Through remote access vpn Ipsec within the host is not available.

Team,

I have a question in confiuration vpn crossed.

ASA 3,0000 Version 5

the only question is, to access remote vpn clinet IP cannot access inside the host. However able to reach the branch of IP and it uses corprate Internet.

In SAA from the external interface I am able to ping remote clint IP but not from within the interface. Please help and let me know if additional information is required.

Thank you

Knockaert

Hello

For the NAT0 configuration, you only need NAT0 instruction for the interface "inside".

This single command/ACL should allow for 'inside' <-->'vpn-pool' communication.

NAT0 configurations on the 'external' interface should be necessary only if you make NAT0 between 2 VPN connections. I guess you could do this since you mention traffic crossed?

I suggest using different 'object-group' to define networks of NAT0 destination for different ' object-group' to the 'outside' to 'outside' and 'inside' users NAT0.

I also obsessively using beaches too wide network in the statements of NAT0. According to some records, they can cause problems

For example, this network ' object-network 172.16.0.0 255.240.0.0 "contains the 172.x.x.x.x set private IP address range. And in this case it contains some of your 'inside' networks too?

How is this a problem of crossed by the way? You say that the problem is between the VPN clients on the 'external' interface and network local hosts behind the 'internal '? Crossed would mean you have connection problem between 'outside' <->'outside' perhaps.

I don't know if I made any sense. Can be a bit messy. But can not give very specific answers that I don't know the entire configuration.

Also make sure you have the "inspect icmp" configured under the policy-map of the world, so that the response to ICMP echo messages are automatically allowed through the ASA.

-Jouni

Tags: Cisco Security

Similar Questions

Implementation of the remote access VPN IPSec using SRI 2801

Hello

I tried to set up a VPN for remote access using 2801 SRI. I've been able to establish my house vpn tunnel using the DSL (behind a NAT) connection, give it SRI the IP address that is in the ip pool I configured on safety. The problem I have right now is that it does not reach the company LAN network.

DIAGRAM:

MODEM PC (VPN CLIENT) ADSL - ROUTER SOHO - INTERNET - ISR2801 - LAN---(10.10.0.27&192.168.0.9) COMPANY

PC: 172.16.10.122

SOHO ROUTER LAN IP: 172.16.10.254

SOHO ROUTER WAN IP: Dynamically assigned by ISP

ISR2801 WAN IP: x.x.x.5/224

IP LAN ISR2801: 10.10.0.50/24

The CORPORATE LAN subnet: 10.10.0.0/24 and 192.168.0.9/24

2801 SRI CONFIGURATION:

AAA new-model

!

!

connection of AAA NOCAUTHEN group local RADIUS authentication

local NOCAUTHOR AAA authorization network

!

!

IP domain name xxxxx.com

!

!

!

username root password 7 120B551806095F01386A

!

!

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

ISAKMP crypto 5 40 keepalive

ISAKMP crypto nat keepalive 20

!

Configuration group isakmp crypto-GROUP NOC client

touch [email protected]/ * /! ~ $ 9876 qwerty

DNS 192.168.0.9

192.168.0.9 victories

xxxxx.com field

LWOP-pool

include-local-lan

netmask 255.255.255.0

!

!

Crypto ipsec transform-set AC - SET esp-3des esp-sha-hmac

!

dynamic-map crypto NOC-DYNAMICMAP 10

transformation-LWOP-SET game

!

!

list of crypto AC-customer card NOCAUTHEN card authentication

list of crypto isakmp NOCAUTHOR AC-card card authorization

crypto map CNP-map client configuration address respond

Crypto map AC - map 10-isakmp dynamic ipsec AC-DYNAMICMAP

!

!

!

!

interface FastEthernet0/0

IP address x.x.x.5 255.255.255.224

Speed 100

full-duplex

card crypto AC-map

!

interface FastEthernet0/1

IP 10.10.0.50 255.255.255.0

Speed 100

full-duplex

!

local IP NOC-POOL 192.168.250.101 pool 192.168.250.110

IP route 0.0.0.0 0.0.0.0 XXX1

IP route 10.10.0.0 255.255.255.0 10.10.0.10

IP route 172.16.10.0 255.255.255.0 FastEthernet0/0

Route IP 192.168.0.0 255.255.255.0 10.10.0.10

IP route 192.168.250.0 255.255.255.0 FastEthernet0/0

!

