VPN authentication and wireless through ACS 5.4

Similar Questions

• How do .1x port based authentication access network through ACS

  How .1x port based authentication access network through ACS.

  Hello

  802. 1 x can authenticate the host or by the name of username/password, or either through the MAC address of the clients (PC, printers etc.). This process is called agentless network access that can be done via Mac Auth Bypass.

  In this process, the switchport 802.1 x would send the address MAC PC's connected to the server radius for authentication. If the radius server has the MAC address in its database, authentication will be successful and the PC would be granted network access.

  To check the configuration on GBA 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser...

  To check the configuration on a CBS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro...

  Kind regards

  Kush

• Authentication PEAP wireless across the VPN tunnel

  We use routers for Cisco 871 VPN connectivity series. I'm testing the 871W for VPN and wireless connectivity. I am able to get the VPN but have problems with authentication using PEAP and authentication through active directory wireless. The problem is that my router is unable, because of the VPN connection, "talk" directly to my authentication server using the LAN ip address. I can get the authentication works if I pass the traffic through the internet, drill a hole in my firewall to complete the authentication process. This isn't my preferred method. What can I do to work around may lists VPN access that prevent my direct connectivity to my server?

  Are you able to ping to the ip address of the radius through the tunnel server?

  Try adding this:

  radius of the IP source-interface BVI1

  * Please rate if helped.

  -Kanishka

• Windows 7 slow login / delay authentication question user wireless via ACS 5.8

  Just set up a new ACS 5.8 farm (only 2 servers) here and which I hope someone here can shed light on the difficulties.

  The new ACS server is set up to correctly authenticate administration network device and I am currently working on the definition of profiles for our wireless users authentication and business laptops.

  Being new to this version of ACS (we will migrate manually ACS 4) I followed an excellent example of this task described in a video on this site: http://www.labminutes.com/sec0044_ise_1_1_wireless_dot1x_machine_auth_peap

  I managed to have a Windows XP sp3 client authenticate properly, first with the authentication of the computer, then the authentication of users... and the domain logon process takes place in a short period of time< 1min="" and="" the="" user="" gets="" all="" their="" networked="" drives="" via="" the="" domain="" login="">

  However, I'm fighting to get our Windows 7 clients to authenticate properly.  It seems that the machine authentication does not work as expected (I can ping the laptop test from another machine on the network while the test machine is sitting at the login screen; and I see Authentication host recorded in the papers of authentication Radius ACS).  But, when a domain user logs in with his credentials, the connection process takes 4-5 minutes before an event to authenticate the user is entered in the register authentication Radius ACS, after which the login process completes, except that the domain logon script does not work and the user does not receive the drive mappings.

  Can someone point me in the right direction here?  I would be grateful any entry on this.

  Thanks in advance,

  John

  I had a similar problem with Wireless 802.1 x Win 7 clients unable to connect unless they had cached credentials of the AD.  Authenticate in the machine, but the user would take a lot of time if the Windows credentials have been cached.

  I could solve the problem by expanding the ACL of the air space used during the user authentication to include all DC in the environment.

• IPSec VPN authentication problem against AD by RADIUS/ISA

  As background, I have a VPN IPSec authentication against the local database upward and running with access to my internal network and work with zero issues.

  So I would move offshore to the local database authentication and boince it is outside my ad.  I am running 2003 server so I configure ISA Server RADIUS and think I have it properly configured.  It is registered in the AD, I added my asa as a customer radius, customized remote access and connection request policies.

  The test of authentication in the ASDM he succeeds with all users who need.

  During the test through my client vpn on a remote computer, I get the connection terminated by a peer, no reason given.

  It is said of the event on the domain controller logs

  -l' user domain - user % name % has had access.

  directly after this, there is an entry

  -VPN-RADIUS-GP is denied access

  where VPN-RADIUS-GP is the name of the tunnel group policy in my ASA.

  Ive tried a lot of literature and a few forums and have not yet find any explanation as to why this would happen as username trying to authenticate to the ISA

  Anyone have any ideas?

  Thank you

  Mac

  group-policy VPN-Radius-GP external server-group VPN_Radius_Auth password aaaaaaaaaaaaaaaaaaaaaa

  It is a group-foreign policy, by definition, that it is defined on the AAA server group policy, so the ASA sends a radius access request to retrieve the attributes of group policy.

  See for example http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1133706

  If this isn't what you want, then just remove the group policy and use internal (as the "q101 VPN GP" you).

