ASA5505 VPN problem
Hi all
I inherited this VPN and am slowly getting up to speed. At least users can connect to it now! I had a few problems. Users can connect to the VPN, but cannot ping or access shared files on the server (192.168.2.3), and the VPN users must be able to make full use of the network.
I removed the NAT rule.
no nat (inside) 1 0.0.0.0 0.0.0.0
After removing that, VPN users were able to browse and access internal resources. However, users in the office then had no internet. I went and added the rule back and the internet returned.
I believe it is related to the split tunneling. What can I do to enable full VPN access and still have internet at headquarters?
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password mI3N1CPoxB4FJhZg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.124.X.X 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 name-server 192.168.2.3
 domain-name default.domain.invalid
object-group network Exchange25
access-list split standard permit 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list out_in extended permit ip any any
access-list outside_access_in extended permit tcp any eq smtp host 192.168.2.3 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.2.3 eq https
access-list outside_access_in extended permit tcp any host 192.168.2.3 eq www
access-list outside_access_in extended permit tcp any interface outside eq 7000
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list outside_access_in extended permit tcp any interface outside eq https
access-list LAN_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.2.31-192.168.2.60
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list LAN_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.2.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 7000 192.168.2.80 7000 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.2.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.2.3 587 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.3 https netmask 255.255.255.255
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.124.192.45 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map mymap 65000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.2.3
!
group-policy DfltGrpPolicy attributes
 no banner
 no wins-server
 dns-server value 192.168.2.3
 no dhcp-network-scope
 no vpn-access-hours
 vpn-simultaneous-logins 5
 vpn-idle-timeout 30
 no vpn-session-timeout
 no vpn-filter
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage enable
 ip-comp disable
 re-xauth disable
 no group-lock
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 no split-tunnel-network-list
 default-domain value TMA.local
 no split-dns
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 10
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 no msie-proxy server
 msie-proxy method no-modify
 no msie-proxy except-list
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 no nac-default-acl
 no address-pools
 smartcard-removal-disconnect enable
 no client-firewall
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  no homepage
  keep-alive-ignore 4
  http-comp gzip
  no filter
  no url-list
  customization value DfltCustomization
  no port-forward
  port-forward-name value Application Access
  no sso-server
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  no svc
  svc keep-installer installed
  no svc keepalive
  no svc rekey time
  no svc rekey method
  no svc dpd-interval client
  no svc dpd-interval gateway
  svc compression deflate
group-policy TMAgroup internal
group-policy TMAgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username gene password AzJFyGPWta7durW9 encrypted privilege 15
username admin password hLjunphNGLvrgsRP encrypted privilege 15
username TMAen password ojCI79mnpWOehEZC encrypted
tunnel-group TMAgroup type ipsec-ra
tunnel-group TMAgroup general-attributes
 address-pool vpnpool
 default-group-policy TMAgroup
tunnel-group TMAgroup ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:78c4838558d030ac964d2c331deed909
: end
Hello
Please add the following to your configuration:
access-list nonat_inside extended permit ip any 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
You must keep the "nat (inside) 1 0.0.0.0 0.0.0.0" so that your users can access the Internet.
"nat (inside) 0 access-list nonat_inside" bypasses the rule above only for traffic destined to the VPN pool.
In addition, it is up to you whether you want to use split tunneling or not.
More information on split tunneling:
ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example
Let me know.
Portu.
Please rate all useful posts
Tags: Cisco Security
Similar Questions
-
ASA5505 VPN tunnel problem
The business need is for a new VLAN at site A to go directly out to an internet service at site B.
Sites A and B are connected by a 100 Mb WES service.
Site A is a campus site with about 25 switches. The new VLAN on that site is for engineer access only, so they can access their company's remote access service. This VLAN must stay separate so there is very little potential for a compromise of the live network.
The solution I have just put in place is to use an ASA5505 as the DHCP server for the new VLAN at Site A. All clients on that new VLAN get a 192.168.100.x address. The outside interface of the Site A ASA5505 is placed on the live network to allow a site-to-site VPN tunnel to be set up between that ASA5505 and the internet-facing firewall, another ASA5505.
The Site A ASA5505 was set up with inside and outside interfaces at the same security level. The 192.168.100.x subnet is exempt from NAT. Traffic is configured to pass between interfaces of the same security level, and the L2L tunnel comes up.
But I cannot get any connectivity to the internet from any host on the 192.168.100.x VLAN.
This is made more complex because the outside interfaces on both ASAs are on the corporate network...
The default route on the Site B ASA5505 is 87.xx.xx.1, the ISP router.
The Site B ASA5505 connects directly to the ISP router.
Site A ASA5505
--------------------
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 any
access-list OUT extended permit ip 192.168.100.0 255.255.255.0 any
nat (inside) 0 access-list no-nat
access-group no-nat in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.99.254 1
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto map vpn-traffic 10 match address OUT
crypto map vpn-traffic 10 set peer ##Site B IP address##
crypto map vpn-traffic 10 set transform-set AES-256
crypto map vpn-traffic interface outside
tunnel-group ##Site B IP address## type ipsec-l2l
tunnel-group ##Site B IP address## ipsec-attributes
 pre-shared-key *
Site B ASA5505
-------------------
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 192.168.100.0 255.255.255.240 any
access-list outside_access_in extended permit ip any any
global (inside) 1 interface
nat (inside) 0 access-list no-nat
nat (outside) 1 192.168.100.0 255.255.255.0
access-group no-nat in interface inside
access-group outside_access_in in interface outside
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto map vpn-traffic 10 match address wootton hall
crypto map vpn-traffic 10 set peer ##Site A IP##
crypto map vpn-traffic 10 set transform-set set1
crypto map vpn-traffic interface outside
I have spent some time on this and really need some advice from the experts out there!
Can you help me work out where I have gone wrong?
Dan
There are some parts of the configuration you posted that surprise me, such as the default route being on the inside interface. But these things are not at the heart of your problem. I agree that the core of your problem is probably the no-nat access list. If I understand your needs, what you need is for 192.168.100.0 not to be translated when going to site B, and to be translated when going to the Internet. But your access list says never translate 192.168.100.0, since your access list has "any" as the destination:
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 any
My suggestion is to rewrite this access list and change the destination from "any" to the addresses behind B (the LAN at B).
HTH
Rick
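Both NAT-exemption problems on this page (Portu's point in the first thread that "nat (inside) 0" must cover LAN-to-VPN-pool traffic, and Rick's point just above that Dan's no-nat ACL with an "any" destination exempts internet-bound traffic as well) can be checked mechanically. The Python below is an added example written for this page; it is not code from either poster or from Cisco. It parses only the pre-8.3 lines that matter here ("nameif inside" plus "ip address", "ip local pool", "access-list ... ip ...", "nat (inside) 0 access-list ...") and evaluates the exemption ACL first-match, as the ASA does. The config excerpts inside it are constructed from the two posts; Site B's LAN (10.10.10.0/24) is a placeholder because the thread never states it.

```python
"""NAT-exemption checker for pre-8.3 ASA configs ("nat (inside) 0 access-list ...").

Added example for this page, not code from either poster or from Cisco.
It understands only the lines the two threads above turn on: the inside
interface address, "ip local pool", "access-list ... permit|deny ip ..."
and "nat (inside) 0 access-list". The first matching ACL entry wins.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

Net = ipaddress.IPv4Network


class AclEntry(NamedTuple):
    permit: bool
    src: Net
    dst: Net


class AsaConfig(NamedTuple):
    inside_net: Optional[Net]
    pools: Dict[str, List[ipaddress.IPv4Address]]
    acls: Dict[str, List[AclEntry]]
    nat0_acl: Optional[str]


def _take_addr(tokens: List[str]) -> Net:
    """Consume one ACL address spec: 'any' | 'host A' | 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    if tok == "host":
        return Net(tokens.pop(0) + "/32")
    return Net(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text: str) -> AsaConfig:
    inside_net, nat0_acl, in_inside = None, None, False
    pools: Dict[str, List[ipaddress.IPv4Address]] = {}
    acls: Dict[str, List[AclEntry]] = {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":
            in_inside = t[1] == "inside"
        elif in_inside and t[:2] == ["ip", "address"]:
            inside_net = Net(f"{t[2]}/{t[3]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            # 7.x prints the range as "A-B" or "A - B", optionally followed by "mask M".
            first, last = "".join(t[4:]).split("mask")[0].split("-")
            lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
            pools[t[3]] = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        elif t[0] == "access-list" and "ip" in t[2:5]:
            rest = t[2:]
            if rest[0] == "extended":
                rest = rest[1:]
            permit = rest[0] == "permit"
            rest = rest[2:]  # drop the action and the protocol keyword
            acls.setdefault(t[1], []).append(AclEntry(permit, _take_addr(rest), _take_addr(rest)))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]  # a later line replaces an earlier one, as on the ASA
    return AsaConfig(inside_net, pools, acls, nat0_acl)


def is_nat_exempt(cfg: AsaConfig, src: str, dst: str) -> bool:
    """Would inside host 'src' talking to 'dst' bypass the 'nat (inside) 1' PAT rule?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in cfg.acls.get(cfg.nat0_acl or "", []):
        if s in e.src and d in e.dst:
            return e.permit
    return False


def pool_overlaps_inside(cfg: AsaConfig, pool: str) -> bool:
    return cfg.inside_net is not None and any(a in cfg.inside_net for a in cfg.pools[pool])


def pool_fully_exempt(cfg: AsaConfig, pool: str, lan_host: str) -> bool:
    """True only if LAN -> every pool address is exempt; one gap breaks some clients."""
    return all(is_nat_exempt(cfg, lan_host, str(a)) for a in cfg.pools[pool])


def findings(cfg: AsaConfig, pool: str, lan_host: str) -> List[str]:
    out = []
    if pool_overlaps_inside(cfg, pool):
        out.append(f"pool {pool} overlaps inside subnet {cfg.inside_net}; use a dedicated pool subnet")
    if not pool_fully_exempt(cfg, pool, lan_host):
        out.append(f"nat 0 ACL {cfg.nat0_acl} does not exempt {lan_host} -> pool {pool}")
    return out


# Constructed excerpt of the first post's running config, before Portu's change.
RA_BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
access-list LAN_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.2.31-192.168.2.60
nat (inside) 0 access-list LAN_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The same excerpt with Portu's two lines appended.
RA_AFTER = RA_BEFORE + """\
access-list nonat_inside extended permit ip any 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
"""
# Constructed from Dan's Site A post; 10.10.10.0/24 stands in for Site B's LAN (not given).
L2L_BEFORE = """\
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 any
nat (inside) 0 access-list no-nat
"""
L2L_AFTER = """\
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list no-nat
"""

if __name__ == "__main__":
    for name, text in [("RA before", RA_BEFORE), ("RA after", RA_AFTER)]:
        print(name, findings(parse_config(text), "vpnpool", "192.168.2.3"))
    for name, text in [("L2L before", L2L_BEFORE), ("L2L after", L2L_AFTER)]:
        cfg = parse_config(text)
        print(name, "internet exempt:", is_nat_exempt(cfg, "192.168.100.10", "8.8.8.8"),
              "site B exempt:", is_nat_exempt(cfg, "192.168.100.10", "10.10.10.20"))
```

Against the first poster's config the script reports two things, only one of which Portu's answer fixes: LAN_nat0_outbound never matches LAN-to-pool traffic, and the pool 192.168.2.31-60 sits inside the 192.168.2.0/24 inside subnet, so the ASA has to answer ARP for those addresses on the inside interface on the clients' behalf; a dedicated pool subnet avoids that. Against Dan's Site A config it shows internet-bound traffic exempt before Rick's change and no longer exempt after it. The same parser could be extended to flag the posted "access-group out_in in interface outside" with its "permit ip any any" entry, which lets any internet host reach every port the static translations expose.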
-
My ASA5505 Plus is connected to the internet and to a laptop; the laptop can access the internet.
A VPN client connects to the ASA but cannot access internal or external IPs.
I see that the default gateway is wrong, but cannot find how to change it:
********************************
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.200.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.200.1
DNS Servers . . . . . . . . . . . : 4.2.2.2
************************************
I hope that's why I can't access either the laptop (192.168.200.2), Telnet (192.168.200.4) or the internet via the VPN client. I don't know if that part is configured correctly.
Configuration: see attachment.
Ofir,
Try the following
ip local pool VPN_Pool 172.16.20.1-172.16.20.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.200.4 255.255.255.252
no access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list Split_T extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
tunnel-group test general-attributes
 address-pool VPN_Pool
 no address-pool test
group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_T
crypto isakmp nat-traversal 20
management-access inside
Regards
-
Hello
It seems to me that the configurations are mostly fine. But of course they may differ from those the remote site has. We do not know what the settings are on the other side of this L2L VPN connection.
The NAT0 configuration has one line that is not necessary (line below):
access-list inside_nat0_outbound extended permit ip lan-imp 255.255.255.0 1.1.1.0 255.255.255.0
You can use "packet-tracer" on the CLI to check what happens to the traffic first:
packet-tracer input inside tcp 1.1.1.100 12345 192.168.1.100 80
I guess the LAN IP address has been changed for some reason, so replace the IP addresses above with random IPs from the LAN and the REMOTE LAN as necessary.
Issue the command above twice. If the second output still stops at the VPN phase with DROP, then there is some problem in the configuration on one side or the other of the L2L VPN connection.
You can also check the output of the following command after issuing the "packet-tracer" command above, to see what is happening in Phase 1 of the L2L VPN negotiation:
show crypto isakmp sa
If that gets through, then I would start looking for a problem in the related "crypto map" configurations.
-Jouni
-
ASA Easy VPN connection problem
Hi guys,
I configured Easy VPN between a 5510 and a 5505. Everything seems fine; however, if there is no traffic in the tunnel for a few hours, I cannot initiate traffic from the 5510 to the 5505 (client). But if I first send traffic from the 5505, there is no problem.
Anyone know why?
Thank you
Hello
This is normal behaviour; it is part of the Easy VPN functionality. The 5505 acts as a remote VPN client for the 5510. This is not like a site-to-site VPN, where both ends know the IP address of the remote peer and so either peer can initiate the connection; here the 5510 does not know the network and IP of the 5505 until it connects via Easy VPN.
If you want the tunnel to be able to come up from both ends, I would suggest using a classic site-to-site connection as described here:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/ASA5505/quick/guide/SITESITE.html
I hope this helps.
Kind regards
Bastien -
ASA5505 VPN: ping works, RDP does not?
I have an ASA5505 remote access VPN set up.
I have a server connected directly behind the ASA and I can ping the server without problem.
The VPN client reports packets being encrypted and decrypted.
However, when I try to RDP to the server, the encrypted packets keep incrementing but the decrypted packets do not.
I also do not see any RDP traffic hit the server (checked with Ethereal).
I did a packet trace and it succeeds, but ends with an IP spoof, which I believe is correct as it is VPN traffic and not actually encrypted.
This is the log of the RDP session; I'm confused by the ICMP denied on line 2 as I am able to ping the server?
%ASA-6-302013: Built inbound TCP connection 88193 for outside:172.16.24.4/50984 (172.16.24.4/50984) to inside:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.146: no matching session
%ASA-7-609001: Built local-host inside:192.168.100.37
%ASA-6-302015: Built inbound UDP connection 88194 for outside:172.16.24.4/50620 (172.16.24.4/50620) to inside:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-6-302015: Built inbound UDP connection 88195 for outside:172.16.24.4/64598 (172.16.24.4/64598) to inside:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-6-302014: Teardown TCP connection 88193 for outside:172.16.24.4/50984 to inside:192.168.100.146/3389 duration 0:00:00 bytes 0 Flow closed by inspection (roger_ssl)
I have this NAT configured:
nat (inside,outside) source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172
The only meaningful bit is the "flow closed by inspection"? Does this mean that the server has not responded?
And the decrypted packets do not increase when trying to RDP.
Does this mean anything to anyone? I have reached the end of my ASA knowledge on this one!
Thank you
Roger
Answer is based on your other thread:
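Roger's log above is easier to read once the build and teardown messages are paired by connection ID. The Python below is an added example written for this page, not code from the thread or from Cisco. It parses the standard message text for syslog IDs 302013/302015 (Built ... connection), 302014/302016 (Teardown ... connection) and 313004 (Denied ICMP ... no matching session), pairs each teardown with its build, and lists connections torn down with zero bytes together with the teardown reason. The sample lines are constructed from the messages Roger posted. ICMP type 0 is echo-reply, and 313004 is the stateful-ICMP check rather than an access-list deny: the ASA received a reply for which it held no matching ICMP session.

```python
"""Pair ASA connection build/teardown syslogs and tally stateful-ICMP denies.

Added example for this page, not code from the thread or from Cisco.
Assumes the standard message text for syslog IDs 302013/302015 (Built),
302014/302016 (Teardown) and 313004 (Denied ICMP ... no matching session).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<id>\d+) for (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([\d.]+/\d+\) to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\([\d.]+/\d+\)(?: \((?P<user>[^)]*)\))?"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-30201[46]: Teardown (?:TCP|UDP) connection (?P<id>\d+) for "
    r"\w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ duration (?P<dur>[\d:]+) bytes "
    r"(?P<bytes>\d+)(?: (?P<reason>[^(]+?))?(?: \([^)]*\))?$"
)
ICMP_DENY_RE = re.compile(
    r"%ASA-4-313004: Denied ICMP type=(?P<type>\d+), from laddr (?P<src>[\d.]+) "
    r"on interface (?P<if>\w+) to (?P<dst>[\d.]+): no matching session"
)


@dataclass
class Conn:
    proto: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    user: Optional[str]               # VPN username the ASA appends, if any
    byte_count: Optional[int] = None  # filled in from the Teardown line
    duration: Optional[str] = None
    reason: Optional[str] = None      # trailing teardown reason, if any


@dataclass
class Summary:
    conns: Dict[int, Conn] = field(default_factory=dict)
    icmp_denies: Dict[str, int] = field(default_factory=dict)


def parse_lines(lines) -> Summary:
    s = Summary()
    for line in lines:
        line = line.strip()
        m = BUILT_RE.search(line)
        if m:
            s.conns[int(m["id"])] = Conn(m["proto"], m["dir"], m["src"], int(m["sport"]),
                                         m["dst"], int(m["dport"]), m["user"])
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            c = s.conns.get(int(m["id"]))
            if c is not None:  # ignore teardowns whose build is outside the window
                c.byte_count = int(m["bytes"])
                c.duration = m["dur"]
                c.reason = (m["reason"] or "").strip() or None
            continue
        m = ICMP_DENY_RE.search(line)
        if m:
            key = f"{m['src']}->{m['dst']} type {m['type']}"
            s.icmp_denies[key] = s.icmp_denies.get(key, 0) + 1
    return s


def empty_sessions(s: Summary) -> List[int]:
    """Connection IDs torn down with zero bytes: no payload ever crossed the ASA."""
    return [cid for cid, c in s.conns.items() if c.byte_count == 0]


def still_open(s: Summary) -> List[int]:
    """Connections built but never torn down within the log window."""
    return [cid for cid, c in s.conns.items() if c.byte_count is None]


# Constructed sample, reproducing the lines Roger posted above.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 88193 for outside:172.16.24.4/50984 (172.16.24.4/50984) to inside:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.146: no matching session
%ASA-7-609001: Built local-host inside:192.168.100.37
%ASA-6-302015: Built inbound UDP connection 88194 for outside:172.16.24.4/50620 (172.16.24.4/50620) to inside:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-6-302015: Built inbound UDP connection 88195 for outside:172.16.24.4/64598 (172.16.24.4/64598) to inside:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface outside to 192.168.100.37: no matching session
%ASA-6-302014: Teardown TCP connection 88193 for outside:172.16.24.4/50984 to inside:192.168.100.146/3389 duration 0:00:00 bytes 0 Flow closed by inspection (roger_ssl)
"""

if __name__ == "__main__":
    summary = parse_lines(SAMPLE_LOG.splitlines())
    for cid in empty_sessions(summary):
        c = summary.conns[cid]
        print(f"conn {cid} {c.src}:{c.sport} -> {c.dst}:{c.dport} ({c.user}): "
              f"{c.byte_count} bytes in {c.duration}, reason: {c.reason}")
    for key, n in summary.icmp_denies.items():
        print(f"313004 {key}: {n} denied")
```

Run on the posted lines it singles out connection 88193, the RDP session, as the only one torn down after zero bytes and zero seconds, with "Flow closed by inspection" as the reason, and counts four echo-reply denies from the client address. Feeding it a longer export from ASDM or a syslog collector gives the same per-connection view without reading the messages one by one.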
-
ASA5505 asymmetric routing problem? (I think)
Good evening everyone,
I'm looking for suggestions for a solution to a problem I ran into today... I am installing a new router and firewall into an existing network. The router is an Edgewater VoIP router on a cable connection with a static IP. The firewall is an ASA5505 (Security Plus). There is a third-party router in the mix (a Cisco 1841) which has a PTP connection going to another site. I'll try to explain the network architecture in words:
Unfortunately, the existing network is a flat /19 which I'm not allowed to change, so:
VLAN 1 = data network (they used a large /19)
VLAN 40 = voice (for VoIP phones)
Edgewater port 4 > untag 1, tag 40 > ASA5505 port 0
Edgewater WAN port > cable modem
Edgewater DHCP server for VLAN 40
ASA5505 port 0 > untag 1, tag 40 > Edgewater router
ASA5505 port 1 > untag 1, tag 40 > Cisco 2950 FE0/4 (manually set native VLAN 1 on the 2950 to get it to work)
ASA5505 port 2 > untag 1, tag 40 > Cisco SG300 Gig1
ASA5505 voice route 0.0.0.0 0.0.0.0 VLAN40_IP_OF_EDGEWATER
ASA5505 data route 0.0.0.0 0.0.0.0 VLAN1_IP_OF_EDGEWATER
ASA5505 DHCPD for VLAN 1 (small subnet, the rest is left for static addressing with the Cisco 1841 as gateway (infrastructure))
Cisco 2950 A port 4 > untag 1, tag 40 > ASA5505 port 1
Cisco 2950 A Gig1 > untag 1, tag 40 > Cisco 2950 B
Cisco 2950 A DG = IP of Cisco 1841
Cisco 2950 B Gig1 > untag 1, tag 40 > Cisco 2950 A Gig1 (MM fiber uplink)
Cisco 2950 B FE11 > untag 1, tag 40 > Cisco 1841 FE0/0
Cisco 2950 B DG = IP of Cisco 1841
Cisco 1841 FE0/0: 0/0.1 dot1q native, 0/0.40 dot1q 40 > Cisco 2950 B FE11
Cisco 1841 ip route 0.0.0.0 0.0.0.0 <firewall VLAN 1 interface IP> (changed to ip route VLAN40_NETWORK VLAN40_IP_OF_EDGEWATER and VLAN1_NETWORK VLAN1_IP_TO_ASA5505)
The Cisco 1841 also has internal IP routes through the private point-to-point connection to the other site...
What I'm replacing is their existing connection, a SonicWall firewall, and I'm adding a few new PoE switches for the VoIP phones, the VoIP router and an ASA5505. I can't get it to play nice no matter what I try. It seems I am running into asymmetric routing problems (the ASA sends me some "Deny TCP (no connection)" messages on the VLAN 1 static addresses, while VLAN 40 DHCP addresses handed out by the Edgewater work fine; I can browse without any problem)...
I'm not sure what the best approach is. They need to keep the 1841 for now until a site-to-site VPN connection can be configured between the ASA5505 and their ASA5510 at the other site (months down the road because of their budget). All of their PCs are statically addressed and use the C1841 as their default gateway.
If you need the output of all the configs I have created so far, or have any suggestions on how to solve my problem, I'd love to hear them. I have tried everything short of restructuring their entire network or removing my VoIP router, which holds a large amount of configuration for the VoIP PBX phones.
Thank you!
Jon
Apologies, but this is a very confusing description of how it is configured. A diagram would probably help.
If the new VoIP router is the DHCP server for VLAN 40, where are the clients relative to it?
You have two routes on the ASA pointing to the VoIP router; what is the reasoning behind this?
Why are you trunking from the ASA to the VoIP router?
Can the VoIP router hand out DHCP addresses for a network it is not directly connected to, or is that why you extended VLAN 40 all the way out to the VoIP router?
The VoIP router must hand out the VLAN 40 IPs.
I guess maybe it's down to my lack of understanding of exactly what a VoIP router does (as opposed to a normal router).
So maybe you could clarify?
Jon
-
I use VPN Client 5.0.06.0110 to connect from my home computer to my office, which has an ASA5505. If my client PC's immediate network connection is lost while the VPN is active, I get a BSOD. There is no problem if my DSL or a cable beyond my router is disconnected. It only (and always) fails if the network cable to the computer running the VPN Client is pulled (or if my router loses power) while the link is connected.
I am running:
Windows 7 (all updates installed)
Pentium Core 2
4 GB of ram
Atheros L1 Gigabit 10/100/1000 controller
Any suggestion would be appreciated.
BTW, here is the bug description for your reference:
PC restarts if the physical link is disrupted while a VPN connection is up
Symptom:
The computer restarts (the user may also see a Blue Screen Of Death (BSOD) before the reboot, depending on the PC setup) if the physical link is disrupted while a VPN connection is up (that is, when you see the "A network cable is unplugged" error message). This can occur if you run "shutdown" on the switch port your PC is connected to, turn off the SOHO router (or switch) the PC is connected to, lose your WiFi connection, or even disconnect the LAN cable from your wired Ethernet port.
Conditions:
Loss of physical connection during a VPN connection. -
I have been using the SSL VPN for some time. I just noticed that when I tried to go through, I logged in and clicked connect, but now I get the error: Virtual Passage execution failure. I tried another computer that is still running IE9 and had no problem getting in and using my desktop remotely over SSL.
Doesn't IE11 work? Or what should I be looking at?
The router has the latest firmware. IE is 64-bit only.
IE10 and 11 are disasters when it comes to compatibility and how they manage ActiveX controls. I'm not aware of any SSL VPN vendor supporting IE10/11.
You can try Firefox. I can get the Java applet to install, but the routes do not work for me.
Contact support directly and express your concerns.
You can always use IPsec client software.
-
Hello
We have a server at a remote client, to which we need to connect via VPN. My VPN is able to connect, but any application that needs to connect over the VPN does not work. I also can't ping the remote servers. For others it works very well. I can't figure out the problem; I have tried reinstalling the VPN client.
I am using Windows XP Pro and the Cisco VPN Client 4.0.3.
Hello
Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the IT Pro TechNet audience. Please post your question in the TechNet forum for assistance:
TechNet Windows XP Service Pack 3 (SP3)
Hope this information helps.
-
VPN connection problem: keeping the connection up
I'm having a problem keeping a VPN connection up. I connect OK, but the VPN line disconnects after about 2 minutes every time. I use XP Professional V2002, Service Pack 3. I have disabled the Windows firewall, as I have the F-Secure software suite with its firewall active. I connect the laptop wirelessly via a Belkin router. I had no problem for months until August, when this problem suddenly appeared. I have disabled the F-Secure firewall, but that did not help. I also disabled the firewall on the router, again without success. Can you please help?
Hi Rashmis,
Thanks for visiting the Microsoft Windows XP community site. The question you have posted is related to VPN issues and would be better suited to the TechNet community. Please visit the link below to find a community that will provide the support you want. http://social.technet.Microsoft.com/forums/en/categories/
Shawn - Support Engineer - MCP, MCDST
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think -
Client VPN connectivity problems
I use the Cisco VPN client to connect to our network, which is located behind a 515E. The client authenticates and gets an IP address but cannot ping or connect to any of the hosts. The connection is from a customer's network that is also behind a 515E. I have successfully connected using the same policy from other places and have had no problems. What confuses me is that they used to have a Netscreen firewall before, and its Netscreen VPN client connected from their network without a problem. Is there something they need on their firewall so that we can get the traffic through?
Try turning on NAT-T on your PIX by configuring:
isakmp nat-traversal 20
and configure the VPN client accordingly:
http://www.Cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client
I think these discussions are useful:
-
A remote user on our network has problems with the Cisco VPN. They are using Win XP and Cisco Client 3.5.2 and connect via a Compaq iPAQ router into a cable modem. When they VPN in to our VPN 3000 Concentrator it works very well. When they try to VPN in to the PIX on our network, it indicates that the client is no longer. If they use a Microsoft VPN to connect to the network via the 3000 (we run both MS and Cisco VPN) with it set to use the remote default gateway, the Cisco VPN will connect to the PIX, see the network behind the PIX and ping things behind the PIX, but not map a drive. The remote user can ping the PIX from their un-VPNed connection at the remote location. No other user has a problem connecting to the PIX (except those with bad remote access or satellite broadband, who cannot VPN into anything anyway). We even have a few AOLers connecting to it. Help me please.
If the Compaq iPAQ router does PAT, that might be the problem. The PIX is unable to handle IPsec clients that have crossed PAT. The VPN 3000 has a mechanism to deal with this. PPTP is different from IPsec.
You must ensure that the IPsec client has its own publicly routable IP address.
Kind regards
-
VPN tunnel problem: outside interface has a private IP
Hi all
I don't know if this is doable or not!
When our ISP provided us with an Internet connection, our real IP was configured on the Ethernet interface, while the serial interfaces have private IP addresses.
The problem comes when I try to configure a VPN tunnel to another router.
Everything in the configuration goes smoothly, except for the part where I have the serial interface as my outside.
The tunnel is still down because the IP address will be my private one (serial interface), while in the configuration on the peer router it is my public IP address.
So I am wondering, is there a way I can force the VPN tunnel to use the IP address configured on the LAN side? Or any other workaround?
Building configuration...
Current configuration : 2372 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-23.bin
boot-end-marker
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address 144.254.x.y
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 144.254.x.y
 set peer 144.254.x.y
 set transform-set ESP-3DES-SHA
 match address VPN_Traffic
!
!
!
interface FastEthernet0/0
 ip address 10.55.218.1 255.255.255.0 secondary    (my internal subnet)
 ip address 196.219.a.b 255.255.255.224             (my public IP)
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type q933a
!
interface Serial0/0/0.16 point-to-point
 ip address 172.16.133.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
interface Serial0/0/1
 no ip address
 encapsulation frame-relay IETF
 ignore-dcd
 frame-relay lmi-type q933a
!
interface Serial0/0/1.16 point-to-point
 ip address 172.16.134.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 16
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1.16
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
!
ip access-list extended VPN_Traffic
 remark Protect local traffic to any destination subnet
 remark SDM_ACL Category=4
 permit ip 10.55.218.0 0.0.0.255 any
!
scheduler allocate 20000 1000
end
This should do the trick:
crypto map SDM_CMAP_1 local-address FastEthernet0/0
Cheers
-
ASA 5505 ASDM VPN connection problem
Hello
We are running an ASA 5505 firewall, version 8.4(4)1. The ASDM version is 6.4(9).
The problem is that when a remote access VPN connection is created, it works fine for about 2-3 days.
After that, the VPN client cannot connect any more and gives error code 789.
In this case, the VPN clients are Windows 7 clients on different remote networks, with the same problem scenario.
Windows 8.1 clients cannot connect at all and show the same error code...
All connections go through DefaultRAGroup and the preshared keys match on both sides.
When the user attempts to connect I receive the following in the ASDM log:
6 Apr 10 2015 10:52:39 Group = DefaultL2LGroup, IP = 5.240.31.116, P1 Retransmit msg dispatched to MM FSM
5 Apr 10 2015 10:52:39 Group = DefaultL2LGroup, IP = 5.240.31.116, Duplicate Phase 1 packet detected. Retransmitting last packet.
5 Apr 10 2015 10:53:03 IP = 5.240.31.116, Received encrypted packet with no matching SA, dropping
When I set up the remote login through ASDM I followed the instructions in the following link:
The steps were a little different, but almost the same, given that those instructions show an old version.
I'm interested in trying the steps in this link but not sure whether this will help me solve the problem:
Any help would be appreciated!
Thank you
Hello
If you use local authentication (user name and password on the ASA), why would you need this?
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
Remove it and try.