VPN client: What ports and protocols?
Anyone know which ports and protocols are used by the cisco VPN client? (Telco needs this info, because the VPN client does not work in its network)
I know of UDP/500 (ISAKMP)
Erik
Erik,
In addition to ISAKMP, Protocol ESP 50 you and, possibly, NAT - T which is UDP/4500.
Andy
Tags: Cisco Security
Similar Questions
-
Cisco VPN Client - what are the ports I need to open the 1841?
Hello. As it says on the Tin really, what are the ports I need to allow my access on our 1841 list to allow the Cisco VPN client on through it?
Ta
UDP 500 (isakmp)
UDP 4500 (nat - t)
Protocol ESP 50
-
Internet access with VPN Client to ASA and full effect tunnel
I'm trying to migrate our concentrator at our new 5520 s ASA. The concentrator has been used only for VPN Client connections, and I have not the easiest road. However, I, for some reason, can't access to internet through our business network when I've got profiles with lots of tunneling.
I've included the configuration file, with many public IP information and omitted site-to-site tunnels. I left all the relevant stuff on tunnel-groups and group strategies concerning connectivity of VPN clients. The range of addresses that I use for VPN clients is 172.16.254.0/24. The group, with what I'm trying to access the internet "adsmgt" and the complete tunnel to our network part is fine.
As always, any help is appreciated. Thank you!
Hüseyin... good to see you come back.. bud, yes try these Hüseyin sugesstiong... If we looked to be ok, we'll try a different approach...
IM thinking too, because complete tunnel is (no separation) Jim ASA has to go back for the outbound traffic from the internet, a permit same-security-traffic intra-interface, instruction should be able to do it... but Jim start by Hüseyin suggestions.
Rgds
Jorge
-
Remote IPSec VPN - client Windows 7 and ASA 5505
Hello
I'm having trouble with configuring IPSec VPN with Cisco ASA 5505 and Windows 7 client native VPN remotely. My client PC Gets the VPN IP pool address and can access a remote network behind ASA, but then I lose my internet connection. I read that this should be a problem with the split tunneling, but I did as it says here and no luck.
Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the customer is using a local gateway), but then I can't ping remote network.
In the log, I see the warnings of this type:
TCP connection of disassembly 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0: 00:00 0 stream bytes is a loopback (cisco)
I have attached my configuration file (without configuring split tunneling, I tried). If you need additional newspapers, I'll send them right away.
Thank you for your help.
Petar Koraca
That's what you would have needed on versions 8.3 and earlier versions:
permit same-security-traffic intra-interface
Global 1 interface (outside)
NAT (outside) 1 192.168.150.0 255.255.255.0
However I see that you are running 8.4 so I think that all you need is this (I never did on 8.4 so it may not be accurate)
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.150.0_24 object
dynamic NAT interface (outdoors, outdoor)
Give it a shot and let me know how it goes.
-
IPSec site to site VPN cisco VPN client routing problem and
Hello
I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.
The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.
There are on the shelves, there is no material used cisco - routers DLINK.
Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.
Can someone help me please?
Thank you
Peter
RAYS - not cisco devices / another provider
Cisco 1841 HSEC HUB:
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP crypto key x xx address no.-xauth
!
the group x crypto isakmp client configuration
x key
pool vpnclientpool
ACL 190
include-local-lan
!
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco
!
Crypto-map dynamic dynmap 10
Set transform-set 1cisco
!
card crypto ETH0 client authentication list userauthen
card crypto isakmp authorization list groupauthor ETH0
client configuration address card crypto ETH0 answer
ETH0 1 ipsec-isakmp crypto map
set peer x
Set transform-set 1cisco
PFS group2 Set
match address 180
card ETH0 10-isakmp ipsec crypto dynamic dynmap
!
!
interface FastEthernet0/1
Description $ES_WAN$
card crypto ETH0
!
IP local pool vpnclientpool 192.168.200.100 192.168.200.150
!