  HTH

  Herbert

• Slow speeds E3200 use wired and wireless

  Hello

  I'm trying to understand why my E3200 is (for lack of a better word) 'throttling' my internet speed.

  I am registered for the 50Mbps data plan my ISP. When I plug my laptop directly to the modem cable (via LAN cable), I see near 50Mbps as internet speed (via speedtest.net). When I connect my router to the cable modem and connect through a LAN cable to the router, the internet speed comes down through a maximum of 26Mbps. NOTE, that I speak still wired and not wireless. With the Wi - Fi speed tests give the same results as well.

  In order to exclude the evidence, I have confirmed that there are not other devices on the network and any other bandwidth hogging applications running while I made these tests.

  Any thoughts on what configs could be twisted to improve the situation?

  All the...

  Spent the last 2 hours on the phone with a Cisco support person. After some fairly elaborate tests, they came to the conclusion that the unit is maybe defective. Fortunately, I'm covered under the hardware warranty, so I'll return it for a replacement.

  Thanks for any ideas for troubleshooting... And other people having similar problems with this model should also probably call assistance...

  See you soon

• Doesn't work VPN wired OK - wireless

  I have a client who asked me to install VPN software on my laptop.  The software works very well in wireless mode when I'm not at home, but it doesn't work at all on my WRT350N - Internet connection.  However, when I connect to the router with a cable, everything works fine. Otherwise, the router is great - really a solid product.

  The strange thing is that the VPN Cisco - and is therefore the router software - go figure. Anyone have any ideas?

  If you are connected to the wireless network and you can navigate the Internet wireless, then ideally your VPN should work if it works wired... Check if you are connected to your wireless network and Internet...

• Cannot VPN in the network through PIX501

  I have a pix 501 at home. When I try to VPN in our network via the VPN client I get authenticated but can't seem to our internal network. When I use my router netgear instead of the PIX I can VPN in and outside the internal network. Do I have to open some ports (if if ports) on the PIX or I have to change some configuration on the VPN client.

  The problem is the PIX does not support IPSec, and PAT up 6.3 code coming out next year. Your VPN tunnel is based on UDP port 500 packets, which the PIX can PAT correctly. After that, all your packages are packages ESP, which is the IP 50 protocol which the PIX cannot PAT. If you have a second IP address from your ISP, you can create a static NAT translation in the PIX for your home PC and it works correctly.

  Alternatively, if your VPN client supports IPSec encapsulation somehow in the TCP or UDP packets, then use it and it will work very well also.

• Routing problem between the VPN Client and the router's Ethernet device

  Hello

  I have a Cisco 1721 in a test environment.

  A net 172.16.0.0/19 simulates the Internet and a net 192.168.1.0/24 simulates the net, the VPN tunnel must go to (intranet).

  The net 172.16.0.0 depends on the router 0 FastEthernet, Intranet (VPN) hangs on Ethernet 0.

  The configuration was inspired form the sample Configuration

  "Configuring the Client VPN Cisco 3.x for Windows to IOS using Local extended authentication"

  and the output of the ConfigMaker configuration.

  Authentication and logon works. Client receives an IP address from the pool. But there's a routing problem

  side of routers. Ping client-side - do not work (the VPN client statistics that count encrypt them packets, but not to decrypt).

  Ping the router works too, but decrypt and encrypt customer statistics in VPN packets count progressive

  (customer has a correct route and return ICMP packets to the router).

  The question now is:

  How to route packets between the Tunnel and an Ethernet device (Ethernet 0)?

  conf of the router is attached - hope that's not too...

  Thanks & cordially

  Thomas Schmidt

  -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

  !

  version 12.2

  horodateurs service debug uptime

  Log service timestamps uptime

  encryption password service

  !

  !

  host name * moderator edit *.

  !

  enable secret 5 * moderator edit *.

  !

  !

  AAA new-model

  AAA authentication login userauthen local

  AAA authorization groupauthor LAN

  !

  ! only for the test...

  !

  username cisco password 0 * moderator edit *.

  !

  IP subnet zero

  !

  audit of IP notify Journal

  Max-events of po verification IP 100

  !

  crypto ISAKMP policy 3

  3des encryption

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group 3000client

  key cisco123

  pool ippool

  !

