Through VPN on 8.4(2) broken?
Hello
Yes, it's me again. It looks like I may have found something else broken after the upgrade to 8.4(2): the 'same-security-traffic permit intra-interface' feature seems broken, unless there is a new or additional order of steps it takes to get this working. I've been looking through the obvious items, but what I found does not seem to apply; I hope someone here who has used Cisco longer has an idea.
8.4(1) = works
to
8.4(2) = no workie
I saw this in the syslog, but the error message decoder just told me to contact TAC. :-(
20 Jul 22:07:12 fw1: %ASA-6-110003: Routing failed to locate next hop for ICMP from outside:10.10.x.55/0 to inside:10.20.x.3/1
So I hope SkyNet is watching and has a different answer than "it's a bug, you're screwed."
Hi,
This bug points to a problem with packet-tracer and not with the U-turn traffic itself.
The NAT command below seems useless to me and could cause a problem:
nat (inside,any) source static obj-172.140.60.0 obj-172.140.60.0 destination static obj-172.180.0.0 obj-172.180.0.0 no-proxy-arp
The object obj-172.140.60.0 is the VPN client pool, while obj-172.180.0.0 seems to be the network at office A. I hope my assumption is correct.
If this is the case, I don't see a reason why this NAT statement is necessary. Try removing it and see if it works then.
Kind regards
Assia
Tags: Cisco Security
Similar Questions
-
Reaching another router through VPN
Hello
Here's the deal:
RV042G <--------VPN-------> ROUTER1 <---lan1---> ROUTER2 <---lan2--->
I have an RV042G connected to a router '1' (LAN1) via a VPN. I have another router ('2' for LAN2) behind the remote router '1', with another network (no bridge, a different IP range).
For now, I can ping the WAN IP of router '2' from the RV042G, but from the remote RV042G I can't access the devices behind router '2' on LAN2. The opposite works: from LAN2 I can ping all devices on any LAN, including those behind the VPN.
On the RV042G, I added a static route saying that the LAN '2' IP range is reachable via the WAN address of router '2', but a traceroute always shows that it does not use the VPN and goes to my provider's gateway instead. The static route list does not show the route I entered.
At this point I'm a little lost. What can I do to tell the RV042G that the route to ROUTER2 is via the VPN and not my provider's gateway?
Thanks for any help (and sorry for my bad English)
After reading this guide:
http://www.Cisco.com/c/dam/en/us/TD/docs/routers/CSBR/rv0xx/administrati...
... take a look at page 110. The "Remote Group" is where you would list the subnets that are accessible through the VPN. Currently this group must contain "LAN1", so you'll need to add "LAN2".
Cheers,
SEB.
Routing traffic for a specific user through IPsec VPN
I want to route traffic to a specific host on the internet (for example 9.9.9.9) through our outside interface (for example, 7.7.7.0/27) instead of the client's internet connection.
I have already added 9.9.9.9 to the split tunnel ACL so that the route is inserted on the client workstation, and a default route on the outside interface is defined as follows:
ciscoasa# sh run | i route outside
route outside 0.0.0.0 0.0.0.0 7.7.7.30 1
NAT config:
object network obj-InsideNetworks
 nat (inside,outside) dynamic 7.7.7.3
No NAT:
nat (inside,any) source static obj-InsideNetworks obj-InsideNetworks destination static inside-DEST-SHEEP inside-DEST-SHEEP no-proxy-arp
object network obj-InsideNetworks
 range 10.0.1.0 10.0.255.255
object-group network inside-DEST-SHEEP
 network-object 10.0.3.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.10.10.0 255.255.255.0
 network-object 10.0.4.0 255.255.255.128
The static IP assigned to the VPN client is 10.0.4.150, so it is not within the scope of inside-DEST-SHEEP. If I then traceroute to 9.9.9.9 while connected, I get the first hop 7.7.7.1 and it stops there.
Would appreciate any help on this.
Hello
If you want to NAT the VPN user traffic when it connects to the Internet through the ASA, the NAT configuration for the user should then be:
object network VPN-CLIENT-PAT
 subnet 10.0.4.128 255.255.255.128
 nat (outside,outside) dynamic <public-PAT-IP>
Insert the dynamic PAT public IP in the above configuration. You can either use the "interface" parameter to use the ASA's public IP address, or insert a separate public IP address that can be used. I guess the VPN pool uses the 10.0.4.128/25 subnet.
You must also make sure you have the following configuration enabled:
same-security-traffic permit intra-interface
You can check with
show run same-security-traffic
Note that there is another similar parameter that ends in "inter-interface", which is not the one used for this situation.
Hope this helps
Let me know if you get it working
-Jouni
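A config check for the two conditions described in the answer above, as an added example (not code from the thread or from Cisco): it parses a constructed ASA 8.3+ style snippet and reports whether `same-security-traffic permit intra-interface` is present and whether a dynamic PAT rule from outside back to outside covers the VPN pool. The object name VPN-CLIENT-PAT and both sample configs are assumptions built from the values in the thread, and the range/host handling goes slightly beyond the single subnet case the answer shows.

```python
"""Audit an ASA 8.3+ configuration for the two settings a VPN-client U-turn
(client traffic entering and leaving the outside interface) depends on:
  1. 'same-security-traffic permit intra-interface'
  2. a dynamic PAT rule 'nat (outside,outside) dynamic ...' on an object
     network that covers the VPN address pool.
Added example, not code from the thread or from Cisco. The sample configs and
the object name VPN-CLIENT-PAT are constructed from the values in the answer."""
import ipaddress
import re

INTRA_RE = re.compile(r"^same-security-traffic permit intra-interface\s*$", re.M)
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (dynamic|static) (\S+)")


def parse_asa_objects(config):
    """Walk 'object network' blocks and return
    ({name: [IPv4Network, ...]}, [(name, src_if, dst_if, mode), ...])."""
    objects, nat_rules, current = {}, [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # top-level command: new block?
            m = re.match(r"object network (\S+)$", raw.strip())
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        body = raw.strip()
        m = re.match(r"subnet (\S+) (\S+)$", body)
        if m:
            objects[current] = [ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)]
            continue
        m = re.match(r"host (\S+)$", body)
        if m:
            objects[current] = [ipaddress.IPv4Network(f"{m.group(1)}/32")]
            continue
        m = re.match(r"range (\S+) (\S+)$", body)
        if m:                                   # a range may span several prefixes
            objects[current] = list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))))
            continue
        m = NAT_RE.match(body)                  # object NAT (ASA 8.3+ syntax)
        if m:
            nat_rules.append((current, m.group(1), m.group(2), m.group(3)))
    return objects, nat_rules


def check_vpn_uturn(config, vpn_pool):
    """Return a list of findings; an empty list means both conditions hold."""
    pool = ipaddress.IPv4Network(vpn_pool)
    findings = []
    # 'inter-interface' is a different knob and does not satisfy this check.
    if not INTRA_RE.search(config):
        findings.append("missing 'same-security-traffic permit intra-interface'")
    objects, nat_rules = parse_asa_objects(config)
    covered = any(
        src == "outside" and dst == "outside" and mode == "dynamic"
        and any(pool.subnet_of(net) for net in objects.get(name, []))
        for name, src, dst, mode in nat_rules)
    if not covered:
        findings.append(f"no 'nat (outside,outside) dynamic' rule covers the VPN pool {pool}")
    return findings


# Constructed sample: the thread's starting point (inter-interface only, no PAT for the pool).
BROKEN_CONFIG = """\
same-security-traffic permit inter-interface
object network obj-InsideNetworks
 range 10.0.1.0 10.0.255.255
 nat (inside,outside) dynamic 7.7.7.3
route outside 0.0.0.0 0.0.0.0 7.7.7.30 1
"""

# Constructed sample: the same config with the answer's two additions applied.
FIXED_CONFIG = """\
same-security-traffic permit intra-interface
object network obj-InsideNetworks
 range 10.0.1.0 10.0.255.255
 nat (inside,outside) dynamic 7.7.7.3
object network VPN-CLIENT-PAT
 subnet 10.0.4.128 255.255.255.128
 nat (outside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 7.7.7.30 1
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_uturn(cfg, "10.0.4.128/25") or ["ok"])
```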
-
How to reach a specific IP through the VPN tunnel
I've implemented remote access via the Cisco VPN Client.
We use split tunneling, so only the internal IP range goes through the VPN tunnel.
Now I need to reach a specific Internet IP address from the Cisco VPN Client
through the tunnel and the internal network.
I added this specific IP address to the split tunnel ACL.
I can verify it in the Cisco VPN Client under Status > Statistics > Route Details,
but when I traceroute to that specific IP address it ends at the
first hop, the ASA public interface.
The ASA has a route 0.0.0.0/0.
What do I need to put in place?
Hello
If you need to allow the VPN client to connect to the ASA and U-turn back to the Internet, you must:
same-security-traffic permit intra-interface
Also, make sure you NAT the traffic:
nat (outside) 1 VPN-range
global (outside) 1 interface
Be careful with the above NAT commands (this is just one example and depends on your configuration).
Federico.
-
Access another network through VPN
Hello, currently we have an Easy VPN server in one of our sites. Remote users can access the LAN (172.17.x.x) through the VPN. Is it possible to access another network (192.168.2.x) via the same VPN connection? Please see the network diagram.
Kind regards
Tony
Hello Tony
Thank you for the config and details
I've done the configuration on the assumption that the new subnet the VPN users want to access is 192.168.2.0/24 and that it is behind the D-Link router.
VPN SERVER
----------------
ip access-list extended NZEV
 permit ip 192.168.2.0 0.0.0.255 any
access-list 120 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.25.0 0.255.255.255
access-list 121 permit ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 122 permit ip 192.168.25.0 0.0.0.255 192.168.2.0 0.0.0.255
ip route 192.168.2.0 255.255.255.0 172.17.0.6
Cisco router
------------
ip route 192.168.2.0 255.255.255.0 172.21.100.1
ip route 10.0.0.0 255.0.0.0 172.17.0.71
ip route 192.168.25.0 255.255.255.0 172.17.0.71
D-Link router
---------------
ip route 10.0.0.0 255.0.0.0 172.21.100.2
ip route 192.168.25.0 255.255.255.0 172.21.100.2
Please let me know if you have any other questions
Harish.
Please rate all useful posts!
-
Mapping a network drive through VPN on a WRVS4400N router
I have a WRVS4400N router and have connected my laptop running XP through the QuickVPN Client 1.3.0.3. I can ping any IP on my network, I can access HTTP addresses and remote desktop (VNC), but I cannot map a network drive.
The network drive is on a PC running XP; I tried using the system name as well as the IP address and no mapping works. When connected directly to the router's LAN/WLAN, there is no problem mapping the drives.
Any help would be appreciated. Thank you!
Hey Blair,
Because this issue concerns a product in the Cisco Small Business / Linksys range, I suggest you move it to that community, where you will have a better chance of getting expert advice.
Best regards
Herbert
Cisco Moderator -
Cisco VPN Client cannot access anything through VPN on an ASA5505 8.4
Hello
Completely new to Cisco ASA and I need to get this working ASAP.
The ASA 5505 8.4(1) is the secondary FW and I need to allow everything out and block everything coming in, except for the VPN clients. Being a Cisco newbie, I used the ASDM and its wizards to make this work, which may explain my situation.
192.168.101.0/24 is the local network
192.168.101.5 is the IP of ASA
192.168.101.2 is the primary FW (and the default gateway for servers, I have to access through the VPN)
10.10.101.0/24 is the VPN IP range (this can be anything, I'm not married to it)
My Cisco VPN Client connects to the ASA and receives IP address 10.10.101.1, but I get no connectivity to the ASA or to any other 192.168.101.x server or service (tried RDP, telnet, ping, etc.)
Configuration file is attached.
Help pretty please!
Thank you.
Did you add a route for the VPN Pool on the main firewall to the ASA?
Best regards
Peer
Sent from Cisco Technical Support iPad App
-
No internet access through VPN router
Hi all
I configured a Cisco 851 router to do a site-to-site VPN to an ASA5510. The VPN works great. I can get to any host behind the ASA5510. But the hosts behind the Cisco 851 cannot go to the internet. I have only set up traffic to the subnet behind the ASA5510 to go through the VPN tunnel; the rest of the traffic goes through the 851 internet connection. Part of the configuration is listed below. The VPN traffic is excluded from the NAT on Fa4. Am I missing something here?
Any help is appreciated.
interface FastEthernet4
 ip address 24.xx.xx.xx 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
 crypto map SITE
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.xx.xx.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map sheep interface FastEthernet4 overload
ip tacacs source-interface Vlan1
!
ip access-list extended SITE
 permit ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
ip access-list extended sheep
 deny ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
 permit ip 10.5.x.0 0.0.0.255 any
Lou
Based on the subset of the configuration, it looks correct; you should be able to browse the Internet with that NAT configuration.
Do you have any ACL applied to your inside interface which may be blocking access? If you perform a traceroute, where does the traffic stop?
-
Hi everyone!
I want to connect my people by VPN; once I install the VPN and attempt to log in, the system shows a blue screen and restarts on Windows XP SP3. How do I solve this problem?
Hi Satya,
The question you have posted is related to a VPN connection and would be better suited to the TechNet community.
Please visit the link below to find a community that will provide the support you want.
http://social.technet.Microsoft.com/forums/en/itproxpsp/threads -
Here is my config on a Cisco 1841. The Netflow server is 10.11.1.61, which is behind an ISA firewall. The ISA firewall is configured to allow Netflow traffic from 172.18.32.1 to 10.11.1.61. However, it never sees any traffic even attempting to reach 10.11.1.61 from 172.18.32.1. Is there something missing in my router config?
ip cef
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
interface FastEthernet0/0
 ip address 172.18.32.1 255.255.255.0
 ip route-cache flow
 ip nat inside
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.11.1.61 9996
ip access-list extended NAT
 deny ip any 10.11.0.0 0.0.255.255
 permit ip 172.18.32.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 172.18.32.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.32.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 172.18.32.0 0.0.0.255 10.15.1.0 0.0.0.255
 permit ip 172.20.32.0 0.0.0.255 10.18.0.0 0.0.0.255
Hello
Could you add "exit-functions" under the flow exporter configuration and try again?
Thank you
Wen
-
No internet access through VPN
Hi, I have a Cisco 881 router (MPC8300) running c880data-universalk9-mz.153-3.M4.bin. When users establish a VPN connection to the corporate network, they have access to all the resources but no internet access. Please help me with what else I need to configure to achieve my goal. I don't want split tunneling; users must have internet via the VPN. In my opinion I need to add an additional NAT configuration, but my router does not recognize the u-turn and object-network NAT commands.
My config:
Building configuration...
Current configuration : 13562 bytes
!
! Last configuration change at 09:52:38 PCTime Sat May 16 2015 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX
!
boot-start-marker
boot system flash:c880data-universalk9-mz.153-3.M4.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1751279470
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1751279470
 revocation-check none
 rsakeypair TP-self-signed-1751279470
!
!
crypto pki certificate chain TP-self-signed-1751279470
 certificate self-signed 01
  XXXX
!
!
ip port-map user-protocol--2 port tcp 8443
ip port-map user-protocol--1 port tcp 3389
!
!
!
ip domain name dmn.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ174992C8
!
!
username xxxx privilege 15 secret 5 xxxx
username VPNUSER secret 5 xxxx
!
!
!
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 105
 match protocol user-protocol--2
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 103
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-https-1
 match access-group 104
 match protocol https
class-map type inspect match-all mysql
 match protocol mysql
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect mysql
  inspect
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Domena
 key XXXXXX
 dns 192.168.1.2
 domain dmn.local
 pool SDM_POOL_1
 save-password
 max-users 90
 netmask 255.255.255.0
 banner ^Cwelcome^C
crypto isakmp profile ciscocp-ike-profile-1
 match identity group Domena
 client authentication list ciscocp_vpn_xauth_ml_2
 isakmp authorization list ciscocp_vpn_group_ml_2
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set ESP_AES-256_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP_AES-256_SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.9.1 255.255.255.0
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.10.10 192.168.10.100
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 3 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.3 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.2 8443 interface FastEthernet4 8443
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
!
no cdp run
!
access-list 3 remark INSIDE_IF=Vlan1
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 100 deny tcp any host 192.168.1.1 eq telnet
access-list 100 deny tcp any host 192.168.1.1 eq 22
access-list 100 deny tcp any host 192.168.1.1 eq www
access-list 100 deny tcp any host 192.168.1.1 eq 443
access-list 100 deny tcp any host 192.168.1.1 eq cmd
access-list 100 deny udp any host 192.168.1.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 93.179.203.160 0.0.0.7 any
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.3
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.2
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 102 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
!
end
I'd be grateful for help
Regards
Hello
Add the VPN pool subnet to access-list 3 for the source NAT.
You may also need to check the firewall rules to allow the connection, based on your zones.
HTH,
Averroès
-
Site-to-site between ASA 5505s: one subnet cannot send traffic through VPN
Hello again! In case you saw my last post, I managed to solve the isakmp problem with my site-to-site tunnel a couple of weeks ago.
Everything works fine now, except for one strange thing. First of all, a topology:
Our main campus is Plant 1 (192.168.32.0/20), Plant 2 (192.168.16.0/20) and MOS (192.168.0.0/20). The ASA "KSIASA01" is on the main campus.
On the other side of the tunnel, over a ~400 Kbps SDSL circuit, is Plant 3 (192.168.48.0/20) and the ASA "KSIASA03".
Now, I can ping addresses in Plant 3 just fine from our main campus if I am on the subnets 192.168.11.0/24, 192.168.25.0/24, 192.168.18.0/24 or 192.168.42.0/24. However, several other subnets fail when I ping from the main campus. The one I'm most concerned about is 192.168.38.0/24.
Here's the twist: if I ping from Plant 3, I can ping everything in the main campus just fine. Also, after I ping the 192.168.38.0/24 subnet from Plant 3, I can then ping back from 192.168.38.0/24 to Plant 3 without problems. But after an hour or two, we can no longer.
On KSIASA01, if I run Packet Tracer, failed pings reach "VPN Lookup" and then fail with "(acl-drop) Flow is denied by configured rule."
My research so far tells me it may be a NAT problem, but I can't figure it out. I will attach sanitized configs for the two ASAs. Thanks in advance for your help and advice.
Hello, Jefferson.
NAT seems fine (at first glance).
The only problem I've found is an inconsistency in the crypto ACLs:
object-group network Plant1-Plant2-MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Plant1 255.255.240.0
access-list outside_2_cryptomap extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0
vs.
object-group network Plant1Plant2MOS
 network-object MOS 255.255.240.0
 network-object Plant2 255.255.240.0
 network-object Subnet38 255.255.255.0
 network-object Subnet42 255.255.255.0
access-list outside_1_cryptomap extended permit ip Plant3 255.255.240.0 object-group Plant1Plant2MOS
-
ASA 5510 ver. 8.2(5): management access through clientless VPN?
Hi all
I am completely new to Cisco networking and VPNs; I'm working on an ASA 5510 running 8.2(5)46. Currently, the unit is set up very minimally. Management access is reachable from my home network at 192.168.2.1. I'm trying to enable management access remotely via VPN. I created a clientless SSL VPN which, during the wizard process, specified management access by adding /admin to the VPN https URL. Adding /admin to the VPN URL does not give me the VPN connection, and using the /admin URL from the portal returns a "not available" message. Also, from the portal I can't access the ASDM using the inside management network IP; it also returns "unavailable". Again, I'm new to this; any help would be greatly appreciated. Here is my config, and thank you!
: Saved
:
ASA Version 8.2(5)46
!
hostname ALP5510
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 99.66.203.148 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-46-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn 192.168.2.10
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.203.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 20
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.3-192.168.2.10 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.3-192.168.1.10 management
dhcpd dns 68.94.156.1 68.94.157.1 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable
group-policy eng internal
group-policy eng attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value EngineerBookmarks
username user1 password mbO2jYs13AXlIAGa encrypted privilege 15
username user1 attributes
 vpn-group-policy eng
 webvpn
  url-list value EngineerBookmarks
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool vpn
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 default-group-policy eng
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05f3afe3383542c8f62b1873421a7484
: end
asdm image disk0:/asdm-714.bin
asdm location 99.66.203.150 255.255.255.255 inside
no asdm history enable
I'm in TAC; if you give me a case number I can help you. I think this will drag on if we continue on the support forum.
-
Access to a remote network through remote access VPN
Hello
I'm having a problem with users who access the VPN from home. We currently have 3 office sites, as shown below. When I VPN into the Philadelphia office, I am unable to access the resources of the Connecticut or North Carolina offices.
The VPN subnet is 192.168.10.0. Inside the PA office, I have no problem reaching NC or CT. Do I have to add a static route from Pennsylvania to CT and NC? If so, could you give me a hand with the correct syntax?
Pennsylvania Office <-----------IPSecVPN----------> Connecticut Office <------------IPSecVPN-------------> North Carolina Office
192.168.5.0                                          192.168.1.0                                             192.168.2.0
Hello
Yes, basically the ASA hosting the client VPN service in this case has pretty much the same configuration as the one for the two L2L sites, with the obvious exceptions:
- Networks/subnets
- Different ACL for each L2L VPN
Although naturally the problem for me is the WRVS4400N configuration.
Basically, you do the same things on this unit as on the other remote site.
You add the VPN pool as another remote network in the L2L VPN configurations. You also confirm that NAT0 is in place for this network. I'm not sure I can help you there, as I do not know the device.
Please mark it as answered and rate other useful answers.
Naturally, ask for more and I'll try to help you if I can.
-Jouni
ASA 8.2(5) upgrade to 8.2(5.26) breaks through-VPN traffic?
I have 3 sites. Site A is connected to Site B and Site C via IPSec tunnels (all devices are ASA5540). Site A also acts as a VPN concentrator for remote access users. I upgraded the code at Site A from ASA 8.2(5) to 8.2(5.26) per the Cisco advisory to deal with the SSL VPN RDP ActiveX vulnerability. This update solved the ActiveX RDP problem, but now users who connect with AnyConnect to Site A cannot connect to hosts in Site B or Site C. They can ping these hosts, but cannot connect to them using TCP (i.e. telnet, rdp, ftp, etc...).
So what has changed with this minor code upgrade, and how do I restore the ability of these remote users to use resources on the other sites? Has anyone else experienced this?
Thank you
Hi.
I think you've hit a bug:
traffic through AnyConnect fails. I don't remember the bug id, but I can find it tomorrow.