything that anyone else. Thank you!!

  Theo,

  You don't need the NAT rules outside (depending on your configuration).

  Basically, you need to add the pool VPN L2L traffic and network remote to the ACL of split tunneling (if configured), also the "permit same-security-traffic intra-interface".

  Please let me know.

  Thank you.

• Cannot access remote network by VPN Site to Site ASA

  Hello everyone

  First of all I must say that I have configured the VPN site-to site a million times before.  Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks

  ASA local:
  hostname gyd - asa
  domain bct.az
  activate the encrypted password of XeY1QWHKPK75Y48j
  XeY1QWHKPK75Y48j encrypted passwd
  names of
  DNS-guard
  !
  interface GigabitEthernet0/0
  Shutdown
  nameif vpnswc
  security-level 0
  IP 10.254.17.41 255.255.255.248
  !
  interface GigabitEthernet0/1
  Vpn-turan-Baku description
  nameif outside Baku
  security-level 0
  IP 10.254.17.9 255.255.255.248
  !
  interface GigabitEthernet0/2
  Vpn-ganja description
  nameif outside-Ganja
  security-level 0
  IP 10.254.17.17 255.255.255.248
  !
  interface GigabitEthernet0/2.30
  Description remote access
  VLAN 30
  nameif remote access
  security-level 0
  IP 85.*. *. * 255.255.255.0
  !
  interface GigabitEthernet0/3
  Description BCT_Inside
  nameif inside-Bct
  security-level 100
  IP 10.40.50.65 255.255.255.252
  !
  interface Management0/0
  nameif management
  security-level 100
  IP 192.168.251.1 255.255.255.0
  management only
  !
  boot system Disk0: / asa823 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  name-server 192.168.1.3
  domain bct.az
  permit same-security-traffic intra-interface
  object-group network obj - 192.168.121.0
  object-group network obj - 10.40.60.0
  object-group network obj - 10.40.50.0
  object-group network obj - 192.168.0.0
  object-group network obj - 172.26.0.0
  object-group network obj - 10.254.17.0
  object-group network obj - 192.168.122.0
  object-group service obj-tcp-eq-22
  object-group network obj - 10.254.17.18
  object-group network obj - 10.254.17.10
  object-group network obj - 10.254.17.26
  access-list 110 scope ip allow a whole
  NAT list extended access permit tcp any host 10.254.17.10 eq ssh
  NAT list extended access permit tcp any host 10.254.17.26 eq ssh
  access-list extended ip allowed any one sheep
  icmp_inside list extended access permit icmp any one
  icmp_inside of access allowed any ip an extended list
  access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
  RDP list extended access permit tcp any host 192.168.45.3 eq 3389
  rdp extended permitted any one ip access list
  sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
  NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
  NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
  NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
  GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
  Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
  azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
  permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
  permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
  pager lines 24
  Enable logging
  emblem of logging
  recording of debug console
  recording of debug trap
  asdm of logging of information
  Interior-Bct 192.168.1.27 host connection
  flow-export destination inside-Bct 192.168.1.27 9996
  vpnswc MTU 1500
  outside Baku MTU 1500
  outside-Ganja MTU 1500
  MTU 1500 remote access
  Interior-Bct MTU 1500
  management of MTU 1500
  IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
  IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any outside Baku
  ICMP allow access remotely
  ICMP allow any interior-Bct
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  global (outside-Baku) 1 interface
  global (outside-Ganja) interface 2
  3 overall (RAS) interface
  azans access-list NAT 3 (outside-Ganja)
  NAT (remote access) 0 access-list sheep-vpn-city
  NAT 3 list nat-vpn-internet access (remote access)
  NAT (inside-Bct) 0-list of access inside_nat0_outbound
  NAT (inside-Bct) 2-nat-ganja access list
  NAT (inside-Bct) 1 access list nat
  Access-group rdp on interface outside-Ganja
  !
  Router eigrp 2008
  No Auto-resume
  neighbor 10.254.17.10 interface outside Baku
  neighbor 10.40.50.66 Interior-Bct interface
  Network 10.40.50.64 255.255.255.252
  Network 10.250.25.0 255.255.255.0
  Network 10.254.17.8 255.255.255.248
  Network 10.254.17.16 255.255.255.248
  redistribute static
  !
  Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
  Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
  Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
  Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
  Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
  Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
  Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
  Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
  Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
  Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
  Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
  Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
  Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
  Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA-server protocol Ganymede GANYMEDE +.
  AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
  key *.
  AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
  key *.
  RADIUS protocol AAA-server TACACS1
  AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
  key *.
  AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
  key *.
  authentication AAA ssh console LOCAL GANYMEDE
  Console to enable AAA authentication RADIUS LOCAL
  Console Telnet AAA authentication RADIUS LOCAL
  AAA accounting ssh console GANYMEDE
  Console Telnet accounting AAA GANYMEDE
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 Interior-Bct
  http 192.168.139.0 255.255.255.0 Interior-Bct
  http 192.168.0.0 255.255.255.0 Interior-Bct
  Survey community SNMP-server host inside-Bct 192.168.1.27
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
  Crypto ipsec transform-set newset aes - esp esp-md5-hmac
  Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
  Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
  Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
  Crypto ipsec transform-set vpnclienttrans transport mode
  life crypto ipsec security association seconds 2147483646
  Crypto ipsec kilobytes of life security-association 2147483646
  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
  correspondence address card crypto mymap 10 110
  card crypto mymap 10 peers set 10.254.17.10
  card crypto mymap 10 transform-set RIGHT
  correspondence address card crypto mymap 20 110
  card crypto mymap 20 peers set 10.254.17.11
  mymap 20 transform-set myset2 crypto card
  card crypto mymap interface outside Baku
  correspondence address card crypto ganja 10 110
  10 ganja crypto map peer set 10.254.17.18
  card crypto ganja 10 transform-set RIGHT
  card crypto interface outside-Ganja ganja
  correspondence address card crypto vpntest 20 110
  peer set card crypto vpntest 20 10.250.25.1
  newset vpntest 20 transform-set card crypto
  card crypto vpntest interface vpnswc
  vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
  card crypto interface for remote access vpnclientmap
  Crypto ca trustpoint ASDM_TrustPoint0
  registration auto
  name of the object CN = gyd - asa .az .bct
  sslvpnkeypair key pair
  Configure CRL
  map of crypto DefaultCertificateMap 10 ca certificate

