Unable to access company LAN via VPN

Similar Questions

• Customer remote cannot access the server LAN via VPN

  Hi friends,

  I'm a new palyer in ASA.

  My business is small. We need to the LAN via VPN remote client access server.

  I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.

  Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.

  Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.

  Who can help me?

  Thank you very much.

  The following configuration:

  ASA Version 7.0(7)
  
      !
  
      hostname VPNhost
  
      names
  
      dns-guard
  
      !
  
      interface Ethernet0/0
  
      nameif outside
  
      security-level 10
  
      ip address 221.122.96.51 255.255.255.240
  
      !
  
      interface Ethernet0/1
  
      nameif inside
  
      security-level 100
  
      ip address 192.168.42.199 255.255.255.0
  
      !
  
      interface Ethernet0/2
  
      shutdown
  
      no nameif
  
      no security-level
  
      no ip address
  
      !
  
      interface Management0/0
  
      shutdown
  
      no nameif
  
      no security-level
  
      no ip address
  
      management-only
  
      !
  
      ftp mode passive
  
      dns domain-lookup inside
  
      access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
  
      access-list allow_PING extended permit icmp any any inactive
  
      access-list Internet extended permit ip host 221.122.96.51 any inactive
  
      access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
  
      access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
  
      access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
  
      access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
  
      pager lines 24
  
      mtu outside 1500
  
      mtu inside 1500
  
      ip local pool testpool 192.168.43.10-192.168.43.20
  arp timeout 14400
  
      global (outside) 1 interface
  
      nat (inside) 0 access-list VPN
  
      nat (inside) 1 access-list PAT_acl
  
      route outside 0.0.0.0 0.0.0.0 221.122.96.49 10
  
  
      username testuser password 123
  
      aaa authentication ssh console LOCAL
  
      aaa local authentication attempts max-fail 3
  no sysopt connection permit-ipsec
  
      crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
  
      crypto dynamic-map dyn1 1 set transform-set FirstSet
  
      crypto dynamic-map dyn1 1 set reverse-route
  
      crypto map mymap 1 ipsec-isakmp dynamic dyn1
  
      crypto map mymap interface outside
  
      isakmp enable outside
  
      isakmp policy 1 authentication pre-share
  
      isakmp policy 1 encryption des
  
      isakmp policy 1 hash md5
  
      isakmp policy 1 group 2
  
      isakmp policy 1 lifetime 86400
  
      isakmp nat-traversal  3600
  
      tunnel-group testgroup type ipsec-ra
  
      tunnel-group testgroup general-attributes
  
      address-pool testpool
  
      tunnel-group testgroup ipsec-attributes
  
      pre-shared-key *
  
      telnet timeout 5
  ssh timeout 10
  
      console timeout 0
  : end
  

  Topology as follows:

  

  Hello

  Configure the split for the VPN tunneling.

  1. Create the access list that defines the network behind the ASA.

     ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0 

  2. Mode of configuration of group policy for the policy you want to change.

     ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#

  3. Specify the policy to split tunnel. In this case, the policy is tunnelspecified.

     ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified 

  4. Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.

     ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List 

  5. Type this command:

     ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes 

  6. Associate the group with the tunnel group policy

     ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn 

  7. Leave the two configuration modes.

     ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#

  8. Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.

  Kind regards
  Abhishek Purohit
  CCIE-S-35269

• RV120W - cannot access static IP via VPN devices

  Hello

  I have a RV120W used to provide VPN access to several industrial devices. Some of these devices are assigned via DHCP from the router IP address. Can not do DHCP, so there a self-determined static IP.

  The VPN works well for all devices that are affected intellectual property. However, it does allow me to connect to the device that has a static IP address. I can connect to it very well when I'm on the LAN or WLAN, but it cannot ping via the VPN.

  Help!

  Thank you-

  Bailey

  Hi Bailey, it seems that the static device has no default gateway are entrusted to him.

  -Tom
  Please mark replied messages useful

• Cannot access remote network via VPN

  Hello

  I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
  There is also a public oriented Web server in the office which must be accessible.