  ! We do not want to divide the tunnel

  ! ACL 108

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  !

  map clientmap client to authenticate crypto list userauthen

  card crypto clientmap isakmp authorization list groupauthor

  client configuration address map clientmap crypto answer

  10 ipsec-isakmp crypto map clientmap Dynamics dynmap

  !

  interface Ethernet0

  no downtime

  Description connected to VPN

  IP 192.168.1.1 255.255.255.0

  full-duplex

  IP access-group 101 in

  IP access-group 101 out

  KeepAlive 10

  No cdp enable

  !

  interface Ethernet1

  no downtime

  address 192.168.3.1 IP 255.255.255.0

  IP access-group 101 in

  IP access-group 101 out

  full-duplex

  KeepAlive 10

  No cdp enable

  !

  interface FastEthernet0

  no downtime

  Description connected to the Internet

  IP 172.16.12.20 255.255.224.0

  automatic speed

  KeepAlive 10

  No cdp enable

  !

  ! This access group is also only for test cases!

  !

  no access list 101

  access list 101 ip allow a whole

  !

  local pool IP 192.168.10.1 ippool 192.168.10.10

  IP classless

  IP route 0.0.0.0 0.0.0.0 172.16.12.20

  enable IP pim Bennett

  !

  Line con 0

  exec-timeout 0 0

  password 7 * edit from moderator *.

  line to 0

  line vty 0 4

  !

  end

  ^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-

  Thomas,

  Can't wait to show something that might be there, but I don't see here. You do not have the card encryption applied to one of the interfaces, perhaps it was not copied. Assuming your description you do it, or should it be, applied to the fa0 and you are connected. Try how you ping? Since the router or a device located on E0? If you ping the router, you will need to do an extended ping of E0 to the ip address of the client has been assigned. If your just ping the router without the extension, you will get sales and decrypts that you declare on the client. Have you tried to ping from the client to interface E0? Your default route on the router is pointing to fa0? You have a next hop to affect? You have several NIC on the client pc? Turn off your other network cards to check that you don't have a problem with routing on the client if you have more than one.

  Kurtis Durrett

• LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

  Hello

  I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

  When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

  However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

  Encryption = null esp (in 1721) and to "null" in VPN-3000.

  Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

  % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

  Has anyone seen this behavior?

  All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

  Thanx------Naman

  Naman,

  Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

  Kurtis Durrett

• For wired network and wireless EAP process

  Hello

  I am confused with the EAP process when compared between wired and wireless. As far as I understand that EAP working if wired authentication of 802. 1 x, the client must have an IP address on this subject in advance. In other words, EAP process cannot start without the IP address on the wired client. For the same reason no doubt allow us DHCP traffic switch low impact.

  But when it comes to wireless it looks that the EAP process can function without an address IP is required on the wireless client. My understanding is correct? If Yes, how can EAP process of progress without an IP address on the client because there might be a scenario this RADIUS/ISE server can be available to the client on a network of layer 3 for authentication 802. 1 x.

  Thanks in advance for clarifying this confusion. I'd appreciate also all link to a good document that covers this concept.

  Kind regards

  Quesnel

  EAPOL traffic between switch and host is not on IP and runs before DHCP.

• Cisco ISE 1.3 using 802.1 x authentication for wireless clients

  Hello

  I fell into a strange question attempts to authenticate a user more wireless. I use as PEAP authentication protocol. I have configured my strategy of authentication and authorization, but when I come to authenticate the selected authorization policy are by default that denies access.

  I used the 802. 1 x conditions made up to match the computer authentication, then the user authentication

  AUTHENTICATION OF THE COMPUTER

  football match

  Box

  Wireless

  Group of ads (machine)

  AUTHENTICATING USERS

  football match

  Box

  Wireless

  Ad (USER) group

  has been authenticated = true

  Here are the measures taken to authenticate any ideas would be great.