!
overload of IP nat inside source list LOCAL interface FastEthernet0/1
!
IP access-list extended LOCAL
deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
IP 192.168.7.0 allow 0.0.0.255 any
!
access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.
Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL
DE:
access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
TO:
access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255
Also change the ACL 190 split tunnel:
DE:
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
TO:
access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.
Hope that helps.
-
What are TCP/UDP ports must be open for version 4.8 of the VPN Client?
What are TCP/UDP ports must be open for Cisco VPN Client version 4.8 working?
Thank you
Normally, you need the following ports and Protocol:
UDP 500
UDP 4500
ESP
In this case, you are using IPSec over TCP, you must open the port TCP 10000 or any other port that you want to use for (its configurable) IPSec connections.
-Kanishka
-
Only permitted in specific protocol like RDP remote VPN client
Hi, is it possible allow or restrict vpn clients to a specific protocol such as RDP to the authorized network (internal)? Most of the samples in Cisco allows the IP Protocol on the access list of the network of the boarding school for the IP pool which is then translated as Nat (0). I tried to only allow the RDP Protocol in this access list and it does not work.
Thank you.
Hi vivi, unfortunately vpn-filter is not posible in codes 6.x, this feature was introduced in the code 7.x and higher. You need to upgrade code 7.x or higher.
http://www.Cisco.com/en/us/docs/security/ASA/asa70/command/reference/TZ.html#wp1281154
On the other hand if you already have a group of tunnel for the vpn clients and you want to limit all this tunnel RDP group only and nothing else you do with your current code with an acl, not permit ip address but permit tcp and tcp port number port on vpn network host of destination... but this policy applies to all users of RA for this group of tunnel... no practice... as supposed using vpn-filters by user who allows to better control the individual users on the same group of tunnel without affecting others.
Concerning
-
Connect pc with win 7 to an instrument THEN use the com port and the PPP protocol
Dear all,
I need to make a connecting series between a pc with win 7 and one instrument.
To achieve this I have to use the com port and Protocol PPP. In win xp is possible but I'm not able to find the same in win7
concerning
Diego
Hi Diego,.
Thanks for posting your query in Microsoft Community Forum.
According to the description of the issue, I recommend you post your query in the TechNet Forums. TechNet is watched by other computing professionals who would be more likely to help you.
TechNet Forum
http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro
Hope this information is useful.
-
VPN clients hairpining through a tunnel from site to site
I have a 8.2 (5) ASA 5510 in Site1 and a 8.2 (1) ASA 5505 Site2 they are configured with a tunnel from site to site.
Each site has VPN clients that connect and I would like to allow customers to access on both sides across the site-to-site tunnel servers.
I enabled same-security-traffic permit intra-interface I also added the remote networks to access list who made the split tunneling.
I think I'm doing something wrong with nat, but I don't know, any help would be greatly appreciated.
Site1 Clients1 (172.17.2.0/24) (10.0.254.0/24)
ASA Version 8.2 (5)
!