  crypto isakmp identity address
  ISAKMP crypto enable vpnswc
  ISAKMP crypto enable outside-Baku
  ISAKMP crypto enable outside-Ganja
  crypto ISAKMP enable remote access
  ISAKMP crypto enable Interior-Bct
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  aes encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 40
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  Crypto isakmp nat-traversal 30
  No vpn-addr-assign aaa
  Telnet timeout 5
  SSH 192.168.0.0 255.255.255.0 Interior-Bct
  SSH timeout 35
  Console timeout 0
  priority queue outside Baku
  queue-limit 2046
  TX-ring-limit 254
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  Server NTP 192.168.1.3
  SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
  SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
  SSL-trust ASDM_TrustPoint0 remote access point
  WebVPN
  turn on remote access
  SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
  enable SVC
  tunnel-group-list activate
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  internal group ssl policy
  attributes of group ssl policy
  banner welcome to SW value
  value of DNS-server 192.168.1.3
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  group-lock value SSL
  WebVPN
  value of the SPS URL-list
  internal vpn group policy
  attributes of vpn group policy
  value of DNS-server 192.168.1.3
  Protocol-tunnel-VPN IPSec l2tp ipsec
  disable the PFS
  BCT.AZ value by default-field
  ssl VPN-group-strategy
  WebVPN
  value of the SPS URL-list
  IPSec-attributes tunnel-group DefaultL2LGroup
  ISAKMP retry threshold 20 keepalive 5
  attributes global-tunnel-group DefaultRAGroup
  raccess address pool
  Group-RADIUS authentication server
  Group Policy - by default-vpn
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  IPSec-attributes tunnel-group DefaultWEBVPNGroup
  ISAKMP retry threshold 20 keepalive 5
  tunnel-group 10.254.17.10 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.10
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  type SSL tunnel-group remote access
  attributes global-group-tunnel SSL
  ssl address pool
  Authentication (remote access) LOCAL servers group
  Group Policy - by default-ssl
  certificate-use-set-name username
  Group-tunnel SSL webvpn-attributes
  enable SSL group-alias
  Group-url https://85. *. *. * / activate
  tunnel-group 10.254.17.18 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.18
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  tunnel-group 10.254.17.11 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.11
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  type tunnel-group DefaultSWITGroup remote access
  attributes global-tunnel-group DefaultSWITGroup
  raccess address pool
  Group-RADIUS authentication server
  Group Policy - by default-vpn
  IPSec-attributes tunnel-group DefaultSWITGroup
  pre-shared key *.
  !
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect the rsh
  inspect the rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  Review the ip options
  class flow_export_cl
  flow-export-type of event all the destination 192.168.1.27
  class class by default
  flow-export-type of event all the destination 192.168.1.27
  Policy-map Voicepolicy
  class voice
  priority
  The class data
  police release 80000000
  !
  global service-policy global_policy
  service-policy interface outside Baku Voicepolicy
  context of prompt hostname

  Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
  : end
  GYD - asa #.

  ASA remote:
  ASA Version 8.2 (3)
  !
  ciscoasa hostname
  activate the encrypted password of XeY1QWHKPK75Y48j
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  DNS-guard
  !
  interface Ethernet0/0
  nameif inside
  security-level 100
  IP 192.168.80.14 255.255.255.0
  !
  interface Ethernet0/1
  nameif outside
  security-level 0
  IP 10.254.17.11 255.255.255.248
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  nameif management
  security-level 100
  no ip address
  management only
  !
  boot system Disk0: / asa823 - k8.bin
  passive FTP mode
  access-list 110 scope ip allow a whole
  192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  management of MTU 1500
  Within 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow all outside
  ICMP allow any inside
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside) 0 access-list sheep
  Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.80.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
  Crypto ipsec transform-set newset aes - esp esp-md5-hmac
  Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
  life crypto ipsec security association seconds 2147483646
  Crypto ipsec kilobytes of life security-association 2147483646
  correspondence address card crypto mymap 10 110
  card crypto mymap 10 peers set 10.254.17.9
  mymap 10 transform-set myset2 crypto card
  mymap outside crypto map interface
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  aes encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 40
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN

  tunnel-group 10.254.17.9 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.9
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname

  Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
  : end
  ciscoasa # $

  Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas

  Would appreciate any help. Thank you in advance...

  If the tunnel is up (phase 1), but no traffic passing the best test is the following:

  Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.

  inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside

  The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).

  Test on both directions.

  Please post the results.

  Federico.

• SOLVED: PC Windows 7 cannot access remote shares or the

  Head, meet wall. Wall, meet the leader.

  I have a W7/64 PC that cannot access network shares. He has been installed from the original CD (simple installation) but never worked. Resettlement is not a preferred option because the client already has tons of data and applications on it.

  Other machines can access the local shares of this PC, but it can access any remote shares (on any other PC W7) or his own - in short customer service around file sharing does not work properly, although this machine can see all available actions... She just can't access. Other PC can access machines that cannot do this. Ping works fine in all cases.

  "Remote machines appear in the list of"Network"in Windows Explorer, but trying to access them produces an error: the specified network provider name is invalid.

  No software anti-virus or firewall is currently installed or running.

  Troubleshooting output (the local computer is named GARRYDMK-PC):

  -[snip]-

  Trying to NET USE shares on the local computer:

  View C:\Windows\System32>net
  Server name remark
  --------------------------------------------------------
  \\SERVER
  \\DEREK-PC
  \\GARRYDMK-PC
  \\RECEPTION
  \\WAYNE-PC
  The command completed successfully.

  View C:\Windows\System32>NET \\garrydmk-pc
  Shared resources to the \\garrydmk-pc

  Share name Type used as comment
  --------------------------------------------------------
  Canon iP4200 print Canon iP4200
  Romeo & Juliet disc
  Shared disk
  Users drive
  VIDEO_TS disc
  The command completed successfully.

  C:\Windows\System32>net use g: \\garrydmk-pc\Shared
  The workstation service has not been started.

  More help is available by typing NET HELPMSG 2138.

  C:\Windows\System32>net start workstation
  The requested service has already been started.

  More help is available by typing NET HELPMSG 2182.

  C:\Windows\System32>net view \\server
  Shared resources to \\server

  Share name Type used as comment

  ------------------------------------------------------
  Disc of company Documents
  COMPUTERS-software disk
  The command completed successfully.

