VPN client: What ports and protocols?

Anyone know which ports and protocols are used by the cisco VPN client? (Telco needs this info, because the VPN client does not work in its network)

I know of UDP/500 (ISAKMP)

Erik

Erik,

In addition to ISAKMP, Protocol ESP 50 you and, possibly, NAT - T which is UDP/4500.

Andy

Tags: Cisco Security

Similar Questions

Cisco VPN Client - what are the ports I need to open the 1841?

Hello. As it says on the Tin really, what are the ports I need to allow my access on our 1841 list to allow the Cisco VPN client on through it?

Ta

UDP 500 (isakmp)

UDP 4500 (nat - t)

Protocol ESP 50

Internet access with VPN Client to ASA and full effect tunnel

I'm trying to migrate our concentrator at our new 5520 s ASA. The concentrator has been used only for VPN Client connections, and I have not the easiest road. However, I, for some reason, can't access to internet through our business network when I've got profiles with lots of tunneling.

I've included the configuration file, with many public IP information and omitted site-to-site tunnels. I left all the relevant stuff on tunnel-groups and group strategies concerning connectivity of VPN clients. The range of addresses that I use for VPN clients is 172.16.254.0/24. The group, with what I'm trying to access the internet "adsmgt" and the complete tunnel to our network part is fine.

As always, any help is appreciated. Thank you!

Hüseyin... good to see you come back.. bud, yes try these Hüseyin sugesstiong... If we looked to be ok, we'll try a different approach...

IM thinking too, because complete tunnel is (no separation) Jim ASA has to go back for the outbound traffic from the internet, a permit same-security-traffic intra-interface, instruction should be able to do it... but Jim start by Hüseyin suggestions.

Rgds

Jorge

Remote IPSec VPN - client Windows 7 and ASA 5505

Hello

I'm having trouble with configuring IPSec VPN with Cisco ASA 5505 and Windows 7 client native VPN remotely. My client PC Gets the VPN IP pool address and can access a remote network behind ASA, but then I lose my internet connection. I read that this should be a problem with the split tunneling, but I did as it says here and no luck.

Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the customer is using a local gateway), but then I can't ping remote network.

In the log, I see the warnings of this type:

TCP connection of disassembly 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0: 00:00 0 stream bytes is a loopback (cisco)

I have attached my configuration file (without configuring split tunneling, I tried). If you need additional newspapers, I'll send them right away.

Thank you for your help.

Petar Koraca

That's what you would have needed on versions 8.3 and earlier versions:

permit same-security-traffic intra-interface

Global 1 interface (outside)

NAT (outside) 1 192.168.150.0 255.255.255.0

However I see that you are running 8.4 so I think that all you need is this (I never did on 8.4 so it may not be accurate)

permit same-security-traffic intra-interface

network of the NETWORK_OBJ_192.168.150.0_24 object

dynamic NAT interface (outdoors, outdoor)

Give it a shot and let me know how it goes.

IPSec site to site VPN cisco VPN client routing problem and

Hello

I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

There are on the shelves, there is no material used cisco - routers DLINK.

Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

Can someone help me please?

Thank you

Peter

RAYS - not cisco devices / another provider

Cisco 1841 HSEC HUB:

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

ISAKMP crypto key x xx address no.-xauth

!

the group x crypto isakmp client configuration

x key

pool vpnclientpool

ACL 190

include-local-lan

!

86400 seconds, duration of life crypto ipsec security association

Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

!

Crypto-map dynamic dynmap 10

Set transform-set 1cisco

!

card crypto ETH0 client authentication list userauthen

card crypto isakmp authorization list groupauthor ETH0

client configuration address card crypto ETH0 answer

ETH0 1 ipsec-isakmp crypto map

set peer x

Set transform-set 1cisco

PFS group2 Set

match address 180

card ETH0 10-isakmp ipsec crypto dynamic dynmap

!

!

interface FastEthernet0/1

Description $ES_WAN$

card crypto ETH0

!

IP local pool vpnclientpool 192.168.200.100 192.168.200.150

!

!

overload of IP nat inside source list LOCAL interface FastEthernet0/1

!

IP access-list extended LOCAL

deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

IP 192.168.7.0 allow 0.0.0.255 any

!

access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

!

How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

DE:

access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

TO:

access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

Also change the ACL 190 split tunnel:

DE:

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

TO:

access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

Hope that helps.