I have attached a few screenshots. My goal here is to have access to my LAN to the company (10.10.0.0/24 and 192.168.0.9/24). I don't know what is missing here.

No, we don't need not NAT. wanted to confirm if NAT could cause this problem.

The config looks good. Can you ping routers ip internal interface the client LAN once it connects?

Are correct, w.r.t. transatlantic lines reaching pool behind router VPN?

If so, I would like to take a look at the exits following when a client is connected.

See the crypto eli

ISAKMP crypto to show his

Crypto ipsec to show his

SPSP

Configuration remote access VPN (IPSec) using FULL domain name

Hi friends of Cisco,

We have the DNS (only the internal IP) within our network, right now that we have configured VPN for remote access using public IP address and connect us with the same public IP address. I need help to use the domain name FULL rather than use public IP.

Can you please provide the configuration for this.

Feature: ASA 5520

Type of configuration: IPSec

Thank you

Estel

Hi Philippe,.

You can use one of the free Web of DNS dynamic sites and configure ASA to dynamic DNS.

Reference - http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/basic_ddns.html

HTH,

-Dieng

Client connected to the remote access VPN, but got the wrong default gateway

Hi all

I struggled for a few days and really need some help here. My PC (192.168.254.x) is on the same vlan with external interface (192.168.254.171) to my PIX506E. When I run the Cisco VPN client, my PC shows connected and gets the IP address of 10.9.0.150 that is expected. However, it also gets the entry door of 10.9.0.1 that I have no idea where it came from. So my PC can not access any external or internal network.

I've listed below the configuration of my and highlighted the part that I typed in. PIX version 7.1 (2) is the latest version that I can install on PIX506E. Help, please. Thank you very much.

pixfirewall # sh run
: Saved
:
PIX Version 7.1 (2)
!
pixfirewall hostname
activate 2KFQnbNIdI.2KYOU encrypted password
names of
!
interface Ethernet0
nameif outside
security-level 0
IP 192.168.254.171 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
IP 10.10.10.1 255.255.255.0
!
2KFQnbNIdI.2KYOU encrypted passwd
Flash: / pix712.bin starting system
passive FTP mode
pager lines 24
Enable logging
timestamp of the record
logging buffered information
Outside 1500 MTU
Within 1500 MTU
10.9.0.150 mask - local 10.9.0.160 ROBERT-pool IP 255.255.255.0
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00
Timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
internal group strategy Robert-GP
attributes of Group Policy GP-Robert
value of server DNS 8.8.8.8
username cisco password encrypted privilege 15 3USUcOPFUiMCO4Jk
robert yXUoa8oHzS0Ncp2O of encrypted password username
robert username attributes
Strategy Group-VPN-Robert-GP
the ssh LOCAL console AAA authentication
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Dynamic crypto map DYN1 1 set of transformation-RIGHT
Dynamic crypto map DYN1 1jeu reverse-road
map MYMAP 1 ipsec-isakmp dynamic DYN1 crypto
MYMAP outside crypto map interface
ISAKMP allows outside
part of pre authentication ISAKMP policy 1
ISAKMP policy 1 3des encryption
ISAKMP policy 1 sha hash
Group of ISAKMP policy 1 2
ISAKMP policy 1 life 43200
ISAKMP nat-traversal 30
tunnel-GROUP ROBERT type ipsec-ra
tunnel-group ROBERT-General-attributes
address-pool ROBERT-
Group Policy - by default-Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
pre-shared-key *.
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 60
SSH version 2
Console timeout 0
SSL rc4 - md5 encryption
Cryptochecksum:7157c6095f2abae2aae9e15c1caa81aa
: end
pixfirewall #.

disconnect from the vpn session after adding the new ACL to the external interface and try again?

Disconnect the vpn session and try again and if does not apply this line.

permit same-security-traffic intra-interface

See the ipsec crytop her.

Please post this output.

Thank you

Multicast through remote access VPN (ASA)

Hi all

I have an ASA 5505 I want to use a device that will end for several clients for rheumatoid arthritis in so they can access our TEST network. The problem is that the net TEST provides streams video multicast clients need to see. I currently do with a Windows Server and Clients through L2TP. How can I do this with the ASA instead? I know, IPSEC does support multicast... can do something?

