The VPN Clients cannot Ping hosts

Similar Questions

• Cisco VPN Client cannot ping from LAN internal IP

  Hello

  I apologize in advance for my lack of knowledge about it, but I got a version of the software running ASA 5510 7.2 (2) and has been invited to set up a site with a client, I managed to get this configured and everything works fine. In addition, I created a group of tunnel ipsec-ra for users to connect to a particular server 192.168.10.100/24 remote, even if the connection is made successfully, I can not ping any IP on the LAN 192.168.10.0/24 located behind the ASA and when I ping inside the interface on the ASA it returns the public IP address of the external interface.

  If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.

  Thanks in advance.

  : Saved

  :

  ASA Version 7.2 (2)

  !

  hostname ciscoasa5510

  domain.local domain name

  activate the password. 123456789 / encrypted

  names of

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  PPPoE client vpdn group ISP

  12.34.56.789 255.255.255.255 IP address pppoe setroute

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 192.168.10.1 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.1 255.255.255.0

  management only

  !

  passwd encrypted 123456789

  passive FTP mode

  clock timezone GMT/UTC 0

  summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00

  DNS server-group DefaultDNS

  domain.local domain name

  permit outside_20_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124

  access-list Split_Tunnel_List note the network of the company behind the ASA

  Split_Tunnel_List list standard access allowed 192.168.10.0 255.255.255.0

  pager lines 24

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  IP local pool domain_vpn_pool 192.168.11.1 - 192.168.11.254 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 522.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Route outside 0.0.0.0 0.0.0.0 12.34.56.789 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  internal domain_vpn group policy

  attributes of the strategy of group domain_vpn

  value of 212.23.3.100 DNS server 212.23.6.100

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list Split_Tunnel_List

  username domain_ra_vpn password 123456789 encrypted

  username domain_ra_vpn attributes

  VPN-group-policy domain_vpn

  encrypted utilisateur.123456789 password username

  encrypted utilisateur.123456789 password username

  privilege of username user password encrypted passe.123456789 15

  encrypted utilisateur.123456789 password username

  the ssh LOCAL console AAA authentication

  AAA authentication enable LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 management

  http 192.168.10.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic outside_dyn_map 20 set pfs

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  card crypto outside_map 20 match address outside_20_cryptomap

  peer set card crypto outside_map 20 987.65.43.21

  outside_map crypto 20 card value transform-set ESP-3DES-SHA

  3600 seconds, duration of life card crypto outside_map 20 set - the security association

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  aes-256 encryption

  sha hash

  Group 5

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 987.65.43.21 type ipsec-l2l

  IPSec-attributes tunnel-group 987.65.43.21

  pre-shared-key *.

  tunnel-group domain_vpn type ipsec-ra

  tunnel-group domain_vpn General-attributes

  address domain_vpn_pool pool

  Group Policy - by default-domain_vpn

  domain_vpn group of tunnel ipsec-attributes

  pre-shared-key *.

  Telnet 192.168.10.0 255.255.255.0 inside

  Telnet timeout 5

  Console timeout 0

  VPDN group ISP request dialout pppoe

  VPDN group ISP localname [email protected] / * /

  VPDN group ISP ppp authentication chap

  VPDN username [email protected] / * / password *.

  dhcpd dns 212.23.3.100 212.23.6.100

  dhcpd lease 691200

  dhcpd ping_timeout 500

  domain.local domain dhcpd

  !

  dhcpd address 192.168.10.10 - 192.168.10.200 inside

  dhcpd allow inside

  !

  management of 192.168.1.2 - dhcpd address 192.168.1.254

  enable dhcpd management

  !

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:1234567890987654321

  : end

  Hello

  Seems to me that you are atleast lack the NAT0 configuration for your VPN Client connection.

  This configuration is intended to allow the VPN Client to communicate with the local network with their original IP addresses. Although the main reason that this is necessary is to avoid this traffic to the normal rule of dynamic PAT passing this traffic and that traffic is falling for the corresponding time.

  You can add an ACL rule to the existing ACL NAT0, you have above and the NAT configuration should go next

  Add this

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

  Hope this helps

  Let me know how it goes

  -Jouni

• The VPN Clients cannot access any internal address

  Without a doubt need help from an expert on this one...

  Attempting to define a client access on an ASA 5520 VPN that was used only as a

  Firewall so far. The ASA has been recently updated to Version 7.2 (4).

  Problem: Once connected, VPN client cannot access anything whatsoever. Client VPN cannot

  ping any address on internal networks, or even the inside interface of the ASA.

  (I hope) Relevant details:

  (1) the tunnel seems to be upward. Customers are the authenticated by the SAA and

  are able to connect.

  (2) by many other related posts, I ran a ' sh crypto ipsec her "to see the output: it

  appears that the packets are décapsulés and decrypted, but NOT encapsulated or

  encrypted (see the output of "sh crypto ipsec his ' home).

  (3) by the other related posts, we've added commands associated with inversion of NAT (crypto

  ISAKMP nat-traversal 20

  crypto ISAKMP ipsec-over-port tcp 10000). These were in fact absent from our

  Configuration.

  (4) we tried encapsulation TCP and UDP encapsulation with experimental client

  profiles: same result in both cases.

  (5) if I (attempt) ping to an internal IP address of the connected customer, the

  real-time log entries ASA show the installation and dismantling of the ICMP requests to the

  the inner target customer.

  (6) the capture of packets to the internal address (one that we try to do a ping of the)

  VPN client) shows that the ICMP request has been received and answered. (See attachment

  shooting).

