The VPN Clients cannot Ping hosts
I'll include a post my config. I have clients that connect through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the main network for the office.
I can connect to the VPN, and I received a correct address assignment. I belive tunneling can be configured correctly in the aspect that I can always connect to the internet then on the VPN, but I can't ping all hosts on the 192.168.1.0 network. In the journal of the ASDM debugging, I see pings to the ASA, but no response is received on the client.
6 | February 21, 2013 | 21:54:26 | 180.0.0.1 | 53508 | 192.168.1.1 | 0 | Built of ICMP incoming connections for faddr gaddr laddr 192.168.1.1/0 (christopher) 192.168.1.1/0 180.0.0.1/53508 |
Any help would be greatly appreciated, I'm currently presuring my CCNP so I would get a deeper understanding of how to resolve these issues.
-Chris
hostname RegencyRE - ASA
domain regencyrealestate.info
activate 2/VA7dRFkv6fjd1X of encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name 180.0.0.0 Regency
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
link to the description of REGENCYSERVER
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
link to the description of RegencyRE-AP
!
interface Vlan1
nameif inside
security-level 100
192.168.1.120 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP x.x.x.x 255.255.255.248
!
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 208.67.220.220
name-server 208.67.222.222
domain regencyrealestate.info
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 Regency 255.255.255.224
RegencyRE_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
outside_access_in list extended access permit icmp any one
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask Regency 180.0.0.1 - 180.0.0.20 255.255.255.0 IP local pool
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM 255.255.255.0 inside Regency location
ASDM location 192.168.0.0 255.255.0.0 inside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
Route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
LOCAL AAA authentication serial console
http server enable 8443
http 0.0.0.0 0.0.0.0 outdoors
http 0.0.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 15
SSH version 2
Console timeout 0
dhcprelay Server 192.168.1.102 inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 69.25.96.13 prefer external source
NTP server 216.171.124.36 prefer external source
WebVPN
internal RegencyRE group strategy
attributes of Group Policy RegencyRE
value of server DNS 208.67.220.220 208.67.222.222
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list RegencyRE_splitTunnelAcl
username password encrypted adriana privilege 0
christopher encrypted privilege 15 password username
irene encrypted password privilege 0 username
type tunnel-group RegencyRE remote access
attributes global-tunnel-group RegencyRE
Regency address pool
Group Policy - by default-RegencyRE
IPSec-attributes tunnel-group RegencyRE
pre-shared key R3 & eNcY1.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
: end
Hello
-be sure that the destination host 192.168.1.x has a route towards 180.0.0.0 by the ASA gateway.
-Configure the following figure:
capture capin interface inside match icmp 192.168.1.x host 180.0.0.x
capture ASP asp type - drop all
then make a continuous ping and get 'show capin cap' and 'asp cap.
-then check the ping, the 'encrypted' counter is increasing in the VPN client statistics
I would like to know about it, hope this helps
----
Mashal
Tags: Cisco Security
Similar Questions
-
Cisco VPN Client cannot ping from LAN internal IP
Hello
I apologize in advance for my lack of knowledge about it, but I got a version of the software running ASA 5510 7.2 (2) and has been invited to set up a site with a client, I managed to get this configured and everything works fine. In addition, I created a group of tunnel ipsec-ra for users to connect to a particular server 192.168.10.100/24 remote, even if the connection is made successfully, I can not ping any IP on the LAN 192.168.10.0/24 located behind the ASA and when I ping inside the interface on the ASA it returns the public IP address of the external interface.
If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.
Thanks in advance.
: Saved
:
ASA Version 7.2 (2)
!
hostname ciscoasa5510
domain.local domain name
activate the password. 123456789 / encrypted
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group ISP
12.34.56.789 255.255.255.255 IP address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passwd encrypted 123456789
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS server-group DefaultDNS
domain.local domain name
permit outside_20_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list Split_Tunnel_List note the network of the company behind the ASA
Split_Tunnel_List list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
IP local pool domain_vpn_pool 192.168.11.1 - 192.168.11.254 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 522.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
internal domain_vpn group policy
attributes of the strategy of group domain_vpn
value of 212.23.3.100 DNS server 212.23.6.100
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Split_Tunnel_List
username domain_ra_vpn password 123456789 encrypted
username domain_ra_vpn attributes
VPN-group-policy domain_vpn
encrypted utilisateur.123456789 password username
encrypted utilisateur.123456789 password username
privilege of username user password encrypted passe.123456789 15
encrypted utilisateur.123456789 password username
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map 20 set pfs
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
card crypto outside_map 20 match address outside_20_cryptomap
peer set card crypto outside_map 20 987.65.43.21
outside_map crypto 20 card value transform-set ESP-3DES-SHA
3600 seconds, duration of life card crypto outside_map 20 set - the security association
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
tunnel-group 987.65.43.21 type ipsec-l2l
IPSec-attributes tunnel-group 987.65.43.21
pre-shared-key *.
tunnel-group domain_vpn type ipsec-ra
tunnel-group domain_vpn General-attributes
address domain_vpn_pool pool
Group Policy - by default-domain_vpn
domain_vpn group of tunnel ipsec-attributes
pre-shared-key *.
Telnet 192.168.10.0 255.255.255.0 inside
Telnet timeout 5
Console timeout 0
VPDN group ISP request dialout pppoe
VPDN group ISP localname [email protected] / * /
VPDN group ISP ppp authentication chap
VPDN username [email protected] / * / password *.