Hello

You can check the related multicast L2TP below mentioned example link...

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Concerning

Knockaert

authentication of remote access, vpn and ldap

I have a test environment with 2 hours fireval 5505: the first firewall is remote access VPN server and the Interior of this firewall is a network of domain with a domain controller, DNS server and a workstation. DHCP is disabled and the PC have a static address.outside of the VPN server is attached outside the other ASA 5505 firewall. on the inside of the firewall, there is a workstation.the workstation would be to connect via vpn for remote access on the domain network. I have configured the VPN server for remote access through a wizard and his

configuration is the following

Result of the command: "show running-config"

: Saved

ASA Version 8.2(1)

hostname ciscoasa

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 10.13.74.5 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.30.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

dns server-group DefaultDNS

domain-name dri.local

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240

access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.30.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record vpnldap

network-acl inside_nat0_outbound

aaa-server vpn protocol ldap

aaa-server vpn (inside) host 10.13.74.20

ldap-base-dn DC=DRI,DC=LOCAL

ldap-group-base-dn cn=test,cn=users,dc=dri,dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=test,cn=users,dc=dri,dc=local

server-type microsoft

http server enable

http 10.13.74.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd address 10.13.74.9-10.13.74.40 inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 10.13.74.20 10.8.2.5

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value dri.local

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnpool

authentication-server-group vpn

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:1fc23fb20a74f208b3cde5711633ad3d

: end

When I tried to workstation on the internal part of the second firewall (no remote access vpn server) to connect to the vpn, everything is ok. I used the cisco vpn client, but I can't ping domain controller, workstation, I can't use the shared folder on them. Why?

Please help me

Thank you

Thanks for letting me know! Can you please give the station "answered"? Thank you!

Unable to SSH/telnet through the remote access VPN to ASA interface

Hi all - im trying to SSH/telnet to my ASA in my remote access VPN tunnel but

can't get this to work. what Miss me?

remote access VPN subnet: 192.168.25.0

LAN subnet: 192.168.1.0

config is attached. THX-

Please enter the command

Private access Managament

and you will be able to telnet/ssh to the asa on this ip 192.168.1.253

Remote access VPN with ASA 5510 by using the DHCP server

Hello

Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?

I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:

!

ASA Version 8.2 (5)

!

interface Ethernet0/1

nameif inside

security-level 100

IP 10.6.0.12 255.255.254.0

!

IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)

!

Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

!

Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic dyn1 1jeu transform-set FirstSet

dynamic mymap 1 dyn1 ipsec-isakmp crypto map

mymap map crypto inside interface

crypto ISAKMP allow inside

crypto ISAKMP policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 43200

!

VPN-addr-assign aaa

VPN-addr-assign dhcp

!

internal group testgroup strategy

testgroup group policy attributes

DHCP-network-scope 10.6.192.1

enable IPSec-udp

IPSec-udp-port 10000

!

username testlay password * encrypted

!

tunnel-group testgroup type remote access

tunnel-group testgroup General attributes

strategy-group-by default testgroup

DHCP-server 10.6.20.3

testgroup group tunnel ipsec-attributes

pre-shared key *.

!

I got following output when I test connect to the ASA with Cisco VPN client 5.0

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO

4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID

Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

[OK]

KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable

Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes

Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!

Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.

Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address

Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048) , : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740) , : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

Kind regards

Lay

For the RADIUS, you need a definition of server-aaa:

Protocol AAA - NPS RADIUS server RADIUS

AAA-server RADIUS NPS (inside) host 10.10.18.12

key *.

authentication port 1812

accounting-port 1813

and tell your tunnel-group for this server:

General-attributes of VPN Tunnel-group

Group-NPS LOCAL RADIUS authentication server

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

How to prohibit remote access vpn client to use the local DNS server

Hello

I'm on ASA5505 remote access vpn configuration.

Everything works fine so far, except when the client got connected, he always used the local DNS server provided by the ISP. How can I force the customer to use the DNS server configured on ASA?

Thank you.