  (7) our goal is to create about 10 VPN client of different profiles, each with

  different combinations of access to the internal VLAN or DMZ VLAN. We do not have

  preferences for the type of encryption or method, as long as it is safe and it works: that

  said, do not hesitate to recommend a different approach altogether.

  We have tried everything we can think of, so any help or advice would be greatly

  Sanitized the ASA configuration is also attached.

  appreciated!

  Thank you!

  It should be the last step :)

  on 6509

  IP route 172.16.100.0 255.255.255.0 172.16.20.2

  and ASA

  no road inside 172.16.40.0 255.255.255.0 172.16.20.2

• ASA 5520: Remote VPN Clients cannot ping LAN, Internet

  I've set up a few of them in my time, but I am confused with this one.  Can I establish connect via VPN tunnel but I can't ping or go on the internet.  I searched the forum for similar and found a little issues, but none of the fixes seem to match.  I noticed a strange thing is when I run ipconfig/all of the vpn client, the IP address that has been leased over the Pool of the VPN is also the default gateway!

  I have attached the config.  Help, please.

  Thank you!

  Exemption of NAT ACL has not yet been applied.

  NAT (inside) 0-list of access Inside_nat0_outbound

  In addition, you have not split tunnel, not sure you were using internet ASA for the vpn client internet browsing.

  You can also enable icmp inspection if you test in scathing:

  Policy-map global_policy
  class inspection_default

  inspect the icmp

  Hope that helps.

• Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

  Hello

  I have an ASA 5510 with the configuration below. I have configure the ASA as vpn server for remote access with cisco vpn client, now my problem is that I can connect but I can not ping.

  Config

  ciscoasa # sh run

  : Saved

  :

  ASA Version 8.0 (3)

  !

  ciscoasa hostname

  activate the 5QB4svsHoIHxXpF password / encrypted

  names of

  xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

  xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

  xxx.xxx.xxx.xxx name Mail_Server

  xxx.xxx.xxx.xxx IncomingIP name

  xxx.xxx.xxx.xxx SAP name

  xxx.xxx.xxx.xxx Web server name

  xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

  isa_server_outside name 192.168.2.2

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  address IP IncomingIP 255.255.255.248

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 192.168.2.1 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.253 255.255.255.0

  management only

  !

  passwd 123

  passive FTP mode

  clock timezone IS 2

  clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

  TCP_8081 tcp service object-group

  EQ port 8081 object

  DM_INLINE_TCP_1 tcp service object-group

  EQ port 3389 object

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  EQ smtp port object

  EQ Port pop3 object

  port-object eq 3200

  port-object eq 3300

  port-object eq 3600

  port-object eq 3299

  port-object eq 3390

  EQ port 50000 object

  port-object eq 3396

  port-object eq 3397

  port-object eq 3398

  port-object eq imap4

  EQ port 587 object

  port-object eq 993

  port-object eq 8000

  EQ port 8443 object

  port-object eq telnet

  port-object eq 3901

  purpose of group TCP_8081

  EQ port 1433 object

  port-object eq 3391

  port-object eq 3399

  EQ object of port 8080

  EQ port 3128 object

  port-object eq 3900

  port-object eq 3902

  port-object eq 7777

  port-object eq 3392

  port-object eq 3393

  port-object eq 3394

  Equalizer object port 3395

  port-object eq 92

  port-object eq 91

  port-object eq 3206

  port-object eq 8001

  EQ port 8181 object

  object-port 7778 eq

  port-object eq 8180

  port-object 22222 eq

  port-object eq 11001

  port-object eq 11002

  port-object eq 1555

  port-object eq 2223

  port-object eq 2224

  object-group service RDP - tcp

  EQ port 3389 object

  3901 tcp service object-group

  3901 description

  port-object eq 3901

  object-group service tcp 50000

  50000 description

  EQ port 50000 object

  Enable_Transparent_Tunneling_UDP udp service object-group

  port-object eq 4500

  access-list connection to SAP Note inside_access_in

  inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

  access-list inside_access_in note outgoing VPN - PPTP

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

  access-list inside_access_in note outgoing VPN - GRE

  inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

  Comment from inside_access_in-list of access VPN - GRE

  inside_access_in list extended access will permit a full

  access-list inside_access_in note outgoing VPN - Client IKE

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

  Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

  inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access udp allowed any any eq field

  Note to inside_access_in of outgoing DNS list access

  inside_access_in list extended access permit tcp any any eq field

  Note to inside_access_in to access list carried forward Ports

  inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

  access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

  outside_access_in of access allowed any ip an extended list

  outside_access_in list extended access permit tcp any any eq pptp

  outside_access_in list extended access will permit a full

  outside_access_in list extended access allowed grateful if any host Mail_Server

  outside_access_in list extended access permit tcp any host Mail_Server eq pptp

  outside_access_in list extended access allow esp a whole

  outside_access_in ah allowed extended access list a whole

  outside_access_in list extended access udp allowed any any eq isakmp

  outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

  list of access allowed standard VPN 192.168.2.0 255.255.255.0

  corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  management of MTU 1500

  pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 603.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT-control

  Global (outside) 2 Mail_Server netmask 255.0.0.0

  Global 1 interface (outside)

  Global interface (2 inside)

  NAT (inside) 0-list of access corp_vpn

  NAT (inside) 1 0.0.0.0 0.0.0.0

  static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

  public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

  static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

  static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

  static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

  static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

  static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

  static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

  static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

  public static 192.168.2.0 (inside, outside) - corp_vpn access list

  Access-group outside_access_in in interface outside

  inside_access_in access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.2.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp - esp-md5-hmac transet