What are TCP/UDP ports must be open for version 4.8 of the VPN Client?

What are TCP/UDP ports must be open for Cisco VPN Client version 4.8 working?

Thank you

Normally, you need the following ports and Protocol:

UDP 500

UDP 4500

ESP

In this case, you are using IPSec over TCP, you must open the port TCP 10000 or any other port that you want to use for (its configurable) IPSec connections.

-Kanishka

Only permitted in specific protocol like RDP remote VPN client

Hi, is it possible allow or restrict vpn clients to a specific protocol such as RDP to the authorized network (internal)? Most of the samples in Cisco allows the IP Protocol on the access list of the network of the boarding school for the IP pool which is then translated as Nat (0). I tried to only allow the RDP Protocol in this access list and it does not work.

Thank you.

Hi vivi, unfortunately vpn-filter is not posible in codes 6.x, this feature was introduced in the code 7.x and higher. You need to upgrade code 7.x or higher.

http://www.Cisco.com/en/us/docs/security/ASA/asa70/command/reference/TZ.html#wp1281154

On the other hand if you already have a group of tunnel for the vpn clients and you want to limit all this tunnel RDP group only and nothing else you do with your current code with an acl, not permit ip address but permit tcp and tcp port number port on vpn network host of destination... but this policy applies to all users of RA for this group of tunnel... no practice... as supposed using vpn-filters by user who allows to better control the individual users on the same group of tunnel without affecting others.

Concerning

Connect pc with win 7 to an instrument THEN use the com port and the PPP protocol

Dear all,

I need to make a connecting series between a pc with win 7 and one instrument.

To achieve this I have to use the com port and Protocol PPP. In win xp is possible but I'm not able to find the same in win7

concerning

Diego

Hi Diego,.

Thanks for posting your query in Microsoft Community Forum.

According to the description of the issue, I recommend you post your query in the TechNet Forums. TechNet is watched by other computing professionals who would be more likely to help you.

TechNet Forum

http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

Hope this information is useful.

VPN clients hairpining through a tunnel from site to site

I have a 8.2 (5) ASA 5510 in Site1 and a 8.2 (1) ASA 5505 Site2 they are configured with a tunnel from site to site.

Each site has VPN clients that connect and I would like to allow customers to access on both sides across the site-to-site tunnel servers.

I enabled same-security-traffic permit intra-interface I also added the remote networks to access list who made the split tunneling.

I think I'm doing something wrong with nat, but I don't know, any help would be greatly appreciated.

Site1 Clients1 (172.17.2.0/24) (10.0.254.0/24)

ASA Version 8.2 (5)

!

hostname site1

names of

DNS-guard

!

interface Ethernet0/0

nameif outside

security-level 0

IP address site1 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

IP 172.17.2.1 255.255.255.0

!

interface Ethernet0/2

Shutdown

nameif DMZ

security-level 0

IP 10.10.10.1 255.255.255.0

!

interface Ethernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 0

IP 192.168.1.1 255.255.255.0

management only

!

passive FTP mode

permit same-security-traffic intra-interface

VPN - UK wide ip 172.17.2.0 access list allow 255.255.255.0 172.18.2.0 255.255.255.0

access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 192.168.123.0 255.255.255.0

access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0

access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0

Notice of inside_nat0_outbound access-list us Client Server UK

access extensive list ip 10.0.254.0 inside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0

access extensive list ip 192.168.123.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0

access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.17.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.18.2.0 255.255.255.0

Split_Tunnel_List list standard access allowed 192.168.123.0 255.255.255.0

Split_Tunnel_List of access note list UK VPN Client pool

Standard access list Split_Tunnel_List allow 172.255.2.0 255.255.255.0

outside-2 extended access list permit tcp any any eq smtp

outside-2 extended access list permit tcp any any eq 82

outside-2 extended access list permit tcp any any eq 81

outside-2 extended access list permit tcp everything any https eq

outside-2 extended access list permit tcp any any eq imap4

outside-2 extended access list permit tcp any any eq ldaps

outside-2 extended access list permit tcp any any eq pop3

outside-2 extended access list permit tcp any any eq www

outside-2 extended access list permit tcp any any eq 5963

outside-2 extended access list permit tcp any any eq ftp

outside-2 allowed extended access list tcp any any eq ftp - data

outside-2 extended access list permit tcp any any eq 3389

list of access outside-2 extended tcp refuse any any newspaper

2-outside access list extended deny ip any any newspaper

outside-2 extended access list deny udp any any newspaper

allow VPN CLIENTS to access extended list ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0

allow VPN CLIENTS to access extended list ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0

allow VPN CLIENTS to access extended list 192.168.123.0 ip 255.255.255.0 10.0.254.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.17.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.18.2.0 255.255.255.0