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd lease 691200
dhcpd ping_timeout 500
domain.local domain dhcpd
!
dhcpd address 192.168.10.10 - 192.168.10.200 inside
dhcpd allow inside
!
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:1234567890987654321
: end
Hello
Seems to me that you are atleast lack the NAT0 configuration for your VPN Client connection.
This configuration is intended to allow the VPN Client to communicate with the local network with their original IP addresses. Although the main reason that this is necessary is to avoid this traffic to the normal rule of dynamic PAT passing this traffic and that traffic is falling for the corresponding time.
You can add an ACL rule to the existing ACL NAT0, you have above and the NAT configuration should go next
Add this
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Hope this helps
Let me know how it goes
-Jouni
-
The VPN Clients cannot access any internal address
Without a doubt need help from an expert on this one...
Attempting to define a client access on an ASA 5520 VPN that was used only as a
Firewall so far. The ASA has been recently updated to Version 7.2 (4).
Problem: Once connected, VPN client cannot access anything whatsoever. Client VPN cannot
ping any address on internal networks, or even the inside interface of the ASA.
(I hope) Relevant details:
(1) the tunnel seems to be upward. Customers are the authenticated by the SAA and
are able to connect.
(2) by many other related posts, I ran a ' sh crypto ipsec her "to see the output: it
appears that the packets are décapsulés and decrypted, but NOT encapsulated or
encrypted (see the output of "sh crypto ipsec his ' home).
(3) by the other related posts, we've added commands associated with inversion of NAT (crypto
ISAKMP nat-traversal 20
crypto ISAKMP ipsec-over-port tcp 10000). These were in fact absent from our
Configuration.
(4) we tried encapsulation TCP and UDP encapsulation with experimental client
profiles: same result in both cases.
(5) if I (attempt) ping to an internal IP address of the connected customer, the
real-time log entries ASA show the installation and dismantling of the ICMP requests to the
the inner target customer.
(6) the capture of packets to the internal address (one that we try to do a ping of the)
VPN client) shows that the ICMP request has been received and answered. (See attachment
shooting).
(7) our goal is to create about 10 VPN client of different profiles, each with
different combinations of access to the internal VLAN or DMZ VLAN. We do not have
preferences for the type of encryption or method, as long as it is safe and it works: that
said, do not hesitate to recommend a different approach altogether.
We have tried everything we can think of, so any help or advice would be greatly
Sanitized the ASA configuration is also attached.
appreciated!
Thank you!
It should be the last step :)
on 6509
IP route 172.16.100.0 255.255.255.0 172.16.20.2
and ASA
no road inside 172.16.40.0 255.255.255.0 172.16.20.2
-
ASA 5520: Remote VPN Clients cannot ping LAN, Internet
I've set up a few of them in my time, but I am confused with this one. Can I establish connect via VPN tunnel but I can't ping or go on the internet. I searched the forum for similar and found a little issues, but none of the fixes seem to match. I noticed a strange thing is when I run ipconfig/all of the vpn client, the IP address that has been leased over the Pool of the VPN is also the default gateway!
I have attached the config. Help, please.
Thank you!
Exemption of NAT ACL has not yet been applied.
NAT (inside) 0-list of access Inside_nat0_outbound
In addition, you have not split tunnel, not sure you were using internet ASA for the vpn client internet browsing.
You can also enable icmp inspection if you test in scathing:
Policy-map global_policy
class inspection_defaultinspect the icmp
Hope that helps.
-
Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!
Hello
I have an ASA 5510 with the configuration below. I have configure the ASA as vpn server for remote access with cisco vpn client, now my problem is that I can connect but I can not ping.
Config
ciscoasa # sh run
: Saved
:
ASA Version 8.0 (3)
!
ciscoasa hostname
activate the 5QB4svsHoIHxXpF password / encrypted
names of
xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name
xxx.xxx.xxx.xxx ISA_Server_second_external_IP name
xxx.xxx.xxx.xxx name Mail_Server
xxx.xxx.xxx.xxx IncomingIP name
xxx.xxx.xxx.xxx SAP name
xxx.xxx.xxx.xxx Web server name
xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name
isa_server_outside name 192.168.2.2
!
interface Ethernet0/0
nameif outside
security-level 0
address IP IncomingIP 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.253 255.255.255.0
management only
!