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic dynmap 10 set pfs

  Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

  cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

  cryptomap interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  Telnet 192.168.2.0 255.255.255.0 inside

  Telnet 192.168.1.0 255.255.255.0 management

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

  dhcpd domain.local domain inside interface

  !

  a basic threat threat detection

  host of statistical threat detection

  Statistics-list of access threat detection

  Management Server TFTP 192.168.1.123.

  internal group mypolicy strategy

  mypolicy group policy attributes

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value VPN

  Pseudo vpdn password 123

  vpdn username attributes

  VPN-group-policy mypolicy

  type of remote access service

  type mypolicy tunnel-group remote access

  tunnel-group mypolicy General attributes

  address-pool

  strategy-group-by default mypolicy

  tunnel-group mypolicy ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the pptp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

  : end

  Thank you very much.

  Hello

  You probably need

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  inspect the icmp error

  Your Tunnel of Split and NAT0 configurations seem to.

  -Jouni

• Comments cannot ping host

  Hi all:

  I have a strange problem of networking that VMware technical support has not been able to help.

  Summary of the problem: comments cannot ping host unless the host is a ping command, while the guest is ping to the host

  Details of the problem: I have intalled VMware Workstation 6.5.2 on the host Windows Vista Edition Home Premium (SP1). I installed several guests, including Ubuntu 8.04, openSUSE 11, Win XP and Win 2000. All guests use "bridged" network. The host has a static IP address. All guests have DHCP. All these people have the same problem - they cannot ping the host. It simply returns "Destination unreachable". However, if I run a ping from the host (it didn't ping the same customer, any ip address on the network) while the guest is ping to the host, and then will cross ping of the guest. For the next two minutes, the guest will be able to ping the host without any problem (without 'help' of the host). Then the guest will again be able ping on the host and you will have to repeat the same process. Quite strange, isn't? Another problem, I can access the internet from the hosts and guests can ping each other. (I can't access the printer connected to the host. However if the guest can ping on the host, then it can also access the printer as well.) I tried everything but still can't find the root cause of the problem. Here is a list of the things I've tried:

  1. tried VMware Workstation 6.5.2 on a Windows XP computer on the same network (equipped with a wireless card intel) and did NOT have this problem.

  2. firewalls, antivirus software, VPN clients, etc. were all off. It did not help.

  3. the problem disappears if I use the wired Ethernet connection

  4. the current wireless adapter is a D-Link, but I also tried with a Linksys Wireless card and had the same problem

  5. the same problem exists also for VMware 6.5.1

  6. I have installed the software VirtuaBox VM from Sun and installed the same comments from Ubuntu on the same host. The problem goes away!

  7. I also tried the "NAT" networking and had the same problem.

  8. I also tried DHCP for host and had the same problem.

  I've tried everything I can think of and nothing seemed to help. I have filed a request for assistance with VMware tech and traded a few emails with the support guy but have not heard from him for a few days. I would really appreciate if someone can offer a few ideas to help solve this problem. I'm not a networking guru, but I'm a software engineer, so you can talk to me in technical terms.

  Thank you in advance.

  Yes! as noted above, it is the arp tables.

  my router is assigned the same IP address for the host computer and the guest, so as soon as you ping from your host prompt, the mac and ip is back in the arp (invites) tables and from there he will communicate via newly assigned ARP table. You can check this scathing the hostname and it will be the same ip address as your guest (in my case)

  I then googled arp vmware and discovered that it is familir with chipset broadcom and vmware behavior.

  ARP - a displays the tables,

  ARP s 00-00-00-00-00-00 192.168.x.xxx - assign the IP address to a MAC address.

  I hope this helps.

• Cannot ping via the VPN client host when static NAT translations are used

  Hello, I have a SRI 3825 configured for Cisco VPN client access.

  There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

  Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

  For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

  Any help would be appreciated.

  Concerning

  !

  session of crypto consignment

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group vpnclient

  key S3Cu4Ke!

  DNS 192.168.1.1 192.168.1.2

  domain domain.com

  pool dhcppool

  ACL 198

  Save-password

  PFS

  netmask 255.255.255.0

  !

  !

  Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

  !

  Crypto-map dynamic dynmap 10

  86400 seconds, life of security association set

  game of transformation-3DES-SECURE

  market arriere-route

  !

  card crypto client cryptomap of authentication list drauthen

  card crypto isakmp authorization list drauthor cryptomap

  client configuration address card crypto cryptomap answer

  map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

  !

  interface GigabitEthernet0/0

  NAT outside IP

  IP 1.2.3.4 255.255.255.240

  cryptomap card crypto

  !

  interface GigabitEthernet0/1

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  !

  IP local pool dhcppool 192.168.2.50 192.168.2.100

  !

  Note access-list 198 * Split Tunnel encrypted traffic *.
  access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

  !
  Note access-list 199 * NAT0 ACL *.
  access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  access-list 199 permit ip 192.168.1.0 0.0.0.255 any

  !

  Sheep allowed 10 route map
  corresponds to the IP 199

  !
  IP nat inside source map route sheep interface GigabitEthernet0/0 overload

  !

  IP nat inside source static 192.168.1.1 1.2.3.5
  IP nat inside source static 192.168.1.2 1.2.3.6

  The problem seems to be that static NAT take your nat exemption.