hostname site1
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
IP address site1 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
Shutdown
nameif DMZ
security-level 0
IP 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 0
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
permit same-security-traffic intra-interface
VPN - UK wide ip 172.17.2.0 access list allow 255.255.255.0 172.18.2.0 255.255.255.0
access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 192.168.123.0 255.255.255.0
access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0
access extensive list ip 172.17.2.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0
Notice of inside_nat0_outbound access-list us Client Server UK
access extensive list ip 10.0.254.0 inside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0
access extensive list ip 192.168.123.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0
access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 10.0.254.0 255.255.255.0
Standard access list Split_Tunnel_List allow 172.17.2.0 255.255.255.0
Standard access list Split_Tunnel_List allow 172.18.2.0 255.255.255.0
Split_Tunnel_List list standard access allowed 192.168.123.0 255.255.255.0
Split_Tunnel_List of access note list UK VPN Client pool
Standard access list Split_Tunnel_List allow 172.255.2.0 255.255.255.0
outside-2 extended access list permit tcp any any eq smtp
outside-2 extended access list permit tcp any any eq 82
outside-2 extended access list permit tcp any any eq 81
outside-2 extended access list permit tcp everything any https eq
outside-2 extended access list permit tcp any any eq imap4
outside-2 extended access list permit tcp any any eq ldaps
outside-2 extended access list permit tcp any any eq pop3
outside-2 extended access list permit tcp any any eq www
outside-2 extended access list permit tcp any any eq 5963
outside-2 extended access list permit tcp any any eq ftp
outside-2 allowed extended access list tcp any any eq ftp - data
outside-2 extended access list permit tcp any any eq 3389
list of access outside-2 extended tcp refuse any any newspaper
2-outside access list extended deny ip any any newspaper
outside-2 extended access list deny udp any any newspaper
allow VPN CLIENTS to access extended list ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
allow VPN CLIENTS to access extended list ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
allow VPN CLIENTS to access extended list 192.168.123.0 ip 255.255.255.0 10.0.254.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.17.2.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.18.2.0 255.255.255.0
VPNClient_splittunnel list standard access allowed 192.168.123.0 255.255.255.0
VPNClient_splittunnel of access note list UK VPN Client pool
Standard access list VPNClient_splittunnel allow 172.255.2.0 255.255.255.0
VPN-Northwoods extended ip 172.17.2.0 access list allow 255.255.255.0 192.168.123.0 255.255.255.0
Note to outside_nat0_outbound to access list AD 01/05/13
access extensive list ip 10.0.254.0 outside_nat0_outbound allow 255.255.255.0 172.18.2.0 255.255.255.0
pager lines 24
Enable logging
debug logging in buffered memory
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
mask 10.0.254.25 - 10.0.254.45 255.255.255.0 IP local pool VPNUserPool
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (outside) 0-list of access outside_nat0_outbound
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 172.17.2.0 255.255.255.0
public static tcp (indoor, outdoor) interface smtp 172.17.2.200 smtp netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 82 172.17.2.253 82 netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 81 192.168.123.253 81 netmask 255.255.255.255
public static tcp (indoor, outdoor) interface https 172.17.2.10 https netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 172.17.2.10 imap4 imap4 netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 172.17.2.10 pop3 pop3 netmask 255.255.255.255
public static tcp (indoor, outdoor) interface www 172.17.2.19 www netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 5963 172.17.2.108 5963 netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ftp 172.17.2.7 ftp netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ftp - data 172.17.2.7 ftp - data netmask 255.255.255.255
static (inside, outside) tcp 3389 172.17.2.29 interface 3389 netmask 255.255.255.255
Access-group 2-outside-inside in external interface
Route outside 0.0.0.0 0.0.0.0 74.213.51.129 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
RADIUS protocol AAA-server DCSI_Auth
AAA-server host 172.17.2.29 DCSI_Auth (inside)
key *.
AAA-server protocol nt AD
AAA-server AD (inside) host 172.16.1.211
AAA-server AD (inside) host 172.17.2.29
the ssh LOCAL console AAA authentication
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp - esp-sha-hmac trans_set
Crypto ipsec transform-set VPN-Client-esp-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map DYN_MAP 20 the value reverse-road
Crypto-map dynamic outside_dyn_map 20 game of transformation-VPN-Client
address for correspondence outside_map 20 card crypto VPN - UK
card crypto outside_map 20 peers set site2
card crypto outside_map 20 transform-set trans_set
address for correspondence outside_map 30 card crypto VPN-Northwoods
card crypto outside_map 30 peers set othersite
trans_set outside_map 30 transform-set card crypto
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 20
preshared authentication
the Encryption
md5 hash
Group 2
lifetime 28800
Telnet timeout 5
SSH timeout 60
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal Clients_vpn group strategy
attributes of strategy of group Clients_vpn
value of server DNS 10.0.1.30
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPNClient_splittunnel
domain.local value by default-field
the authentication of the user activation
tunnel-group VPNclient type remote access
tunnel-group VPNclient-global attributes
address pool VPNUserPool
authentication-server-group DCSI_Auth
strategy - by default-group Clients_vpn
tunnel-group VPNclient ipsec-attributes
pre-shared key *.
