Traffic permitted only one-way for VPN-connected computers

Hello

I currently have an ASA 5505 that I set up for remote SSL VPN access. My computers can connect to the VPN fine. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from the other machines inside the LAN. It seems that traffic is allowed only one way. I messed around with ACLs, but nothing worked. Any suggestions please?

DHCP pool: 192.168.250.20 - 50 (for the LAN)

VPN pool: 192.168.250.100 and 192.168.250.101

Outside interface: gets its address by DHCP from the modem

Inside interface: 192.168.1.1

Current running config:

: Saved
:
ASA Version 8.2(5)
!
hostname HardmanASA
enable password # encrypted
passwd # encrypted
names
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.250.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end

Hello,

No worries. As for the config changes, I would do the following.

First, it is strongly recommended to use a different IP address range for the VPN clients than for the internal network:

no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
access-list NAT_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
nat (inside) 0 access-list NAT_0

Then give it a try and let us know in this post whether it works, hehe.
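As an added illustration (example code, not from the thread or from Cisco), here is a small Python lint that checks an ASA 8.2-style config snippet for the two things the reply changes: a VPN pool overlapping the inside subnet, and inside-to-pool traffic with no NAT exemption. The sample configs are constructed from the lines posted above; the function names are my own.

```python
"""Lint an ASA 8.2-style config snippet for the two problems the reply addresses:
a VPN pool overlapping the inside subnet, and inside-to-pool traffic with no
NAT exemption (nat (inside) 0 access-list ...). Example code, not from the thread."""
import ipaddress
import re

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

# Constructed samples built from the lines in the thread: before and after the fix.
INSIDE = "interface Vlan10\n nameif inside\n ip address 192.168.250.1 255.255.255.0\n"
BROKEN_CONFIG = INSIDE + """\
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
"""
FIXED_CONFIG = INSIDE + """\
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
access-list NAT_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
nat (inside) 0 access-list NAT_0
nat (inside) 10 192.168.250.0 255.255.255.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def inside_subnet(cfg):
    """Return the subnet of the interface whose nameif is 'inside', or None."""
    nameif, subnet = None, None
    for line in cfg.splitlines():
        words = line.split() or ["!"]
        if words[0] == "interface":            # a new interface block resets state
            nameif, subnet = None, None
        elif words[0] == "nameif":
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and words[2][0].isdigit():
            subnet = net(words[2], words[3])   # skips 'ip address dhcp setroute'
        if nameif == "inside" and subnet is not None:
            return subnet
    return None

def lint(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    inside = inside_subnet(cfg)
    if inside is None:
        return ["no interface with nameif inside"]
    pools, exempt_acl, aces = {}, {}, {}
    for line in cfg.splitlines():
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):         # nat (ifc) 0 access-list NAME
            exempt_acl[m[1]] = m[2]
        elif m := ACE_RE.match(line):
            aces.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
    findings = []
    for name, (start, end) in pools.items():
        if start in inside or end in inside:
            findings.append(f"pool {name} overlaps inside subnet {inside}; "
                            "use a dedicated range for VPN clients")
        # Without an exemption the ordinary nat (inside) rule also applies to
        # inside-to-pool traffic, so replies to the VPN clients get translated.
        covered = any(inside.subnet_of(src) and start in dst and end in dst
                      for src, dst in aces.get(exempt_acl.get("inside", ""), []))
        if not covered:
            findings.append(f"no NAT exemption from {inside} to pool {name} "
                            "(expected: nat (inside) 0 access-list ...)")
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label + ":", lint(cfg) or ["ok"])
```

Run it against a saved `show running-config` (ASA 8.2 syntax) to confirm both findings disappear after the pool and NAT exemption changes.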

Tags: Cisco Security