  C:\Windows\System32>net use g: \\\server\Company Documents.
  The workstation service has not been started.

  More help is available by typing NET HELPMSG 2138.

  -[/snip]-

  I'm trying to access here to all actions are available to all other machines of W7 in the network. (All machines are W7 boxes).

  Note how the workstation service is said not having started, but in fact has already started summer (which I checked in the list of services). In short, this does not appear be related to a service does not...

  I went through all the standard movements as posted on the Interwebs, including the verification of services, local policies, home groups, convenience stores, and which do not. Note that I tried to start the workstation service via a DOS box as an administrator; If I'm not I get a "system error 5 has occurred" and and "access denied".

  In short, I am completely puzzled. I start the troubleshooting of this PC, but now I want to just pull it. Please help before something bad happens... :-)

  Any suggestions would be greatly appreciated!

  FvW

  Hello

  The question you posted would be better suited to the TechNet community. Please visit the link below to find a community that will provide the support you want.

  http://social.technet.Microsoft.com/forums/en-us/category/w7itpro

  Hope this information is useful.

• On ASA 5505 VPN cannot access remote (LAN)

  I have an ASA 5505 upward and running, all static NAT statements I need to forward ports to the internal services such as smtp, desktop remotely and it works very well, however I have set up an IPSEC vpn connection that authenticates to our DC and part works. However, after I connect and cannot ping anything on the local network or access services. I don't know what a NAT statement I have corrected. Here is the config. I really need to get this up and going tomorrow. Thanks for any help.

  Tyler

  Just remove the line of nat (outside) and ACL outside_nat0_outbound.

  And talk about these statements:

  IPSec-1 sysopt connection permit... (If it is disabled, you can check with sh run sysopt).

  2, crypto isakmp nat traversal 10 or 20

  3 no NAT ACL, mention your local subnets as the source and vpn client as the destination.

  4, create the other ACL (ST) with different name and source and destination like no nat ACL.

  5, then type nat (inside) 0 access-list sheep

  6, in the dwgavpn group policy, talk to splittunnel tunnelspecified and mention the tunnel split ACL (ST).

  Concerning

• Cannot access remote through Windows Live Messenger

  During the years I helped my mother by remote access through Windows Live Messenger, but in recent days the small program that usually appears which shows two computers, try to connect are missing and I get the error message cannot display the page. If anyone has had the same problem and how solved you this problem?

  Submit all Live queries on the forum right here:

  Windows Live Solution Center
  http://windowslivehelp.com/

• VPN clients cannot access remote sites - PIX, routing problem?

  I have a problem with routing to remote from our company websites when users connect via their VPN client remotely (i.e. for home workers)

  Our headquarters contains a PIX 515E firewall. A number of remote sites to connect (via ADSL) to head office using IPSEC tunnels, ending the PIX.

  Behind the PIX is a router 7206 with connections to the seat of LANs and connections to a number of ISDN connected remote sites. The default route on 7206 points to the PIX from traffic firewall which sits to ADSL connected remote sites through the PIX. Internal traffic for LAN and ISDN connected sites is done via the 7206.

  Very good and works very well.

  When a user connects remotely using their VPN client (connection is interrupted on the PIX) so that they get an IP address from the pool configured on the PIX and they can access resources located on local networks to the office with no problems.

  However, the problem arises when a remote user wants access to a server located in one of the remote sites ADSL connected - it is impossible to access all these sites.

  On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.

  Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?

  (Note: I suggested a workaround, users can use a server on LAN headquarters as a "jump point" to connect to remote servers from there)

  with pix v6, no traffic is allowed to redirect to the same interface.

  for example, a remote user initiates an rdp session for one of the barns adsl. PIX decrypts the packet coming from the external interface and looks at the destination. because the destination is one of adsl sites, pix will have to return traffic to the external interface. Unfortunately, pix v6.x has a limitation that would force the pix to drop the packet.

  with the v7, this restriction has been removed with the "same-security-traffic control intra-interface permits".

  http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• Cannot access remote network via VPN

  Hello

  I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
  There is also a public oriented Web server in the office which must be accessible.

  I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.

  I'm quite puzzled as to why it does not work. Please could someone help.

  The results of tests and the router configuration are listed below. Please let me know if you need additional information.