tunnel-group othersite type ipsec-l2l
othersite group tunnel ipsec-attributes
pre-shared key *.
tunnel-group site2 type ipsec-l2l
tunnel-group ipsec-attributes site2
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map p2p
game port tcp eq www
class-map P2P
game port tcp eq www
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
type of policy-map inspect im bine
parameters
msn - im yahoo im Protocol game
drop connection
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the pptp
type of policy-card inspect http P2P_HTTP
parameters
matches the query uri regex _default_gator
Journal of the drop connection
football match request uri regex _default_x-kazaa-network
Journal of the drop connection
Policy-map IM_P2P
class imblock
inspect the im bine
class P2P
inspect the http P2P_HTTP
!
global service-policy global_policy
IM_P2P service-policy inside interface
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893
: end
Site2 Clients1 (172.18.2.0/24) (172.255.2.0/24)
ASA Version 8.2 (1)
!
names of
name 172.18.2.2 UKserver
!
interface Vlan1
nameif inside
security-level 100
IP 172.18.2.1 255.255.255.0
!
interface Vlan2
nameif GuestWiFi
security-level 0
IP 192.168.2.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
IP address site2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 1-2
switchport vlan trunk native 2
switchport mode trunk
Speed 100
full duplex
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
permit same-security-traffic intra-interface
Access extensive list ip 172.18.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0
Access extensive list ip 172.17.2.0 USER_VPN allow 255.255.255.0 172.255.2.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.18.2.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.17.2.0 255.255.255.0
Standard access list VPNClient_splittunnel allow 172.255.2.0 255.255.255.0
Outside_2_Inside list extended access permit tcp any host otherhost eq smtp
Outside_2_Inside list extended access permit tcp any host otherhost eq pop3
Outside_2_Inside list extended access permit tcp any host otherhost eq imap4
Outside_2_Inside list extended access permit tcp any host otherhost eq www
Outside_2_Inside list extended access permit tcp any host otherhost eq https
Outside_2_Inside list extended access permit tcp any host otherhost eq ldap
Outside_2_Inside list extended access permit tcp any host otherhost eq ldaps
Outside_2_Inside list extended access permit tcp any host otherhost eq nntp
Outside_2_Inside list extended access permit tcp any host otherhost eq 135
Outside_2_Inside list extended access permit tcp any host otherhost eq 102
Outside_2_Inside list extended access permit tcp any host otherhost eq 390
Outside_2_Inside list extended access permit tcp any host otherhost eq 3268
Outside_2_Inside list extended access permit tcp any host otherhost eq 3269
Outside_2_Inside list extended access permit tcp any host otherhost eq 993
Outside_2_Inside list extended access permit tcp any host otherhost eq 995
Outside_2_Inside list extended access permit tcp any host otherhost eq 563
Outside_2_Inside list extended access permit tcp any host otherhost eq 465
Outside_2_Inside list extended access permit tcp any host otherhost eq 691
Outside_2_Inside list extended access permit tcp any host otherhost eq 6667
Outside_2_Inside list extended access permit tcp any host otherhost eq 994
Outside_2_Inside access list extended icmp permitted an echo
Outside_2_Inside list extended access permit icmp any any echo response
Outside_2_Inside list extended access permit tcp any host site2 eq smtp
Outside_2_Inside list extended access permit tcp any host site2 eq pop3
Outside_2_Inside list extended access permit tcp any host site2 eq imap4
Outside_2_Inside list extended access permit tcp any host site2 eq www
Outside_2_Inside list extended access permit tcp any host site2 eq https
Outside_2_Inside list extended access permit tcp any host site2 eq ldap
Outside_2_Inside list extended access permit tcp any host site2 eq ldaps
Outside_2_Inside list extended access permit tcp any host site2 eq nntp
Outside_2_Inside list extended access permit tcp any host site2 eq 135
Outside_2_Inside list extended access permit tcp any host site2 eq 102
Outside_2_Inside list extended access permit tcp any host site2 eq 390
Outside_2_Inside list extended access permit tcp any host site2 eq 3268
Outside_2_Inside list extended access permit tcp any host site2 eq 3269
