VPN client without access to the internal network
Hi all
I try to get IPsec VPN clients talk to my internal network. Can ping the IP address of internal port, but not the bridge beyond the period of INVESTIGATION, or all the resources on the internal network.
Thoughts?
Hello Tony
You need to check on the following things
1. Split tunnel network
2. "no nat" split tunnel network
What is a network or production test (I hope that the customer have the right configuration of bridge)
Also, if possible please post your config for a better understanding
concerning
Harish
Tags: Cisco Security
Similar Questions
-
Cisco vpn client to connect but can not access to the internal network
Hi all
I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network
Any help would be much appreciated.
Hi Samir,
I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
(The link above includes split tunneling, but this is just an option.
Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.
Let me know if this can help,
See you soon,.
Christian V
-
Can connect to the IPSec VPN, but can not see the internal network
I have several users that can connect to our rooms of ussing IPSec VPN on a 5505. I have a user who can connect, but cannot see the internal network. This user is using DSL with a speedstream 4100. However, I have another user with the same configuration that can connect and see the internal network. Newspapers in ASDM show the link, but do not seem to show any errors trying to access internal. Any help will be greatly appreciated. Thank you, Bill.
Add...
ISAKMP nat-traversal crypto
-
The VPN Clients need access to the subnet on another router
Hello
We have a pix 515e PIX Version 8.0 (2)
We have two subnet 10.1.x.x/16 and 10.2.x.x/16
The firewall is on 10.1.x.x and vpn clients can access this subnet.
The firewall can ping 10.2.x.y where x is a server in the other subnet.
On the 10.2.x.x customers out the firewall.
The problem is that vpn clients cannot access the server of 10.2.x.y even if the pix can ping 10.2.x.y and the road for him.
What I need to check that the vpn rules are correct in the pix 515e?
I think it is a rule of exemption nat or something like that not exactly sure.
Everything would be a great help.
Thank you
Hello
For clients VPN access to these subnets, check the following:
1 NAT exemption include these subnets (if not using NAT)... it's the NAT0 ACL command
2. these subnets is included in the split tunneling
3. these subnets have a route to the PIX to send traffic to the VPN client pool.
4. There are no ACLs not applied to the inside interface of the PIX deny this communication.
Federico.
-
Client remote access VPN gets connected without access to the local network
: Saved
:
ASA 1.0000 Version 2
!
hostname COL-ASA-01
domain dr.test.net
turn on i/RAo1iZPOnp/BK7 encrypted password
i/RAo1iZPOnp/BK7 encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 172.32.0.11 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 192.9.200.126 255.255.255.0
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
nameif failover
security-level 0
192.168.168.1 IP address 255.255.255.0 watch 192.168.168.2
!
interface Management0/0
nameif management
security-level 0
192.168.2.11 IP address 255.255.255.0
!
passive FTP mode
DNS server-group DefaultDNS
domain dr.test.net
network of the RAVPN object
192.168.0.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.200.0_24 object
192.168.200.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.9.200.0_24 object
192.9.200.0 subnet 255.255.255.0
the inside_network object-group network
object-network 192.9.200.0 255.255.255.0
external network object-group
host of the object-Network 172.32.0.25
Standard access list RAVPN_splitTunnelAcl allow 192.9.200.0 255.255.255.0
access-list extended test123 permit ip host 192.168.200.1 192.9.200.190
access-list extended test123 permit ip host 192.9.200.190 192.168.200.1
access-list extended test123 allowed ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0
192.9.200.0 IP Access-list extended test123 255.255.255.0 allow object NETWORK_OBJ_192.9.200.0_24
pager lines 24
management of MTU 1500
Outside 1500 MTU
Within 1500 MTU
failover of MTU 1500
local pool RAVPN 192.168.200.1 - 192.168.200.254 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 66114.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) source Dynamics one interface
NAT (it is, inside) static static source NETWORK_OBJ_192.9.200.0_24 destination NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.9.200.0_24
Route outside 0.0.0.0 0.0.0.0 172.32.0.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 0.0.0.0 0.0.0.0 outdoors
http 0.0.0.0 0.0.0.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
Terminal registration
name of the object CN = KWI-COL-ASA - 01.dr.test .net, C = US, O = KWI
Configure CRL
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 192.9.200.0 255.255.255.0 inside
Telnet timeout 30
SSH 0.0.0.0 0.0.0.0 management
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 66.35.45.128 255.255.255.192 outside
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 30
SSH version 2
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
internal RAVPN group policy
RAVPN group policy attributes
value of server WINS 192.9.200.164
value of 66.35.46.84 DNS server 66.35.47.12
VPN-filter value test123
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value test123
Dr.kligerweiss.NET value by default-field
username test encrypted password xxxxxxx
username admin password encrypted aaaaaaaaaaaa privilege 15
vpntest Delahaye of encrypted password username
type tunnel-group RAVPN remote access
attributes global-tunnel-group RAVPN
address RAVPN pool
Group Policy - by default-RAVPN
IPSec-attributes tunnel-group RAVPN
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory 2
Subscribe to alert-group configuration periodic monthly 2
daily periodic subscribe to alert-group telemetry
aes encryption password
Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea
: end
COL-ASA-01 #.