VPNClient_splittunnel list standard access allowed 192.168.123.0 255.255.255.0

VPNClient_splittunnel of access note list UK VPN Client pool

Standard access list VPNClient_splittunnel allow 172.255.2.0 255.255.255.0

VPN-Northwoods extended ip 172.17.2.0 access list allow 255.255.255.0 192.168.123.0 255.255.255.0

Note to outside_nat0_outbound to access list AD 01/05/13

access extensive list ip 10.0.254.0 outside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

MTU 1500 DMZ

management of MTU 1500

mask 10.0.254.25 - 10.0.254.45 255.255.255.0 IP local pool VPNUserPool

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT-control

Global 1 interface (outside)

NAT (outside) 0-list of access outside_nat0_outbound

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 172.17.2.0 255.255.255.0

public static tcp (indoor, outdoor) interface smtp 172.17.2.200 smtp netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 82 172.17.2.253 82 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 81 192.168.123.253 81 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface https 172.17.2.10 https netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 172.17.2.10 imap4 imap4 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 172.17.2.10 pop3 pop3 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface www 172.17.2.19 www netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 5963 172.17.2.108 5963 netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ftp 172.17.2.7 ftp netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ftp - data 172.17.2.7 ftp - data netmask 255.255.255.255

static (inside, outside) tcp 3389 172.17.2.29 interface 3389 netmask 255.255.255.255

Access-group 2-outside-inside in external interface

Route outside 0.0.0.0 0.0.0.0 74.213.51.129 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

RADIUS protocol AAA-server DCSI_Auth

AAA-server host 172.17.2.29 DCSI_Auth (inside)

key *.

AAA-server protocol nt AD

AAA-server AD (inside) host 172.16.1.211

AAA-server AD (inside) host 172.17.2.29

the ssh LOCAL console AAA authentication

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp - esp-sha-hmac trans_set

Crypto ipsec transform-set VPN-Client-esp-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto dynamic-map DYN_MAP 20 the value reverse-road

Crypto-map dynamic outside_dyn_map 20 game of transformation-VPN-Client

address for correspondence outside_map 20 card crypto VPN - UK

card crypto outside_map 20 peers set site2

card crypto outside_map 20 transform-set trans_set

address for correspondence outside_map 30 card crypto VPN-Northwoods

card crypto outside_map 30 peers set othersite

trans_set outside_map 30 transform-set card crypto

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

Crypto ca trustpoint _SmartCallHome_ServerCA

Configure CRL

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 2

lifetime 28800

crypto ISAKMP policy 20

preshared authentication

the Encryption

md5 hash

Group 2

lifetime 28800

Telnet timeout 5

SSH timeout 60

Console timeout 0

management of 192.168.1.2 - dhcpd address 192.168.1.254

enable dhcpd management

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal Clients_vpn group strategy

attributes of strategy of group Clients_vpn

value of server DNS 10.0.1.30

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPNClient_splittunnel

domain.local value by default-field

the authentication of the user activation

tunnel-group VPNclient type remote access

tunnel-group VPNclient-global attributes

address pool VPNUserPool

authentication-server-group DCSI_Auth

strategy - by default-group Clients_vpn

tunnel-group VPNclient ipsec-attributes

pre-shared key *.

tunnel-group othersite type ipsec-l2l

othersite group tunnel ipsec-attributes

pre-shared key *.

tunnel-group site2 type ipsec-l2l

tunnel-group ipsec-attributes site2

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

class-map imblock

match any

class-map p2p

game port tcp eq www

class-map P2P

game port tcp eq www

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

type of policy-map inspect im bine

parameters

msn - im yahoo im Protocol game

drop connection

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the pptp

type of policy-card inspect http P2P_HTTP

parameters

matches the query uri regex _default_gator

Journal of the drop connection

football match request uri regex _default_x-kazaa-network

Journal of the drop connection

Policy-map IM_P2P

class imblock

inspect the im bine

class P2P

inspect the http P2P_HTTP

!