  Thank you and best regards,
  Simon

  1. routing on the router table
  Router #sh ip route
  Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
  xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
  C XXX.yyy.zzz.192 is directly connected, Vlan10
  GGG.hhh.125.0/32 is divided into subnets, subnets 1
  C GGG.HHH.125.34 is directly connected, Dialer0
  172.16.0.0/32 is divided into subnets, subnets 1
  S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
  S * 0.0.0.0/0 [1/0] via ggg.hhh.125.34

  2. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
  > ping 172.16.100.1
  Ping 172.16.100.1 with 32 bytes of data:
  Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 255

  3. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
  > ping 172.16.100.10
  Ping 172.16.100.10 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.

  4. ping the router to the successful local server
  router #ping 172.16.100.10
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

  5 see the version
  Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
  ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
  the availability of router is 1 hour, 9 minutes
  System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
  Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
  10 FastEthernet interfaces
  1 ISDN basic rate interface
  Configuration register is 0 x 2102

  6. router Config
  AAA authentication login default local
  connection of local AAA VPN authentication.
  AAA authorization exec default local
  local authorization AAA VPN network
  !
  !
  AAA - the id of the joint session
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  Configuration group customer isakmp crypto ASI_Group
  key mykey
  DNS aaa.bbb.cccc.ddd
  domain mydomain.com
  pool VPN_Pool
  ACL VPN_ACL
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
  !
  crypto dynamic-map 10 DYNMAP
  game of transformation-TS1
  market arriere-route
  !
  !
  list of authentication of VPN client VPN crypto card
  card crypto VPN VPN isakmp authorization list
  crypto map VPN client configuration address respond
  card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
  !
  !
  !
  IP cef
  !
  !
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  username admin privilege 15 password mypassword
  Archives
  The config log
  hidekeys
  !
  !
  !
  !
  !
  interface FastEthernet0
  WAN description
  no ip address
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  automatic duplex
  automatic speed
  PPPoE enable global group
  PPPoE-client dial-pool-number 1
  !
  interface FastEthernet2
  Description Public_LAN_Interface
  switchport access vlan 10
  full duplex
  Speed 100
  !
  FastEthernet6 interface
  Description Private_LAN_Interface
  switchport access vlan 100
  full duplex
  Speed 100
  !
  interface Vlan1
  no ip address
  !
  interface Vlan10
  Public description
  IP address xxx.yyy.zzz.193 255.255.255.248
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Vlan100
  172.16.100.1 IP address 255.255.255.0
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Dialer0
  IP unnumbered Vlan10
  no ip unreachable
  IP mtu 1452
  IP virtual-reassembly
  encapsulation ppp
  no ip mroute-cache
  Dialer pool 1
  Dialer-Group 1
  Authentication callin PPP chap Protocol
  PPP chap hostname myhostname
  PPP chap password mychappassword
  PPP ipcp dns request accept
  failure to track PPP ipcp
  PPP ipcp address accept
  VPN crypto card
  !
  IP pool local VPN_Pool 172.16.100.50 172.16.100.60
  !
  !
  no ip address of the http server
  no ip http secure server
  !
  VPN_ACL extended IP access list
  IP 172.16.100.0 allow 0.0.0.255 any
  !
  Dialer-list 1 ip protocol allow
  not run cdp
  !
  !

  Simon,

  Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.

  Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.

  Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like

  IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

  219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255

  Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

  I hope this helps.

  Luis Raga

• Cannot access remote VPN site-to-site VPN

  Internal network: 192.168.0.0/16

  The remote VPN Clients: 192.168.0.100 - 192.168.0.254

  Remote (L2L) network: 10.10.10.0/26

  Remote VPN Clients are able to access the internal network without problem, but are unable to access the remote 10.10.10.0. Is it possible to debug this? "packet - trace" show no problem...

  Hi Ben,

  Please create a no. - nat on the external interface, because your customers to vpn-remote and remote-L2L tunnels are located on outside interface (i.e. from the outside).  You should treat your outside network identical to your inside network, as you would create a no. - nat for your inside networks.

  The ACL you create for the no - nat outside must be in both directions as below.

  permit access ip 192.168.0.0 scope list outside_nat0 255.255.255.0 10.10.10.0 255.255.255.192

  outside_nat0 to access extended list ip 10.10.10.0 allow 255.255.255.192 192.168.0.0 255.255.255.0

  NAT (outside) 0-list of access outside_nat0

  permit same-security-traffic intra-interface

  Pls let me know, if this is useful.