Here is a shot made inside interface which can help as well, I've tried pointing the front door inside the interface on the target device, but I think it was a switch without ip route available on this subject I think which is always send package back to Cisco within the interface
Test of Cape COLLAR-ASA-01 # sho | in 192.168.200
25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request
29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137: udp 68
38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137: udp 68
56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137: udp 68
69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request
98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request
99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137: udp 68
108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137: udp 68
115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137: udp 68
116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request
COL-ASA-01 #.
Any help or pointers greatly appreciated, I have do this config after a long interval on Cisco of the last time I was working it was all PIX so just need to expert eyes to let me know if I'm missing something.
And yes I don't have a domestic network host to test against, all I have is a switch that cannot route and bridge default ip helps too...
Hello
The first thing you should do to avoid problems is to change the pool VPN to something else than the current LAN they are not really directly connected in the same network segment.
You can try the following changes
attributes global-tunnel-group RAVPN
No address RAVPN pool
no mask RAVPN 192.168.200.1 - 192.168.200.254 255.255.255.0 ip local pool
local pool RAVPN 192.168.201.1 - 192.168.201.254 255.255.255.0 IP mask
attributes global-tunnel-group RAVPN
address RAVPN pool
no nat (it is, inside) static source NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 static destination NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
In the above you first delete the VPN "tunnel-group" Pool and then delete and re-create the VPN pool with another network and then insert the same "tunnel-group". NEX will remove the current configuration of the NAT.
the object of the LAN network
192.168.200.0 subnet 255.255.255.0
network of the VPN-POOL object
192.168.201.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source LAN LAN to static destination VPN-VPN-POOL
NAT configurations above adds the correct NAT0 configuration for the VPN Pool has changed. It also inserts the NAT rule to the Summit before the dynamic PAT rule you currently have. He is also one of the problems with the configurations that it replaces your current NAT configurations.
You have your dynamic PAT rule at the top of your NAT rules currently that is not a good idea. If you want to change to something else will not replace other NAT configurations in the future, you can make the following change.
No source (indoor, outdoor) nat Dynamics one interface
NAT source auto after (indoor, outdoor) dynamic one interface
NOTICE! PAT dynamic configuration change above temporarily interrupt all connections for users on the local network as you reconfigure the dynamic State PAT. So if you make this change, make sure you that its ok to still cause little reduced in the current internal users connections
Hope this helps
Let me know if it works for you
-Jouni
-
Remote VPN with PIX without access to the local network
Hi @all,
I ve running into problems and I have not found any solution. Can someone check my config?
Facts:
PIX 501 6.3 (3)
4.04 VPN client
Wanted solution: access to HO via VPN
VPN tunnel will be established, I get an IP address, but I can´t the systems behind the pix and the pix of access itself.
To the VPN Client Staticts, I see outgoing packets, but no entrant (if I send a ping to peer behind the pix)
I hope someone can help me
Attached is my config:
PIX 501 and 506/506e pix are not supported in v7 due to the fact that the cpu is not able to deal with the extended features of v7.
PIX 520 is not supported I guess it's because of the fact that the model is discontinued.
-
Lost remote access to the internal network after upgarding PIX to 7.0
I improved our box of PIX 515E Cisco to release 6.3 7.0 (5) and lost connectivity outside of the internal servers through a VPN connection. Any ideas as to why or how this happened?
If you use the split tunneling, this is probably the question.
Is the bug id: CSCeh69389
This Bug says:
When you upgrade a PIX 6.x to 7.0, if split tunneling is underway
used for remote access clients, then the conversion of config
process will not convert the list of split tunnel command, because
the ACL of splitting 6.x tunnel was allowed to be of type 'expanded '.
whereas in 7.0 the ACL must be ' standard '.
To solve the problem, take the extended ACL and manually convert it to a
Standard ACL, specifying the networks you want encrypted. Times
the new ACL is in the config, it must be applied under the
Group Policy.
EX:
SplitTunnel list standard access allowed 10.1.1.0 255.255.255.0
internal RemoteAccess group strategy
Group Policy attributes RemoteAccess
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SplitTunnel
-
VPN clients cannot access to the vlan
Hello
I just changed my flat lan to a virtual LAN environment multi, but now I need help to get to my VPN back working again as the VPN user can access servers that are not on the vlan 'door '. I've read enough to know that it is probably associated with NAT, but I'm not sure where to put this information.
Does go in the NAT, associated with the E0 interface (outgoing internet gateway), to the vlan10 (vlan router is actually on) or can I create a new one and apply it to the crypto ipsec and isakmp side of things that use VPN users?