  The solution would be:

  IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
  IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

  HTH

  Herbert

• Win 7 VPN client cannot access remote resources beyond the VPN server

  I have a Win 7 laptop with work and customer Win 7 VPN set up, and through it that I can access everything allowed resources on the remote network.

  I built a new computer, set up the Win 7 client with the exact same parameters everywhere, connected to the VPN with success, but can not access any of the resources on the remote network that I can on my laptop.

  Win 7 64 bit SP 1

  I did research online and suggestions have already had reason of my new set up.  In addition, I have a second computer that I've set up the VPN client, and I'm having the same problem.  VPN connects successfully, but is unable to access the resources.

  Tested with firewall off the coast.

  Troubleshooting Diagnostic reports: your computer seems to be configured correctly, distance resources detected, but not answered do not.

  I created another VPN client on the new computer to another remote network and everything works perfectly.

  Remember the old VPN connection to the remote network that does not work on the new computer works perfectly on Win 7 64 bit laptop computer.

  So, what do I find also different between identical configurations "should be" where we work and two new machines is not?

  It must be something stupid.

  Hello

  This question is more suited for a TechNet audience. I suggest you send the query to the Microsoft TechNet forum. See the link below to do so:
  https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking

  Please let us know if you have more queries on Windows.

• Routing problem between the VPN Client and the router's Ethernet device

  Hello

  I have a Cisco 1721 in a test environment.

  A net 172.16.0.0/19 simulates the Internet and a net 192.168.1.0/24 simulates the net, the VPN tunnel must go to (intranet).

  The net 172.16.0.0 depends on the router 0 FastEthernet, Intranet (VPN) hangs on Ethernet 0.

  The configuration was inspired form the sample Configuration

  "Configuring the Client VPN Cisco 3.x for Windows to IOS using Local extended authentication"

  and the output of the ConfigMaker configuration.

  Authentication and logon works. Client receives an IP address from the pool. But there's a routing problem

  side of routers. Ping client-side - do not work (the VPN client statistics that count encrypt them packets, but not to decrypt).

  Ping the router works too, but decrypt and encrypt customer statistics in VPN packets count progressive

  (customer has a correct route and return ICMP packets to the router).

  The question now is:

  How to route packets between the Tunnel and an Ethernet device (Ethernet 0)?

  conf of the router is attached - hope that's not too...

  Thanks & cordially

  Thomas Schmidt

  -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

  !

  version 12.2

  horodateurs service debug uptime

  Log service timestamps uptime

  encryption password service

  !

  !

  host name * moderator edit *.

  !

  enable secret 5 * moderator edit *.

  !

  !

  AAA new-model

  AAA authentication login userauthen local

  AAA authorization groupauthor LAN

  !

  ! only for the test...

  !

  username cisco password 0 * moderator edit *.

  !

  IP subnet zero

  !

  audit of IP notify Journal

  Max-events of po verification IP 100

  !

  crypto ISAKMP policy 3

  3des encryption

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group 3000client

  key cisco123

  pool ippool

  !

  ! We do not want to divide the tunnel

  ! ACL 108

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  !

  map clientmap client to authenticate crypto list userauthen

  card crypto clientmap isakmp authorization list groupauthor

  client configuration address map clientmap crypto answer

  10 ipsec-isakmp crypto map clientmap Dynamics dynmap

  !

  interface Ethernet0

  no downtime

  Description connected to VPN

  IP 192.168.1.1 255.255.255.0

  full-duplex

  IP access-group 101 in

  IP access-group 101 out

  KeepAlive 10

  No cdp enable

  !

  interface Ethernet1

  no downtime

  address 192.168.3.1 IP 255.255.255.0

  IP access-group 101 in

  IP access-group 101 out

  full-duplex

  KeepAlive 10

  No cdp enable

  !

  interface FastEthernet0

  no downtime

  Description connected to the Internet

  IP 172.16.12.20 255.255.224.0

  automatic speed

  KeepAlive 10

  No cdp enable

  !

  ! This access group is also only for test cases!

  !

  no access list 101

  access list 101 ip allow a whole

  !

  local pool IP 192.168.10.1 ippool 192.168.10.10

  IP classless

  IP route 0.0.0.0 0.0.0.0 172.16.12.20

  enable IP pim Bennett

  !

  Line con 0

  exec-timeout 0 0

  password 7 * edit from moderator *.

  line to 0

  line vty 0 4

  !

  end

  ^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-

  Thomas,

  Can't wait to show something that might be there, but I don't see here. You do not have the card encryption applied to one of the interfaces, perhaps it was not copied. Assuming your description you do it, or should it be, applied to the fa0 and you are connected. Try how you ping? Since the router or a device located on E0? If you ping the router, you will need to do an extended ping of E0 to the ip address of the client has been assigned. If your just ping the router without the extension, you will get sales and decrypts that you declare on the client. Have you tried to ping from the client to interface E0? Your default route on the router is pointing to fa0? You have a next hop to affect? You have several NIC on the client pc? Turn off your other network cards to check that you don't have a problem with routing on the client if you have more than one.

  Kurtis Durrett

• The VPN Clients need access to the subnet on another router

  Hello

  We have a pix 515e PIX Version 8.0 (2)

  We have two subnet 10.1.x.x/16 and 10.2.x.x/16

  The firewall is on 10.1.x.x and vpn clients can access this subnet.

  The firewall can ping 10.2.x.y where x is a server in the other subnet.

  On the 10.2.x.x customers out the firewall.

  The problem is that vpn clients cannot access the server of 10.2.x.y even if the pix can ping 10.2.x.y and the road for him.

  What I need to check that the vpn rules are correct in the pix 515e?