Outside_2_Inside list extended access permit tcp any host site2 eq 993
Outside_2_Inside list extended access permit tcp any host site2 eq 995
Outside_2_Inside list extended access permit tcp any host site2 eq 563
Outside_2_Inside list extended access permit tcp any host site2 eq 465
Outside_2_Inside list extended access permit tcp any host site2 eq 691
Outside_2_Inside list extended access permit tcp any host site2 eq 6667
Outside_2_Inside list extended access permit tcp any host site2 eq 994
Outside_2_Inside list extended access permit tcp any SIP EQ host site2
Outside_2_Inside list extended access permit tcp any range of 8000-8005 host site2
Outside_2_Inside list extended access permit udp any range of 8000-8005 host site2
Outside_2_Inside list extended access udp allowed any SIP EQ host site2
Outside_2_Inside tcp extended access list deny any any newspaper
Outside_2_Inside list extended access deny udp any any newspaper
VPN - USA 172.255.2.0 ip extended access list allow 255.255.255.0 172.17.2.0 255.255.255.0
access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0
access extensive list ip 172.18.2.0 inside_nat0_outbound allow 255.255.255.0 172.255.2.0 255.255.255.0
access extensive list ip 172.255.2.0 inside_nat0_outbound allow 255.255.255.0 172.17.2.0 255.255.255.0
Comment by Split_Tunnel_List-list of access networks to allow via VPN
Standard access list Split_Tunnel_List allow 172.18.2.0 255.255.255.0
Standard access list Split_Tunnel_List allow 172.17.2.0 255.255.255.0
Standard access list Split_Tunnel_List allow 172.255.2.0 255.255.255.0
Standard access list Split_Tunnel_List allow 10.0.254.0 255.255.255.0
pager lines 20
Enable logging
monitor debug logging
debug logging in buffered memory
asdm of logging of information
Debugging trace record
Within 1500 MTU
MTU 1500 GuestWiFi
Outside 1500 MTU
IP pool local ClientVPN 172.255.2.100 - 172.255.2.124
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 172.18.2.0 255.255.255.0
NAT (GuestWiFi) 2 192.168.2.0 255.255.255.0
public static tcp (indoor, outdoor) interface smtp smtp UKserver netmask 255.255.255.255
public static tcp (indoor, outdoor) UKserver netmask 255.255.255.255 pop3 pop3 interface
public static tcp (indoor, outdoor) interface imap4 imap4 netmask 255.255.255.255 UKserver
public static tcp (indoor, outdoor) interface www UKserver www netmask 255.255.255.255
public static tcp (indoor, outdoor) https UKserver netmask 255.255.255.255 https interface
public static tcp (indoor, outdoor) interface ldap UKserver ldap netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ldaps ldaps netmask 255.255.255.255 UKserver
public static tcp (indoor, outdoor) interface nntp nntp netmask 255.255.255.255 UKserver
public static 135 135 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 102 102 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 390 390 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 3268 3268 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 3269 3269 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static UKserver netmask 255.255.255.255 993 993 interface tcp (indoor, outdoor)
public static UKserver 995 netmask 255.255.255.255 995 interface tcp (indoor, outdoor)
public static 563 563 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 465 465 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 691 691 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 6667 UKserver 6667 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 994 994 UKserver netmask 255.255.255.255 interface tcp (indoor, outdoor)
Access-group Outside_2_Inside in interface outside
Route outside 0.0.0.0 0.0.0.0 87.224.93.53 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Ray of AAA-server vpn Protocol
AAA-server vpn (inside) host UKserver
key DCSI_vpn_Key07
the ssh LOCAL console AAA authentication
Enable http server
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp - esp-sha-hmac trans_set
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 20 transform-set trans_set
Crypto dynamic-map DYN_MAP 20 the value reverse-road
address for correspondence outside_map 20 card crypto VPN - USA
card crypto outside_map 20 peers set othersite2 site1
card crypto outside_map 20 transform-set trans_set
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 20
preshared authentication
the Encryption
md5 hash
Group 2
lifetime 28800
Telnet timeout 5
SSH timeout 25
Console timeout 0
dhcpd dns 8.8.8.8 UKserver
!