passwd 123
passive FTP mode
clock timezone IS 2
clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00
TCP_8081 tcp service object-group
EQ port 8081 object
DM_INLINE_TCP_1 tcp service object-group
EQ port 3389 object
port-object eq ftp
port-object eq www
EQ object of the https port
EQ smtp port object
EQ Port pop3 object
port-object eq 3200
port-object eq 3300
port-object eq 3600
port-object eq 3299
port-object eq 3390
EQ port 50000 object
port-object eq 3396
port-object eq 3397
port-object eq 3398
port-object eq imap4
EQ port 587 object
port-object eq 993
port-object eq 8000
EQ port 8443 object
port-object eq telnet
port-object eq 3901
purpose of group TCP_8081
EQ port 1433 object
port-object eq 3391
port-object eq 3399
EQ object of port 8080
EQ port 3128 object
port-object eq 3900
port-object eq 3902
port-object eq 7777
port-object eq 3392
port-object eq 3393
port-object eq 3394
Equalizer object port 3395
port-object eq 92
port-object eq 91
port-object eq 3206
port-object eq 8001
EQ port 8181 object
object-port 7778 eq
port-object eq 8180
port-object 22222 eq
port-object eq 11001
port-object eq 11002
port-object eq 1555
port-object eq 2223
port-object eq 2224
object-group service RDP - tcp
EQ port 3389 object
3901 tcp service object-group
3901 description
port-object eq 3901
object-group service tcp 50000
50000 description
EQ port 50000 object
Enable_Transparent_Tunneling_UDP udp service object-group
port-object eq 4500
access-list connection to SAP Note inside_access_in
inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in note outgoing VPN - PPTP
inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in note outgoing VPN - GRE
inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any
Comment from inside_access_in-list of access VPN - GRE
inside_access_in list extended access will permit a full
access-list inside_access_in note outgoing VPN - Client IKE
inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq
Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T
inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500
Note to inside_access_in of outgoing DNS list access
inside_access_in list extended access udp allowed any any eq field
Note to inside_access_in of outgoing DNS list access
inside_access_in list extended access permit tcp any any eq field
Note to inside_access_in to access list carried forward Ports
inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group
access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any
outside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access will permit a full
outside_access_in list extended access allowed grateful if any host Mail_Server
outside_access_in list extended access permit tcp any host Mail_Server eq pptp
outside_access_in list extended access allow esp a whole
outside_access_in ah allowed extended access list a whole
outside_access_in list extended access udp allowed any any eq isakmp
outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group
list of access allowed standard VPN 192.168.2.0 255.255.255.0
corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 603.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global (outside) 2 Mail_Server netmask 255.0.0.0
Global 1 interface (outside)
Global interface (2 inside)
NAT (inside) 0-list of access corp_vpn
NAT (inside) 1 0.0.0.0 0.0.0.0
static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255
static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside
public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet
static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255
static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside
static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server
static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside
static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside
static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside
static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp
static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside
static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside
static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside
public static 192.168.2.0 (inside, outside) - corp_vpn access list
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp - esp-md5-hmac transet
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic dynmap 10 set pfs
Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet
cryptomap 10 card crypto ipsec-isakmp dynamic dynmap
cryptomap interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 192.168.2.0 255.255.255.0 inside
Telnet 192.168.1.0 255.255.255.0 management
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain.local domain inside interface
!
a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
Management Server TFTP 192.168.1.123.
internal group mypolicy strategy
mypolicy group policy attributes
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value VPN
Pseudo vpdn password 123
vpdn username attributes
VPN-group-policy mypolicy
type of remote access service
type mypolicy tunnel-group remote access
tunnel-group mypolicy General attributes
address-pool
strategy-group-by default mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.
Hello
You probably need
Policy-map global_policy
class inspection_default
inspect the icmp
inspect the icmp error
Your Tunnel of Split and NAT0 configurations seem to.
-Jouni
-
Hi all:
I have a strange problem of networking that VMware technical support has not been able to help.
Summary of the problem: comments cannot ping host unless the host is a ping command, while the guest is ping to the host
Details of the problem: I have intalled VMware Workstation 6.5.2 on the host Windows Vista Edition Home Premium (SP1). I installed several guests, including Ubuntu 8.04, openSUSE 11, Win XP and Win 2000. All guests use "bridged" network. The host has a static IP address. All guests have DHCP. All these people have the same problem - they cannot ping the host. It simply returns "Destination unreachable". However, if I run a ping from the host (it didn't ping the same customer, any ip address on the network) while the guest is ping to the host, and then will cross ping of the guest. For the next two minutes, the guest will be able to ping the host without any problem (without 'help' of the host). Then the guest will again be able ping on the host and you will have to repeat the same process. Quite strange, isn't? Another problem, I can access the internet from the hosts and guests can ping each other. (I can't access the printer connected to the host. However if the guest can ping on the host, then it can also access the printer as well.) I tried everything but still can't find the root cause of the problem. Here is a list of the things I've tried:
1. tried VMware Workstation 6.5.2 on a Windows XP computer on the same network (equipped with a wireless card intel) and did NOT have this problem.
2. firewalls, antivirus software, VPN clients, etc. were all off. It did not help.
3. the problem disappears if I use the wired Ethernet connection
4. the current wireless adapter is a D-Link, but I also tried with a Linksys Wireless card and had the same problem
5. the same problem exists also for VMware 6.5.1
6. I have installed the software VirtuaBox VM from Sun and installed the same comments from Ubuntu on the same host. The problem goes away!
7. I also tried the "NAT" networking and had the same problem.
8. I also tried DHCP for host and had the same problem.
I've tried everything I can think of and nothing seemed to help. I have filed a request for assistance with VMware tech and traded a few emails with the support guy but have not heard from him for a few days. I would really appreciate if someone can offer a few ideas to help solve this problem. I'm not a networking guru, but I'm a software engineer, so you can talk to me in technical terms.
Thank you in advance.
Yes! as noted above, it is the arp tables.
my router is assigned the same IP address for the host computer and the guest, so as soon as you ping from your host prompt, the mac and ip is back in the arp (invites) tables and from there he will communicate via newly assigned ARP table. You can check this scathing the hostname and it will be the same ip address as your guest (in my case)
I then googled arp vmware and discovered that it is familir with chipset broadcom and vmware behavior.