  I think it is a rule of exemption nat or something like that not exactly sure.

  Everything would be a great help.

  Thank you

  Hello

  For clients VPN access to these subnets, check the following:

  1 NAT exemption include these subnets (if not using NAT)... it's the NAT0 ACL command

  2. these subnets is included in the split tunneling

  3. these subnets have a route to the PIX to send traffic to the VPN client pool.

  4. There are no ACLs not applied to the inside interface of the PIX deny this communication.

  Federico.

• ASA problem inside the VPN client routing

  Hello

  I have a problem where I can't reach the VPN clients with their vpn IP pool from the inside or the asa itself. Connect VPN clients can access internal network very well. I have no nat configured for the pool of vpn and packet trace crypt packages and puts it into the tunnel. I'm not sure what's wrong.

  Here are a few relevant config:

  network object obj - 192.168.245.0

  192.168.245.0 subnet 255.255.255.0

  192.168.245.1 - 192.168.245.50 vpn IP local pool

  NAT (inside, outside) static source any any destination static obj - 192.168.245.0 obj - 192.168.245.0 no-proxy-arp-search to itinerary

  Out of Packet trace:

  Firewall # entry packet - trace inside the x.x.x.x icmp 8 0 192.168.245.33

  Phase: 1

  Type: ACCESS-LIST

  Subtype:

  Result: ALLOW

  Config:

  Implicit rule

  Additional information:

  MAC access list

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 192.168.245.33 255.255.255.255 outside

  Phase: 3

  Type: ACCESS-LIST

  Subtype: Journal

  Result: ALLOW

  Config:

  Access-group acl-Interior interface inside

  access list acl-Interior extended icmp permitted an echo

  Additional information:

  Phase: 4

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Phase: 5

  Type: INSPECT

  Subtype: np - inspect

  Result: ALLOW

  Config:

  Additional information:

  Phase: 6

  Type:

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Phase: 7

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  NAT (inside, outside) static source any any destination static obj - 192.168.245.0

  obj - 192.168.245.0 no-proxy-arp-search to itinerary

  Additional information:

  Definition of static 0/x.x.x.x-x.x.x.x/0

  Phase: 8

  Type: VPN

  Subtype: encrypt

  Result: ALLOW

  Config:

  Additional information:

  Phase: 9

  Type: CREATING STREAMS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  New workflow created with the 277723432 id, package sent to the next module

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: allow

  There is no route to the address pool of vpn. Maybe that's the problem? I don't know than that used to work before we went to 8.4.

  Check if the firewall is enabled on your host from the client ravpn and blocking your pings.

• WAG320N - LAN clients cannot ping clients WLAN.

  Hi all

  I wonder if you can help. I currently have a router WAG320N, which seems to work out for a small problem.

  However, the problem I am facing is that my LAN clients cannot ping my clients wireless and vice versa.

  I googled this problem which has recommended that the AP isolation is off which is was by default.

  Any other ideas?

  Thanking in advance.

  Sprite

  As you are not able to ping customers wireless to wireline customers. Turn on the isolation of the AP.

  See if that helps you.

• The VPN client VPN connection behind other PIX PIX

  I have the following problem:

  I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).

  So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5

  I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.

  Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.

  If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:

  305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x

  194.x.x.x is our customer s address IP PIX

  I understand that somewhere access list is missing, but I can not understand.

  Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.

  Can you please help me?

  Thank you in advan

  The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.

  I've cut and pasted here for you to read, I think that the problem mentioned below:

  Question:

  Hi Glenn,.

  Following is possible?

  I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.

  The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?

  My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.

  Thank you very much for any help provided in advance.

  Response from Glenn:

  First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:

  fixup protocol esp-ike

  See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

  If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:

  ISAKMP nat-traversal

  See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

  NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.

  ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

  A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.

  NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.

  Hope that helps.

• Connection to the VPN Client 5.0.07 returns error 443 (activity included)

  I got the Cisco VPN Client to work on my windows 8.1 box, but my windows 10 box gives me some issues.

  I am trying to connect to a Cisco VPN using Cisco VPN Client 5.0.07.0290. 10 Windows.  The first Cisco VPN would not install and I discovered that I had to install Citrix DNE before installing Cisco VPN. I did it and now the Cisco VPN client installs fine.

  Now, I get an error 443 with the following log information when I try to connect:

  ---

  Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\
   
  1 20:31:03.517 23/07/15 Sev = WARNING/2 CVPND/0xA3400017
  Download key failed.
   
  2 20:31:03.517 23/07/15 Sev = WARNING/3 IKE/0xE3000002
  Function download_key_entry failed with the error code of 0 x 00000000(ISAWIN:346)
   
  3 20:31:03.518 23/07/15 Sev = WARNING/3 IKE/0xE3000050
  Failed to load IPsec keys
   
  4 20:31:03.518 23/07/15 Sev = WARNING/2 IKE/0xE30000A7
  SW unexpected error during the processing of negotiator fast Mode:(Navigator:2263)
   
  5 20:31:03.533 23/07/15 Sev = WARNING/2 IPSEC/0xE3700003
  Function CniMemRealloc() failed with the error code of 0 x 00000000 (IPSecDrvBSafeMem:152)
  ---
   
  in the event logs, I see the following error message:

  Service Service VPN from Cisco Systems, Inc. is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

  ----
  Things I've tried:
   
  I took the SSL certificate to my computer that works (windows 8.1) and installed on my machine Windows 10 and ensured that it was valid. I then imported it in the Cisco client. It did not work.
   