Kind regards

The command "Activate dns split-tunnel-all" is supported only on SSL VPN and VPN IKEv2. Since you're using IKEv1, this command is not supported.

Here's the order reference:

http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/S8.html#wp1533793

You configure no split tunnel? If you are, then you need to configure "tunnelall" split tunnel policy, and that will force the dns resolution and everything else through the VPN tunnel.

ODA IP ASA when you browse the web via remote access vpn

Hi all

I was wondering if it is possible to configure an ASA5510 in a way to allow users remote access VPN use external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the IP address of the ASA, when browsing.

The firmware version of the ASA is 9.1 (6)

Thanks in advance

Hello

What you want to achieve is calles u-turn.

You must enable the feature allowed same-security-traffic intra-interface

For the configuration of the asa, here's the Cisco documentation (I don't copy paste on the post):

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Thank you

PS: Please do not forget to rate and score as good response if this solves your problem

ASA to remote access VPN with external IP dynamic

Hi forum,

I was wondering if it was possible to set up an ASA to provide access to remote connections VPN (IPSEC or WebVPN/SSL) of the outside world, if the external IP address is dynamic (i.e. obtained through DHCP)? I understand how to use DynamicDNS to provide a host name for the VPN clients, I ask simply if the SAA can be configured to allow VPN connections from a DHCP interface addressed. I understand there are problems with the site to site VPN when both sides are addressed in a dynamic way, but it seems that the remote VPN access should work. Just hoping to confirm this before I go and I'm working on a config.

Thanks in advance...

The same configuration applies.

In my view, that the only difference is that with the external IP being dynamic:

interface e0/0

IP address dhcp setroute

crypto map

The only difference is that (the PCF file) VPN clients should have the VPN connection with a hostname (rather than an IP address) and the IP must be solved at the IPs of the SAA.

I'll try to find you an example configuration if you do not.

Federico.

ASA 5505 - remote access VPN to access various internal networks

Hi all

A customer has an ASA 5505 with a remote access vpn. They are moving their internal network to a new regime and that you would be the users who come on the vpn to access the existing and new networks. Currently can only access the existing. When users connect to access remote vpn, the asa gave them the address 192.168.199.x. The current internal network is 200.190.1.x and that they would reach their new network of 10.120.110.x.

Here is the config:

:

ASA Version 8.2 (5)

!

ciscoasa hostname

enable encrypted password xxx

XXX encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 200.190.1.15 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address 255.255.255.0 xxxxxxx

!

exec banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

connection of the banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

banner asdm the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

passive FTP mode

access extensive list ip 200.190.1.0 inside_access_in allow 255.255.255.0 any

outside_access_in list extended access permit icmp any external interface

access extensive list ip 192.168.199.0 outside_access_in allow 255.255.255.192 host 10.120.110.0

Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 200.190.1.0 255.255.255.0

MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

access extensive list ip 200.190.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask 192.168.199.10 - 192.168.199.50 255.255.255.0 IP local pool Remote_IPSEC_VPN_Pool

IP verify reverse path to the outside interface

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow all outside

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 200.190.1.0 255.255.255.0

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 190.213.43.1 1

Route inside 10.120.110.0 255.255.255.0 200.190.1.50 1

Route inside 192.168.50.0 255.255.255.0 200.190.1.56 1

Route inside 192.168.60.0 255.255.255.0 200.190.1.56 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

http server enable 10443

http server idle-timeout 5

Server of http session-timeout 30

HTTP 200.190.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

Crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

(omitted)

quit smoking

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 3600

Telnet timeout 5

SSH 200.190.1.0 255.255.255.0 inside

SSH timeout 5

SSH version 2

Console timeout 5

dhcpd outside auto_config

!

a basic threat threat detection

scanning-threat shun threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

allow outside

internal MD_SSL_Gp_Pol group strategy

attributes of Group Policy MD_SSL_Gp_Pol

VPN-tunnel-Protocol webvpn

WebVPN

list of URLS no

disable the port forward

hidden actions no

disable file entry

exploration of the disable files

disable the input URL

internal MD_IPSEC_Tun_Gp group strategy

attributes of Group Policy MD_IPSEC_Tun_Gp

value of banner welcome to remote VPN

VPN - connections 1

VPN-idle-timeout 5

Protocol-tunnel-VPN IPSec webvpn

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list MD_IPSEC_Tun_Gp_splitTunnelAcl

the address value Remote_IPSEC_VPN_Pool pools

WebVPN

value of the RDP URL-list

attributes of username (omitted)