dhcpd address 172.18.2.100 - 172.18.2.149 inside
dhcpd allow inside
!
dhcpd address 192.168.2.50 - 192.168.2.74 GuestWiFi
enable GuestWiFi dhcpd
!
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
WebVPN
internal USER_VPN group policy
USER_VPN group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Split_Tunnel_List
the authentication of the user activation
tunnel-group othersite2 type ipsec-l2l
othersite2 group of tunnel ipsec-attributes
pre-shared-key *.
type tunnel-group USER_VPN remote access
attributes global-tunnel-group USER_VPN
address pool ClientVPN
Authentication-server group (external vpn)
Group Policy - by default-USER_VPN
IPSec-attributes tunnel-group USER_VPN
pre-shared-key *.
tunnel-group site1 type ipsec-l2l
tunnel-group ipsec-attributes site1
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:d000c75c8864547dfabaf3652d81be71
: end
Hello
The output seems to say that traffic is indeed transmitted to connect VPN L2L
Can you PING from hosts on the network 172.18.2.0/24 to the hosts on the network 172.17.2.0/24?
Have you tried several different target hosts on the network you are trying to ping while might exclude us actual devices are not just meeting the specifications these PINGs?
-Jouni
-
VPN client, lost connection
Hello
I pix506e here... and vpn clients connected.
But suddenly lost connection vpn client 40 minutes and then try to reconnect again but fail. If the vpn client restarts their pc/notebook...yes it can connected to vpn again... but the interruption of the connection again... then restart... and so on... What is the cause of this problem?
Thanks for the help
Tonny
All remote VPN clients are having the same problem or is it limited to just a few. If the problem is seen with only a few, it is quiet possible that the problem is not with the PIX of the customer. In addition, the DPO is enabled or not. DPD will cause tips to know an IPSec connection over, where the SAs flusing, allowing new being negotiate quickly.
-
VPN Client connection terminated
I am new to Cisco PIX and I'm having a problem with the removal of the connections. We use a 515e on 6.2 and my laptops use VPN Client 4.0 and Radius to IAS on W2K3 Server. About 30 minutes, a window appears saying "secure VPN connection is completed by a peer. "Reason: (reason unspecified peer). I've combed through the configuration settings and the settings of the Cisco and my connection on the Radius Server and am unable to find anything to help. Any help would be appreciated.
Thank you
Warren
On if the PIX515 you do a 'show vpngroup' which is the ' time max "setting configured for? If it is not configured, you can do a max of vpngroup-time for the clients of the group. You can also set the idle max here too. In troubleshooting, maybe set to 3600 seconds (1 hour) to see if you are disconnected. Then adjust your idle down time (you can set it to 0 if ever you want clients idel time out) and see what happens.
Matt
-
IPsec remote VPN client 5.0.07 Cisco
Hello
I am setting up remote IPsec VPN using ASDM for ASA 5505.
can someone guide me for FOLLOWING;
1 step 6 for ASDM IPsec wizard: name of the cluster: what IP addresses I need to assign here.
my network has inside the IP 192.168.0.1 and outside IP 162.212.232.174
2. VPN client: what would be the IP host?
What is the password and username for authentication group?
