Unable to Ping hosts through IPSec Tunnel

I have a home lab configuration with a PIX 515 running code 8.03.  I've made several changes over the last week and now when I terminate a VPN connection on the outside interface, I'm unable to reach any internal resources.  My VPN connection comes from 10.22.254.0/24 trying to hit the internal nodes on 10.22.1.0/24, see below.  When I terminate a VPN connection on the inside interface it works, so I guess I'm dealing with a NAT problem?   I have no idea why Phase 9 is a failure.  Any help would be great!

-------

access-list sheep extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

nat (inside) 0 access-list sheep

-------

global (outside) 1 interface

-------

access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

-------

packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2bb3450, priority=0, domain=inspect-ip-options, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  nat (inside) 0 access-list sheep
  nat-control
    match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
      NAT exempt
      translate_hits = 6, untranslate_hits = 5
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
  static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
  nat-control
    match ip inside 10.22.1.0 255.255.255.0 DMZ any
      static translation to 10.22.1.0
      translate_hits = 10, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2d52800, priority=5, domain=host, deny=false
        hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat-control
    match ip inside any outside any
      dynamic translation to pool 1 (192.168.20.20 [Interface PAT])
      translate_hits = 2909, untranslate_hits = 9
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2d4a7d0, priority=1, domain=nat, deny=false
        hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x3328000, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

No, the sheep ACL only requires the entry defining the internal network traffic to the

VPN pool.  You must remove the other entries.

Delete:

access-list sheep line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list sheep line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
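Reading a packet-tracer run by hand is error-prone, so here is an added example (my own code, not from this thread or from Cisco) that parses ASA packet-tracer output into phases and reports the first DROP phase together with the selector of the rule it matched. The embedded trace is a constructed sample modelled on the run above (same phase numbers, rule ids and hit counts), trimmed to the NAT-exempt and ipsec-user phases.

```python
import re
from dataclasses import dataclass, field
# Constructed sample (not the poster's raw output): the two phases that decide the
# thread's trace, keeping its phase numbers, rule ids and hit counts.
SAMPLE_TRACE = """\
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  nat (inside) 0 access-list sheep
    match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x2be2a00, priority=6, domain=nat-exempt, deny=false
        hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    rule: dict = field(default_factory=dict)    # fields of the matched rule
_HEADER = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
def parse_packet_tracer(text):
    """Split packet-tracer output into Phase records plus the final 'Result:' summary."""
    phases, summary, current, section, in_summary = [], {}, None, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":  # a bare "Result:" opens the final summary block
            in_summary = True
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
            continue
        m = _HEADER.match(line)
        if m:
            section, val = m.groups()
            if section == "Phase":
                current = Phase(number=int(val))
                phases.append(current)
            elif section == "Type":
                current.ptype = val
            elif section == "Subtype":
                current.subtype = val
            elif section == "Result":
                current.result = val.upper()
            continue
        if current is None:
            continue
        if section == "Config":
            current.config.append(line)
        elif section == "Additional Information":
            # rule lines: "id=.., priority=.., domain=.., deny=.." and "src ip=.., mask=.., port=.."
            prefix = ""
            if line[:4] in ("src ", "dst "):  # keep the src and dst masks apart
                prefix, line = line[:3] + "_", line[4:]
            for part in line.split(","):
                key, sep, val = part.strip().partition("=")
                if sep:
                    current.rule[prefix + key.strip()] = val.strip()
    return phases, summary
def first_drop(phases):
    """First phase whose Result is DROP, or None when the flow is allowed end to end."""
    return next((p for p in phases if p.result == "DROP"), None)
def explain(phases, summary):
    """One-line diagnosis: the dropping phase and the selector of the rule it matched."""
    p = first_drop(phases)
    if p is None:
        return "allowed, action=" + summary.get("Action", "?")
    r = p.rule
    return "phase %d %s/%s dropped the flow: rule %s domain=%s deny=%s src %s/%s dst %s/%s; %s" % (
        p.number, p.ptype, p.subtype, r.get("id"), r.get("domain"), r.get("deny"),
        r.get("src_ip"), r.get("src_mask"), r.get("dst_ip"), r.get("dst_mask"),
        summary.get("Drop-reason", ""))
```

Feed it the full output of `packet-tracer ... detailed` and compare the selector of the dropping rule with the NAT-exempt and crypto ACL selectors that the earlier phases report.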

Tags: Cisco Security

Similar Questions

  • ASA 5505 9.1 Unable to ping inside the IPSec VPN network

    To give some background, the ASA has been reloaded and upgraded from 8.2 to 9.1.  I am able to connect to the VPN, but unable to reach anything inside, including the ASA.  Unfortunately I don't have much experience with 8.3+, but I thought that I had NAT set up appropriately.  Nothing else is currently configured on the ASA, as it's just a test ASA currently, so I could have just missed something obvious.

    ASA Version 9.1(3)
    !
    hostname testasa
    enable password Ry5/Pmodu2QL1Xe3 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    ip local pool VPNPool 192.168.3.1-192.168.3.200 mask 255.255.255.0
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Ethernet0/2
    switchport access vlan 2
    !
    interface Ethernet0/3
    switchport access vlan 2
    !
    interface Ethernet0/4
    switchport access vlan 2
    !
    interface Ethernet0/5
    switchport access vlan 2
    !
    interface Ethernet0/6
    switchport access vlan 2
    !
    interface Ethernet0/7
    switchport access vlan 2
    !
    interface Vlan1
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.252 255.255.255.0
    !
    ftp mode passive
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.3.0_24
    subnet 192.168.3.0 255.255.255.0
    object network obj-inside
    subnet 192.168.2.0 255.255.255.0
    object network obj-vpn
    subnet 192.168.3.0 255.255.255.0
    access-list VPNGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn
    !
    nat (inside,outside) after-auto source dynamic any interface
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd address 192.168.2.50-192.168.2.100 inside
    dhcpd dns 208.67.222.222 198.153.192.40 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy VPNGroup internal
    group-policy VPNGroup attributes
    dns-server value 208.67.222.222 198.153.192.40
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNGroup_splitTunnelAcl
    split-tunnel-all-dns disable
    msie-proxy method no-proxy
    vlan none
    nac-settings none
    username test password I9znLlryc6yq.BN4 encrypted privilege 15
    tunnel-group VPNGroup type remote-access
    tunnel-group VPNGroup general-attributes
    address-pool VPNPool
    default-group-policy VPNGroup
    tunnel-group VPNGroup ipsec-attributes
    ikev1 pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect icmp error
    !
    service-policy global_policy global
    prompt hostname context

    Hello

    To be honest, I can't see anything in the configuration that should be a problem.

    Your NAT settings seem to be correct.

    You have the global setting "sysopt connection permit-vpn", which does not appear in this form in the CLI configuration. This configuration essentially means that the ASA would allow traffic from a VPN connection to bypass the interface ACL of the interface where the VPN connection terminates (outside).

    Your split tunnel ACL is also correct.

    You could connect with the VPN client, run a continuous ICMP to a LAN host and provide the output of the following command after the ICMP has been running for a few seconds

    show crypto ipsec sa

    You should see the VPN counters.

    You can also try adding

    management-access inside

    This should allow you to ICMP the 'inside' IP of the ASA and also manage the ASA through the VPN connection using the 'inside' IP address, provided you have enabled it. But for this you need to change the "nat" configuration to this

    nat (inside,outside) source static obj-inside obj-inside destination static obj-vpn obj-vpn route-lookup

    Hope this helps

    -Jouni

  • AnyConnect SSL VPN through IPSEC Tunnel

    Has anyone been able to set up and connect using Cisco AnyConnect SSL VPN over a Cisco IPsec tunnel? I used this in the past from a Windows XP system, but it's not working now. None of my users are able to connect using AnyConnect over IPsec. IPsec on its own works very well.

    AnyConnect is also able to create the connection to its ASA firewall, however it's not able to route all traffic through. Do you have any suggestions?

    Thanks for the update.

  • Virtual MACHINE is unable to ping host and vice versa

    It is a very strange problem.  VMWare support tried to understand this output as Dell.  So, I just throw it to the community to see if anyone else has experienced this problem and may have a solution.  I have 3 identical Dell R720 servers.  2 work with no problem, but 1 (let's call it vm8) gave me problems since day 1.  Reference verified Dell equipment today and has updated me the BIOS, firmware and drivers on vm8, which did not solve the problem.  VMWare technicians checked each parameter network in recent weeks and currently, they are not the cause.

    VM8 has ESXi 5.5.0 installed.  The server has 2 NICs with 4 ports each.  Current configuration is vmnic 0-3 connected to our LAN, 4-5 on our DMZ and 6-7 on our SAN (iSCSI). HA will go up and down because VM8 loses connectivity to our isolation address (gateway).

    VM8 (mgmt network IP is 172.20.100.9) has only 1 VM (172.20.100.40). Same subnet (255.255.255.0).  .9 pinging .40 using vmkping times out.  When I ping .9 from .40, the first packet gets a quick response, then all following packets time out.  According to VMware, when you ping in (VM to host) it does not go out through the physical network card to the physical switch.  Everything is internal with vmnic and vSwitch.  When I ping my gateway (172.20.100.1), the ping is successful.  When I ping .9 from my workstation, the first packet times out, then the following packets are answered.  It is the exact opposite of pinging the virtual machine.

    Here's a better breakdown:

    .9 VM8 host

    .40 VM on the host VM8

    .1 gateway

    .122 workstation over LAN

    .25 vRanger connection (physical server on LAN)

    Ping

    .9 to .40 (100% packet loss)

    .40 to .9 (75% packet loss) first packet gets a response, then 3 time out

    .9 to .122 good ping (0 packet loss)

    .122 to .9 good ping (0 packet loss)

    .9 to .25 vmkping (75% loss) does not show each packet that is sent, but from the other results I can assume the first packet times out.

    .25 to .9 (75% loss) first packet times out, the following 3 got a response

    .40 to .122 good ping (0 packet loss)

    .122 to .40 (100% packet loss)

    All 3 can ping .1 (every 20 minutes on VM8 I get a "vSphere HA agent on this host failed isolation address 172.20.100.1")

    Also, throughout the day, I get the message "vSphere HA agent on this host cannot reach some of the management network addresses of other hosts, and HA may not be able to restart the virtual machines if a host failure occurs."  I came to work in the morning, and all my VMs on VM8 had migrated to my other 2 hosts.  My backups don't work on VMs on VM8.  I use vRanger and when I ping VM8 from the vRanger server (physical server), the first packet times out and the following packets get a response.  Then, when vRanger goes to back up my VM, it fails due to the loss of the first packet.

    These are things I've already tried.  I tested each physical network adapter individually.  I removed all the ports on the two NICs to try to isolate a specific port. All 4 vmnics are active adapters in the management network NIC teaming properties and I moved each vmnic individually to unused to test each port.  I replaced the Cat6 cables.  I used different Dell switches and various switch ports.  I even swapped the switch ports with those of another host, to exclude a switch port configuration problem. In addition, port security is disabled on the ports.  I upgraded ESXi 5.5.0 to a newer version.  There is a known issue with the tg3 driver, which I've updated to the latest version without problem.  I also used the tg3 workaround of disabling NetQueue.  And we do not use VLANs. Dell technical support says that it is not a hardware problem and thinks it's a layer 2 issue, but does not know where.  Basically, it's either an internal problem (meaning strictly on VM8) with vSwitches or vmnics, or it's a hardware gremlin in our Dell R720 box.

    The final recommendation of Dell is to wipe the ESXi server and install a clean copy.  It's extremely frustrating and I'm out of ideas.

    Thanks in advance.

    Any chance you have a duplicated IP address on your network?

  • Virtual machine is unable to ping host ESX

    I have an ESX 3.5 Update 4 host server and I have a weird problem.  I have searched for days and can't find an answer, so perhaps someone could help me.

    My ESX host works perfectly.  I can manage it over the web or with the VI client.  Setting up and installing virtual machines works very well.  The problem occurs with the networking of several virtual machines.  I have a virtual port group for the virtual machines that is connected to a virtual switch that is bound to a physical card.  The service console is also connected to a single virtual switch. The problem is that only the first virtual machine that is powered on will be able to connect to the internet and other devices and computers on the network.  I have 5 different VMs with different operating systems and the same network settings.  Whichever one I start first will work, but only that first one.  The rest of the virtual machines can ping only the virtual machine that was started first.  They can't ping the ESX host or anything on the network.

    The network gateway is 192.168.1.254, the ESX host is 192.168.1.110 and the VMs are 192.168.1.111 - 115, the DNS is 192.168.1.50

    All virtual machines have static IPs.  They each have their own respective IP, the gateways are all set to 192.168.1.254 and DNS to 192.168.1.50

    Yet the first one that starts works, and works perfectly, can see everything on the network and connect to the internet.

    SuryaVMware is absolutely right with his suggestion. I went through the same scenario on the 3750's a few months back myself.

    If you found this helpful, please consider awarding points

  • I can't do FTP through IPsec Tunnel

    Users at the branch office (Perth) cannot do FTP to a server on the internet. We simply want to change the NAT/rules to get there.

    Our head office is in Sydney, and this router has IPsec VPNs to other sites including Melbourne, Perth, ...

    We just want FTP for users in Perth, not for all the other branches.

    Everything is IPsec router to router. From the Perth and Sydney routers I can ping the FTP address (203.171.5.4), but from a client in Perth I can't ping or telnet to this IP address.

    I have attached the Sydney and Perth router configs.

    Please ask me for more details about the environment.

    Thanks in advance,

    Reza

    Reza,

    It's because we are dealing with two different concepts of ACL here.
    ACL 160 is applied to an interface (in the path of Ethernet0), so this ACL permits/denies traffic.
    ACL 150 is applied to a NAT rule (you cannot delete it because you will lose Internet).

    I asked you to remove only ACL 160, which is the filtering one.

    The test I was asking for was to remove ACL 160 or add a line like this:
    access-list 160 permit ip any any
    And check if everything works.

    Federico.

  • Virtual machine is unable to ping host on vSphere5.1 fresh install

    Hello

    I did a new install of vSphere 5.1 (previously 4.1 installed that works well). No vCenter for now.

    Running a Paessler PRTG virtual machine on the LAN under Win 2k3 x64.

    This virtual machine has been moved from 4.1 to 5.1, nothing has changed.

    This virtual machine can't ping the host. No WMI monitoring either.

    A physical computer on the LAN can ping on host vSphere with no problems.

    What's wrong?

    Thank you

    Vincent

    According to the screenshots, the subnet mask you use in your local network is 255.255.0.0. As a first step, please run ipconfig /all in the virtual machine to verify that the virtual machine is configured with the same subnet mask. Secondly, run the ping command from the virtual machine, pinging its own IP to see if it succeeds.

    BTW. What type/model of virtual network adapter is configured for the virtual computer?

    André

  • Impossible to ping Host

    Set management address
    Unable to ping host on the same network segment
    Checked firewall

    Dear Madlabs

    Please activate the correct network card as part of the management network in the DCUI

  • Unable to Ping IP across 2 IPsec Tunnels

    Hello world

    Here's the Setup program

    Server1 - layer 2 switch - ASA1 - L2 tunnel - ASA2 - L2 tunnel - ASA3 - layer 2 switch - Server2.

    Server1 IP 10.31.2.83/28

    Server2 IP 10.31.2.35/28

    Server1 has its default gateway to ASA1

    Server1 can ping the ASA1 but cannot ping the Server2.

    ASA1 is also unable to ping server2.

    ping 10.31.2.35
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    ASA2 can ping Server2

    ping 10.31.2.35
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    ASA2 can ping Server1

    ping 10.31.2.83
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.31.2.83, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    The ACL is allowing the traffic; routing and the crypto map also allow the traffic.

    What else can I check?

    Any help is appreciated.

    Regards

    Mahesh

    I don't understand what you mean by Layer 2 tunnel. Is it relevant to this question?

    Is IPsec involved?

    Have you done any basic Layer 3 troubleshooting? Checked the routing information?

    (1) Does ASA2 have 2 interfaces, one for each tunnel?

    • Does ASA2 have routes for:

      • 10.31.2.80 255.255.255.240 to ASA1
      • 10.31.2.32 255.255.255.240 to ASA3

    (2) Does ASA2 have only one interface for the two tunnels?

    • Do you have same-security-traffic permit intra-interface?
    • If IPsec is involved, check the crypto ACLs on ASA2
      • 10.31.2.80/28 -> 10.31.2.32/28 to ASA3
      • 10.31.2.32/28 -> 10.31.2.80/28 to ASA1

    The following commands will help on all three ASAs:

    sh route

    sh crypto map

    sh crypto ipsec sa (look for the packet counters on the SAs)

    Best regards, MiKa

  • GRE over IPSec tunnel cannot pass traffic through it

    I am trying to configure a GRE over IPsec tunnel between sites. We use a Cisco 7613 router with SUP720 (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and a 3845 router (IOS: c3845-advsecurityk9-mz.124-25c.bin), and we are facing problems when we use the tunnel because traffic is not passing through it. The configuration was working when we were using two Cisco 3845 routers (IOS: c3845-advsecurityk9-mz.124-25c.bin), but for some reason it doesn't work anymore when I paste the configuration on the new 7613 router.

    Head office

    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 5
    crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
    mode transport
    !
    crypto map PLC-CUM 10 ipsec-isakmp
    set peer 167.134.216.89
    set transform-set IPSec_PLC
    match address 100
    !
    !
    !
    interface Tunnel1
    bandwidth 1984
    ip address 167.134.216.94 255.255.255.252
    ip mtu 1476
    load-interval 30
    tunnel source Serial0/1/0:0
    tunnel destination 167.134.216.89

    interface Serial0/1/0:0
    ip address 167.134.216.90 255.255.255.252
    crypto map PLC-CUM

    access-list 100 permit gre host 167.134.216.90 host 167.134.216.8

    router eigrp 100
    network 167.134.216.92 0.0.0.3

    Directorate-General of the

    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 5
    crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
    mode transport
    !
    crypto map PLC-CUM 10 ipsec-isakmp
    set peer 167.134.216.90
    set transform-set IPSec_PLC
    match address 100

    interface Tunnel1
    bandwidth 1984
    ip address 167.134.216.93 255.255.255.252
    ip mtu 1476
    load-interval 30
    tunnel source Serial1/0/0:1
    tunnel destination 167.134.216.90

    interface Serial1/0/0:1
    bandwidth 1984
    ip address 167.134.216.89 255.255.255.252
    ip access-group 101 in
    load-interval 30
    no fair-queue
    crypto map PLC-CUM

    access-list 100 permit gre host 167.134.216.89 host 167.134.216.90

    ER-7600#sh crypto isakmp sa
    dst             src             state          conn-id slot
    167.134.216.89  167.134.216.90  QM_IDLE              3    0

    ER-3845#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    167.134.216.89  167.134.216.90  QM_IDLE              3    0 ACTIVE

    ER-3845#sh crypto engine connections active

    ID    Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
    3     Serial0/1/0:0  167.134.216.90  set    HMAC_SHA+AES_CBC          0        0
    3001  Serial0/1/0:0  167.134.216.90  set    AES+SHA                   0        0
    3002  Serial0/1/0:0  167.134.216.90  set    AES+SHA                  61        0

    ER-7600#sh crypto engine connections active

    ID    Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
    3     Serial1/0/0:1  167.134.216.89  set    HMAC_SHA+AES_CBC          0        0
    2000  Serial1/0/0:1  167.134.216.89  set    HMAC_SHA+AES_CBC          0       66
    2001  Serial1/0/0:1  167.134.216.89  set    HMAC_SHA+AES_CBC          0        0

    I get this error on the ER-3845: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, and this one on the ER-7600: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    Please help, it's so frustrating...

    Thanks in advance

    Oscar

    Here is a document from Cisco which clearly mentions a crypto map on both the physical and the tunnel interface.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

    It may be useful

    Manish

  • Site VPN to IPsec with PAT through the tunnel configuration example

    Hello

    Although I have read a lot about site-to-site VPN connections
    and passing PAT through them, I still haven't found an example configuration for it on an ASA 55xx.

    Now, I have the following setup with two locations A and B.

    Site A 192.168.0.0/24 - ipsec - Site B 192.168.200.0/24
    Site A 172.16.16.0/24

    ---------------------------------------------------------------------------

    Host 192.168.0.4   --> PAT IP: 192.168.0.3 --> to 192.168.200.20
    Host 192.168.0.127 --> PAT IP: 192.168.0.3 --> to 192.168.200.20
    Host 192.168.0.129 --> PAT IP: 192.168.0.3 --> to 192.168.200.20
    Host 192.168.0.253 --> PAT IP: 192.168.0.3 --> to 192.168.200.20

    Host 172.16.16.127 --> PAT IP: 192.168.0.3 --> to 192.168.200.20
    Host 172.16.16.253 --> PAT IP: 192.168.0.3 --> to 192.168.200.20

    ---------------------------------------------------------------------------

    Now I have hosts scattered around within the networks 172.16.16.0 and 192.168.0.0
    which need to access a terminal server on Site B.

    As I have no influence on where and when hosts pop up in my site,
    I would like to hide them behind a single IP address towards Site B.

    If a new host needs access, or old hosts can be deleted,
    it's as simple as adding an ACL entry or conveniently removing the network object.

    So I guess the ACL looks like this:

    ---------------------------------------------------------------------------

    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.4 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.127 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.129 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 192.168.0.253 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.127 host 192.168.200.20
    access-list VPN-PARTICIPATED-HOSTS permit ip host 172.16.16.253 host 192.168.200.20

    ---------------------------------------------------------------------------

    But now my big question is, how do I tell the ASA to use 192.168.0.3 as the
    address for the PAT translation?

    Something like this, I would say, so it is treated according to the policy:

    nat (inside) 1 access-list VPN-PARTICIPATED-HOSTS

    Now how do I do that?
    The rest of the config, I guess, will be quite normal, as follows:

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer AA.BB.CC.DD
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 3600

    access-list outside_1_cryptomap extended permit ip host 192.168.0.3 host 192.168.200.20

    ---------------------------------------------------------------------------

    On SITE B

    the config is pretty simple:

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer <SITE A IP>
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 3600

    access-list outside_1_cryptomap extended permit ip host 192.168.200.20 host 192.168.0.3

    access-list inside_nat0_outbound extended permit ip host 192.168.200.20 host 192.168.0.3

    ---------------------------------------------------------------------------

    Thank you for your extra eyes and precious time!

    Colin

    You want to PAT the traffic that goes through the tunnel?

    access-list PAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list PAT permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0

    nat (inside) 1 access-list PAT

    global (outside) 1 192.168.0.3 netmask 255.255.255.255

    Then, the VPN ACL applied to the crypto map:

    access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0

    Thus, all traffic from Site A will be PATed when going to the remote 192.168.200.0/24.

    The interesting thing is that traffic can only be initiated from your end.

    The remote end cannot initiate traffic to 192.168.0.3, as there is only a dynamic translation on your side.

    Is that what you are looking for?

    Federico.
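    As an added illustration of the order of operations Federico's answer relies on (editor-added Python, not Federico's or Cisco's code): with the nat/global syntax used here, policy PAT is applied before the crypto map ACL is evaluated on outbound traffic, so the crypto ACL has to name the translated address 192.168.0.3, and a peer that starts a new session towards 192.168.0.3 finds no translation to land on. The addresses are the thread's; the class and function names (SiteAFirewall, acl_permits, demo) and the port numbers are this example's own assumptions.

```python
"""Model of policy PAT in front of a crypto map ACL (added example).

Addresses are the ones from the thread; ports and names are constructed.
"""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def acl_permits(acl, src, dst):
    """acl: list of (src_net, dst_net) written 'addr/mask' like ASA ACEs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


# access-list PAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
# access-list PAT permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0
PAT_ACL = [("192.168.0.0/255.255.255.0", "192.168.200.0/255.255.255.0"),
           ("172.16.16.0/255.255.255.0", "192.168.200.0/255.255.255.0")]
# global (outside) 1 192.168.0.3 netmask 255.255.255.255
PAT_ADDRESS = "192.168.0.3"
# access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0
CRYPTO_ACL = [("192.168.0.3/255.255.255.255", "192.168.200.0/255.255.255.0")]


class SiteAFirewall:
    """Outbound: policy PAT, then crypto ACL. Inbound: untranslate via the xlate table."""

    def __init__(self):
        self.xlate = {}                      # (PAT ip, PAT port) -> (real ip, real port)
        self.ports = itertools.count(1024)   # constructed PAT port allocator

    def send_outbound(self, pkt):
        if acl_permits(PAT_ACL, pkt.src, pkt.dst):
            port = next(self.ports)
            self.xlate[(PAT_ADDRESS, port)] = (pkt.src, pkt.sport)
            pkt = Packet(PAT_ADDRESS, port, pkt.dst, pkt.dport)
        # The crypto map sees the packet *after* translation.
        if acl_permits(CRYPTO_ACL, pkt.src, pkt.dst):
            return "encrypted", pkt
        return "not-encrypted", pkt

    def receive_from_tunnel(self, pkt):
        """Decrypted packet from Site B addressed to the PAT address."""
        real = self.xlate.get((pkt.dst, pkt.dport))
        if real is None:
            # Only a dynamic translation exists: nothing to untranslate to.
            return "dropped-no-xlate", pkt
        return "delivered", Packet(pkt.src, pkt.sport, real[0], real[1])


def demo():
    fw = SiteAFirewall()
    # A listed host reaches the terminal server; its source is hidden behind 192.168.0.3.
    verdict, out = fw.send_outbound(Packet("172.16.16.127", 40000, "192.168.200.20", 3389))
    # The reply comes back to the PAT address and is mapped to the real host.
    back, reply = fw.receive_from_tunnel(Packet("192.168.200.20", 3389, out.src, out.sport))
    # Site B cannot open a new session towards 192.168.0.3.
    unsolicited, _ = fw.receive_from_tunnel(Packet("192.168.200.20", 5555, "192.168.0.3", 22))
    # A host outside the PAT ACL is not translated and so never matches the crypto ACL.
    other, _ = fw.send_outbound(Packet("10.9.9.9", 40001, "192.168.200.20", 3389))
    return verdict, out, back, reply, unsolicited, other
```

    The last case in demo() is the practical consequence for Colin's setup: a new host that is not added to the PAT ACL is sent out untranslated and silently misses the tunnel, which is why the PAT ACL, not the crypto ACL, is the list to maintain.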

  • No traffic sent through my IPsec tunnel

    Hi support community,

    I've been struggling for days with what is, I guess, something very basic.

    I have a router that I want to connect to my ASA via VPN. This router has a dynamic IP, so I managed to bring the tunnel up with a dynamic crypto map, and the router falls into the DefaultL2LGroup (I guess I have no choice anyway, correct me if I'm wrong). So that part is OK now, the tunnel is UP.

    However, on the ASA I can see packets entering through the tunnel but no packet leaving from the ASA to the router.

    The ASA's private network is 192.168.250.0/24 and the router has 192.168.242.0/24.

    And here is the configuration:

    access-list OPT_cryptomap_2 extended permit ip 192.168.250.0 255.255.255.0 192.168.242.0 255.255.255.0

    crypto dynamic-map CIPAC-ENERGY-VALE3 2 match address OPT_cryptomap_2

    crypto map OPT_map 2 ipsec-isakmp dynamic CIPAC-ENERGY-VALE3

    I do not understand what I am missing. I cannot ping the interface on the ASA (I have a permit icmp any any on the interface), but without success.

    Does this mean that packets are decapsulated but still do not reach the virtual interface on the ASA?

    Tunnel is UP:

    show crypto isakmp sa detail

    IKE Peer: 180.214.xx.102
    Type: L2L Role: responder
    Rekey: no State: MM_ACTIVE
    Encrypt: aes-256 Hash: SHA
    Auth: preshared Lifetime: 86400

    show crypto ipsec sa

    peer address: 180.214.xx.102
    Crypto map tag: CIPAC-ENERGY-VALE3, seq num: 2, local addr: 202.xxx.xx.14

    access-list OPT_cryptomap_2 extended permit ip 192.168.250.0 255.255.255.0 192.168.242.0 255.255.255.0

    local ident (addr, mask, prot, port): (192.168.250.0/255.255.255.0/0/0)

    Remote ident (addr, mask, prot, port): (192.168.242.0/255.255.255.0/0/0)

    current_peer: 180.214.xx.102

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 90, #pkts decrypt: 80, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
    #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
    #pkts invalid prot (rcv): 0, #pkts verify failed: 0
    #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
    #pkts invalid pad (rcv): 0,
    #pkts invalid ip version (rcv): 0,
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
    #pkts replay failed (rcv): 0
    #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (rcv): 0

    local crypto endpt.: 202.xxx.xx.14/0, remote crypto endpt.: 180.214.xx.102/0
    path mtu 1500, ipsec overhead 74, media mtu 1500

    current outbound SPI: B30EBC2B

    current inbound SPI: 52DD8189

    Ping from the ASA interface to the router:

    ASA001# ping
    TCP Ping [n]:
    Interface: CLT-CIPAC-VALE (192.168.250.1)
    Target IP address: 192.168.242.254
    Repeat count: [5]
    Datagram size: [100]
    Timeout in seconds: [2]
    Extended commands [n]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.242.254, timeout is 2 seconds:

    ?????

    Success rate is 0% (0/5)

    And still no traffic sent through the tunnel.

    As I'm not familiar with IPsec, any help or troubleshooting guidelines would be really appreciated; I've been through a lot of documentation (forums, Cisco guides and other items).

    Best regards

    Florian
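    An added example (not from Florian's post or from Cisco) that turns the counters above into a diagnosis: it parses the `#pkts` lines of `show crypto ipsec sa` and flags the decaps-without-encaps pattern, which means traffic from the peer is being decrypted but nothing is sent back through the SA, together with the non-zero "invalid identity" counter, which means decrypted packets did not match the SA's proxy identities. The sample text is constructed from the numbers in the post, not a verbatim capture; parse_sa_counters and diagnose are the example's own names.

```python
"""Read 'show crypto ipsec sa' counters and classify a one-way tunnel (added example)."""
import re

# Constructed from the counters in the post above (not a verbatim capture).
SAMPLE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 90, #pkts decrypt: 80, #pkts verify: 10
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
#pkts replay failed (rcv): 0
"""

# '#pkts <name>: <count>'; the name may contain spaces and parentheses but no ':' or ','
COUNTER = re.compile(r"#pkts ([^:,]+?):\s*(\d+)")


def parse_sa_counters(text):
    """Map counter name -> integer, e.g. {'encaps': 0, 'decaps': 90, ...}."""
    return {name.strip(): int(value) for name, value in COUNTER.findall(text)}


def diagnose(c):
    """Return a list of findings; an empty list means the SA carries traffic both ways."""
    findings = []
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if decaps and not encaps:
        findings.append("one-way: peer traffic is decrypted here but nothing is sent back; "
                        "check the return route, NAT exemption and the ACL on the reply path")
    elif encaps and not decaps:
        findings.append("one-way: we encrypt but receive nothing; check the peer's crypto ACL, "
                        "NAT exemption and routing, and whether ESP or UDP/4500 reaches us")
    elif not encaps and not decaps:
        findings.append("no traffic in either direction: interesting traffic never reaches "
                        "the crypto map, or the SA is idle")
    if c.get("invalid identity (rcv)", 0):
        findings.append("invalid identity: decrypted packets do not match this SA's proxy IDs; "
                        "the two crypto ACLs are not mirror images")
    if c.get("verify failed", 0) or c.get("decaps failed (rcv)", 0):
        findings.append("integrity or decapsulation failures: transform-set or key mismatch")
    return findings
```

    Run against the post's numbers the checker reports both the one-way pattern and the five invalid-identity packets, which is what to look at before touching anything on the ASA: the inner packets the router is sending are not all covered by the 192.168.250.0/24 <-> 192.168.242.0/24 proxy pair.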

    If you are trying to ping the inside interface, try 'management-access inside' and see if it works.

    Thank you

    Tarik Admani
    *Please rate helpful posts*

  • ASA 8.6 - L2L IPsec tunnel established - not possible to ping

    Hello world

    I have a configuration problem with a CISCO ASA 5512-X (IOS 8.6).

    The IPsec tunnel is created between the ASA and another non-CISCO router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.

    I'm trying to interconnect the local network 192.168.2.0/24 (CISCO, DMZ interface) and 192.168.3.0/24 (router).

    The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

    Here is the output of "show run":

    ---------------------------------------------------------------------------------------------------------------------------------------------

    ASA Version 8.6(1)2
    !
    hostname ciscoasa
    enable password oBGOJTSctBcCGoTh encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address X.X.X.X 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif DMZ
     security-level 50
     ip address 192.168.2.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    object network internal-subnet
     subnet 192.168.0.0 255.255.255.0
    object network webserver-external-ip
     host Y.Y.Y.Y
    object network webserver
     host 192.168.2.100
    object network vpn-local-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network vpn-remote-192.168.3.0
     subnet 192.168.3.0 255.255.255.0
    access-list outside_acl extended permit tcp any object webserver
    access-list outside_acl extended permit tcp any object webserver eq www
    access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
    access-list dmz_acl extended permit icmp any any echo
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
    !
    object network internal-subnet
     nat (inside,outside) dynamic interface
    object network webserver
     nat (DMZ,outside) static webserver-external-ip service tcp www www
    access-group dmz_acl global
    route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal 3des-GNAT
     protocol esp encryption 3des
     protocol esp integrity md5
    crypto dynamic-map dynMidgeMap 1 match address l2l-list
    crypto dynamic-map dynMidgeMap 1 set pfs
    crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
    crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
    crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
    crypto dynamic-map dynMidgeMap 1 set reverse-route
    crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
    crypto map midgeMap interface outside
    crypto isakmp identity hostname
    crypto ikev2 policy 1
     encryption 3des
     integrity md5
     group 2
     prf md5
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy midgeTrialPol internal
    group-policy midgeTrialPol attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
     ipsec-udp enable
    tunnel-group midgeVpn type ipsec-l2l
    tunnel-group midgeVpn general-attributes
     default-group-policy midgeTrialPol
    tunnel-group midgeVpn ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
    : end

    ------------------------------------------------------------------------------------------------------------------------------

    X.X.X.X - ASA public IP

    Y.Y.Y.Y - a web server

    Z.Z.Z.Z - default gateway

    -------------------------------------------------------------------------------------------------------------------------------

    ASA PING:

    ciscoasa# ping DMZ 192.168.3.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    PING from router (debug on CISCO):

    ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40

    -------------------------------------------------------------------------------------------------------------------------------

    ciscoasa# show route outside

    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

    C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
    S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside

    -------------------------------------------------------------------------------------------------------------------------------

    Do you have an idea what I am doing wrong? Probably some bad NAT/ACL I suppose, but I could only ever find something for IOS 8.4 and not 8.6... Perhaps and no doubt I already messed up the configuration with unwanted commands, but I've tried various things...

    Please, if you have an idea, let me know! Thank you very much!

    Hello

    I've never used the "global" option in an ACL, but it looks to be the origin of the problem. Cisco doc:

    "Global access rules are defined as a special ACL that is processed for every interface on the device for traffic incoming to the interface. Thus, although the ACL is configured once on the device, it acts like a secondary interface-specific ACL defined for the In direction. (Global rules are always in the In direction, never Out.)"

    Your ACL: access-list dmz_acl extended permit icmp any any echo

    For example, when you initiate from the ASA, there is an echo-reply from the router on the outside interface --> the global ACL can block it.

    Then, initiating from the router, the ASA sends an echo-reply, which is blocked again.

    Try adding permit echo-reply as well.

    In addition, you can use "inspect icmp" in the global policy instead of the ACL.

    If neither works, you can do another troubleshoot with the packet-tracer command on the ASA.

    THX

    MS
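    An added Python model (not MS's or Cisco's code) of the point made above: when ICMP is not inspected, every packet, including the echo-reply, is checked against the inbound ACL on the interface it arrives on, so a global "permit icmp any any echo" lets the request through and drops the reply. The DMZ host 192.168.2.100 and the router 192.168.3.1 are the thread's addresses; Firewall, ingress, ping_exchange and compare are this example's own names, and the model covers through-the-box traffic only.

```python
"""Global ACL vs. ICMP inspection for a ping through the ASA (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str     # "echo" or "echo-reply"
    ident: int    # ICMP identifier, used to pair a reply with its request


class Firewall:
    """Toy model of the ASA's global inbound ACL plus optional 'inspect icmp'."""

    def __init__(self, permitted_icmp_types, inspect_icmp=False):
        self.acl = set(permitted_icmp_types)   # {"echo"} models 'permit icmp any any echo'
        self.inspect_icmp = inspect_icmp       # 'inspect icmp' in the global service policy
        self.conns = set()                     # (src, dst, ident) of tracked echo requests

    def ingress(self, pkt):
        """Decide on a packet arriving on any interface; the global ACL applies to all of them."""
        if (self.inspect_icmp and pkt.kind == "echo-reply"
                and (pkt.dst, pkt.src, pkt.ident) in self.conns):
            return "permit (inspected reply)"   # matched a tracked echo: no ACL lookup
        if pkt.kind in self.acl:
            if self.inspect_icmp and pkt.kind == "echo":
                self.conns.add((pkt.src, pkt.dst, pkt.ident))
            return "permit (acl)"
        return "deny"


def ping_exchange(fw):
    """DMZ host pings the router behind the tunnel; both packets traverse the ASA."""
    req = fw.ingress(Icmp("192.168.2.100", "192.168.3.1", "echo", 7))          # in on DMZ
    rep = fw.ingress(Icmp("192.168.3.1", "192.168.2.100", "echo-reply", 7))    # in on outside
    return req, rep


def compare():
    """The three configurations discussed in the answer, side by side."""
    return {
        "echo only":         ping_exchange(Firewall({"echo"})),
        "echo + echo-reply": ping_exchange(Firewall({"echo", "echo-reply"})),
        "echo + inspect":    ping_exchange(Firewall({"echo"}, inspect_icmp=True)),
    }
```

    The "echo + inspect" row is the safer of the two fixes: it permits only replies that match an echo the ASA has already seen, whereas adding echo-reply to the global ACL lets unsolicited replies in on every interface.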

  • Cannot reach the destination of an IPSec tunnel through another IPSec tunnel

    Hi all

    I have a PIX 515E version 8.0 (2).

    I have two remote sites connected to this PIX via IPSec tunnels.

    Each remote site can reach the local networks behind the PIX, but I can't reach remoteSiteB from remoteSiteA.

    So:

    SiteA (10.30.8.254) <----- ipsec -----> PIX1 (10.0.8.1) SiteX

    SiteB (10.138.34.21) <----- ipsec -----> PIX1 (10.0.8.1) SiteX

    SiteA can ping SiteX

    SiteB can ping SiteX

    SiteA cannot ping SiteB

    SiteB cannot ping SiteA

    If I do show crypto ipsec sa I see the appropriate subnets:

    Crypto map tag: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1

    access-list ACLVPN-TO_SITEA permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254

    local ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

    Remote ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

    current_peer: 104.86.2.4

    Crypto map tag: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1

    access-list ACLVPN-TO_SITEB permit ip host 10.30.8.254 10.138.34.16 255.255.255.240

    local ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)

    Remote ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)

    current_peer: 216.178.200.200

    Log messages that seem to point to the problem...

    Apr 18 2013 13:27:35: %PIX-4-402116: IPSEC: Received an ESP packet (SPI= 0xD51BB13A, sequence number= 0x21A) from 104.86.2.4 (user= 104.86.2.4) to 203.166.1.1. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.138.34.21, its source as 10.30.8.254, and its protocol as 6. The SA specifies its local proxy as 10.0.8.0/255.255.255.0/0/0 and its remote_proxy as 10.30.8.254/255.255.255.255/0/0.

    My question really is: do I have to do something funky to allow traffic to pass between the two tunnels?

    Hello

    This would be much easier if we could see the actual configurations.

    But here are some things to confirm in the configurations (some of them you mentioned above, but I'll still list them once again):

    • Make sure that on each firewall you have set the appropriate L2L VPN ACL
    • Make sure that you have configured NAT0 on the central PIX "outside" interface for the Site A and Site B traffic
    • Make sure the central PIX has "same-security-traffic permit intra-interface" configured. This will allow the Site A traffic to enter the central PIX "outside" interface and head back out on the same interface to Site B, and vice versa.

    Here are some actual configurations that may be required, provided everything else is OK. (I assume that all devices are Cisco.)

    Central PIX

    same-security-traffic permit intra-interface

    Site A connection

    access-list SITE-A-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 host 10.30.8.254
    access-list SITE-A-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254

    Site B connection

    access-list SITE-B-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240
    access-list SITE-B-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240

    NAT0

    access-list INSIDE-NAT0 permit ip 10.0.8.0 255.255.255.0 host 10.30.8.254
    access-list INSIDE-NAT0 permit ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240
    nat (inside) 0 access-list INSIDE-NAT0

    access-list OUTSIDE-NAT0 permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
    access-list OUTSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
    nat (outside) 0 access-list OUTSIDE-NAT0

    Site A

    access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.0.8.0 255.255.255.0
    access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
    access-list INSIDE-NAT0 permit ip host 10.30.8.254 10.0.8.0 255.255.255.0
    access-list INSIDE-NAT0 permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
    nat (inside) 0 access-list INSIDE-NAT0

    Site B

    access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 10.0.8.0 255.255.255.0
    access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
    access-list INSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 10.0.8.0 255.255.255.0
    access-list INSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
    nat (inside) 0 access-list INSIDE-NAT0

    Hope this helps

    -Jouni
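    To make the three checks in Jouni's list mechanical, here is an added Python checker (mine, not Jouni's or Cisco's) that compares hub and spoke crypto ACLs for exact mirroring and verifies that the hub's NAT0 lists cover every hub crypto ACE, using the addresses from the thread. SITE_A_BEFORE is an assumed starting state consistent with the 402116 message above (Site A's crypto ACL naming only the hub LAN, so spoke-to-spoke packets ride the wrong SA); all function names are the example's own.

```python
"""Mirror-ACL and NAT0 coverage checks for a hub-and-spoke IPsec setup (added example)."""
import ipaddress


def ace(src, dst):
    """One ACE as (src network, dst network); accepts 'a.b.c.d/mask' like the ASA."""
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)


# Central PIX, as laid out in the answer
HUB_TO_A = [ace("10.0.8.0/255.255.255.0", "10.30.8.254/32"),
            ace("10.138.34.16/255.255.255.240", "10.30.8.254/32")]
HUB_TO_B = [ace("10.0.8.0/255.255.255.0", "10.138.34.16/255.255.255.240"),
            ace("10.30.8.254/32", "10.138.34.16/255.255.255.240")]
HUB_NAT0 = [ace("10.0.8.0/24", "10.30.8.254/32"),            # INSIDE-NAT0
            ace("10.0.8.0/24", "10.138.34.16/28"),
            ace("10.30.8.254/32", "10.138.34.16/28"),        # OUTSIDE-NAT0
            ace("10.138.34.16/28", "10.30.8.254/32")]
# Spokes
SITE_A = [ace("10.30.8.254/32", "10.0.8.0/24"), ace("10.30.8.254/32", "10.138.34.16/28")]
SITE_B = [ace("10.138.34.16/28", "10.0.8.0/24"), ace("10.138.34.16/28", "10.30.8.254/32")]
# Assumed starting state of Site A: only the hub LAN in its crypto ACL (constructed)
SITE_A_BEFORE = [ace("10.30.8.254/32", "10.0.8.0/24")]


def mirror_gaps(local, remote):
    """ACEs of `local` whose exact reverse (dst -> src) is absent from `remote`."""
    reversed_remote = {(d, s) for s, d in remote}
    return [a for a in local if a not in reversed_remote]


def nat0_gaps(crypto_acl, nat0):
    """Crypto ACEs not covered by a NAT0 ACE (exact match or subnet containment)."""
    def covered(s, d):
        return any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)
    return [a for a in crypto_acl if not covered(*a)]


def check_hub_and_spokes(hub_to_a, hub_to_b, site_a, site_b, hub_nat0, intra_interface):
    """Return a dict of problems; an empty dict means spoke-to-spoke should work."""
    problems = {}
    for name, hub_acl, spoke_acl in (("A", hub_to_a, site_a), ("B", hub_to_b, site_b)):
        gaps = mirror_gaps(hub_acl, spoke_acl) + mirror_gaps(spoke_acl, hub_acl)
        if gaps:
            problems[f"site {name} mirror"] = [f"{s} -> {d}" for s, d in gaps]
    gaps = nat0_gaps(hub_to_a + hub_to_b, hub_nat0)
    if gaps:
        problems["hub nat0"] = [f"{s} -> {d}" for s, d in gaps]
    if not intra_interface:
        problems["hub"] = ["same-security-traffic permit intra-interface is missing"]
    return problems
```

    Feeding the checker the assumed starting state reports exactly the ACE that the syslog implies is missing at Site A (10.138.34.16/28 -> 10.30.8.254 has no mirror), while the configuration in the answer comes back clean.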

  • Does intercept-dhcp work for L2TP over IPsec tunnels on the ASA?

    Hello

    Is there anyone in the world running an L2TP over IPsec tunnel on a Cisco ASA for native Windows clients with a fully functional split tunnel configuration?

    I created an L2TP over IPsec tunnel on an ASA 5520 running software version 9.1(6). My configuration is:

    ip local pool VPN_Users 172.23.32.1-172.23.33.255 mask 255.255.252.0

    access-list ROUTING_SPLIT standard permit 192.168.0.0 255.255.0.0
    access-list ROUTING_SPLIT standard permit 172.16.0.0 255.248.0.0

    crypto ipsec ikev1 transform-set WIN10 esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set WIN10 mode transport
    crypto ipsec ikev1 transform-set WIN7 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set WIN7 mode transport
    crypto dynamic-map DYNMAP 10 set ikev1 transform-set WIN10 WIN7
    crypto dynamic-map DYNMAP 10 set reverse-route
    crypto map CMAP 99 ipsec-isakmp dynamic DYNMAP
    crypto map CMAP interface ipsec

    crypto isakmp nat-traversal 29
    crypto isakmp disconnect-notify
    crypto ikev1 enable ipsec
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    exit
    crypto ikev1 policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    exit

    group-policy EIK_USERS_RA internal
    group-policy EIK_USERS_RA attributes
     dns-server value 12.34.56.7 12.34.56.8
     vpn-simultaneous-logins 2
     vpn-tunnel-protocol l2tp-ipsec ikev1
     password-storage disable
     ip-comp enable
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ROUTING_SPLIT
     default-domain value ad.NYME.Hu
     intercept-dhcp enable
     user-authentication enable
     address-pools value VPN_Users
    exit

    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group challenger
     accounting-server-group challenger
     default-group-policy EIK_USERS_RA
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
     no authentication ms-chap-v1
     authentication ms-chap-v2
    exit

    Now, the native Windows clients can connect using this tunnel group:

    our-asa# show vpn-sessiondb remote

    Session Type: IKEv1 IPsec

    Username     : w10vpn                 Index        : 1
    Assigned IP  : 172.23.32.2            Public IP    : 12.34.56.9
    Protocol     : IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
    License      : Other VPN
    Encryption   : IKEv1: (1)3DES  IPsecOverNatT: (1)AES256  L2TPOverIPsecOverNatT: (1)none
    Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1  L2TPOverIPsecOverNatT: (1)none
    Bytes Tx     : 1233                   Bytes Rx     : 10698
    Group Policy : EIK_USERS_RA           Tunnel Group : DefaultRAGroup
    Login Time   : 15:12:29 UTC Fri Apr 8 2016
    Duration     : 0h:01m:00s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

    However, real communication only takes place over the tunnel if I 'Use default gateway on remote network'. If I disable this option in the IPv4 preferences of the VPN virtual interface in Control Panel, as described in the 'Configuring Split Tunnel' section of this document, then Windows sends all packets through the tunnel, because it fails to pull the routing table from the ASA. Split routing works perfectly when using the legacy Cisco VPN Client with the same group policy, but does not work with L2TP over IPsec.

    As far as I can see, the 'intercept-dhcp' option is somehow ineffective. I even managed to capture packets on the PPP interface of a Windows XP virtual machine, and I saw that Windows sends its DHCP INFORM requests, but the ASA does not respond. My question is why?

    - Did I make a mistake in the above configuration?

    - Could there be an option somewhere else in my running config that defeats intercept-dhcp?

    - Or is there a software bug in my ASA firmware version? (BTW, I tried several different software versions without success.)

    Hi, I have the same problem you have, but I was lucky enough to be able to install version 9.2(4), on which this feature works very well. I suspect that it is a bug, but I need to dig a little deeper. If I find something interesting I'll share it here.