  I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.

  I'm quite puzzled as to why it does not work. Please could someone help.

  The results of tests and the router configuration are listed below. Please let me know if you need additional information.

  Thank you and best regards,
  Simon

  1. routing on the router table
  Router #sh ip route
  Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
  xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
  C XXX.yyy.zzz.192 is directly connected, Vlan10
  GGG.hhh.125.0/32 is divided into subnets, subnets 1
  C GGG.HHH.125.34 is directly connected, Dialer0
  172.16.0.0/32 is divided into subnets, subnets 1
  S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
  S * 0.0.0.0/0 [1/0] via ggg.hhh.125.34

  2. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
  > ping 172.16.100.1
  Ping 172.16.100.1 with 32 bytes of data:
  Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 255

  3. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
  > ping 172.16.100.10
  Ping 172.16.100.10 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.

  4. ping the router to the successful local server
  router #ping 172.16.100.10
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

  5 see the version
  Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
  ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
  the availability of router is 1 hour, 9 minutes
  System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
  Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
  10 FastEthernet interfaces
  1 ISDN basic rate interface
  Configuration register is 0 x 2102

  6. router Config
  AAA authentication login default local
  connection of local AAA VPN authentication.
  AAA authorization exec default local
  local authorization AAA VPN network
  !
  !
  AAA - the id of the joint session
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  Configuration group customer isakmp crypto ASI_Group
  key mykey
  DNS aaa.bbb.cccc.ddd
  domain mydomain.com
  pool VPN_Pool
  ACL VPN_ACL
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
  !
  crypto dynamic-map 10 DYNMAP
  game of transformation-TS1
  market arriere-route
  !
  !
  list of authentication of VPN client VPN crypto card
  card crypto VPN VPN isakmp authorization list
  crypto map VPN client configuration address respond
  card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
  !
  !
  !
  IP cef
  !
  !
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  username admin privilege 15 password mypassword
  Archives
  The config log
  hidekeys
  !
  !
  !
  !
  !
  interface FastEthernet0
  WAN description
  no ip address
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  automatic duplex
  automatic speed
  PPPoE enable global group
  PPPoE-client dial-pool-number 1
  !
  interface FastEthernet2
  Description Public_LAN_Interface
  switchport access vlan 10
  full duplex
  Speed 100
  !
  FastEthernet6 interface
  Description Private_LAN_Interface
  switchport access vlan 100
  full duplex
  Speed 100
  !
  interface Vlan1
  no ip address
  !
  interface Vlan10
  Public description
  IP address xxx.yyy.zzz.193 255.255.255.248
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Vlan100
  172.16.100.1 IP address 255.255.255.0
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Dialer0
  IP unnumbered Vlan10
  no ip unreachable
  IP mtu 1452
  IP virtual-reassembly
  encapsulation ppp
  no ip mroute-cache
  Dialer pool 1
  Dialer-Group 1
  Authentication callin PPP chap Protocol
  PPP chap hostname myhostname
  PPP chap password mychappassword
  PPP ipcp dns request accept
  failure to track PPP ipcp
  PPP ipcp address accept
  VPN crypto card
  !
  IP pool local VPN_Pool 172.16.100.50 172.16.100.60
  !
  !
  no ip address of the http server
  no ip http secure server
  !
  VPN_ACL extended IP access list
  IP 172.16.100.0 allow 0.0.0.255 any
  !
  Dialer-list 1 ip protocol allow
  not run cdp
  !
  !

  Simon,

  Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.

  Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.

  Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like

  IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

  219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255

  Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

  I hope this helps.

  Luis Raga

• RVL200 and Windows 2000 Server - can not access network resources via VPN

  I am new to the VPN, and I feel I'm missing something very basic in my configuration. I just installed a RVL200 as the gateway for my corporate network router.  The network includes a Windows 2000 Server that acts as server DHCP and several PC and a printer.  I was able to "establish a SSL VPN tunnel" home connection to the router, but after recording in everything I see is the screen of virtual Passage - one with lock icons - otherwise I am inside the router.  The statement shows that I am connected.  Once the tunnel is established, what am I supposed to do to get computers to the computers on my network?  I can ping all computers on the network using their LAN address.  I'm supposed to see a choice of network resources to get to this point?  I put the router as a trusted site in the server and even tried to disable all firewalls, but I see that the VPN screen with icons.  I don't know how to proceed from here because I don't know what I'm supposed to see.  Thanks for any help that you can give to a newbie!