global service-policy global_policy

IM_P2P service-policy inside interface

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893

: end

Site2 Clients1 (172.18.2.0/24) (172.255.2.0/24)

ASA Version 8.2 (1)

!

names of

name 172.18.2.2 UKserver

!

interface Vlan1

nameif inside

security-level 100

IP 172.18.2.1 255.255.255.0

!

interface Vlan2

nameif GuestWiFi

security-level 0

IP 192.168.2.1 255.255.255.0

!

interface Vlan3

nameif outside

security-level 0

IP address site2 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 3

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport trunk allowed vlan 1-2

switchport vlan trunk native 2

switchport mode trunk

Speed 100

full duplex

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

permit same-security-traffic intra-interface

Access extensive list ip 172.18.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0

Access extensive list ip 172.17.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.18.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.17.2.0 255.255.255.0

Standard access list VPNClient_splittunnel allow 172.255.2.0 255.255.255.0

Outside_2_Inside list extended access permit tcp any host otherhost eq smtp

Outside_2_Inside list extended access permit tcp any host otherhost eq pop3

Outside_2_Inside list extended access permit tcp any host otherhost eq imap4

Outside_2_Inside list extended access permit tcp any host otherhost eq www

Outside_2_Inside list extended access permit tcp any host otherhost eq https

Outside_2_Inside list extended access permit tcp any host otherhost eq ldap

Outside_2_Inside list extended access permit tcp any host otherhost eq ldaps

Outside_2_Inside list extended access permit tcp any host otherhost eq nntp

Outside_2_Inside list extended access permit tcp any host otherhost eq 135

Outside_2_Inside list extended access permit tcp any host otherhost eq 102

Outside_2_Inside list extended access permit tcp any host otherhost eq 390

Outside_2_Inside list extended access permit tcp any host otherhost eq 3268

Outside_2_Inside list extended access permit tcp any host otherhost eq 3269

Outside_2_Inside list extended access permit tcp any host otherhost eq 993

Outside_2_Inside list extended access permit tcp any host otherhost eq 995

Outside_2_Inside list extended access permit tcp any host otherhost eq 563

Outside_2_Inside list extended access permit tcp any host otherhost eq 465

Outside_2_Inside list extended access permit tcp any host otherhost eq 691

Outside_2_Inside list extended access permit tcp any host otherhost eq 6667

Outside_2_Inside list extended access permit tcp any host otherhost eq 994

Outside_2_Inside access list extended icmp permitted an echo

Outside_2_Inside list extended access permit icmp any any echo response

Outside_2_Inside list extended access permit tcp any host site2 eq smtp

Outside_2_Inside list extended access permit tcp any host site2 eq pop3

Outside_2_Inside list extended access permit tcp any host site2 eq imap4

Outside_2_Inside list extended access permit tcp any host site2 eq www

Outside_2_Inside list extended access permit tcp any host site2 eq https

Outside_2_Inside list extended access permit tcp any host site2 eq ldap

Outside_2_Inside list extended access permit tcp any host site2 eq ldaps

Outside_2_Inside list extended access permit tcp any host site2 eq nntp

Outside_2_Inside list extended access permit tcp any host site2 eq 135

Outside_2_Inside list extended access permit tcp any host site2 eq 102

Outside_2_Inside list extended access permit tcp any host site2 eq 390

Outside_2_Inside list extended access permit tcp any host site2 eq 3268

Outside_2_Inside list extended access permit tcp any host site2 eq 3269

Outside_2_Inside list extended access permit tcp any host site2 eq 993

Outside_2_Inside list extended access permit tcp any host site2 eq 995

Outside_2_Inside list extended access permit tcp any host site2 eq 563

Outside_2_Inside list extended access permit tcp any host site2 eq 465

Outside_2_Inside list extended access permit tcp any host site2 eq 691

Outside_2_Inside list extended access permit tcp any host site2 eq 6667

Outside_2_Inside list extended access permit tcp any host site2 eq 994

Outside_2_Inside list extended access permit tcp any SIP EQ host site2

Outside_2_Inside list extended access permit tcp any range of 8000-8005 host site2

Outside_2_Inside list extended access permit udp any range of 8000-8005 host site2