  I checked the registry to ensure there was incorrect data in the DisplayName value, and that works.
   
  Any thoughts on what I might try next?

  Hello Onimallar,

  I had this same problem with my Windows 64-bit 10.  But on my 32-bit Windows 10 VM the Client VPN Cisco worked OK.  So I looked into the differences.  It seems that Setup 64-bit VPN client cannot change the network settings to add the network client 'DNE light filter' required for the properties of the network adapter.

  I tried the Citrix DNE update, and while that helped Cisco VPN Client install successfully on my 64-bit machine, it would not establish a connection.

  Using the differences, I removed the two of the DNE Updater and Cisco VPN Client, and then installed 64-bit Dell SonicWall VPN Client, as this has been installed in my VM 32 bits (the 32-bit version).  This added the workstation network DNE filter of my 64-bit machine.  I reinstalled the Cisco VPN Client successfully and was able to connect to a remote site with success.

  It worked for me.

  You can download the SonicWall VPN Client from:

  https://support.software.Dell.com/SonicWALL-Global-VPN-client/Windows%20...

• Terminating the VPN client on 871W

  Hello

  I tried to install EasyVPN on a cisco 871W by SDM. The goal is to finish the VPN client with authentication with an external RADIUS/advertising (on a local subnet). I implemented the IAS on a win2003 Server advertising and checked the accounts.

  SDM was missing the 'crypto map' piece of config. After you add this in the CLI it still didn't work. Thus, EasyVPN is not as easy at is sounds...

  Could someone with some knowledge of VPN and IPsec and so forth please look at this config? Maybe it gives me an idea of what I did wrong (which, without a doubt, must be the case).