ARP - a displays the tables,
ARP s 00-00-00-00-00-00 192.168.x.xxx - assign the IP address to a MAC address.
I hope this helps.
-
Cannot ping via the VPN client host when static NAT translations are used
Hello, I have a SRI 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network of the static NAT translations have a services facing outwards.
Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.
For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.
Any help would be appreciated.
Concerning
!
session of crypto consignment
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpnclient
key S3Cu4Ke!
DNS 192.168.1.1 192.168.1.2
domain domain.com
pool dhcppool
ACL 198
Save-password
PFS
netmask 255.255.255.0
!
!
Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac
!
Crypto-map dynamic dynmap 10
86400 seconds, life of security association set
game of transformation-3DES-SECURE
market arriere-route
!
card crypto client cryptomap of authentication list drauthen
card crypto isakmp authorization list drauthor cryptomap
client configuration address card crypto cryptomap answer
map cryptomap 65535-isakmp ipsec crypto dynamic dynmap
!
interface GigabitEthernet0/0
NAT outside IP
IP 1.2.3.4 255.255.255.240
cryptomap card crypto
!
interface GigabitEthernet0/1
IP 192.168.1.254 255.255.255.0
IP nat inside
!
IP local pool dhcppool 192.168.2.50 192.168.2.100
!
Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any!
Sheep allowed 10 route map
corresponds to the IP 199!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload!
IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6The problem seems to be that static NAT take your nat exemption.
The solution would be:
IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map routeHTH
Herbert
-
Win 7 VPN client cannot access remote resources beyond the VPN server
I have a Win 7 laptop with work and customer Win 7 VPN set up, and through it that I can access everything allowed resources on the remote network.
I built a new computer, set up the Win 7 client with the exact same parameters everywhere, connected to the VPN with success, but can not access any of the resources on the remote network that I can on my laptop.
Win 7 64 bit SP 1
I did research online and suggestions have already had reason of my new set up. In addition, I have a second computer that I've set up the VPN client, and I'm having the same problem. VPN connects successfully, but is unable to access the resources.
Tested with firewall off the coast.
Troubleshooting Diagnostic reports: your computer seems to be configured correctly, distance resources detected, but not answered do not.
I created another VPN client on the new computer to another remote network and everything works perfectly.
Remember the old VPN connection to the remote network that does not work on the new computer works perfectly on Win 7 64 bit laptop computer.
So, what do I find also different between identical configurations "should be" where we work and two new machines is not?
It must be something stupid.
Hello
This question is more suited for a TechNet audience. I suggest you send the query to the Microsoft TechNet forum. See the link below to do so:
https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworkingPlease let us know if you have more queries on Windows.
-
Routing problem between the VPN Client and the router's Ethernet device
Hello
I have a Cisco 1721 in a test environment.
A net 172.16.0.0/19 simulates the Internet and a net 192.168.1.0/24 simulates the net, the VPN tunnel must go to (intranet).
The net 172.16.0.0 depends on the router 0 FastEthernet, Intranet (VPN) hangs on Ethernet 0.
The configuration was inspired form the sample Configuration
"Configuring the Client VPN Cisco 3.x for Windows to IOS using Local extended authentication"
and the output of the ConfigMaker configuration.
Authentication and logon works. Client receives an IP address from the pool. But there's a routing problem
side of routers. Ping client-side - do not work (the VPN client statistics that count encrypt them packets, but not to decrypt).
Ping the router works too, but decrypt and encrypt customer statistics in VPN packets count progressive
(customer has a correct route and return ICMP packets to the router).
The question now is:
How to route packets between the Tunnel and an Ethernet device (Ethernet 0)?
conf of the router is attached - hope that's not too...
Thanks & cordially
Thomas Schmidt
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
!
version 12.2
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
!
host name * moderator edit *.
!
enable secret 5 * moderator edit *.
!
!
AAA new-model
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
! only for the test...
!
username cisco password 0 * moderator edit *.
!
IP subnet zero
!
audit of IP notify Journal
Max-events of po verification IP 100
!
crypto ISAKMP policy 3
3des encryption
preshared authentication
Group 2
!
ISAKMP crypto client configuration group 3000client
key cisco123
pool ippool
!
! We do not want to divide the tunnel
! ACL 108
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
!
map clientmap client to authenticate crypto list userauthen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
interface Ethernet0
no downtime
Description connected to VPN
IP 192.168.1.1 255.255.255.0
full-duplex
IP access-group 101 in
IP access-group 101 out
KeepAlive 10
No cdp enable
!
interface Ethernet1
no downtime
address 192.168.3.1 IP 255.255.255.0
IP access-group 101 in
IP access-group 101 out
full-duplex
KeepAlive 10
No cdp enable
!
interface FastEthernet0
no downtime
Description connected to the Internet
IP 172.16.12.20 255.255.224.0
automatic speed
KeepAlive 10
No cdp enable
!
! This access group is also only for test cases!
!
no access list 101
access list 101 ip allow a whole
!
local pool IP 192.168.10.1 ippool 192.168.10.10
IP classless
IP route 0.0.0.0 0.0.0.0 172.16.12.20
enable IP pim Bennett
!