  Thank you

  Rizwan James

• Urgent! Users of remote access VPN connects but cannot access remote LAN (ping, folder,...)

  Hello

  I am setting up a VPN on a Cisco ASA 5510 version 8.4 remote access (4) 1.

  When I try to connect via the Cisco VPN client software, I am able to connect however I am unable to access network resources.

  However, I can ping the servers in the other site that is connected through the VPN site-to site to the main site!

  VPN client--> main site (ping times on)--> Site connected with the main site with VPN S2S (successful ping)

  Please help me I need to find a solution as soon as POSSIBLE!

  Thank you in advance.

  Hello

  Please remove the NAT exemption and the re - issue the command but with #1, so it will place the NAT as first line:

  No nat (SERVERS, external) static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

  NAT (SERVERS, external) 1 static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

  After re-configured this way, make sure that this command is also available:

  Sysopt connection permit VPN

  This sysopt will allow traffic regardles any ACL a fall, just in case. Please continue to run a package tracer and post it here,

  Packet-trace entry Server icmp XXXXXX 8 0 detailed YYYYY

  XXXX--> server IP

  AAAA--> VPN IP of the user

  Don't forget to do the two steps and a just in case, capture Please note and mark it as correct the useful message!

  Thank you

  David Castro,

• Win 7 VPN client cannot access remote resources beyond the VPN server

  I have a Win 7 laptop with work and customer Win 7 VPN set up, and through it that I can access everything allowed resources on the remote network.

  I built a new computer, set up the Win 7 client with the exact same parameters everywhere, connected to the VPN with success, but can not access any of the resources on the remote network that I can on my laptop.

  Win 7 64 bit SP 1

  I did research online and suggestions have already had reason of my new set up.  In addition, I have a second computer that I've set up the VPN client, and I'm having the same problem.  VPN connects successfully, but is unable to access the resources.

  Tested with firewall off the coast.

  Troubleshooting Diagnostic reports: your computer seems to be configured correctly, distance resources detected, but not answered do not.

  I created another VPN client on the new computer to another remote network and everything works perfectly.

  Remember the old VPN connection to the remote network that does not work on the new computer works perfectly on Win 7 64 bit laptop computer.

  So, what do I find also different between identical configurations "should be" where we work and two new machines is not?

  It must be something stupid.

  Hello

  This question is more suited for a TechNet audience. I suggest you send the query to the Microsoft TechNet forum. See the link below to do so:
  https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking

  Please let us know if you have more queries on Windows.

• Cannot access [\\vmware-host\shared files], no drive z: on W10 visitors in W10 hosts running Workstation 12 Pro

  The title says it all: I have guests Windows Pro 10 tree on a host Windows 10 Pro running VMware Workstation 12 Pro, and I can not access shared folders of the host within the VM settings (\\vmware-host\shared records), or the mapped Z: drive.

  Shared folders on the host computer using the normal windows, sharing mechanism are perfectly accessible from the guests. Shared folders on the guests using the normal windows, sharing mechanism are perfectly accessible from the host. Only those shared in the virtual computer settings are not available,

  I tried to remove and then re-add files, to temporarily disable and sharing, but also re - install VMware tools, with no chance of return. The device worked fine until my clients running Windows 7 and 8.1.

  I know there are questions like that all over the forum, but I have found no working solution for workstation Pro (and Windows 10).

  Someone at - it ideas?

  There was another thread a few days on the same subject, where it has been fixed by completely uninstall VMware Tools, by restarting the OS invited and reinstall the tools (Important: not only do a "repair" install).  Have you tried full uninstall-reboot-reinstall of tools?

  See you soon,.

  --

  Darius

• Cannot access the host guests

  Hello!

  I have a setup of VMWare Workstation 10:

  Host: Windows 7

  Client: Windows Server 2008

  From the host, I cannot ping the prompt, but the guest can ping the host.  I can also use SQL Server Management Studio on my host to connect to my guest.

  It worked under VMWare 9.  No idea what could have happened here?

  Thank you

  Matt

  He fixed, reset default network and the routing table have been updated (also had to reload the guests.

  Thanks for your advice!