  Thank you

  Erik

  ==

  AAA new-model
  !
  AAA rad_eap radius server group
  auth-port 1645 10.128.7.5 Server acct-port 1646
  !
  AAA rad_mac radius server group
  !
  AAA rad_acct radius server group
  !
  AAA rad_admin radius server group
  !
  AAA server Ganymede group + tac_admin
  !
  AAA rad_pmip radius server group
  !
  RADIUS server AAA dummy group
  !
  AAA authentication login default local
  AAA authentication login eap_methods group rad_eap
  AAA authentication login mac_methods local
  AAA authentication login sdm_vpn_xauth_ml_1 local
  AAA authorization exec default local
  AAA authorization ipmobile default group rad_pmip
  AAA authorization sdm_vpn_group_ml_1 LAN
  AAA accounting network acct_methods
  action-type market / stop
  Group rad_acct
  !
  !
  !
  AAA - the id of the joint session
  clock timezone MET 1
  clock to DST DST PUTS recurring last Sun Mar 02:00 last Sun Oct 02:00
  !
  Crypto pki trustpoint TP-self-signed-1278336536
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 1278336536
  revocation checking no
  rsakeypair TP-self-signed-1278336536
  !
  !
  TP-self-signed-1278336536 crypto pki certificate chain
  certificate self-signed 01
  3082024A 308201B 3 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 31323738 33333635 6174652D 3336301E 170 3039 31303237 32313237
  32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 32373833 65642D
  33363533 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  81008B 56 5902F5DF FCE1A56E 3A63350E 45956514 1767EF73 FEC6CD16 7E982A82
  B0AF8546 ABB3D35A B7C3A7E3 3ACCB34A 8B655C97 F103DBD5 9AAEFEFC 37A 02103
  4EFC398B 0C8B6BE5 AD3E568E 6CB69F87 CBCA0785 EAED0A28 726F2F0A B0B0453E
  32E6B3B7 861F87FA 222197DD 3410D8A9 35939E9B CBF95F20 B8DA6ADE BF460F5C
  BF8F0203 010001A 3 72307030 130101 1 FF040530 030101FF 301D 0603 0F060355
  551 1104 16301482 12444341 4E495430 302E6361 6E2D6974 2E657530 1F060355
  1 230418 30168014 84C9223E 661B2EB4 5BAB0B0E 1BE3A27A 64B3AEB0 301D 0603
  551D0E04 16041484 C9111E66 1B2EB45B AB0B0E1B E3A27A64 B3AEB030 0D06092A
  010104 05000381 8693B 599 70EC1F1A D2995276 F3E4AF9D 81002F4A 0D 864886F7
  17E3583A 46C749F9 38743E6F F5E60478 5B9B5091 E944C689 7BA6DCA2 94D2FBD3
  AFDE4500 A0A3644E 603A852D 55ED7A87 93501D5C 1662DAED 3FFFEC5A F1C38ED4
  E0787561 BA5C14A3 6D065FCF 7DBDEBB6 9186C2D9 AA253FBF A9E38BC3 342C3AC9
  2BEF6821 E4C50277 493AD5B6 2AFE
  quit smoking
  dot11 syslog
  !
  IP source-route
  !
  !
  DHCP excluded-address IP 10.128.1.250 10.128.1.254
  DHCP excluded-address IP 10.128.150.250 10.128.150.254
  DHCP excluded-address IP 10.128.7.0 10.128.7.100
  DHCP excluded-address IP 10.128.7.250 10.128.7.254
  !
  pool IP dhcp VLAN30-COMMENTS
  import all
  Network 10.128.1.0 255.255.255.0
  router by default - 10.128.1.254
  10.128.7.5 DNS server
  -10.128.7.5 NetBIOS name server
  aaa.com domain name
  4 rental
  !
  IP dhcp VLAN20-STAFF pool
  import all
  Network 10.128.150.0 255.255.255.0
  router by default - 10.128.150.254
  10.128.7.5 DNS server
  -10.128.7.5 NetBIOS name server
  aaa.com domain name
  4 rental
  !
  IP dhcp SERVERS VLAN10 pool
  import all
  Network 10.128.7.0 255.255.255.0
  router by default - 10.128.7.254
  10.128.7.5 DNS server
  -10.128.7.5 NetBIOS name server
  aaa.com domain name
  4 rental
  !
  !
  IP cef
  no ip domain search
  IP domain name aaa.com
  inspect the tcp IP MYFW name
  inspect the IP udp MYFW name
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  VPDN enable
  !
  !
  !
  username privilege 15 secret 5 xxxx xxxx
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  ISAKMP crypto client configuration group vpn
  key xxxx
  pool SDM_POOL_1
  netmask 255.255.255.0
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  crypto dynamic-map SDM_DYNMAP_1 1
  market arriere-route
  !
  !
  card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
  map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
  client configuration address map SDM_CMAP_1 crypto answer
  map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
  !
  Crypto ctcp port 10000
  Archives
  The config log
  hidekeys
  !
  !
  !
  Bridge IRB
  !
  !
  interface Loopback0
  10.128.201.1 the IP 255.255.255.255
  map SDM_CMAP_1 crypto
  !
  interface FastEthernet0
  switchport access vlan 10
  !
  interface FastEthernet1
  switchport access vlan 20
  !
  interface FastEthernet2
  switchport access vlan 10
  !
  interface FastEthernet3
  switchport access vlan 30
  !
  interface FastEthernet4
  no ip address
  Speed 100
  full-duplex
  PPPoE enable global group
  PPPoE-client dial-pool-number 1
  No cdp enable
  !
  interface Dot11Radio0
  no ip address
  Shutdown
  No dot11 extensions aironet
  !
  interface Vlan1
  address IP AAA. BBB. CCC.177 255.255.255.240
  no ip redirection
  no ip proxy-arp
  NAT outside IP
  no ip virtual-reassembly
  No autostate
  Hold-queue 100 on
  !
  interface Vlan10
  SERVER description
  no ip address
  IP nat inside
  no ip virtual-reassembly
  No autostate
  Bridge-group 10
  Bridge-group of 10 disabled spanning
  !
  interface Vlan20
  Description of the STAFF
  no ip address
  IP nat inside
  no ip virtual-reassembly
  No autostate
  Bridge-group 20
  Bridge-group 20 covering people with reduced mobility
  !
  Vlan30 interface
  Description COMMENTS
  no ip address
  IP nat inside
  no ip virtual-reassembly
  No autostate
  Bridge-group 30
  Bridge-group 30 covering people with reduced mobility
  !
  interface Dialer1
  MTU 1492
  IP unnumbered Vlan1
  no ip redirection
  no ip proxy-arp
  NAT outside IP
  inspect the MYFW over IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 1
  PPP authentication pap callin
  PPP pap sent-name of user password 7 xxxx xxxxx
  !
  interface BVI10
  Description the server network bridge
  IP 10.128.7.254 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  !
  interface BVI20
  Description personal network bridge
  IP 10.128.150.254 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  !
  interface BVI30
  Bridge network invited description
  IP 10.128.1.254 255.255.255.0
  IP access-group Guest-ACL in
  IP nat inside