Line con 0
exec-timeout 0 0
password 7 * edit from moderator *.
line to 0
line vty 0 4
!
end
^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-
Thomas,
Can't wait to show something that might be there, but I don't see here. You do not have the card encryption applied to one of the interfaces, perhaps it was not copied. Assuming your description you do it, or should it be, applied to the fa0 and you are connected. Try how you ping? Since the router or a device located on E0? If you ping the router, you will need to do an extended ping of E0 to the ip address of the client has been assigned. If your just ping the router without the extension, you will get sales and decrypts that you declare on the client. Have you tried to ping from the client to interface E0? Your default route on the router is pointing to fa0? You have a next hop to affect? You have several NIC on the client pc? Turn off your other network cards to check that you don't have a problem with routing on the client if you have more than one.
Kurtis Durrett
-
The VPN Clients need access to the subnet on another router
Hello
We have a pix 515e PIX Version 8.0 (2)
We have two subnet 10.1.x.x/16 and 10.2.x.x/16
The firewall is on 10.1.x.x and vpn clients can access this subnet.
The firewall can ping 10.2.x.y where x is a server in the other subnet.
On the 10.2.x.x customers out the firewall.
The problem is that vpn clients cannot access the server of 10.2.x.y even if the pix can ping 10.2.x.y and the road for him.
What I need to check that the vpn rules are correct in the pix 515e?
I think it is a rule of exemption nat or something like that not exactly sure.
Everything would be a great help.
Thank you
Hello
For clients VPN access to these subnets, check the following:
1 NAT exemption include these subnets (if not using NAT)... it's the NAT0 ACL command
2. these subnets is included in the split tunneling
3. these subnets have a route to the PIX to send traffic to the VPN client pool.
4. There are no ACLs not applied to the inside interface of the PIX deny this communication.
Federico.
-
ASA problem inside the VPN client routing
Hello
I have a problem where I can't reach the VPN clients with their vpn IP pool from the inside or the asa itself. Connect VPN clients can access internal network very well. I have no nat configured for the pool of vpn and packet trace crypt packages and puts it into the tunnel. I'm not sure what's wrong.
Here are a few relevant config:
network object obj - 192.168.245.0
192.168.245.0 subnet 255.255.255.0
192.168.245.1 - 192.168.245.50 vpn IP local pool
NAT (inside, outside) static source any any destination static obj - 192.168.245.0 obj - 192.168.245.0 no-proxy-arp-search to itinerary
Out of Packet trace:
Firewall # entry packet - trace inside the x.x.x.x icmp 8 0 192.168.245.33
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
MAC access list
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 192.168.245.33 255.255.255.255 outside
Phase: 3
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group acl-Interior interface inside
access list acl-Interior extended icmp permitted an echo
Additional information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 5
Type: INSPECT
Subtype: np - inspect
Result: ALLOW
Config:
Additional information:
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source any any destination static obj - 192.168.245.0
obj - 192.168.245.0 no-proxy-arp-search to itinerary
Additional information:
Definition of static 0/x.x.x.x-x.x.x.x/0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 277723432 id, package sent to the next module
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
There is no route to the address pool of vpn. Maybe that's the problem? I don't know than that used to work before we went to 8.4.
Check if the firewall is enabled on your host from the client ravpn and blocking your pings.
-
WAG320N - LAN clients cannot ping clients WLAN.
Hi all
I wonder if you can help. I currently have a router WAG320N, which seems to work out for a small problem.
However, the problem I am facing is that my LAN clients cannot ping my clients wireless and vice versa.
I googled this problem which has recommended that the AP isolation is off which is was by default.
Any other ideas?
Thanking in advance.
Sprite
As you are not able to ping customers wireless to wireline customers. Turn on the isolation of the AP.
See if that helps you.
-
The VPN client VPN connection behind other PIX PIX
I have the following problem:
I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).
So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5
I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.
Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.
If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:
305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x
194.x.x.x is our customer s address IP PIX
I understand that somewhere access list is missing, but I can not understand.
Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.
Can you please help me?
Thank you in advan
The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.
I've cut and pasted here for you to read, I think that the problem mentioned below:
Question:
Hi Glenn,.
Following is possible?
I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.
The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?
My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.
Thank you very much for any help provided in advance.
Response from Glenn:
First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:
fixup protocol esp-ike
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.
If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:
ISAKMP nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.
NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.
ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.
A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.
NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.
Hope that helps.
-
Connection to the VPN Client 5.0.07 returns error 443 (activity included)
I got the Cisco VPN Client to work on my windows 8.1 box, but my windows 10 box gives me some issues.
I am trying to connect to a Cisco VPN using Cisco VPN Client 5.0.07.0290. 10 Windows. The first Cisco VPN would not install and I discovered that I had to install Citrix DNE before installing Cisco VPN. I did it and now the Cisco VPN client installs fine.