  The SSL connection is only for the VPN router. To access the computer, you can use Windows Remote Desktop connection. So that you can access to remote computers on the network, or you could look for 3 third-party software for remote access

  Hope this helps

• Unable to access windows update via internet

  running a network most of the machines have a gigabite network conditions. Internet router is a Netgear SRX5308 tunnel VPN site-to-site running. I have 2 machines to implement both running Windows XP Professional. #1 computer is connected to our internal network, the other #2 is connected to the internet via a separate router doesn't do not part of the network.

  using the #1 machine

  When I try to use windows update I get error 8024402f. and not to download updates.

  using the #2 machine

  When I try to use windows update it works fine, I get the updates and everything is fine.

  I also tested this issue on my work machine machine has Windows 7 and I get the same error code. Even with updates automatic it will not download updates and I get the same error.

  The problem maybe in my router and if so how can I fix the problem?

  I tried the suggestion on the forum as well as by ELP files that Microsoft has put in place. I need help, try to identify and solve this problem.

  Thanks in advance for your help

  I suspected. To avoid confusion and duplication of effort, please post a follow-up later all replies to your original thread (which I just posted a new response).

• No access to iBook store. I can see the books purchased in my "library" but have been unable to access the shop via the icons at the bottom of the screen of the library. I was also unable to access the shop via one of the links at the end of the books.

  Recommended links, NY Times, Top Charts, and Top authors are not allowing me to access the iBook on my iPad store. This problem began immediately after I downloaded and opened a book called "'Adobe After Effects: A Stey by step Guide" by Richard Lee. "

  I tried all of the fixes published to access the iBook store, but nothing has worked. I don't feel this problem on my iPhone, which is synchronized to my iPad to share books.

  How to solve this problem without having to do a restore complete, please?

  "I tried all of the fixes published to access the iBook store, but nothing has worked."

  We have no way of knowing exactly what troubleshooting have you tried unless you tell us.

  If you have not yet tried, reboot your iPad.

  1. Press and hold the sleep/wake button until the Red slider appears.
  2. Drag the slider to turn off your device completely off.
  3. Once the device turns off, press and hold the sleep/wake button again until you see the Apple logo.

• Satellite Pro P100 - unable to access the LAN

  This is the first time I want to use the LAN outlet. Where plug the LAN cable and the activation of the network connection are no response at all (light indicators do not work). Test the card gives a good result. I reinstalled the success of whithout pilot.
  What is a configuration problem?

  I use WINDOWS XP. Thank you.

  Hello

  Do you have a message on the limited connectivity from Windows?
  What is card LAN recognized correctly in Device Manager?

  You may need to check the configuration. You use DHCP or a static IP address? You should try it with static IP addresses.

  In addition, go to the command line (cmd) and type ipconfig / renew. What happens exactly?

• Unable to connect to uverse via VPN to the office

  I just signed up for by att uverse and I can't connect to my office through vpn.  any advice?

  Original title: uverse / connectivity

  Hi Dottut,

  You must contact the support technique uverse AND technical support at your office if you understand how to get them to work together, everyone takes part but not all of the answer (but I would start by the Office IT Department first).

  Good luck!

• I'm unable to access the Internet via the wireless or wired. Reinstall I tried all browsers and it still does not work.

  I can't go online with or without wire. I've uninstalled and reinstalled IE 7 and 8. And firefox installed. Still can't. Message reads page cannot be displayed. When I fix it cannot renew ip address

  Help

  original title: I can't go online with or without wire

  Hello

  I suggest you follow the steps mentioned below:

  Method 1:

  Renew the IP in the command prompt and check if the problem persists. Follow these steps to open the command prompt and type the command:

  a. click the Start button. Type cmd , and then click on OK.