  Request for access received RADIUS 11001
  11017 RADIUS creates a new session
  15049 evaluating Policy Group
  Service evaluation 15008 selection policy
  15048 questioned PIP
  15048 questioned PIP
  15048 questioned PIP
  15006 set default mapping rule
  11507 extract EAP-response/identity
  12300 prepared EAP-request with PEAP with challenge
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12302 extracted EAP-response containing PEAP challenge-response and accepting as negotiated PEAP
  12318 has successfully PEAP version 0
  12800 first extract TLS record; TLS handshake began
  12805 extracted TLS ClientHello message
  12806 prepared TLS ServerHello message
  12807 prepared the TLS certificate message
  12810 prepared TLS ServerDone message
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  12318 has successfully PEAP version 0
  12812 extracted TLS ClientKeyExchange message
  12804 message retrieved over TLS
  12801 prepared TLS ChangeCipherSpec message
  12802 completed TLS prepared message
  12816 TLS handshake succeeded
  12310 full handshake PEAP completed successfully
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  12313 PEAP inner method started
  11521 prepared EAP-request/identity for inner EAP method
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  11522 extract EAP-Response/Identity for EAP method internal
  11806 prepared EAP-internal method call offering EAP-MSCHAP VERSION challenge
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  11808 extracted EAP-response containing EAP - MSCHAP VERSION challenge response to the internal method and accepting of EAP - MSCHAP VERSION such as negotiated
  15041 assessment political identity
  15006 set default mapping rule
  Source sequence 22072 Selected identity
  15013 selected identity Source - AD1
  24430 Authenticating user in Active Directory
  Identity resolution 24325
  24313 is looking to match accounts at the junction
  24315 account in the domain
  24323 identity resolution detected single correspondent account
  Application for CPP 24343 successful logon
  24402 user Active Directory authentication succeeded
  Authentication 22037 spent
  EAP-MSCHAP VERSION 11824 passed authentication attempt
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  11810 extract EAP-response to the internal method containing MSCHAP stimulus / response
  11814 inner EAP-MSCHAP VERSION successful authentication
  11519 prepared EAP-success for the inner EAP method
  12314 PEAP inner method completed successfully
  prepared 12305 EAP-request another challenge PEAP
  11006 returned Challenge RADIUS access
  Request for access received RADIUS 11001
  11018 RADIUS re - use an existing session
  12304 extract EAP-response containing PEAP stimulus / response
  ISE 24423 was not able to confirm the successful previous machine authentication
  15036 assessment authorization policy
  15048 questioned PIP
  15048 questioned PIP
  Looking 24432 user in Active Directory - xxx\zzz Support
  24355 fetch LDAP succeeded
  Recovery of user 24416 of Active Directory groups succeeded
  15048 questioned PIP
  15048 questioned PIP
  15004 Matched rule - default
  15016 selected the authorization - DenyAccess profile
  15039 rejected by authorization profile
  12306 successful PEAP authentication
  11503 prepared EAP-success
  11003 returned RADIUS Access-Reject
  Endpoint 5434 conducted several failed authentications of the same scenario

  Windows will only be machine authentication when you start, then test you can't just disconnect/connect the pc, you will need to restart. The solution is called cisco anyconnect nam and eap-chaining.

• Client VPN authentication question

  Hi friends,

  I recently started a new company, where the Cisco VPN Client is used by all remote Windows users. I'm not familiar with the customer. I see by our remote access policy that clients authenticate using PAP. This immediately caught my concern.

  My question is if this poses a threat to security? Even if the authentication is not encrypted, it is always the case in a 3DES IPSec tunnel, right? What is the best practice regarding using the VPN client and authentication?

  Thanks in advance!

  Equipment:

  Cisco VPN Client v5 (latest version) on Windows XP SP3

  Microsoft IAS (RADIUS) on W2K3 Server R2 x 64

  Router Cisco 3825

  IOS 12.4.24T Adv IP Services

  If I understand your customer VPN ends on 3825 router. the customer gets the name of username/password prompt after than phase 1 so it may not be clear.

  I hope this helps

  concerning

  -Syed

• Cisco VPN Client and Windows XP VPN Client IPSec to ASA

  I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

  PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

  Config is:

  !

  interface GigabitEthernet0/2.30

  Description remote access

  VLAN 30

  nameif remote access

  security-level 0

  IP 85.*. *. 1 255.255.255.0

  !

  access-list 110 scope ip allow a whole

  NAT list extended access permit tcp any host 10.254.17.10 eq ssh

  NAT list extended access permit tcp any host 10.254.17.26 eq ssh

  access-list extended ip allowed any one sheep

  access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

  sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

  tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

  flow-export destination inside-Bct 192.168.1.27 9996

  IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

  ARP timeout 14400

  global (outside-Baku) 1 interface

  global (outside-Ganja) interface 2

  NAT (inside-Bct) 0 access-list sheep-vpn

  NAT (inside-Bct) 1 access list nat

  NAT (inside-Bct) 2-nat-ganja access list

  Access-group rdp on interface outside-Ganja

  !

  Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

  Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

  Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

  Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

  Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

  Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

  Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

  Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

  Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

  dynamic-access-policy-registration DfltAccessPolicy

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

  Crypto ipsec transform-set newset aes - esp esp-md5-hmac

  Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

  Crypto ipsec transform-set vpnclienttrans transport mode

  Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

  life crypto ipsec security association seconds 214748364

  Crypto ipsec kilobytes of life security-association 214748364

  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

  vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

  card crypto interface for remote access vpnclientmap

  crypto isakmp identity address

  ISAKMP crypto enable vpntest

  ISAKMP crypto enable outside-Baku

  ISAKMP crypto enable outside-Ganja

  crypto ISAKMP enable remote access

  ISAKMP crypto enable Interior-Bct

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  No vpn-addr-assign aaa

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.192 outside Baku

  SSH 10.254.17.26 255.255.255.255 outside Baku

  SSH 10.254.17.18 255.255.255.255 outside Baku

  SSH 10.254.17.10 255.255.255.255 outside Baku

  SSH 10.254.17.26 255.255.255.255 outside-Ganja

  SSH 10.254.17.18 255.255.255.255 outside-Ganja

  SSH 10.254.17.10 255.255.255.255 outside-Ganja

  SSH 192.168.1.0 255.255.255.192 Interior-Bct

  internal vpn group policy

  attributes of vpn group policy

  value of DNS-server 192.168.1.3

  Protocol-tunnel-VPN IPSec l2tp ipsec

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value split tunnel

  BCT.AZ value by default-field

  attributes global-tunnel-group DefaultRAGroup

  raccess address pool

  Group-RADIUS authentication server

  Group Policy - by default-vpn

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  Hello

  For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

  Please see configuration below:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

  or

  http://tinyurl.com/5t67hd

  Please see the section of tunnel-group config of the SAA.

  There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.

  So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

  Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.

  "crypto isakmp nat-traversal.

  Thirdly, change the transformation of the value

  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

  Let me know the result.

  Thank you

  Gilbert

• NAT VPN tunnel and still access Internet traffic

  Hello

  Thank you in advance for any help you can provide.

  I have a server with the IP 192.168.1.9 that needs to access a subnet remote from 192.168.50.0/24, through the Internet.  However, before the server can access the remote subnet, the server IP must be NAT'ed to 10.1.0.1 because the VPN gateway remote (which is not under my control) allows access to other customers who have the same subnet address that we do on our local network.

  We have a 2801 Cisco (running c2801-advsecurityk9 - mz.124 - 15.T9.bin) set up to make the NAT.  It is the only gateway on our network.

  I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:

  access-list 106 allow host ip 192.168.1.9 192.168.50.0 0.0.0.255

  NAT extended IP access list
  refuse the host ip 192.168.1.9 192.168.50.0 0.0.0.255
  deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
  ip permit 192.168.1.0 0.0.0.255 any

  route allowed ISP 10 map
  corresponds to the IP NAT

  IP nat EMDVPN 10.1.0.1 pool 10.1.0.1 netmask 255.255.255.0
  IP nat inside source list 106 pool EMDVPN
  IP nat inside source map route ISP interface FastEthernet0/1 overload

  When the server (192.168.1.9) attempts to ping on the subnet of 192.168.50.0/24 devices, the VPN tunnel is established successfully.  However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed since the external IP address of the router (FastEthernet0/1) at 10.1.0.1.

  The documentation I've seen on the site of Cisco says that this type of Setup allows only host subnet communication.  Internet access is not possible.  However, maybe I missed something, or one of you experts can help me.  Is it possible to configure the NAT router traffic destined to the VPN tunnel and still access the Internet by using the dynamic NAT on FastEthernet0/1?

  Once again, thank you for any help you can give.

  Alex

  Hello

  Rather than use a pool for NAT

  192.168.1.9 - 10.1.0.1 > 192.168.50.x

  ACL 102 permit ip 192.168.1.9 host 192.168.50.0 0.0.0.255

  RM-STATIC-NAT route map permit 10
  corresponds to the IP 102

  IP nat inside source static 192.168.1.9 10.1.0.1 card expandable RM-STATIC-NAT route

  ACL 101 deny host ip 192.168.1.9 192.168.50.0 0.0.0.255
  ACL 101 by ip 192.168.1.0 0.0.0.255 any
  overload of IP nat inside source list 101 interface FastEthernet0/1

  VPN access list will use the source as 10.1.0.1... *.

  Let me know if it works.

  Concerning

  M