Now, I get an error 443 with the following log information when I try to connect:
---
Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\1 20:31:03.517 23/07/15 Sev = WARNING/2 CVPND/0xA3400017
Download key failed.2 20:31:03.517 23/07/15 Sev = WARNING/3 IKE/0xE3000002
Function download_key_entry failed with the error code of 0 x 00000000(ISAWIN:346)3 20:31:03.518 23/07/15 Sev = WARNING/3 IKE/0xE3000050
Failed to load IPsec keys4 20:31:03.518 23/07/15 Sev = WARNING/2 IKE/0xE30000A7
SW unexpected error during the processing of negotiator fast Mode:(Navigator:2263)5 20:31:03.533 23/07/15 Sev = WARNING/2 IPSEC/0xE3700003
Function CniMemRealloc() failed with the error code of 0 x 00000000 (IPSecDrvBSafeMem:152)---in the event logs, I see the following error message:Service Service VPN from Cisco Systems, Inc. is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
----Things I've tried:I took the SSL certificate to my computer that works (windows 8.1) and installed on my machine Windows 10 and ensured that it was valid. I then imported it in the Cisco client. It did not work.I checked the registry to ensure there was incorrect data in the DisplayName value, and that works.Any thoughts on what I might try next?Hello Onimallar,
I had this same problem with my Windows 64-bit 10. But on my 32-bit Windows 10 VM the Client VPN Cisco worked OK. So I looked into the differences. It seems that Setup 64-bit VPN client cannot change the network settings to add the network client 'DNE light filter' required for the properties of the network adapter.
I tried the Citrix DNE update, and while that helped Cisco VPN Client install successfully on my 64-bit machine, it would not establish a connection.
Using the differences, I removed the two of the DNE Updater and Cisco VPN Client, and then installed 64-bit Dell SonicWall VPN Client, as this has been installed in my VM 32 bits (the 32-bit version). This added the workstation network DNE filter of my 64-bit machine. I reinstalled the Cisco VPN Client successfully and was able to connect to a remote site with success.
It worked for me.
You can download the SonicWall VPN Client from:
https://support.software.Dell.com/SonicWALL-Global-VPN-client/Windows%20...
-
Terminating the VPN client on 871W
Hello
I tried to install EasyVPN on a cisco 871W by SDM. The goal is to finish the VPN client with authentication with an external RADIUS/advertising (on a local subnet). I implemented the IAS on a win2003 Server advertising and checked the accounts.
SDM was missing the 'crypto map' piece of config. After you add this in the CLI it still didn't work. Thus, EasyVPN is not as easy at is sounds...
Could someone with some knowledge of VPN and IPsec and so forth please look at this config? Maybe it gives me an idea of what I did wrong (which, without a doubt, must be the case).
Thank you
Erik
==
AAA new-model
!
AAA rad_eap radius server group
auth-port 1645 10.128.7.5 Server acct-port 1646
!
AAA rad_mac radius server group
!
AAA rad_acct radius server group
!
AAA rad_admin radius server group
!
AAA server Ganymede group + tac_admin
!
AAA rad_pmip radius server group
!
RADIUS server AAA dummy group
!
AAA authentication login default local
AAA authentication login eap_methods group rad_eap
AAA authentication login mac_methods local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ipmobile default group rad_pmip
AAA authorization sdm_vpn_group_ml_1 LAN
AAA accounting network acct_methods
action-type market / stop
Group rad_acct
!
!
!
AAA - the id of the joint session
clock timezone MET 1
clock to DST DST PUTS recurring last Sun Mar 02:00 last Sun Oct 02:00
!
Crypto pki trustpoint TP-self-signed-1278336536
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1278336536
revocation checking no
rsakeypair TP-self-signed-1278336536
!
!
TP-self-signed-1278336536 crypto pki certificate chain
certificate self-signed 01
3082024A 308201B 3 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31323738 33333635 6174652D 3336301E 170 3039 31303237 32313237
32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 32373833 65642D
33363533 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
81008B 56 5902F5DF FCE1A56E 3A63350E 45956514 1767EF73 FEC6CD16 7E982A82
B0AF8546 ABB3D35A B7C3A7E3 3ACCB34A 8B655C97 F103DBD5 9AAEFEFC 37A 02103
4EFC398B 0C8B6BE5 AD3E568E 6CB69F87 CBCA0785 EAED0A28 726F2F0A B0B0453E
32E6B3B7 861F87FA 222197DD 3410D8A9 35939E9B CBF95F20 B8DA6ADE BF460F5C
BF8F0203 010001A 3 72307030 130101 1 FF040530 030101FF 301D 0603 0F060355
551 1104 16301482 12444341 4E495430 302E6361 6E2D6974 2E657530 1F060355
1 230418 30168014 84C9223E 661B2EB4 5BAB0B0E 1BE3A27A 64B3AEB0 301D 0603
551D0E04 16041484 C9111E66 1B2EB45B AB0B0E1B E3A27A64 B3AEB030 0D06092A
010104 05000381 8693B 599 70EC1F1A D2995276 F3E4AF9D 81002F4A 0D 864886F7
17E3583A 46C749F9 38743E6F F5E60478 5B9B5091 E944C689 7BA6DCA2 94D2FBD3
AFDE4500 A0A3644E 603A852D 55ED7A87 93501D5C 1662DAED 3FFFEC5A F1C38ED4
E0787561 BA5C14A3 6D065FCF 7DBDEBB6 9186C2D9 AA253FBF A9E38BC3 342C3AC9
2BEF6821 E4C50277 493AD5B6 2AFE
quit smoking
dot11 syslog
!
IP source-route
!
!