VPN-group-policy MD_IPSEC_Tun_Gp

type of remote access service

type tunnel-group MD_SSL_Profile remote access

attributes global-tunnel-group MD_SSL_Profile

Group Policy - by default-MD_SSL_Gp_Pol

type tunnel-group MD_IPSEC_Tun_Gp remote access

attributes global-tunnel-group MD_IPSEC_Tun_Gp

address pool Remote_IPSEC_VPN_Pool

Group Policy - by default-MD_IPSEC_Tun_Gp

IPSec-attributes tunnel-group MD_IPSEC_Tun_Gp

pre-shared key *.

!

!

context of prompt hostname

: end

The following ACL and NAT exemption ACL split tunnel is incorrect:

MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

It should have been:

Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 10.120.110.0 255.255.255.0

access extensive list ip 10.120.110.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

Then 'clear xlate' and reconnect with the VPN Client.

Hope that helps.

Remote access VPN

We have 10 sites with ASA 5505 connected to the ASA 5510 of main office

through IPSec VPN tunnels. Home users connect to the main office network

using the remote access vpn connection. They can also connect to the ASA 5505

remote sites by vpn for remote access to the ASA 5510?

Thanks, please help!

Here's the PDF.

Problem with remote access VPN

Hello

I installed a remote access VPN on my firewall ASA5505 via the ASDM Assistant.

I can successfully connect with the Cisco VPN client. My firewall also shows me the VPN session and shows the Rx packets. However, Tx packets remain 0, so no traffic is getting out. My ASA5505 is configured as a router on a stick with 25 different VLAN. I want to restrict traffic to one VLAN specific using a card encryption.

When I run a command to ping t on my connected Windows box, the firewall log shows me the following message:

"Unable to find political IKE initiator: outside Intf, Src: 10.7.11.18, Dst: ' 172.16.1.1

"This message indicates that the fast path IPSec processing a packet that triggered of IKE, but IKE policy research has failed. This error could be associated calendar. The ACL triggering IKE could have been deleted before IKE has processed the request for initiation. "This problem will likely correct itself."

Unfortunately, the problem is correct.

The "sh cry isa his" and "sh cry ips its ' commands show the following output:

2 IKE peers: 62.140.137.99

Type: user role: answering machine

Generate a new key: no State: AM_ACTIVE

Interface: outside

Tag crypto map: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 85.17.xxx.xxx (outside interface IP)

local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)

Remote ident (addr, mask, prot, port): (172.16.1.1/255.255.255.255/0/0)

current_peer: 62.140.137.99, username: eclipsevpn

dynamic allocated peer ip: 172.16.1.1

#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

#pkts decaps: 4351, #pkts decrypt: 4351, #pkts check: 4351

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

success #frag before: 0, failures before #frag: 0, #fragments created: 0

Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

#send errors: 0, #recv errors: 0

local crypto endpt. : 85.17.xxx.xxx/4500, remote Start crypto. : 62.140.137.99/3698

Path mtu 1500, fresh ipsec generals 82, media, mtu 1500

current outbound SPI: B3D60F71

current inbound SPI: B89BA14A

SAS of the esp on arrival:

SPI: 0xB89BA14A (3097207114)

transform: aes - esp esp-sha-hmac no compression

running parameters = {RA, Tunnel, NAT-T program,}

slot: 0, id_conn: 196608, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP

calendar of his: service life remaining key (s): 25126

Size IV: 16 bytes

support for replay detection: Y

Anti-replay bitmap:

0xFFE1FFF8 0xFFFFFFFF

outgoing esp sas:

SPI: 0xB3D60F71 (3017150321)

transform: aes - esp esp-sha-hmac no compression

running parameters = {RA, Tunnel, NAT-T program,}

slot: 0, id_conn: 196608, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP

calendar of his: service life remaining key (s): 25126

Size IV: 16 bytes

support for replay detection: Y

Anti-replay bitmap:

0x00000000 0x00000001

I really have no idea what's going on. I installed a remote access VPN countless times, but this time it shows me the error as described above.