  (b) to release the IP address type ipconfig/release and hit Efriendship.

  c. in order to renew the IP address type ipconfig/renew and press on Enter.

  Method 2:

  If the previous step fails, follow the steps in the link:

  http://support.Microsoft.com/kb/870702

• Unable to access the VPN Client LAN

  I configured a 877 for VPN Client Access. The Client authenticates and connects and receives an IP address off the coast of the pool of intellectual property. However, he is unable to access anything on the IP network.

  I have included my router config. The VPN Client is v5.0.05.0290.

  Any ideas on what I'm missing?

  Can try reverse our ACL VPN-Client, I think that it is written in the wrong way

  For example:

  VPN-Client extended IP access list

  Note * permit VPN Client pool *.

  IP enable any 192.168.201.0 0.0.0.255

  or more precise

  VPN-Client extended IP access list

  Note * permit VPN Client pool *.

  192.168.1.0 255.255.255.0 ip permit 192.168.201.0 0.0.0.255

• Urgent! Users of remote access VPN connects but cannot access remote LAN (ping, folder,...)

  Hello

  I am setting up a VPN on a Cisco ASA 5510 version 8.4 remote access (4) 1.

  When I try to connect via the Cisco VPN client software, I am able to connect however I am unable to access network resources.

  However, I can ping the servers in the other site that is connected through the VPN site-to site to the main site!

  VPN client--> main site (ping times on)--> Site connected with the main site with VPN S2S (successful ping)

  Please help me I need to find a solution as soon as POSSIBLE!

  Thank you in advance.

  Hello

  Please remove the NAT exemption and the re - issue the command but with #1, so it will place the NAT as first line:

  No nat (SERVERS, external) static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

  NAT (SERVERS, external) 1 static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

  After re-configured this way, make sure that this command is also available:

  Sysopt connection permit VPN

  This sysopt will allow traffic regardles any ACL a fall, just in case. Please continue to run a package tracer and post it here,

  Packet-trace entry Server icmp XXXXXX 8 0 detailed YYYYY

  XXXX--> server IP

  AAAA--> VPN IP of the user

  Don't forget to do the two steps and a just in case, capture Please note and mark it as correct the useful message!

  Thank you

  David Castro,

• remote VPN and vpn site to site vpn remote users unable to access the local network

  As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config

  The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.

  ASA Version 8.2 (2)
  !
  host name
  domain kunchevrolet
  activate r8xwsBuKsSP7kABz encrypted password
  r8xwsBuKsSP7kABz encrypted passwd
  names of
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  PPPoE client vpdn group dataone
  IP address pppoe
  !
  interface Ethernet0/1
  nameif inside
  security-level 50
  IP 192.168.215.2 255.255.255.0
  !
  interface Ethernet0/2
  nameif Internet
  security-level 0
  IP address dhcp setroute
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  No nameif
  no level of security
  no ip address
  management only
  !
  passive FTP mode
  clock timezone IST 5 30
  DNS server-group DefaultDNS
  domain kunchevrolet
  permit same-security-traffic intra-interface
  object-group network GM-DC-VPN-Gateway
  object-group, net-LAN
  access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
  192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
  tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  MTU 1500 Internet
  IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
  ICMP unreachable rate-limit 1 burst-size 1
  enable ASDM history
  ARP timeout 14400
  NAT-control
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  AAA authentication http LOCAL console
  AAA authentication enable LOCAL console
  LOCAL AAA authentication serial console
  Enable http server
  x.x.x.x 255.255.255.252 out http
  http 192.168.215.0 255.255.255.252 inside
  http 192.168.215.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic dynmap 65500 transform-set RIGHT
  card crypto 10 VPN ipsec-isakmp dynamic dynmap
  card crypto VPN outside interface
  card crypto 10 ASA-01 set peer 221.135.138.130
  card crypto 10 ASA - 01 the transform-set RIGHT value
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  the Encryption
  sha hash
  Group 2
  lifetime 28800
  Telnet 192.168.215.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  Console timeout 0
  management-access inside
  VPDN group dataone request dialout pppoe
  VPDN group dataone localname bb4027654187_scdrid
  VPDN group dataone ppp authentication chap
  VPDN username bb4027654187_scdrid password * local store
  interface for identifying DHCP-client Internet customer
  dhcpd dns 218.248.255.141 218.248.245.1
  !
  dhcpd address 192.168.215.11 - 192.168.215.254 inside
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  Des-sha1 encryption SSL
  WebVPN
  allow outside
  tunnel-group-list activate
  internal kun group policy
  kun group policy attributes
  VPN - connections 8
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value split tunnel
  kunchevrolet value by default-field
  test P4ttSyrm33SV8TYp encrypted password username
  username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
  username kunauto attributes
  Strategy Group-VPN-kun
  Protocol-tunnel-VPN IPSec
  tunnel-group vpngroup type remote access
  tunnel-group vpngroup General attributes
  address pool VPN_Users
  Group Policy - by default-kun
  tunnel-group vpngroup webvpn-attributes
  the vpngroup group alias activation
  vpngroup group tunnel ipsec-attributes
  pre-shared key *.
  type tunnel-group test remote access
  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group ipsec-attributes x.x.x.x
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  Review the ip options
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  inspect the icmp
  !
  global service-policy global_policy
  context of prompt hostname
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
  : end
  kunauto #.