DHCP excluded-address IP 10.128.1.250 10.128.1.254
DHCP excluded-address IP 10.128.150.250 10.128.150.254
DHCP excluded-address IP 10.128.7.0 10.128.7.100
DHCP excluded-address IP 10.128.7.250 10.128.7.254
!
pool IP dhcp VLAN30-COMMENTS
import all
Network 10.128.1.0 255.255.255.0
router by default - 10.128.1.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
IP dhcp VLAN20-STAFF pool
import all
Network 10.128.150.0 255.255.255.0
router by default - 10.128.150.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
IP dhcp SERVERS VLAN10 pool
import all
Network 10.128.7.0 255.255.255.0
router by default - 10.128.7.254
10.128.7.5 DNS server
-10.128.7.5 NetBIOS name server
aaa.com domain name
4 rental
!
!
IP cef
no ip domain search
IP domain name aaa.com
inspect the tcp IP MYFW name
inspect the IP udp MYFW name
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
VPDN enable
!
!
!
username privilege 15 secret 5 xxxx xxxx
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpn
key xxxx
pool SDM_POOL_1
netmask 255.255.255.0
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
market arriere-route
!
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
client configuration address map SDM_CMAP_1 crypto answer
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
Crypto ctcp port 10000
Archives
The config log
hidekeys
!
!
!
Bridge IRB
!
!
interface Loopback0
10.128.201.1 the IP 255.255.255.255
map SDM_CMAP_1 crypto
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 20
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 30
!
interface FastEthernet4
no ip address
Speed 100
full-duplex
PPPoE enable global group
PPPoE-client dial-pool-number 1
No cdp enable
!
interface Dot11Radio0
no ip address
Shutdown
No dot11 extensions aironet
!
interface Vlan1
address IP AAA. BBB. CCC.177 255.255.255.240
no ip redirection
no ip proxy-arp
NAT outside IP
no ip virtual-reassembly
No autostate
Hold-queue 100 on
!
interface Vlan10
SERVER description
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 10
Bridge-group of 10 disabled spanning
!
interface Vlan20
Description of the STAFF
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 20
Bridge-group 20 covering people with reduced mobility
!
Vlan30 interface
Description COMMENTS
no ip address
IP nat inside
no ip virtual-reassembly
No autostate
Bridge-group 30
Bridge-group 30 covering people with reduced mobility
!
interface Dialer1
MTU 1492
IP unnumbered Vlan1
no ip redirection
no ip proxy-arp
NAT outside IP
inspect the MYFW over IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 1
PPP authentication pap callin
PPP pap sent-name of user password 7 xxxx xxxxx
!
interface BVI10
Description the server network bridge
IP 10.128.7.254 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface BVI20
Description personal network bridge
IP 10.128.150.254 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface BVI30
Bridge network invited description
IP 10.128.1.254 255.255.255.0
IP access-group Guest-ACL in
IP nat inside
IP virtual-reassembly
!
pool of local SDM_POOL_1 192.168.2.1 IP 192.168.2.100
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer1
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
IP http secure ciphersuite 3des-ede-cbc-sha
IP http secure-client-auth
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
overload of IP nat inside source list 101 interface Vlan1
IP nat inside source static tcp 10.128.7.1 25 AAA. BBB. Expandable 25 CCC.178
IP nat inside source static tcp 10.128.7.1 80 AAA. BBB. CCC.178 extensible 80
IP nat inside source static tcp 10.128.7.1 443 AAA. BBB. CCC.178 extensible 443
IP nat inside source static tcp 10.128.7.1 8333 AAA. BBB. CCC.178 extensible 8333
IP nat inside source static tcp 10.128.7.2 25 AAA. BBB. Expandable 25 CCC.179
IP nat inside source static tcp 10.128.7.2 80 AAA. BBB. CCC.179 extensible 80
IP nat inside source static tcp 10.128.7.2 443 AAA. BBB. CCC.179 extensible 443
IP nat inside source static tcp 10.128.7.2 8333 AAA. BBB. CCC.179 extensible 8333
IP nat inside source static tcp 10.128.7.3 25 AAA. BBB. Expandable 25 CCC.180
IP nat inside source static tcp 10.128.7.3 80 AAA. BBB. CCC.180 extensible 80
IP nat inside source static tcp 10.128.7.3 443 AAA. BBB. CCC.180 extensible 443
IP nat inside source static tcp 10.128.7.3 8333 AAA. BBB. CCC.180 extensible 8333
IP nat inside source static tcp 10.128.7.4 25 AAA. BBB. Expandable 25 CCC.181
IP nat inside source static tcp 10.128.7.4 80 AAA. BBB. CCC.181 extensible 80
IP nat inside source static tcp 10.128.7.4 443 AAA. BBB. CCC.181 extensible 443
IP nat inside source static tcp 10.128.7.4 8333 AAA. BBB. CCC.181 extensible 8333
IP nat inside source static tcp 10.128.7.5 25 AAA. BBB. Expandable 25 CCC.182
IP nat inside source static tcp 10.128.7.5 80 AAA. BBB. CCC.182 extensible 80
IP nat inside source static tcp 10.128.7.5 443 AAA. BBB. CCC.182 extensible 443
IP nat inside source static tcp 10.128.7.5 8333 AAA. BBB. CCC.182 extensible 8333