Hi Martijn,

just a few quick thoughts:

-is your ok NAT exemption, i.e. ensure that the return traffic is not NAT' ed.

-Make sure that there is no overlap crypto ACL

-When connected, make a package tracer to see what is happening with the return packages.

for example

packet-tracer in the interface within the icmp 10.7.11.18 0 0 172.16.1.1 detail

(where is the name of the interface on which 10.7.11.18 resides)

This will show you all the steps the rail package in-house (routing, nat, encryption etc.) so it should give you an idea of what is happening, for example when it comes to the bad interface, nat evil rule, wrong entry card crypto etc.

HTH

Herbert

No remote access VPN traffic of Asa

Hi all

I set up a Vpn on ASA5510 remote access.

When the client connect, receive the ip address of the pool (192.168.55.X) but generates no traffic.

If I type ipconfig on the pc I have only IP and mask but no gateway is not assigned, is this normal?

If I ping a host of pc to all hosts on the local network 192.168.0.X in the logs I have:

"3 14 July 2012 16:15:50 305005 192.168.0.10 no group translation found for icmp src FASTWEB:192.168.55.1 dst (type 8, code 0) LAN:192.168.0.10 '

NAT could be a problem but I do not understand how to do it.

That's my piece of config:

standard access list test_splitTunnelAcl allow Net_R_Dmz 255.255.255.224

standard access list test_splitTunnelAcl allow Net_R_Server 255.255.255.0

standard access list test_splitTunnelAcl allow Net_R_Client 255.255.255.0

standard access list test_splitTunnelAcl allow Net_V_VoIP 255.255.255.0

standard access list test_splitTunnelAcl allow Net_V_Lan 255.255.255.0

test_splitTunnelAcl list standard access allowed 192.168.0.0 255.255.255.0

permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R 255.255.255.0

permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Network_V object-group

permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R_Client 255.255.255.0

permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R_Server 255.255.255.0

permit access ip 192.168.0.0 scope list Lan_nat0_outbound 255.255.255.0 Net_R_Dmz 255.255.255.224

Lan_nat0_outbound ip Net_VpnClient 255.255.255.0 allowed extended access list all

Fastweb_access_in ip Net_R_Client 255.255.255.0 allowed extended access list all

Fastweb_access_in ip Net_R_Server 255.255.255.0 allowed extended access list all

Fastweb_access_in ip Net_R 255.255.255.0 allowed extended access list all

Fastweb_access_in ip Net_VpnClient 255.255.255.240 allowed extended access list all

permit access ip 192.168.0.0 scope list Lan_access_in 255.255.255.0 any

mask 192.168.55.1 - 192.168.55.10 255.255.255.240 IP local pool Vpn_Pool

Global (FASTWEB) 1 interface

NAT (LAN) 0-list of access Lan_nat0_outbound

NAT (LAN) 1 192.168.0.0 255.255.255.0

Access-group Fastweb_access_in in interface FASTWEB

Lan_access_in access to the LAN interface group

Route FASTWEB 0.0.0.0 0.0.0.0 93.x.x.x 1

internal group R10M strategy

attributes of R10M group policy

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list test_splitTunnelAcl

tunnel-group R10M type remote access

attributes global-tunnel-group R10M

address pool Vpn_Pool

Group Policy - by default-R10M

IPSec-attributes tunnel-group R10M

pre-shared-key *.

Thank you.

M.

Hi Marco,.

see this:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

NAT (LAN) 1 192.168.0.0 255.255.255.0

LAN ip 192.168.0.0 match FASTWEB 255.255.255.0 any

dynamic translation of hen 1 (93.x.x.x.x [Interface PAT])

translate_hits = 267145, untranslate_hits = 18832

Additional information:

Definition of dynamic 192.168.0.10/0 to 93.x.x.x.x/18070 using subnet mask 255.255.255.255

do not hit the exemption from the rule,

Please add this to your nat 0 access-list:

Lan_nat0_outbound line 1 scope ip allow any 192.168.55.0 255.255.255.0

and let me know how it goes.

Good luck.

Mohammad.

Through remote access vpn Ipsec within the host is not available.

Similar Questions

Maybe you are looking for