  IP virtual-reassembly
  !
  pool of local SDM_POOL_1 192.168.2.1 IP 192.168.2.100
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 Dialer1
  IP http server
  access-class 2 IP http
  local IP http authentication
  IP http secure server
  IP http secure ciphersuite 3des-ede-cbc-sha
  IP http secure-client-auth
  IP http timeout policy slowed down 60 life 86400 request 10000
  !
  !
  overload of IP nat inside source list 101 interface Vlan1
  IP nat inside source static tcp 10.128.7.1 25 AAA. BBB. Expandable 25 CCC.178
  IP nat inside source static tcp 10.128.7.1 80 AAA. BBB. CCC.178 extensible 80
  IP nat inside source static tcp 10.128.7.1 443 AAA. BBB. CCC.178 extensible 443
  IP nat inside source static tcp 10.128.7.1 8333 AAA. BBB. CCC.178 extensible 8333
  IP nat inside source static tcp 10.128.7.2 25 AAA. BBB. Expandable 25 CCC.179
  IP nat inside source static tcp 10.128.7.2 80 AAA. BBB. CCC.179 extensible 80
  IP nat inside source static tcp 10.128.7.2 443 AAA. BBB. CCC.179 extensible 443
  IP nat inside source static tcp 10.128.7.2 8333 AAA. BBB. CCC.179 extensible 8333
  IP nat inside source static tcp 10.128.7.3 25 AAA. BBB. Expandable 25 CCC.180
  IP nat inside source static tcp 10.128.7.3 80 AAA. BBB. CCC.180 extensible 80
  IP nat inside source static tcp 10.128.7.3 443 AAA. BBB. CCC.180 extensible 443
  IP nat inside source static tcp 10.128.7.3 8333 AAA. BBB. CCC.180 extensible 8333
  IP nat inside source static tcp 10.128.7.4 25 AAA. BBB. Expandable 25 CCC.181
  IP nat inside source static tcp 10.128.7.4 80 AAA. BBB. CCC.181 extensible 80
  IP nat inside source static tcp 10.128.7.4 443 AAA. BBB. CCC.181 extensible 443
  IP nat inside source static tcp 10.128.7.4 8333 AAA. BBB. CCC.181 extensible 8333
  IP nat inside source static tcp 10.128.7.5 25 AAA. BBB. Expandable 25 CCC.182
  IP nat inside source static tcp 10.128.7.5 80 AAA. BBB. CCC.182 extensible 80
  IP nat inside source static tcp 10.128.7.5 443 AAA. BBB. CCC.182 extensible 443
  IP nat inside source static tcp 10.128.7.5 8333 AAA. BBB. CCC.182 extensible 8333
  IP nat inside source static tcp 10.128.7.6 25 AAA. BBB. Expandable 25 CCC.183
  IP nat inside source static tcp 10.128.7.6 80 AAA. BBB. CCC.183 extensible 80
  IP nat inside source static tcp 10.128.7.6 443 AAA. BBB. CCC.183 extensible 443
  IP nat inside source static tcp 10.128.7.6 8333 AAA. BBB. CCC.183 extensible 8333
  IP nat inside source static tcp 10.128.7.7 25 AAA. BBB. Expandable 25 CCC.184
  IP nat inside source static tcp 10.128.7.7 80 AAA. BBB. CCC.184 extensible 80
  IP nat inside source static tcp 10.128.7.7 443 AAA. BBB. CCC.184 extensible 443
  IP nat inside source static tcp 10.128.7.7 8333 AAA. BBB. CCC.184 extensible 8333
  IP nat inside source static tcp 10.128.7.8 25 AAA. BBB. Expandable 25 CCC.185
  IP nat inside source static tcp 10.128.7.8 80 AAA. BBB. CCC.185 extensible 80
  IP nat inside source static tcp 10.128.7.8 443 AAA. BBB. CCC.185 extensible 443
  IP nat inside source static tcp 10.128.7.8 8333 AAA. BBB. CCC.185 extensible 8333
  IP nat inside source static tcp 10.128.7.9 25 AAA. BBB. Expandable 25 CCC.186
  IP nat inside source static tcp 10.128.7.9 80 AAA. BBB. CCC.186 extensible 80
  IP nat inside source static tcp 10.128.7.9 443 AAA. BBB. CCC.186 extensible 443
  IP nat inside source static tcp 10.128.7.9 8333 AAA. BBB. CCC.186 extensible 8333
  IP nat inside source static tcp 10.128.7.10 25 AAA. BBB. Expandable 25 CCC.187
  IP nat inside source static tcp 10.128.7.10 80 AAA. BBB. CCC.187 extensible 80
  IP nat inside source static tcp 10.128.7.10 443 AAA. BBB. CCC.187 extensible 443
  IP nat inside source static tcp 10.128.7.10 8333 AAA. BBB. CCC.187 extensible 8333
  IP nat inside source static tcp 10.128.7.11 25 AAA. BBB. Expandable 25 CCC.188
  IP nat inside source static tcp 10.128.7.11 80 AAA. BBB. CCC.188 extensible 80
  IP nat inside source static tcp 10.128.7.11 443 AAA. BBB. CCC.188 extensible 443
  IP nat inside source static tcp 10.128.7.11 8333 AAA. BBB. CCC.188 extensible 8333
  IP nat inside source static tcp 10.128.7.12 25 AAA. BBB. Expandable 25 CCC.189
  IP nat inside source static tcp 10.128.7.12 80 AAA. BBB. CCC.189 extensible 80
  IP nat inside source static tcp 10.128.7.12 443 AAA. BBB. CCC.189 extensible 443
  IP nat inside source static tcp 10.128.7.12 8333 AAA. BBB. CCC.189 extensible 8333
  !
  Guest-ACL extended IP access list
  deny ip any 10.128.7.0 0.0.0.255
  deny ip any 10.128.150.0 0.0.0.255
  allow an ip
  IP Internet traffic inbound-ACL extended access list
  allow udp any eq bootps any eq bootpc
  permit any any icmp echo
  permit any any icmp echo response
  permit icmp any any traceroute
  allow a gre
  allow an esp
  !
  access-list 1 permit 10.128.7.0 0.0.0.255
  access-list 1 permit 10.128.150.0 0.0.0.255
  access-list 1 permit 10.128.1.0 0.0.0.255
  access-list 2 allow 10.0.0.0 0.255.255.255
  access-list 2 refuse any
  access-list 101 permit ip 10.128.7.0 0.0.0.255 any
  access-list 101 permit ip 10.128.150.0 0.0.0.255 any
  access-list 101 permit ip 10.128.1.0 0.0.0.255 any
  Dialer-list 1 ip Protocol 1
  !
  !
  !
  !
  format of server RADIUS attribute 32 include-in-access-req hour
  RADIUS-server host 10.128.7.5 auth-port 1645 acct-port 1646 borders 7 xxxxx
  RADIUS vsa server send accounting
  !
  control plan
  !
  IP route 10 bridge
  IP road bridge 20
  IP road bridge 30
  Banner motd ^.
  Unauthorized access prohibited. *
  All access attempts are logged! ***************

  ^
  !
  Line con 0
  password 7 xxxx
  no activation of the modem
  line to 0
  line vty 0 4
  access-class 2
  privilege level 15
  transport input telnet ssh
  !
  max-task-time 5000 Planner
  AAA.BBB.CCC.ddd NTP server
  end

  Erik,

  The address pool you are talking about is to assign to the customer or the public router interface?  If you want to set up your vpn client software point a full domain name instead of an IP address that you can do it too long you can ensure the use of the name is resolved by a DNS SERVER.

  The range of addresses that you can be asigned to your Dialer interface will depend on your ISP.

  -Butterfly