Please advice or give me a link that can help me for this set to the top?
I need help with installation of VPN client both ASDM for IPsec Wizard wizard.
Thank you
SAP
Hello
Pool is the range of IP addresses for VPN clients (when connect you to your network). Use a different subnet of your internal networks. ex: 192.168.10.0 255.255.255.0
Host IP: your ASA 5505 public ip: 162.212.232.174
Group information - that you configure on ASA5505 and even he must be configured on the client.
See the link below (research online and you will find a lot of documentation).
http://www.databasemart.com/HOWTO/Cisco_VPN_Remote_Access_Setup_ASA5500.aspx
THX
MS
-
VPN client - multiple connection possibilities?
Hi people,
My basic question is, Cisco VPN Client allows two simultaneous VPN connections at the same time?
I would like to implement the following:
Customer user (remote access VPN via Internet)--> Head Office c/o ASA 5520 pair--> (VPN remote access via Internet)--> pair of Branch Office ASA 5510 S + a/s
For example, to access the Branch Office system, the user must:
1. connect to the peer of Head Office ASA via Cisco VPN Client (the user/password authentication)
Head Office ASA peer gives an 172.16.1.x private IP address and is configured to route all requests for public office ASA IP through its own public IP address.
2. once Head Office VPN is established, the user establishes a SECOND VPN tunnel of the Cisco VPN client (user/password and focused on the cert auth)
I.e. branch sees the VPN connection try from the public IP address of Headquarters and therefore allows the VPN through the ACL traffic and allows the continuation of the VPN negotiations as usual. Customer is given another IP address private, 192.168.10.x.
Basically, I need to limit the remote access VPN branch to make it only accessible from Headquarters public IP address, no public IP address of the user (and therefore the entire internet).
I know this is an unusual configuration, and some will say on the sensitivity of security to allow two simultaneous VPN connections. These are the two networks of trust, strict ACL would be at stake and there is a long history behind this requirement...
Thanks in advance!
Alistair,
You can limit the access of VPN connections to branch by blocking connections on UDP ports 500, 4500 UDP and ESP and allowing him only from your home office. In this way, only the explicitly authorized public IP address of your home office would be able to connect to your remote sites by using an IPSec tunnel.
Now, on the second tunnel I don't think it's possible. As far I am aware you cannot have two connections to VPN at the same time of the same customer. The VPN will not let you do, it's mainly because when you have a VPN Client the VPN map session comes up and you can only one card virtual VPN.
Because I don't think it is possible I would advice to try something like this:
Could provide you the connectivity that you are looking for without needing a second tunnel VPN from the client side.
I hope this helps.
Raga
-
Hello world
I would like to ask for help in order to correct a customer vpn tunnel. I'm not familiar with the AAS, so please do not laugh if I write something stupid
So I inherit one asa, which has two interface used physical and vlan more. Outdoors, office, management and management. I use my computer on the vlan management, and I can reach the computers on the desktop (192.168.12.0/24) and the branch (192.168.10.0/24). I would realize that I connect to thrught houses a vpn, and I should reach the 12.x and 10.x network as I was in these networks (due to the microsoft allowed wirewall to the local network traffic).
I inherited a vpn configuration which I added my user.
I'm trying to cite only the relevant portion of config:
SSH 192.168.99.0 255.255.255.0 management
access extensive list ip 192.168.99.0 nonat_management allow 255.255.255.0 192.168.99.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0IP local pool ippool 192.168.99.100 - 192.168.99.200
NAT-control
Global 1 interface (outside)NAT (management) - access list 0 nonat_management
nat_management_office list of access 5 NAT (management)
nat_management_branch list of Access 10 NAT (management)192.168.99.50 management - dhcpd addresses 192.168.99.79
enable dhcpd managementL2TP strategy of Group internal
monty password username * == encrypted nt
monty username attributes
Protocol-tunnel-VPN l2tp ipsec
VPN-framed-ip-address 192.168.99.99 255.255.255.0
attributes global-tunnel-group DefaultRAGroup
ippool address pool
Group Policy - by default-l2tp
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authenticationI quote the encryption settings, because I can connect to asa, I think that I have problems with the nat or access rules.