  Hello

  Looking at the configuration, there is an access list this nat exemption: -.

  192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0

  But it is not applied in the States of nat.

  Send the following command to the nat exemption to apply: -.

  NAT (inside) 0 access-list sheep

  Kind regards

  Dinesh Moudgil

  P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

• Access PIX NIC canoe internal via VPN

  Hello

  We have a customer with a PIX 515 we installed and we have a private network virtual of our office to them. We communicate to all their guests behind the PIX over the good VPN configuration (telnet) and monitoring (SNMP). We want to control the PIX via snmp as well. We are unable to access the internal ip address of the NIC through the VPN. We can not ping, telnet or use SNMP to it.

  The VPN works great as I said above, but is there anything else I need to do to allow access to the internal IP of NIC address?

  This is the normal behavior of Pix. You cannot communicate with a Pix interface unless it's the only one to receive the traffic. Therefore, you can monitor and communicate with the outside/IP of the Pix from the Web interface.

  BTW... This changed in Pix v6.3 that came out yesterday. You can use the command [management-access] to manage your Pix using his IP address private through a VPN tunnel.

• CANNOT ACCESS THE LAN WITH THE EASY VPN CONFIGURATION

  Hello

  I configured easy vpn server in cisco 1905 SRI using ccp. The router is already configured with zone based firewall. With the help of vpn client I can reach only up to the internal interface of the router, but cannot access the LAN from my company. I need to change any configuration of ZBF since it is configured as "deny everything" from outside to inside? If so that all protocols should I match?   Also is there any exemption of NAT for VPN clients? Please help me! Thanks in advance.

  Please see my full configuration:

  Router #sh run
  Building configuration...

  Current configuration: 8150 bytes
  !
  ! Last modification of the configuration at 05:40:32 UTC Wednesday, July 4, 2012 by
  ! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
  ! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  router host name
  !
  boot-start-marker
  boot-end-marker
  !
  !
  Passwords security min-length 6
  no set record in buffered memory
  enable secret 5 xxxxxxxxxxx
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login ciscocp_vpn_xauth_ml_1 local
  AAA authorization exec default local
  AAA authorization ciscocp_vpn_group_ml_1 LAN
  !
  !
  !
  !
  !
  AAA - the id of the joint session
  !
  !
  No ipv6 cef
  IP source-route
  no ip free-arps
  IP cef
  !
  Xxxxxxxxx name server IP
  IP server name yyyyyyyyy
  !
  Authenticated MultiLink bundle-name Panel
  !