Outside_2_Inside list extended access udp allowed any SIP EQ host site2

Outside_2_Inside tcp extended access list deny any any newspaper

Outside_2_Inside list extended access deny udp any any newspaper

VPN - USA 172.255.2.0 ip extended access list allow 255.255.255.0 172.17.2.0 255.255.255.0

access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0

access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.255.2.0 255.255.255.0

access extensive list ip 172.255.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0

Comment by Split_Tunnel_List-list of access networks to allow via VPN

Standard access list Split_Tunnel_List allow 172.18.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.17.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 172.255.2.0 255.255.255.0

Standard access list Split_Tunnel_List allow 10.0.254.0 255.255.255.0

pager lines 20

Enable logging

monitor debug logging

debug logging in buffered memory

asdm of logging of information

Debugging trace record

Within 1500 MTU

MTU 1500 GuestWiFi

Outside 1500 MTU

IP pool local ClientVPN 172.255.2.100 - 172.255.2.124

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 621.bin

don't allow no asdm history

ARP timeout 14400

NAT-control

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 172.18.2.0 255.255.255.0

NAT (GuestWiFi) 2 192.168.2.0 255.255.255.0

public static tcp (indoor, outdoor) interface smtp smtp UKserver netmask 255.255.255.255

public static tcp (indoor, outdoor) UKserver netmask 255.255.255.255 pop3 pop3 interface

public static tcp (indoor, outdoor) interface imap4 imap4 netmask 255.255.255.255 UKserver

public static tcp (indoor, outdoor) interface www UKserver www netmask 255.255.255.255

public static tcp (indoor, outdoor) https UKserver netmask 255.255.255.255 https interface

public static tcp (indoor, outdoor) interface ldap UKserver ldap netmask 255.255.255.255

public static tcp (indoor, outdoor) interface ldaps ldaps netmask 255.255.255.255 UKserver

public static tcp (indoor, outdoor) interface nntp nntp netmask 255.255.255.255 UKserver

public static 135 135 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 102 102 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 390 390 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 3268 3268 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 3269 3269 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static UKserver netmask 255.255.255.255 993 993 interface tcp (indoor, outdoor)

public static UKserver 995 netmask 255.255.255.255 995 interface tcp (indoor, outdoor)

public static 563 563 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 465 465 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 691 691 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 6667 UKserver 6667 netmask 255.255.255.255 interface tcp (indoor, outdoor)

public static 994 994 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)

Access-group Outside_2_Inside in interface outside

Route outside 0.0.0.0 0.0.0.0 87.224.93.53 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

Ray of AAA-server vpn Protocol

AAA-server vpn (inside) host UKserver

key DCSI_vpn_Key07

the ssh LOCAL console AAA authentication

Enable http server

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp - esp-sha-hmac trans_set

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 transform-set trans_set

Crypto dynamic-map DYN_MAP 20 the value reverse-road

address for correspondence outside_map 20 card crypto VPN - USA

card crypto outside_map 20 peers set othersite2 site1

card crypto outside_map 20 transform-set trans_set

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 2

lifetime 28800

crypto ISAKMP policy 20

preshared authentication

the Encryption

md5 hash

Group 2

lifetime 28800

Telnet timeout 5

SSH timeout 25

Console timeout 0

dhcpd dns 8.8.8.8 UKserver

!

dhcpd address 172.18.2.100 - 172.18.2.149 inside

dhcpd allow inside

!

dhcpd address 192.168.2.50 - 192.168.2.74 GuestWiFi

enable GuestWiFi dhcpd

!

no basic threat threat detection

no statistical access list - a threat detection

no statistical threat detection tcp-interception

WebVPN

internal USER_VPN group policy

USER_VPN group policy attributes

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list Split_Tunnel_List

the authentication of the user activation

tunnel-group othersite2 type ipsec-l2l

othersite2 group of tunnel ipsec-attributes

pre-shared-key *.

type tunnel-group USER_VPN remote access

attributes global-tunnel-group USER_VPN

address pool ClientVPN

Authentication-server group (external vpn)

Group Policy - by default-USER_VPN

IPSec-attributes tunnel-group USER_VPN

pre-shared-key *.

tunnel-group site1 type ipsec-l2l

tunnel-group ipsec-attributes site1

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect the rsh

inspect the rtsp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:d000c75c8864547dfabaf3652d81be71

: end

Hello

The output seems to say that traffic is indeed transmitted to connect VPN L2L

Can you PING from hosts on the network 172.18.2.0/24 to the hosts on the network 172.17.2.0/24?