I have an ip local pool 192.168.99.100 - 192.168.99.200, but I have the fixed ip with the vpn-framed-ip-address 192.168.99.99 255.255.255.0
Happened when I connect and try to reach the following computers:
I can reach only a freenas 192.168.12.2, and I see in his journal that I have connected with 192.168.99.99 (vpn-framed-ip-address)
I can't reach the computers on networks, however I have two nat rules, working when I'm in the office network 99.0
access extensive list ip 192.168.99.0 nat_management_branch allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.99.0 nat_management_office allow 255.255.255.0 192.168.12.0 255.255.255.0It seems that these two nat rules do not work with my vpn client.
And it is very important to arrive at the asa with ssh through the tunnel, but I can't.
I don't know if that is the ip address of the vpn client is in the management network, perhaps one should change to another network:
for example 192.168.95.0/24
A vpn asa for Dummies or any help is appreciated.
Thank you very much
Hi Chris,
The following should help:
access-list allowed 192.168.12.0 nonat_office 255.255.255.0 192.168.90.0 255.255.255.0
In this way, returning office subnet pool VPN traffic is exempt from nat. And so you will not get the failure of RPF checking.
In addition, you must change this:
nat_vpn_office to access extended list ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0
(incoming traffic on the VPN remote access would come from the VPN pool.) Not your home network.)
You must have:
No nat_vpn_office access list extended ip 10.10.10.0 allow 255.255.255.0 192.168.12.0 255.255.255.0
access extensive list ip 192.168.90.0 nat_vpn_office allow 255.255.255.0 192.168.12.0 255.255.255.0
NAT (outside) 5 nat_vpn_office list of outdoor access
Hope this helps, and sorry for the delay.
-Shrikant
P.S.: Please check the question as answered if it was resolved. Do rates all useful messages. Thank you.
-
Maintenance of the internal DNS after connecting to the VPN Client
We connect to the VPN client, all day and I wanted to know if there is a way to continue to use our internal LAN DNS when you are connected. For example, when I connect to the VPN client, our mail server internal and the dns resolves the public IP address.
Thank you
You can set up the split-dns service, but which can be configured at the vpn your client device, because you only connect with vpn client and normally politicians vpn client get pushed vpn headend unit.
Here is the split-dns command if your customer comes to run ASA firewall, and they allow you to configure:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/S8.html#wp1404571
Maybe you are looking for
-
iOS 9 until the next feature adds duplicates
Hello everyone. I had this problem using music in iOS 9, pretty much since the day 1 that I started using it. What I've noticed, is that when I want to listen to an album, I will push to add the album to the list of the next and what I've been seeing
-
Looking to design an application to talk to a peripheral part 3 on DeviceNet. I have a cRIO-9035 and LabVIEW 2015 SP1. The module NI 9882 does support loading EDS files?
-
How to fix error 0 x 80092003 in attempts to exploit fix in Windows Vista?
-
EliteBook 8440p: Add USB3.0 to Elitebook 8440p
Hello. New to the Board of Directors. I am the owner of a computer laptop 8440p HPElitebook. I'm looking to upgrade to support USB3.0. I have nothing now. I'm not fluent that tech LT, but I don't see any replaceable units on my system. The + CD-
-
Cannot connect to RASADM.
I created an administrative user as described in the documentation, but when I try to connect to the application the result is ""unknown username ". "The authentication scheme is "DB" (Oracle database). I am able to connect to Oracle as the security