  parameter-map local urlfpolicy TSQ-URL-FILTER type
  offshore alert
  block-page message "Blocked according to policy"
  parameter-card type urlf-glob FACEBOOK
  model facebook.com
  model *. Facebook.com

  parameter-card type urlf-glob YOUTUBE
  mires of youtube.com
  model *. YouTube.com

  parameter-card type urlf-glob CRICKET
  model espncricinfo.com
  model *. espncricinfo.com

  parameter-card type urlf-glob CRICKET1
  webcric.com model
  model *. webcric.com

  parameter-card type urlf-glob YAHOO
  model *. Yahoo.com
  model yapo

  parameter-card type urlf-glob PERMITTEDSITES
  model *.

  parameter-card type urlf-glob HOTMAIL
  model hotmail.com
  model *. Hotmail.com

  Crypto pki token removal timeout default 0
  !
  Crypto pki trustpoint TP-self-signed-2049533683
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 2049533683
  revocation checking no
  rsakeypair TP-self-signed-2049533683
  !
  Crypto pki trustpoint tti
  crl revocation checking
  !
  Crypto pki trustpoint test_trustpoint_config_created_for_sdm
  name of the object [email protected] / * /
  crl revocation checking
  !
  !
  TP-self-signed-4966226213 crypto pki certificate chain
  certificate self-signed 01
  3082022B 30820194 02111101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43647274 31312F30
  69666963 32303439 35323236 6174652D 3833301E 170 3132 30363232 30363332