Have you tried several different target hosts on the network you are trying to ping while might exclude us actual devices are not just meeting the specifications these PINGs?

-Jouni

VPN client, lost connection

Hello

I pix506e here... and vpn clients connected.

But suddenly lost connection vpn client 40 minutes and then try to reconnect again but fail. If the vpn client restarts their pc/notebook...yes it can connected to vpn again... but the interruption of the connection again... then restart... and so on... What is the cause of this problem?

Thanks for the help

Tonny

All remote VPN clients are having the same problem or is it limited to just a few. If the problem is seen with only a few, it is quiet possible that the problem is not with the PIX of the customer. In addition, the DPO is enabled or not. DPD will cause tips to know an IPSec connection over, where the SAs flusing, allowing new being negotiate quickly.

VPN Client connection terminated

I am new to Cisco PIX and I'm having a problem with the removal of the connections. We use a 515e on 6.2 and my laptops use VPN Client 4.0 and Radius to IAS on W2K3 Server. About 30 minutes, a window appears saying "secure VPN connection is completed by a peer. "Reason: (reason unspecified peer). I've combed through the configuration settings and the settings of the Cisco and my connection on the Radius Server and am unable to find anything to help. Any help would be appreciated.

Thank you

Warren

On if the PIX515 you do a 'show vpngroup' which is the ' time max "setting configured for? If it is not configured, you can do a max of vpngroup-time for the clients of the group. You can also set the idle max here too. In troubleshooting, maybe set to 3600 seconds (1 hour) to see if you are disconnected. Then adjust your idle down time (you can set it to 0 if ever you want clients idel time out) and see what happens.

Matt

IPsec remote VPN client 5.0.07 Cisco

Hello

I am setting up remote IPsec VPN using ASDM for ASA 5505.

can someone guide me for FOLLOWING;

1 step 6 for ASDM IPsec wizard: name of the cluster: what IP addresses I need to assign here.

my network has inside the IP 192.168.0.1 and outside IP 162.212.232.174

2. VPN client: what would be the IP host?

What is the password and username for authentication group?

Please advice or give me a link that can help me for this set to the top?

I need help with installation of VPN client both ASDM for IPsec Wizard wizard.

Thank you

SAP

Hello

Pool is the range of IP addresses for VPN clients (when connect you to your network). Use a different subnet of your internal networks. ex: 192.168.10.0 255.255.255.0

Host IP: your ASA 5505 public ip: 162.212.232.174

Group information - that you configure on ASA5505 and even he must be configured on the client.

See the link below (research online and you will find a lot of documentation).

http://www.databasemart.com/HOWTO/Cisco_VPN_Remote_Access_Setup_ASA5500.aspx

THX

MS

VPN client - multiple connection possibilities?

Hi people,

My basic question is, Cisco VPN Client allows two simultaneous VPN connections at the same time?

I would like to implement the following:

Customer user (remote access VPN via Internet)--> Head Office c/o ASA 5520 pair--> (VPN remote access via Internet)--> pair of Branch Office ASA 5510 S + a/s

For example, to access the Branch Office system, the user must:

1. connect to the peer of Head Office ASA via Cisco VPN Client (the user/password authentication)

Head Office ASA peer gives an 172.16.1.x private IP address and is configured to route all requests for public office ASA IP through its own public IP address.

2. once Head Office VPN is established, the user establishes a SECOND VPN tunnel of the Cisco VPN client (user/password and focused on the cert auth)

I.e. branch sees the VPN connection try from the public IP address of Headquarters and therefore allows the VPN through the ACL traffic and allows the continuation of the VPN negotiations as usual. Customer is given another IP address private, 192.168.10.x.

Basically, I need to limit the remote access VPN branch to make it only accessible from Headquarters public IP address, no public IP address of the user (and therefore the entire internet).

I know this is an unusual configuration, and some will say on the sensitivity of security to allow two simultaneous VPN connections. These are the two networks of trust, strict ACL would be at stake and there is a long history behind this requirement...

Thanks in advance!

