Unable to ping gateway after connecting to the VPN

I've set up an ASA 5505 with hardly any configuration. I changed the Inside interface to 192.168.168.250 and configured PPPoE DSL for the outside interface.

The ASA is working perfectly for all of my Internet needs so I set up a VPN using the Ipsec VPN wizard. That also works perfectly, except I noticed one thing. Once I connect to the VPN, I'm not able to ping the inside address of the ASA at 192.168.168.250. When I ping or manage the ASA using that IP address while I'm working on site it works fine. Why is that and is there a way I can change it?

Thank you!

-Pete

peterdallas wrote:

I've set up an ASA 5505 with hardly any configuration. I changed the Inside interface to 192.168.168.250 and configured PPPoE DSL for the outside interface.

The ASA is working perfectly for all of my Internet needs so I set up a VPN using the Ipsec VPN wizard. That also works perfectly, except I noticed one thing. Once I connect to the VPN, I'm not able to ping the inside address of the ASA at 192.168.168.250. When I ping or manage the ASA using that IP address while I'm working on site it works fine. Why is that and is there a way I can change it?

Thanks!

-Pete

Pete

Add this to your config file:

ASA(config)# management-access inside

All the details:

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/m.html#wp1987122

Jon

Tags: Cisco Security

Similar Questions

  • Cannot ping inside the vpn client hosts. It's a NAT problem

    Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with the Cisco IPsec VPN client, and I am able to authenticate. Once I have authenticated, I'm not able to reach any of the hosts inside. Below is my relevant config. Any help would be greatly appreciated.

    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login userauthen group radius
    aaa authorization exec default local
    aaa authorization network groupauthor local
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group businessVPN
     key xxxxxx
     dns 192.168.10.2
     domain business.local
     pool vpnpool
     acl 108
    crypto isakmp profile VPNclient
     match identity group businessVPN
     client authentication list userauthen
     isakmp authorization list groupauthor
     client configuration address respond
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     set isakmp-profile VPNclient
     reverse-route
    !
    !
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
     ip address 10.1.10.2 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip virtual-reassembly
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0/0
     ip address 111.111.111.138 255.255.255.252
     ip access-group outside_in in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     inspect the outgoing IP outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface Integrated-Service-Engine0/0
     description Locator is initialized with default IMAP group
     ip unnumbered Loopback0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip virtual-reassembly
     service-module ip address 10.1.10.1 255.255.255.252
     service-module ip default-gateway 10.1.10.2
    interface BVI1
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
    ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
    ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
    ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
    ip nat inside source route-map nat interface FastEthernet0/0 overload
    ip access-list extended nat
     deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 any
     permit ip 192.168.10.0 0.0.0.255 any
    ip access-list extended sheep
     permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
     permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
    ip access-list extended outside_in
     permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
     permit tcp any any eq 443
     permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
     permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
     permit esp any host 111.111.111.138
     permit udp any host 111.111.111.138 eq isakmp
     permit udp any host 111.111.111.138 eq non500-isakmp
     permit ahp any host 111.111.111.138
     permit gre any host 111.111.111.138
    access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
    !
    !
    !
    !
    route-map nat permit 10
     match ip address nat
    bridge 1 route ip

    In my view, the ACL applied to the client is backwards. It must allow traffic from the internal network to the client pool.

    To confirm, you can open the Cisco VPN client statistics (after login), then go to the Route Details tab. You should see the networks you should be able to reach from the client. Make sure that the right ones are there.

    Kind regards
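
The direction problem pointed out in the reply above can be checked mechanically. The following Python sketch is an added example, not code from the thread: it classifies each entry of the split-tunnel ACL and produces the swapped form for reversed ones. The pool range 192.168.109.0/24 and all function names are assumptions, since the post does not show the `ip local pool` line.

```python
import ipaddress

# Constructed input: the three "access-list 108" entries from the question,
# written in IOS syntax (source first, then destination).
POSTED_ACL = """\
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
"""
# Assumption: "pool vpnpool" covers 192.168.109.0/24. The pool definition is
# not in the post; this is the range its ACLs use for the VPN side.
CLIENT_POOL = ipaddress.ip_network("192.168.109.0/24")


def take_addr(tokens):
    """Pop one IOS address spec and return (network, spec_tokens).

    Accepts 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. A wildcard that is
    not a contiguous run of low-order one bits has no prefix form and is
    rejected with ValueError.
    """
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), [head]
    if head == "host":
        addr = tokens.pop(0)
        return ipaddress.ip_network(addr + "/32"), [head, addr]
    wildcard = tokens.pop(0)
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - bits.bit_length()
    return ipaddress.ip_network(f"{head}/{prefix}", strict=False), [head, wildcard]


def audit_split_tunnel(config, acl_id, pool):
    """Check the direction of every permit entry in a split-tunnel ACL.

    Returns (line, verdict, suggestion) tuples where verdict is
      'ok'        internal source, destination covers the client pool
      'reversed'  client pool as source, internal network as destination
      'other'     the entry does not describe traffic towards the pool
    and suggestion is the entry with source and destination swapped
    (only for 'reversed', otherwise None).
    """
    results = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:3] != ["access-list", str(acl_id), "permit"]:
            continue
        proto, rest = tokens[3], tokens[4:]
        src, src_spec = take_addr(rest)
        dst, dst_spec = take_addr(rest)
        # "any" (prefix length 0) is never treated as "the pool" on the source side.
        src_is_pool = src.prefixlen > 0 and src.overlaps(pool)
        dst_covers_pool = dst.overlaps(pool)
        if src_is_pool and not dst_covers_pool:
            swapped = tokens[:3] + [proto] + dst_spec + src_spec + rest
            results.append((line, "reversed", " ".join(swapped)))
        elif dst_covers_pool and not src_is_pool:
            results.append((line, "ok", None))
        else:
            results.append((line, "other", None))
    return results


if __name__ == "__main__":
    for line, verdict, suggestion in audit_split_tunnel(POSTED_ACL, 108, CLIENT_POOL):
        print(f"{verdict:9} {line}")
        if suggestion:
            print(f"{'':9} -> {suggestion}")
```
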

  • Cannot ping via the VPN client host when static NAT translations are used

    Hello, I have an ISR 3825 configured for Cisco VPN client access.

    There are also several hosts on the internal network that have static NAT translations for outward-facing services.

    Everything works as expected, with the exception that I cannot ping hosts on the internal network once connected via the VPN client if their internal IP addresses have static NAT translations to external public addresses. I can ping any host that does not have a static NAT translation.

    For example, in the config below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping the internal interface of the router and any other host on the LAN. I can ping all hosts from the router itself.

    Any help would be appreciated.

    Regards

    !
    crypto logging session
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group vpnclient
     key S3Cu4Ke!
     dns 192.168.1.1 192.168.1.2
     domain domain.com
     pool dhcppool
     acl 198
     save-password
     pfs
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set 3DES-SECURE esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set security-association lifetime seconds 86400
     set transform-set 3DES-SECURE
     reverse-route
    !
    crypto map cryptomap client authentication list drauthen
    crypto map cryptomap isakmp authorization list drauthor
    crypto map cryptomap client configuration address respond
    crypto map cryptomap 65535 ipsec-isakmp dynamic dynmap
    !
    interface GigabitEthernet0/0
     ip nat outside
     ip address 1.2.3.4 255.255.255.240
     crypto map cryptomap
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
    !
    ip local pool dhcppool 192.168.2.50 192.168.2.100
    !
    access-list 198 remark * Split Tunnel encrypted traffic *
    access-list 198 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    access-list 199 remark * NAT0 ACL *
    access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 199 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map sheep permit 10
     match ip address 199
    !
    ip nat inside source route-map sheep interface GigabitEthernet0/0 overload
    !
    ip nat inside source static 192.168.1.1 1.2.3.5
    ip nat inside source static 192.168.1.2 1.2.3.6

    The problem seems to be that the static NAT takes precedence over your NAT exemption.

    The solution would be:

    ip nat inside source static 192.168.1.1 1.2.3.5 route-map sheep
    ip nat inside source static 192.168.1.2 1.2.3.6 route-map sheep

    HTH

    Herbert
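
Why the route-map on the static entries fixes this can be seen by modelling the router's NAT decision for a packet from an inside host to a VPN client address. This is an added Python example, not code from the thread; it is a simplified model (static entries consulted before the overload rule, first-match ACL evaluation with implicit deny), and the function names are made up for illustration.

```python
from ipaddress import IPv4Address

# Constructed input: the NAT-related lines of the posted configuration (IOS syntax).
POSTED = """\
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
route-map sheep permit 10
 match ip address 199
ip nat inside source route-map sheep interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.1 1.2.3.5
ip nat inside source static 192.168.1.2 1.2.3.6
"""
# The same lines with the fix from the reply applied to both static entries.
FIXED = POSTED.replace("1.2.3.5\n", "1.2.3.5 route-map sheep\n").replace(
    "1.2.3.6\n", "1.2.3.6 route-map sheep\n")


def spec(tokens):
    """Pop one address spec ('any' or 'A.B.C.D WILDCARD') as (base, wildcard)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return "0.0.0.0", "255.255.255.255"
    return tokens.pop(0), tokens.pop(0)


def hit(ip, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(ip)) & care == int(IPv4Address(base)) & care


def parse(config):
    """Collect ACL entries, route-map to ACL bindings and NAT rules."""
    acls, route_maps, statics, overload, current = {}, {}, [], None, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[3:4] == ["ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((t[2], spec(rest), spec(rest)))
        elif t[:1] == ["route-map"]:
            current = t[1]
        elif t[:3] == ["match", "ip", "address"]:
            route_maps[current] = t[3]
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            statics.append((t[5], t[6], t[8] if t[7:8] == ["route-map"] else None))
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            overload = (t[5], t[7])  # (route-map name, outside interface)
    return acls, route_maps, statics, overload


def permitted(cfg, route_map, src, dst):
    """First-match evaluation of the ACL bound to a route-map (implicit deny)."""
    acls, route_maps = cfg[0], cfg[1]
    for action, (sb, sw), (db, dw) in acls.get(route_maps.get(route_map), []):
        if hit(src, sb, sw) and hit(dst, db, dw):
            return action == "permit"
    return False


def translate(config, src, dst):
    """Source address as it leaves the router for an inside-to-outside packet.

    Simplified model: a static entry without a route-map always translates;
    one with a route-map translates only when the route-map's ACL permits
    the packet. The overload rule is consulted after the static entries.
    """
    cfg = parse(config)
    for local, global_ip, route_map in cfg[2]:
        if src == local and (route_map is None or permitted(cfg, route_map, src, dst)):
            return global_ip
    if cfg[3] and permitted(cfg, cfg[3][0], src, dst):
        return "PAT:" + cfg[3][1]
    return src  # not translated: what return traffic to a VPN client needs


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, translate(cfg, "192.168.1.1", "192.168.2.50"))
```

With the posted configuration the echo reply from 192.168.1.1 leaves as 1.2.3.5, which the VPN client does not associate with its ping; with the route-map attached it leaves untranslated.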

  • Ping works over the ASA5505 VPN, RDP does not work?

    I have an ASA5505 remote access VPN set up.

    I have a server connected directly behind the ASA and I can ping the server without problem.

    The VPN client reports packets being encrypted and decrypted.

    However, when I try to RDP to the server, the encrypted packets keep incrementing but the decrypted packets do not.

    I also do not see any RDP traffic hit the server (checked with Ethereal).

    I did a packet trace and it succeeds, but ends with an IP spoof, which I believe is correct as it is VPN traffic and not actually encrypted.

    This is the debug of the RDP session. I'm confused by the ICMP deny on line 2, as I am able to ping the server?

    %ASA-6-302013: Built inbound TCP connection 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) to internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)

    %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.146: no matching session

    %ASA-7-609001: Built local-host internal:192.168.100.37

    %ASA-6-302015: Built inbound UDP connection 88194 for external:172.16.24.4/50620 (172.16.24.4/50620) to internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

    %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.37: no matching session

    %ASA-6-302015: Built inbound UDP connection 88195 for external:172.16.24.4/64598 (172.16.24.4/64598) to internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

    %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.37: no matching session

    %ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.37: no matching session

    %ASA-6-302014: Teardown TCP connection 88193 for external:172.16.24.4/50984 to internal:192.168.100.146/3389 duration 0:00:00 bytes 0 Flow closed by inspection (roger_ssl)

    I have this NAT configured:

    nat (internal,external) source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172

    The only logical bit is that the flow is closed by inspection? Does this mean that the server has not responded?

    And the decrypted packets do not increase when trying to RDP.

    Does this mean anything to anyone? I have reached the end of my knowledge of the ASA on this one!

    Thank you

    Roger

    Answer is based on your other thread:

    https://supportforums.Cisco.com/thread/2207372

  • Cannot Ping across the VPN remote access

    Hello world

    I hope I posted this in the right place!

    I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!

    We have a PIX 515E firewall running 6.3(4), on which I used the VPN Wizard to set up a remote access VPN for the Cisco VPN client on the outside interface.

    When I connect from home on my Windows XP Pro SP2 laptop running Cisco VPN Client 4.0.5(C), I seem to be able to connect to most of the network resources (i.e. file shares, I can RDP into servers, etc.) but I can't seem to ping anything: I just get "request timed out".

    I'm sure it's something stupid I've done (or not done).

    I have attached my config and would be grateful if someone could take a look and point me in the right direction.

    Thanks in advance for your help,

    Peter.

    Hi Peter,

    You must add a line to the inside_access_in access list:

    enable
    conf t
    access-list inside_access_in permit icmp any any
    exit
    write mem

    Kind regards

    Cathy

  • After the VPN Tunnel access problem is in place.

    Could someone please take a look at this config and tell me why, once I have the VPN tunnel up, I can't access all hosts on the 192.168.41.0 network? (The x are inserted for privacy). Thank you.

    Try...

    isakmp nat-traversal

  • No Internet access after the connection of the cisco vpn client

    Hi Experts,

    Please check the config below. The problem is that the VPN is connected but there is no Internet access on the computer after the VPN connection.

    ASA Version 8.0(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 192.168.10.10 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.14.12 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
    access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.255.240
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool testpool 192.168.14.240-192.168.14.250
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list INSIDE_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.14.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
    crypto dynamic-map dyn1 1 set transform-set setFirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    username testuser password IqY6lTColo8VIF24 encrypted
    username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
    tunnel-group mphone type remote-access
    tunnel-group mphone general-attributes
     address-pool testpool
    tunnel-group mphone ipsec-attributes
     pre-shared-key *
    prompt hostname context
    Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
    : end
    ciscoasa#

    Hello

    Large.  Try adding the below to make it work

    access-list vpn-sheep extended permit ip any 192.168.15.0 255.255.255.0

    nat (inside) 0 access-list vpn-sheep

    Harish

  • Cisco ASA, connect an IP address on the OUTSIDE of the VPN remote access

    Hello

    I tried to find resources on the net but could not find a solution, then post it here. Maybe someone can help.

    So the problem is that I'm trying to access a server on the cloud for remote VPN access (cisco asa 5510).

    The server on the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) NY Firewall (cisco asa 5510)

    I added an ACE for this in the VPN split tunnel ACL.

    NY-fw# access-list vpn_remote-customer standard permit host 54.54.54.54

    And I see the route added to my client machine after the VPN connection, but it still cannot connect to this server.

    From the INSIDE network, I can connect to the server.

    Thanks in advance.

    Hello

    This is most likely a problem with NAT hairpinning/U-turn.

    I will need to see the configurations, or you will need to check yourself.

    I don't know what your ASA software version is, and that determines the format of the NAT configuration.

    So far, you have confirmed that the ASA VPN configuration provides the VPN Client with the route to the remote server. So the traffic should be tunneled to the ASA.

    Then, you will need to check the output of this command

    show run same-security-traffic

    You should see the command below in the output

    same-security-traffic permit intra-interface

    If you do not, you will need to add it. The effect of this command is to allow traffic to enter an interface and exit through the same interface. In your case this applies to the VPN Client's traffic to the remote server, as it enters through 'outside' and leaves through 'outside'.

    Then you should make sure that dynamic PAT is configured for the VPN Clients.

    Software 8.2 (and below)

    You most likely have a dynamic PAT configuration like this on the firewall if you are running the above software levels

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0

    In this situation, if we wanted to add dynamic PAT for a VPN pool, we would add

    nat (outside) 1

    This would allow users to use the same public IP address as LAN users, when accessing the remote VPN server

    Software 8.3 (and above)

    Because the NAT configuration format is completely different in the latest software, you could probably just add a new configuration of NAT completely without adding a

    object network VPN-PAT

     subnet

     nat (outside,outside) dynamic interface

    Of course, it's possible that there is already some NAT configuration on the device which could cause problems for this configuration. If this does not work, then we would have to look at the actual configurations on the ASA.

    Hope this helps

    Let me know how it goes

    -Jouni

  • Impossible to connect to the gateway SSL of the company site and program database after that upgraded 10.0

    Dear All/Admin/Tech,
    After the upgrade to Firefox 10.0 staff of my company in Indonesia can not rained access gateway SSL for the web of our company and therefore cannot log on to our web database program.

    In my tests, in Singapore (with the same ISP fiber broadband), I have the same problem.

    Both Chrome and IE have no problem, but Firefox stops on error "the connection was reset".

    Firefox is now super sensitive to the shift of site Web, allows no ports or y at - there some problem in which Firefox to reject Web page or program?

    So far, that seems to happen on Firefox 10.0 and our SSL https web portal. What is good on all other browsers.

    Help, please.

    Thank you and best regards,
    Joel Li

    I also have problems with 10 FF and Fortinet VPN.

    It helped me a little... http://social.technet.Microsoft.com/forums/en-us/w7itprosecurity/thread/e6e8ada8-BC12-4f6f-8de3-1d3fd2ff4931

    The problems seems to be in the Microsoft Security Update KB2585542, that TLS and SSL fixes. Apparently some websites that use SSL do not work properly because of this.

    I had to disable the update of security KB2585542, then downgrade to FF 9.0.1.

    BUT I don't want to remain unpatched and with an older version of FF. A way around this problem without downgrading?

    EDIT: Just to be clear, even after I disabled the patch MS that I kept getting "the connection was reset" in FF10. Everything worked great until I upgraded to FF10 even with the patch on.
