Two remote AnyConnect clients cannot get two-way voice via softphones?

We have a situation where two remote SSL VPN users cannot establish a voice call via softphones or Lync. They can both talk, but neither can hear the other. Each user can call external numbers or the office LAN without problems.

I'm running ASA version 9.1(5) and AnyConnect 3.1.05170. Pretty basic config (sanitized) - any help would be appreciated!

# sh run
: Saved
:
ASA Version 9.1(5)
!
hostname devicename
domain-name something.com
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
ip local pool general-pool 10.x.x.x-10.x.x.y
ip local pool it-ops-pool 10.y.y.y-10.y.y.z

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface GigabitEthernet0/1
 description inside interface
 nameif inside
 security-level 100
 ip address y.y.y.y y.y.y.y
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
banner login ***********************************************************************
banner login ! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
banner login This is a private computer network and may be used only with the direct,
banner login explicit permission of the owner. The owner reserves the right to
banner login monitor use of this network to ensure network security and to respond
banner login to specific allegations of misuse. Use of this network constitutes
banner login consent to monitoring for these and other purposes.
banner login In addition, the owner reserves the right to consent to a valid
banner login law enforcement request to search the network for evidence of a crime
banner login stored within the network.
banner login ***********************************************************************
banner asdm ***********************************************************************
banner asdm ! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
banner asdm This is a private computer network and may be used only with the direct,
banner asdm explicit permission of the owner. The owner reserves the right to
banner asdm monitor use of this network to ensure network security and to respond
banner asdm to specific allegations of misuse. Use of this network constitutes
banner asdm consent to monitoring for these and other purposes.
banner asdm In addition, the owner reserves the right to consent to a valid
banner asdm law enforcement request to search the network for evidence of a crime
banner asdm stored within the network.
banner asdm ***********************************************************************
boot system disk0:/asa915-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.0
 name-server 192.168.0.0
 domain-name something.com
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging buffered notifications
logging trap notifications
logging history errors
logging asdm notifications
logging device-id hostname
logging host inside 10.0.0.0
logging host inside 10.0.0.0
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit any inside
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 y.y.y.y 1
route inside 192.168.0.0 255.255.0.0 y.y.y.y 1
route inside 0.0.0.0 0.0.0.0 y.y.y.y tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map test_VPN
  map-name  memberOf Group-Policy
  map-value memberOf "CN=test VPN,OU=VPN groups,OU=Groups,OU=company,DC=,DC=,DC=com" "test VPN"
dynamic-access-policy-record DfltAccessPolicy
aaa-server test-deviceauth protocol ldap
 max-failed-attempts 5
aaa-server baird-deviceauth (inside) host 192.x.x.x
 server-port 636
 ldap-base-dn DC=x,DC=,DC=z
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn cn=b,OU=Service accounts,DC=x,DC=,DC=z
 ldap-over-ssl enable
 server-type microsoft
aaa-server test-rsa protocol sdi
aaa-server test-rsa (inside) host
 retry-interval 3
aaa-server test-ldap-auth protocol ldap
aaa-server test-ldap-auth (inside) host
 server-port 636
 ldap-base-dn DC=country,DC=a,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=b,OU=Service accounts,DC=x,DC=,DC=z
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map test_VPN
user-identity default-domain LOCAL
aaa authentication ssh console baird-deviceauth LOCAL
aaa authentication http console baird-deviceauth LOCAL
aaa authentication serial console baird-deviceauth LOCAL
http server enable
http x.x.x.x y.y.y.y inside
http 1.1.1.1 255.255.255.0 inside
http redirect outside 80
snmp-server host inside x.x.x.x trap community ***** version 2c
snmp-server location
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps entity power-supply cpu-temperature
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint trustpoint-selfsigned-vpncso
 enrollment self
 fqdn
 subject-name CN=,O=,C=,St=,=
 keypair
 crl configure
crypto ca trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint
 enrollment terminal
 fqdn
 subject-name CN=,OU=,O=,C=,St=,=
 keypair
 crl configure
crypto ca trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint
 enrollment terminal
 crl configure
crypto ca trustpool policy

telnet timeout 5
ssh enable ibou
ssh stricthostkeycheck
ssh x.x.x.x inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 1.1.1.1 source inside
ntp server 2.2.2.2 source inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 2
 anyconnect profiles baird-client-profile disk0:/baird-client-profile.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 banner value ! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
 banner value This is a private computer network and may be used only with the direct,
 banner value explicit permission of the owner. The owner reserves the right to
 banner value monitor use of this network to ensure network security and to respond
 banner value to specific allegations of misuse. Use of this network constitutes
 banner value consent to monitoring for these and other purposes.
 dns-server value 1.1.1.1 2.2.2.2
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value something.com
 split-dns value something.com us.something.com
 split-tunnel-all-dns enable
 address-pools value general-pool
 webvpn
  homepage use-smart-tunnel
  anyconnect modules value dart,nam
  anyconnect profiles value baird-client-profile type user
  anyconnect ask none default anyconnect
group-policy test internal
group-policy test attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 split-tunnel-all-dns enable
 address-pools value it-ops-pool
group-policy testMacs internal
group-policy testMacs attributes
 wins-server none
 dns-server value 1.1.1.1 2.2.2.2
 vpn-tunnel-protocol ssl-client
 default-domain value xyz.com
username admin password ***** encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 password-management password-expire-in-days 10
tunnel-group DefaultRAGroup webvpn-attributes
 authentication aaa certificate
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 password-management password-expire-in-days 10
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa certificate
tunnel-group test-connect type remote-access
tunnel-group test-connect general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 password-management password-expire-in-days 10
tunnel-group test-connect webvpn-attributes
 authentication aaa certificate
 group-url http://abc.xyz.com enable
 group-url https://abc.xyz.rwbaird.com enable
tunnel-group testMacs type remote-access
tunnel-group testMacs general-attributes
 authentication-server-group test-rsa
 authorization-server-group test-ldap-auth
 default-group-policy testMacs
 password-management password-expire-in-days 10
 secondary-username-from-certificate use-entire-name
tunnel-group testMacs webvpn-attributes
 group-url http://abc.xyz.com/macs enable
 group-url https://abc.xyz.com/macs enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 26
  subscribe-to-alert-group configuration periodic monthly 26
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aa675139dc84529791f9aaba46eb17f9
: end

I confess I haven't read your config in detail, but a few tips:

- If you do split tunneling, don't forget to push a route for the entire VPN pool subnet (or subnets) to the VPN clients

- Make sure you have same-security-traffic permit intra-interface

http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa81/command/ref/refg...

- If you use NAT, you must exempt such inter-VPN-client traffic from NAT

- If you have ACLs (not shown), don't forget to allow your VPN pool subnet to talk to itself. Generally that would be in the ACL applied inbound on the outside interface.

In the end, packet-tracer is your friend.

NGP
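What the tips above look like on the poster's 9.1(5) box, as an added example that is not part of NGP's reply or of the posted configuration. The symptom fits a blocked hairpin: call setup goes client to server on the LAN and works, while the media between the two pool addresses enters and leaves the same "outside" interface, which the posted config does not permit. The object name VPN_POOL, the sanitized range 10.x.x.x-10.x.x.y and the two client addresses in the packet-tracer line are assumptions.

```cisco
! Added example (not from the original post). Object name VPN_POOL and the
! client addresses 10.x.x.a / 10.x.x.b are placeholders for the sanitized
! general-pool range.
!
! 1. Let a packet that arrived on "outside" leave on "outside" again.
!    Every AnyConnect-to-AnyConnect packet is such a hairpin; without this
!    line pool-to-pool RTP is dropped even though each client reaches the
!    LAN and the internet fine. The posted config does not have it.
same-security-traffic permit intra-interface
!
! 2. Keep NAT away from the hairpinned flow. The posted config shows no NAT
!    rules at all, so this only matters once one is added (for example a
!    dynamic PAT for client internet access). A twice-NAT identity rule in
!    section 1 wins over any later dynamic rule.
object network VPN_POOL
 range 10.x.x.x 10.x.x.y
nat (outside,outside) source static VPN_POOL VPN_POOL destination static VPN_POOL VPN_POOL
!
! 3. If an ACL is applied inbound on "outside" (none is in the posted config),
!    it must allow pool-to-pool traffic. With split-tunnel-policy
!    excludespecified, the pool subnet is not in Local_LAN_Access, so the
!    client already sends it into the tunnel; no extra route push is needed
!    for this policy.
!
! 4. Verify with a UDP packet from one client to the other, entering on
!    "outside". It should end with "Result: allow"; if it is dropped in the
!    phase for same-security or in the NAT phase, that phase is the missing
!    piece. Repeat with "input outside tcp ... 5061" for the SIP/TLS
!    signaling if the softphones talk to each other directly.
packet-tracer input outside udp 10.x.x.a 16384 10.x.x.b 16384 detailed
```

Step 1 is the one the posted config is actually missing; steps 2 and 3 are the guards NGP lists for configs that do have NAT and an outside ACL. The ip verify reverse-path on "outside" does not block the hairpin, because each connected client gets a host route pointing at the outside interface.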

Tags: Cisco Security

Similar Questions

  • I can connect to my wireless router, but cannot get internet connectivity via wireless. If I connect the cable to a port on the router, I get internet connectivity.

    Wireless router / Internet problems

    I am running Windows Vista Home Edition with Security Essentials. I can connect to my wireless router, but cannot get internet connectivity via wireless. If I connect the cable to a port on the router, I get internet connectivity. Is there a firewall setting that could cause this problem?

    Hello

    Your router could be the suspect here; have you updated its firmware as a possible solution? I would also
    update the WiFi drivers on the computers. Where is the router positioned? Are there
    obstacles in the path?

    Actually, try updating your driver and disabling the network logon.

    Control Panel - Network - write down the brand and model of the WiFi adapter - double click it - Driver tab - write
    down the version - click Update Driver (it may not do anything, as MS is far behind on certifying drivers). Then
    right click on the WiFi device and UNINSTALL - Reboot - it will refresh the driver stack.

    Look at the system manufacturer's site for drivers - and the device manufacturer's site manually.
    http://pcsupport.about.com/od/driverssupport/HT/driverdlmfgr.htm

    How to install a device driver in Vista Device Manager
    http://www.Vistax64.com/tutorials/193584-Device-Manager-install-driver.html

    Download - SAVE - go to where you put it - right click - RUN AS ADMIN.

    You can download several at once; however, restart after installing each one.

    After checking the system manufacturer, you can check the device manufacturer for an even newer version. (The
    system manufacturer's drivers become your fallback.)

    Repeat for the network card (NIC), and it is a good time to get the other drivers updated as well, as Vista likes
    updated drivers.

    I would also turn off automatic updates for drivers. If Windows Update suggests one, just HIDE it, as they
    are almost always old, and you can search for drivers manually as needed.

    How to disable automatic driver installation in Windows Vista - drivers
    http://www.AddictiveTips.com/Windows-Tips/how-to-disable-automatic-driver-installation-in-Windows-Vista/
    http://TechNet.Microsoft.com/en-us/library/cc730606 (WS.10) .aspx

    ------------------------------------------------------

    Make sure you know the connection details of your wireless router - SSID and password.

    You will lose the connection when you do this and have to redo your logon.

    Control Panel - Network & Sharing Center - on the right, click Customize - Set Network Location page -
    lower left, click Merge or delete network locations - REMOVE all instances of your network (and the
    others you don't use anymore) - REBOOT. Start - Connect To, to log on to the network.

    -----------------------------------------------------

    Check this:

    Strange problem with Internet under Vista
    http://www.catonett.com/blog/archives/194

    Windows Vista cannot obtain an IP address from certain routers or from certain non-Microsoft DHCP servers
    http://support.Microsoft.com/kb/928233/en-us

    ----------------------------------------------------

    And:

    Network connection problems
    http://windowshelp.Microsoft.com/Windows/en-us/help/33307acf-0698-41ba-B014-ea0a2eb8d0a81033.mspx

    I hope this helps.

    Rob Brown - Microsoft MVP

  • AnyConnect client cannot ping gateway

    I'm currently implementing AnyConnect for some users in our organization. Once the clients connect to the VPN via AnyConnect, they cannot access anything whatsoever, including their default gateway (via ping). I'm not sure what I did wrong, but if it's a quick fix, maybe someone can point it out to me. It's a little frustrating because I had this working in the lab, but I can't see the obvious errors.

    VPN pool: 192.168.200.0/24

    ASA inside interface: 192.168.2.1

    Grateful for any help.

    Greg

    :
    ASA Version 8.2(1)
    !
    hostname asaoutsidedmz
    enable password 123 encrypted
    passwd 123 encrypted
    names
    !
    interface Ethernet0/0
     description link to ISP router / WAN
     nameif outside
     security-level 0
     ip address x.x.x.235 255.255.255.224
    !
    interface Ethernet0/1
     description internal LAN interface
     shutdown
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
     description DMZ interface
     nameif dmz
     security-level 50
     ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns domain-lookup dmz
    dns server-group DefaultDNS
     domain-name cisco.com
    access-list outside_access_in extended permit tcp any host x.x.x.232 eq www
    access-list outside_access_in extended permit tcp any host x.x.x.234 eq ssh
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool SSLVPNDHCP 192.168.200.20-192.168.200.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    global (dmz) 10 interface
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (dmz,outside) x.x.x.232 192.168.2.18 netmask 255.255.255.255
    static (dmz,outside) x.x.x.234 192.168.2.36 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.225 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server RADIUS protocol radius
    aaa-server TACACS+ protocol tacacs+
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    no crypto isakmp nat-traversal
    telnet timeout 5
    console timeout 5
    management-access inside
    !
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
     svc enable
     tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
     banner value SSL VPN profile
     vpn-simultaneous-logins 1
     vpn-idle-timeout 30
     vpn-tunnel-protocol l2tp-ipsec svc
     webvpn
      svc ask none default svc
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec
    username test11 password 123 encrypted privilege 0
    username test11 attributes
     service-type remote-access
    tunnel-group SSLVPNTunnel type remote-access
    tunnel-group SSLVPNTunnel general-attributes
     address-pool SSLVPNDHCP
     default-group-policy SSLVPN
    tunnel-group SSLVPNTunnel webvpn-attributes
     group-alias AgricorpVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    : end

    A few things to look at. Firstly, interface e0/1 is shut down in the config above, so connecting clients will not be able to reach devices on the "inside" of the ASA. Second, you don't have NAT 0 rules configured to exempt the LAN or DMZ return traffic to the client IP pool from NAT.
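    The second point spelled out in pre-8.3 syntax, as an added example that is not part of the reply above. It uses the pool (192.168.200.0/24), DMZ (192.168.2.0/24) and LAN (192.168.1.0/24) subnets and the DMZ host 192.168.2.18 from the posted config; the ACL names DMZ_nat0 and Inside_nat0 are assumptions. On 8.2, NAT exemption is an ACL referenced by "nat (ifc) 0 access-list", and it is evaluated before the "nat (ifc) 10" dynamic rule that would otherwise PAT the reply to the interface address.

```cisco
! Added example (not from the original post). ACL names are assumptions;
! subnets are the ones in the posted 8.2(1) config.
!
! Traffic from the DMZ towards the VPN pool must bypass "nat (dmz) 10";
! otherwise the reply is PATed to the outside address and never matches the
! client's connection, which looks exactly like "cannot ping anything".
access-list DMZ_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (dmz) 0 access-list DMZ_nat0
!
! Same for the LAN, which only matters once e0/1 is brought up.
interface Ethernet0/1
 no shutdown
access-list Inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0
!
! Verify the return path of the ping the poster tried: an echo reply from the
! DMZ web host to the first pool address should end with "Result: allow" and
! the NAT phase should show the exemption rather than a dynamic translation.
packet-tracer input dmz icmp 192.168.2.18 0 0 192.168.200.20 detailed
```

    If the tracer still drops the packet after these lines, look at the phase it names: a drop in the route phase means the pool is not known to the ASA (the client has not connected), and a drop in the ACL phase means an interface ACL is in the way.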

  • Client cannot get an IP address via DHCP through WiSM

    WiSM 5.2.178.0

    6509 12.2(33)SXH2a

    WiSM is up, 1231 & 1131 APs have joined, radios are up, the client associates but does not get an IP address.

    Virtual interface with the VLAN # and IP on the destination VLAN.

    WLAN with the same VLAN # as above.

    I tried Open, PSK, WPA. The client cannot obtain an IP address.

    What did I miss?

    Do you have the virtual address set to 1.1.1.1?

    Also, have you set the DHCP server address on your VLAN interfaces? This is important because the controller basically uses an ip helper address to forward DHCP requests properly.

    If you have these configured, try using the internal DHCP server to test. In the web GUI, go to Controller -> Internal DHCP Server. Configure a DHCP scope and enable it (don't worry, it is only used for wireless clients; it does not answer DHCP requests on your network).

    Now go back to Controller -> Interfaces and set the DHCP server to the controller's management interface. See if your clients are able to get addresses from the internal scope.

  • AnyConnect client cannot access external sites

    I am setting up AnyConnect VPN with no split tunneling. ASA 5505 v8.2. It seems like it should be really easy; I must be missing something.

    I can get AnyConnect users to connect fine and they can access internal sites and sites at the other end of the IPsec tunnels. But no access to the internet.

    Internal is 10.1.1.x; the VPN pool is 10.1.1.251-253 (temporary list for testing). I ran the following packet-tracer:

    packet-tracer input outside tcp 10.1.1.253 12345 69.147.125.65 80 detailed

    The last reported phase (where it fails) is:

    Phase: 7
    Type: WEBVPN-SVC
    Subtype: in
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xda7e9808, priority=70, domain=svc-ib-tunnel-flow, deny=false
    hits=364, user_data=0xcb000, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=TempVPNPool3, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    What does WEBVPN-SVC mean?

    Relevant config:

    No ACLs, filters or group policy restrictions on the HQ clients.

    same-security-traffic permit intra-interface

    global (outside) 1 interface

    On advice, I've added: nat (outside) 1 10.1.1.0 255.255.255.0; then I can reach non-tunnel outside hosts, but then not the IPsec ones.

    Kind of weird that with this, the packet tracer output does not change. It continues to show the deny, but the site is accessible.

    When you say IPsec tunnel sites... are those the IPsec site-to-site tunnels on the ASA?

    The command:

    nat (outside) 1 10.1.1.0 255.255.255.0

    should allow the AnyConnect client pool to be PATed to the Internet.

    If you need the AnyConnect clients to access the Internet and also the remote IPsec tunnels, you can do it with policy NAT:

    access-list anyconnect deny ip 10.1.1.0 255.255.255.0 x.x.x.x
    access-list anyconnect deny ip 10.1.1.0 255.255.255.0 y.y.y.y
    access-list anyconnect permit ip 10.1.1.0 255.255.255.0 any
    nat (outside) 1 access-list anyconnect
    global (outside) 1 interface

    With the above configuration, you are bypassing NAT for AnyConnect clients when they want to access remote sites through the IPsec tunnels (assuming x.x.x.x and y.y.y.y are the remote networks across those tunnels).

    And the rest of the AnyConnect pool (10.1.1.0/24) will be PATed to the Internet.

    Federico.

  • AnyConnect Clients cannot communicate with each other

    I have a problem that I've been pulling my hair out over... my teleworkers connect to our corporate network via an AnyConnect VPN connection (version 3.1) to a Cisco ASA 5520. I do not have split tunneling enabled for this profile, so all traffic should pass through the tunnel, and all hosts are in the same L3 subnet... as far as their VPN IP address goes. The problem is the teleworker PCs cannot communicate with each other (pings/RDP/etc.). When I look at the log I see traffic from one to the other, nothing denied, but they do not communicate. From my corporate network I can communicate with both AnyConnect PCs just fine. When I go to Monitoring > Routes in ASDM I see each host that is connected to the ASA via AnyConnect, and the gateway for each is the ASA's default gateway.

    Am I missing some setting in the VPN profile that prevents access between these hosts? I'd think something would show up in the log...

    Have you enabled hairpinning and also a NAT exemption between AnyConnect users?

    same-security-traffic permit intra-interface

    object network AnyConnect_users
     subnet

    nat (outside,outside) source static AnyConnect_users AnyConnect_users destination static AnyConnect_users AnyConnect_users

    If this does not resolve your problem, please post a sanitized full configuration of your ASA.

  • ICE - client cannot get the "From My Computer" option

    My client, going to "Edit Image" in ICE, does not get the "From My Computer" option that would allow him to upload a new picture. Do you have any idea what could prevent this option from being available for them? Only "From Site" appears. When I try, it shows up for me. Thank you. Wojtek

    Hello

    The option is not available in some versions of Internet Explorer (8 and 9). Is using another browser an option for the customer?

    Thank you

    Abhishek

  • ASA 5520: Remote VPN clients cannot ping LAN, Internet

    I've set up a few of these in my time, but I am stumped with this one. I can establish a connection via the VPN tunnel, but I can't ping or get on the internet. I searched the forum for similar issues and found a few, but none of the fixes seem to match. One strange thing I noticed is that when I run ipconfig /all on the VPN client, the IP address leased from the VPN pool is also the default gateway!

    I have attached the config. Help, please.

    Thank you!

    The NAT exemption ACL has not been applied yet:

    nat (inside) 0 access-list Inside_nat0_outbound

    Also, you do not have split tunneling, so I'm not sure whether you were using the ASA's internet for the VPN clients' internet browsing.

    You can also enable icmp inspection if you are testing with ping:

    policy-map global_policy
     class inspection_default
      inspect icmp

    Hope that helps.

  • Cannot get PSE10 to take my styles. Have had PSE 10 since 2011; bought and installed PSE13, uninstalled PSE10 in order to get PSE13 to install more easily, reinstalled PSE10, but now the styles do not appear in the Effects section. I checked the two sections

    Cannot get PSE10 to take my styles. Have had PSE 10 since 2011; bought and installed PSE13, uninstalled PSE10 in order to get PSE13 to install more easily, reinstalled PSE10, but now the styles do not appear in the Effects section. I checked the two sections where the styles show up on Windows 7.

    I suggest that you need to reset your preferences file by using this method:

    Start PSE10 until you reach the Welcome screen. The Welcome screen looks like this:

    When you are on the Welcome screen, first press Ctrl + Alt + Shift AND click "change" to get a different dialog like this:

    You must click Yes and you're done. This particular area is sometimes hidden, so you will need to drag the Welcome screen to the side with your mouse a bit to make it visible.

    I hope this helps.

  • Have a new 6s but cannot get it to sync with iTunes on my Mac. Both systems have the system updates (and both confirm it). How can I update iTunes on my phone when it says it is the latest version?

    Have a new 6s but cannot get it to sync with iTunes on my Mac. Both systems have the system updates (and confirm they are the latest version). How can I update iTunes on my phone when it says it is the latest version?

    The message to update iTunes refers to iTunes on your Mac - is your Mac on a high enough version of Mac OS X to support the required iTunes version? If not, can your Mac be upgraded?

  • AnyConnect 4.1 - cannot get the secure gateway configuration

    So I have AnyConnect working on one ASA; however, on another ASA located in another country, I get the following error:

    "Unable to get the secure gateway configuration."

    I get a prompt for the username and password and it seems to authenticate fine; however, at the "checking for profile updates" step it throws this error.

    I compared my two setups and they look identical.

    Working ASA model: 5512 ver 9.1(4)

    Non-working ASA: 5510 ver 9.1(4)

    Client version: 4.1.02011

    Any ideas?

    Thank you

    Hello, Kevin.

    As far as I know, if there is no client profile configured on the ASA, the AnyConnect client software will use the default client profile, which is placed on the local computer (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) when the AnyConnect software is installed.

  • ASA5505 with 10 users. Need to connect 25 remote users with the AnyConnect client

    Hello everyone.

    I have an ASA5505 with a 10-user license. I need to connect 25 remote users via SSL VPN (in my case the Cisco AnyConnect client). So I have to buy the Security Plus license (ASA5505-SEC-PL=) for more than 10 simultaneous VPN connections on the Cisco ASA 5505. Correct?

    And the main question: do I need to order the user upgrade license (for example ASA5505-SW-10-50= or ASA5505-SW-10-UL=) for my Cisco ASA5505 in order to have 25 concurrent remote user connections without restriction for each remote user?

    You need the SecPlus license for more remote access users. But you don't need an extra user license if you still only have up to 10 internal systems.

  • The success, but AnyConnect VPN cannot remote desktop

    Hi all

    I have a problem when I am unable to remote desktop in any PC LAN when I am connected via VPN.  I can ping all the nodes inside the network and I can open a web page from my local PC address inside, as well.  So it seems like it was only the RDP (3389) is affected.  Remote access for PCs are turned on, as I am able to get to them via a different method (SBS Remote Web Access).

    I'm a bit new to ASAs, so any help is greatly appreciated.  TIA

    ASA 5505

    ASA Version 8.2(5)
    !
    hostname asa
    enable password IqUJj3NwPkd23LO9 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.1.0 Net-10
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     switchport access vlan 3
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.98 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 11.11.11.11 255.255.255.0
    !
    interface Vlan3
     no nameif
     security-level 50
     ip address 192.168.5.1 255.255.255.0
    !
    ftp mode passive
    object-group service RDP tcp
     port-object eq 3389
    access-list TSTGRP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_nat0_outbound extended permit ip any 12.0.1.0 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 12.0.1.0 255.255.255.224
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    ip local pool IPSec-12 12.0.1.1-12.0.1.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 11.11.11.11 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=pas-asa.null
     keypair pasvpnkey
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0
     certificate fecf8751
     quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 10.0.1.1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config inside
    !
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 11.11.11.12 11.11.12.12 interface inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     svc enable
     tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
     vpn-tunnel-protocol svc
    group-policy DfltGrpPolicy attributes
     dns-server value 11.11.11.12 11.11.12.12
     vpn-tunnel-protocol IPSec webvpn
    username test password 1w1.F5oqiDOWdcll encrypted privilege 0
    username test attributes
     vpn-group-policy SSLClientPolicy
    username test1 password lQ8frBN8p.5fQvth encrypted privilege 15
    username test2 password w4USQXpU8Wj/RFt8 encrypted privilege 0
    username test2 attributes
     vpn-group-policy SSLClientPolicy
    username test3 password SC8q/LweL74qU0Zu encrypted privilege 0
    username test3 attributes
     vpn-group-policy SSLClientPolicy
    tunnel-group DefaultRAGroup general-attributes
     address-pool IPSec-12
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
     address-pool SSLClientPool-10
     default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
     group-alias PAS_VPN enable
     group-url https://11.11.11.11/PAS_VPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command processor
    privilege show level 3 mode exec command shell
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7f67d8c8b24bc533cf546b545aa33327

    It looks like the RDP traffic is going out, but there is no response packet:

    7: 22:24:58.824954 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

    8: 22:24:59.824740 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

    This can result from the Netgear (192.168.1.1) dropping the packets. You can work around it on the ASA by PATing the traffic to the inside interface of the ASA. Here's what you need to do:

    access-list vpn_nat_inside extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

    nat (outside) 10 access-list vpn_nat_inside outside

    global (inside) 10 interface

    This PATs only VPN traffic coming from the pool and will not have any effect on anything else.

    Kind regards

    Bad Boy

    P.S. Please mark this message as 'Answered' if you find this information useful, so that it benefits other users of the community.
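The symptom in the capture above (repeated SYNs toward the inside host, no SYN-ACK back) is easy to miss in a long capture. The following added Python example, which is not code from the thread, parses the TCP lines of ASA `show capture` output and lists every flow whose SYNs never got a SYN-ACK; the sample lines are constructed after the two packets the poster shows, plus a healthy flow for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of ASA "show capture" output. Packets 7 and 8 mirror the
# thread's symptom (SYN retransmitted toward 192.168.1.20:3389, no reply);
# packets 9 and 10 are a healthy flow whose SYN is answered with a SYN-ACK.
SAMPLE_CAPTURE = """\
7: 22:24:58.824954 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
8: 22:24:59.824740 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
9: 22:25:01.102211 802.1Q vlan#1 P0 10.0.1.1.49170 > 192.168.1.20.80: S 11223344:11223344(0) win 65535
10: 22:25:01.102690 802.1Q vlan#1 P0 192.168.1.20.80 > 10.0.1.1.49170: S 99887766:99887766(0) ack 11223345 win 8192
"""

# One ASA capture line: "<n>: <time> [802.1Q vlan#<v> P<p>] <src>.<sport> > <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"              # optional VLAN tag fields
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s"
)


def parse_capture(text):
    """Yield one dict per TCP capture line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["is_syn"] = "S" in rec["flags"]
        rec["is_ack"] = " ack " in line      # ASA prints "ack <n>" after the seq range
        yield rec


def find_unanswered_syns(text):
    """Return {(src, sport, dst, dport): syn_count} for flows that never saw a SYN-ACK.

    A SYN-ACK travels in the reverse direction, so it is mapped back onto the
    initiator's 4-tuple before comparing. Flows left over point at a missing
    return path (here: the inside host's gateway has no route to the VPN pool).
    """
    syns = defaultdict(int)
    answered = set()
    for rec in parse_capture(text):
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["is_syn"] and not rec["is_ack"]:
            syns[flow] += 1
        elif rec["is_syn"] and rec["is_ack"]:
            answered.add((rec["dst"], rec["dport"], rec["src"], rec["sport"]))
    return {flow: n for flow, n in syns.items() if flow not in answered}


if __name__ == "__main__":
    for (src, sport, dst, dport), n in find_unanswered_syns(SAMPLE_CAPTURE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s), no SYN-ACK seen")
```

Run it against a real `show capture <name>` dump saved to a file; any inside host that shows up with unanswered SYNs from the pool is a candidate for the missing-return-route problem the reply describes.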

  • Cisco AnyConnect Secure Mobility Client cannot initialize connection subsystem after Windows updates (Feb 10, 2015)

    Hello

    The Cisco AnyConnect Secure Mobility Client gives me an error when I try to use it. It started after the latest Windows updates (10 Feb. 2015).

    The error it gives is "could not initialize the connection subsystem".

    I looked at another machine with the updates installed; it has the same issue.

    On my machine, I restored to a Windows restore point from before the updates were done, and the Cisco AnyConnect client worked well.

    After installing the updates, it stopped working again.

    Help, please

    Michael

    I assume you are using Windows 8.1. The workaround is to set the AnyConnect client to use Windows 8 compatibility mode. It has worked on several machines. After the change, you will need to log off and back on to Windows.

    IE 11 cumulative update KB3021952 includes KB3023607.  Apparently it's the latter patch that causes the problem, according to what I've read. (I don't even see 3023607 in the WU history, but if I type "wmic qfe" it is there.) However, I suggest leaving the update in place and using the workaround.

  • AnyConnect client... SSL vs. IPSec

    Hello

    I have a few questions on the Anyconnect VPN remote access.

    Does the AnyConnect client work with SSL or IPSec ISAKMPv2? Is there a default method?

    Where would you identify which method is chosen? Does the AnyConnect client automatically detect the type (SSL or IPSec) based on the VPN server? How does SSL over IPSec work in this case?  What is new in the AnyConnect 4.x client?

    I would say that 90% or more of customers use SSL.

    IPsec IKEv2 is used mainly by two categories of people:

    1. those who need next-gen cryptographic algorithms for legal or regulatory reasons

    2. those who have had enthusiasts, or CCIE candidates, configure their VPN (joke - just a little bit)

    It, when implemented correctly, does a good job of securing your traffic.

    The server (for example, the ASA) defines the method, and the client honors it because of the associated connection profile that it updates/downloads from the server.

    This initial process, even if you have IPsec IKEv2, normally happens over SSL as part of the preamble to IPsec session establishment. You can eliminate this small step manually, but it is generally more trouble than it's worth.