Alistair,

You can limit the access of VPN connections to branch by blocking connections on UDP ports 500, 4500 UDP and ESP and allowing him only from your home office. In this way, only the explicitly authorized public IP address of your home office would be able to connect to your remote sites by using an IPSec tunnel.

Now, on the second tunnel I don't think it's possible. As far I am aware you cannot have two connections to VPN at the same time of the same customer. The VPN will not let you do, it's mainly because when you have a VPN Client the VPN map session comes up and you can only one card virtual VPN.

Because I don't think it is possible I would advice to try something like this:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Could provide you the connectivity that you are looking for without needing a second tunnel VPN from the client side.

I hope this helps.

Raga

ASA vpn client

Hello world

I would like to ask for help in order to correct a customer vpn tunnel. I'm not familiar with the AAS, so please do not laugh if I write something stupid

So I inherit one asa, which has two interface used physical and vlan more. Outdoors, office, management and management. I use my computer on the vlan management, and I can reach the computers on the desktop (192.168.12.0/24) and the branch (192.168.10.0/24). I would realize that I connect to thrught houses a vpn, and I should reach the 12.x and 10.x network as I was in these networks (due to the microsoft allowed wirewall to the local network traffic).

I inherited a vpn configuration which I added my user.

I'm trying to cite only the relevant portion of config:

SSH 192.168.99.0 255.255.255.0 management

access extensive list ip 192.168.99.0 nonat_management allow 255.255.255.0 192.168.99.0 255.255.255.0

access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0

IP local pool ippool 192.168.99.100 - 192.168.99.200

NAT-control
Global 1 interface (outside)

NAT (management) - access list 0 nonat_management
nat_management_office list of access 5 NAT (management)
nat_management_branch list of Access 10 NAT (management)

192.168.99.50 management - dhcpd addresses 192.168.99.79
enable dhcpd management

L2TP strategy of Group internal
monty password username * == encrypted nt
monty username attributes
Protocol-tunnel-VPN l2tp ipsec
VPN-framed-ip-address 192.168.99.99 255.255.255.0
attributes global-tunnel-group DefaultRAGroup
ippool address pool
Group Policy - by default-l2tp
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication

I quote the encryption settings, because I can connect to asa, I think that I have problems with the nat or access rules.

I have an ip local pool 192.168.99.100 - 192.168.99.200, but I have the fixed ip with the vpn-framed-ip-address 192.168.99.99 255.255.255.0

Happened when I connect and try to reach the following computers:

I can reach only a freenas 192.168.12.2, and I see in his journal that I have connected with 192.168.99.99 (vpn-framed-ip-address)

I can't reach the computers on networks, however I have two nat rules, working when I'm in the office network 99.0

access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0

It seems that these two nat rules do not work with my vpn client.

And it is very important to arrive at the asa with ssh through the tunnel, but I can't.

I don't know if that is the ip address of the vpn client is in the management network, perhaps one should change to another network:

for example 192.168.95.0/24

A vpn asa for Dummies or any help is appreciated.

Thank you very much

Hi Chris,

The following should help:

access-list allowed 192.168.12.0 nonat_office 255.255.255.0 192.168.90.0 255.255.255.0

In this way, returning office subnet pool VPN traffic is exempt from nat. And so you will not get the failure of RPF checking.

In addition, you must change this:

nat_vpn_office to access extended list ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

(incoming traffic on the VPN remote access would come from the VPN pool.) Not your home network.)

You must have:

No nat_vpn_office access list extended ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0

access extensive list ip 192.168.90.0 nat_vpn_office allow 255.255.255.0 192.168.12.0 255.255.255.0

NAT (outside) 5 nat_vpn_office list of outdoor access

Hope this helps, and sorry for the delay.

-Shrikant

P.S.: Please check the question as answered if it was resolved. Do rates all useful messages. Thank you.

Maintenance of the internal DNS after connecting to the VPN Client

We connect to the VPN client, all day and I wanted to know if there is a way to continue to use our internal LAN DNS when you are connected. For example, when I connect to the VPN client, our mail server internal and the dns resolves the public IP address.

Thank you

You can set up the split-dns service, but which can be configured at the vpn your client device, because you only connect with vpn client and normally politicians vpn client get pushed vpn headend unit.

Here is the split-dns command if your customer comes to run ASA firewall, and they allow you to configure:

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/S8.html#wp1404571

VPN client: What ports and protocols?

Similar Questions

Maybe you are looking for