  quit smoking
  encryption pki certificate chain tti
  for the crypto pki certificate chain test_trustpoint_config_created_for_sdm
  license udi pid CISCO1905/K9 sn xxxxxx
  licence start-up module c1900 technology-package datak9
  username privilege 15 password 0 xxxxx xxxxxxx
  !
  redundancy
  !
  !
  !
  !
  !
  type of class-card inspect entire tsq-inspection-traffic game
  dns protocol game
  ftp protocol game
  https protocol game
  match icmp Protocol
  match the imap Protocol
  pop3 Protocol game
  netshow Protocol game
  Protocol shell game
  match Protocol realmedia
  match rtsp Protocol
  smtp Protocol game
  sql-net Protocol game
  streamworks Protocol game
  tftp Protocol game
  vdolive Protocol game
  tcp protocol match
  udp Protocol game
  match Protocol l2tp
  class-card type match - all BLOCKEDSITES urlfilter
  Server-domain urlf-glob FACEBOOK game
  Server-domain urlf-glob YOUTUBE game
  CRICKET urlf-glob-domain of the server match
  game server-domain urlf-glob CRICKET1
  game server-domain urlf-glob HOTMAIL
  class-map type urlfilter match - all PERMITTEDSITES
  Server-domain urlf-glob PERMITTEDSITES match
  inspect the class-map match tsq-insp-traffic type
  corresponds to the class-map tsq-inspection-traffic
  type of class-card inspect correspondence tsq-http
  http protocol game
  type of class-card inspect all match tsq-icmp
  match icmp Protocol
  tcp protocol match
  udp Protocol game
  type of class-card inspect correspondence tsq-invalid-src
  game group-access 100
  type of class-card inspect correspondence tsq-icmp-access
  corresponds to the class-map tsq-icmp
  !
  !
  type of policy-card inspect urlfilter TSQBLOCKEDSITES
  class type urlfilter BLOCKEDSITES
  Journal
  reset
  class type urlfilter PERMITTEDSITES
  allow
  Journal
  type of policy-card inspect SELF - AUX-OUT-policy
  class type inspect tsq-icmp-access
  inspect
  class class by default
  Pass
  policy-card type check IN and OUT - POLICIES
  class type inspect tsq-invalid-src
  Drop newspaper
  class type inspect tsq-http
  inspect
  service-policy urlfilter TSQBLOCKEDSITES
  class type inspect tsq-insp-traffic
  inspect
  class class by default
  drop
  policy-card type check OUT IN-POLICY
  class class by default
  drop
  !
  area inside security
  security of the OUTSIDE area
  source of security OUT-OF-IN zone-pair outside the destination inside
  type of service-strategy check OUT IN-POLICY
  zone-pair IN-to-OUT DOMESTIC destination outside source security
  type of service-strategy inspect IN and OUT - POLICIES
  security of the FREE-to-OUT source destination free outdoors pair box
  type of service-strategy inspect SELF - AUX-OUT-policy
  !
  Crypto ctcp port 10000
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  crypto ISAKMP policy 2
  Group 2
  !
  ISAKMP crypto client configuration group vpntunnel
  XXXXXXX key
  pool SDM_POOL_1
  include-local-lan
  10 Max-users
  ISAKMP crypto ciscocp-ike-profile-1 profile
  vpntunnel group identity match
  client authentication list ciscocp_vpn_xauth_ml_1
  ISAKMP authorization list ciscocp_vpn_group_ml_1
  client configuration address respond
  virtual-model 1
  !
  !
  Crypto ipsec transform-set TSQ-TRANSFORMATION des-esp esp-md5-hmac
  !
  Profile of crypto ipsec CiscoCP_Profile1
  game of transformation-TRANSFORMATION TSQ
  set of isakmp - profile ciscocp-ike-profile-1
  !
  !
  !
  !
  !
  !
  the Embedded-Service-Engine0/0 interface
  no ip address
  response to IP mask
  IP directed broadcast to the
  Shutdown
  !
  interface GigabitEthernet0/0
  Description LAN INTERFACE-FW-INSIDE
  IP 172.17.0.71 255.255.0.0
  IP nat inside
  IP virtual-reassembly in
  security of the inside members area
  automatic duplex
  automatic speed
  !
  interface GigabitEthernet0/1
  Description WAN-INTERNET-INTERNET-FW-OUTSIDE
  IP address xxxxxx yyyyyyy
  NAT outside IP
  IP virtual-reassembly in
  security of the OUTSIDE member area
  automatic duplex
  automatic speed
  !
  interface Serial0/0/0
  no ip address
  response to IP mask
  IP directed broadcast to the
  Shutdown
  no fair queue
  2000000 clock frequency
  !
  type of interface virtual-Template1 tunnel
  IP unnumbered GigabitEthernet0/0
  ipv4 ipsec tunnel mode
  Tunnel CiscoCP_Profile1 ipsec protection profile
  !
  local IP SDM_POOL_1 172.17.0.11 pool 172.17.0.20
  IP forward-Protocol ND
  !
  no ip address of the http server
  local IP http authentication
  IP http secure server
  !
  IP nat inside source list 1 interface GigabitEthernet0/1 overload
  IP route 0.0.0.0 0.0.0.0 yyyyyyyyy
  IP route 192.168.1.0 255.255.255.0 172.17.0.6
  IP route 192.168.4.0 255.255.255.0 172.17.0.6
  !
  access-list 1 permit 172.17.0.0 0.0.255.255
  access-list 100 permit ip 255.255.255.255 host everything
  access-list 100 permit ip 127.0.0.0 0.255.255.255 everything
  access-list 100 permit ip yyyyyy yyyyyy everything
  !
  !
  !
  !
  !
  !
  !
  !
  control plan
  !
  !
  !
  Line con 0
  line to 0
  line 2
  no activation-character
  No exec
  preferred no transport
  transport of entry all
  output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
  StopBits 1
  line vty 0 4
  transport input ssh rlogin
  !
  Scheduler allocate 20000 1000
  end

  A few things to change:

  (1) pool of IP must be a single subnet, it is not the same subnet as your subnet internal.

  (2) your NAT ACL 1 must be changed to ACL extended for you can configure NAT exemption, so if your pool is reconfigured to be 10.10.10.0/24:

  access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255

  access-list 120 allow ip 172.17.0.0 0.0.255.255 everything

  overload of IP nat inside source list 120 interface GigabitEthernet0/1

  No inside source list 1 interface GigabitEthernet0/1 ip nat overload

  (3) OUT POLICY need to include VPN traffic:

  access-list 121 allow ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255

  type of class-card inspect correspondence vpn-access

  game group-access 121

  policy-card type check OUT IN-POLICY

  vpn-access class

  inspect