IP nat inside source static tcp 10.128.7.6 25 AAA. BBB. Expandable 25 CCC.183
IP nat inside source static tcp 10.128.7.6 80 AAA. BBB. CCC.183 extensible 80
IP nat inside source static tcp 10.128.7.6 443 AAA. BBB. CCC.183 extensible 443
IP nat inside source static tcp 10.128.7.6 8333 AAA. BBB. CCC.183 extensible 8333
IP nat inside source static tcp 10.128.7.7 25 AAA. BBB. Expandable 25 CCC.184
IP nat inside source static tcp 10.128.7.7 80 AAA. BBB. CCC.184 extensible 80
IP nat inside source static tcp 10.128.7.7 443 AAA. BBB. CCC.184 extensible 443
IP nat inside source static tcp 10.128.7.7 8333 AAA. BBB. CCC.184 extensible 8333
IP nat inside source static tcp 10.128.7.8 25 AAA. BBB. Expandable 25 CCC.185
IP nat inside source static tcp 10.128.7.8 80 AAA. BBB. CCC.185 extensible 80
IP nat inside source static tcp 10.128.7.8 443 AAA. BBB. CCC.185 extensible 443
IP nat inside source static tcp 10.128.7.8 8333 AAA. BBB. CCC.185 extensible 8333
IP nat inside source static tcp 10.128.7.9 25 AAA. BBB. Expandable 25 CCC.186
IP nat inside source static tcp 10.128.7.9 80 AAA. BBB. CCC.186 extensible 80
IP nat inside source static tcp 10.128.7.9 443 AAA. BBB. CCC.186 extensible 443
IP nat inside source static tcp 10.128.7.9 8333 AAA. BBB. CCC.186 extensible 8333
IP nat inside source static tcp 10.128.7.10 25 AAA. BBB. Expandable 25 CCC.187
IP nat inside source static tcp 10.128.7.10 80 AAA. BBB. CCC.187 extensible 80
IP nat inside source static tcp 10.128.7.10 443 AAA. BBB. CCC.187 extensible 443
IP nat inside source static tcp 10.128.7.10 8333 AAA. BBB. CCC.187 extensible 8333
IP nat inside source static tcp 10.128.7.11 25 AAA. BBB. Expandable 25 CCC.188
IP nat inside source static tcp 10.128.7.11 80 AAA. BBB. CCC.188 extensible 80
IP nat inside source static tcp 10.128.7.11 443 AAA. BBB. CCC.188 extensible 443
IP nat inside source static tcp 10.128.7.11 8333 AAA. BBB. CCC.188 extensible 8333
IP nat inside source static tcp 10.128.7.12 25 AAA. BBB. Expandable 25 CCC.189
IP nat inside source static tcp 10.128.7.12 80 AAA. BBB. CCC.189 extensible 80
IP nat inside source static tcp 10.128.7.12 443 AAA. BBB. CCC.189 extensible 443
IP nat inside source static tcp 10.128.7.12 8333 AAA. BBB. CCC.189 extensible 8333
!
Guest-ACL extended IP access list
deny ip any 10.128.7.0 0.0.0.255
deny ip any 10.128.150.0 0.0.0.255
allow an ip
IP Internet traffic inbound-ACL extended access list
allow udp any eq bootps any eq bootpc
permit any any icmp echo
permit any any icmp echo response
permit icmp any any traceroute
allow a gre
allow an esp
!
access-list 1 permit 10.128.7.0 0.0.0.255
access-list 1 permit 10.128.150.0 0.0.0.255
access-list 1 permit 10.128.1.0 0.0.0.255
access-list 2 allow 10.0.0.0 0.255.255.255
access-list 2 refuse any
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
access-list 101 permit ip 10.128.150.0 0.0.0.255 any
access-list 101 permit ip 10.128.1.0 0.0.0.255 any
Dialer-list 1 ip Protocol 1
!
!
!
!
format of server RADIUS attribute 32 include-in-access-req hour
RADIUS-server host 10.128.7.5 auth-port 1645 acct-port 1646 borders 7 xxxxx
RADIUS vsa server send accounting
!
control plan
!
IP route 10 bridge
IP road bridge 20
IP road bridge 30
Banner motd ^.
Unauthorized access prohibited. *
All access attempts are logged! ***************^
!
Line con 0
password 7 xxxx
no activation of the modem
line to 0
line vty 0 4
access-class 2
privilege level 15
transport input telnet ssh
!
max-task-time 5000 Planner
AAA.BBB.CCC.ddd NTP server
endErik,
The address pool you are talking about is to assign to the customer or the public router interface? If you want to set up your vpn client software point a full domain name instead of an IP address that you can do it too long you can ensure the use of the name is resolved by a DNS SERVER.
The range of addresses that you can be asigned to your Dialer interface will depend on your ISP.
-Butterfly
Maybe you are looking for
-
Flashblock 1.5.18 blocking some sites
I see that Flashblock has been updated, however, there are still problems with it. Some sites, for example AOL, WTOP, etc. that video by default in HTML format and play will no longer work if Flashblock is enabled, even if these sites are added to th
-
Only get a gray screen after upgrade of El Capitan. What can I do?
I tried to install an upgrade, but only now have a gray screen. The installation seems to have stopped half way through.
-
timers stopped when removable Panel
I am relatively new to LabWindows, and up to now, this has not been a problem, but now I write several critical applications of the time, it is. Simply, I need to find a way to put around the problem stop Timers reminders while manipulating panels -
-
MI contra mi pc adminitrason sena to me olvido as hago
Yo album the contra sena of adminitración of mi pc y no puedo en LC that there is quiero quitar el adminitrador
-
I can, t get the impression to move to the right to display the box to click it down-size letters