My network is configured as such...
VPN client - Router1811 - split trunk - C3550 - 12G - shared - resources multiple C3550s - servers/Wstns
The router subnet 192.168.10.0 as all switches, VLAN is set up through the 12 G and all other switches as vtp "vtp clients", including the router. The user can get to the 10 subnet and any server on it, but not to the"farm" on the subnet 192.168.11.0.
I noticed Federico has been working on something very similar to this... but any help would be appreciated.
Thank you, Don
Hi Don,
Please mark this discussion as resolved if there is no other problem with this VPN.
See you soon,.
Nash.
-
Cisco VPN Client cannot ping from LAN internal IP
Hello
I apologize in advance for my lack of knowledge about it, but I got a version of the software running ASA 5510 7.2 (2) and has been invited to set up a site with a client, I managed to get this configured and everything works fine. In addition, I created a group of tunnel ipsec-ra for users to connect to a particular server 192.168.10.100/24 remote, even if the connection is made successfully, I can not ping any IP on the LAN 192.168.10.0/24 located behind the ASA and when I ping inside the interface on the ASA it returns the public IP address of the external interface.
If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.
Thanks in advance.
: Saved
:
ASA Version 7.2 (2)
!
hostname ciscoasa5510
domain.local domain name
activate the password. 123456789 / encrypted
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group ISP
12.34.56.789 255.255.255.255 IP address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passwd encrypted 123456789
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS server-group DefaultDNS
domain.local domain name
permit outside_20_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list Split_Tunnel_List note the network of the company behind the ASA
Split_Tunnel_List list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
IP local pool domain_vpn_pool 192.168.11.1 - 192.168.11.254 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 522.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
internal domain_vpn group policy
attributes of the strategy of group domain_vpn
value of 212.23.3.100 DNS server 212.23.6.100
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Split_Tunnel_List
username domain_ra_vpn password 123456789 encrypted
username domain_ra_vpn attributes
VPN-group-policy domain_vpn
encrypted utilisateur.123456789 password username
encrypted utilisateur.123456789 password username
privilege of username user password encrypted passe.123456789 15
encrypted utilisateur.123456789 password username
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map 20 set pfs
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
card crypto outside_map 20 match address outside_20_cryptomap
peer set card crypto outside_map 20 987.65.43.21
outside_map crypto 20 card value transform-set ESP-3DES-SHA
3600 seconds, duration of life card crypto outside_map 20 set - the security association
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
tunnel-group 987.65.43.21 type ipsec-l2l
IPSec-attributes tunnel-group 987.65.43.21
pre-shared-key *.
tunnel-group domain_vpn type ipsec-ra
tunnel-group domain_vpn General-attributes
address domain_vpn_pool pool
Group Policy - by default-domain_vpn
domain_vpn group of tunnel ipsec-attributes
pre-shared-key *.
Telnet 192.168.10.0 255.255.255.0 inside
Telnet timeout 5
Console timeout 0
VPDN group ISP request dialout pppoe
VPDN group ISP localname [email protected] / * /
VPDN group ISP ppp authentication chap
VPDN username [email protected] / * / password *.
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd lease 691200
dhcpd ping_timeout 500
domain.local domain dhcpd
!
dhcpd address 192.168.10.10 - 192.168.10.200 inside
dhcpd allow inside
!
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:1234567890987654321
: end
Hello
Seems to me that you are atleast lack the NAT0 configuration for your VPN Client connection.
This configuration is intended to allow the VPN Client to communicate with the local network with their original IP addresses. Although the main reason that this is necessary is to avoid this traffic to the normal rule of dynamic PAT passing this traffic and that traffic is falling for the corresponding time.
You can add an ACL rule to the existing ACL NAT0, you have above and the NAT configuration should go next
Add this
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Hope this helps
Let me know how it goes
-Jouni
-
The VPN Clients cannot access any internal address
Without a doubt need help from an expert on this one...
Attempting to define a client access on an ASA 5520 VPN that was used only as a
Firewall so far. The ASA has been recently updated to Version 7.2 (4).
Problem: Once connected, VPN client cannot access anything whatsoever. Client VPN cannot
ping any address on internal networks, or even the inside interface of the ASA.
(I hope) Relevant details:
(1) the tunnel seems to be upward. Customers are the authenticated by the SAA and
are able to connect.
(2) by many other related posts, I ran a ' sh crypto ipsec her "to see the output: it
appears that the packets are décapsulés and decrypted, but NOT encapsulated or
encrypted (see the output of "sh crypto ipsec his ' home).
(3) by the other related posts, we've added commands associated with inversion of NAT (crypto
ISAKMP nat-traversal 20
crypto ISAKMP ipsec-over-port tcp 10000). These were in fact absent from our
Configuration.
(4) we tried encapsulation TCP and UDP encapsulation with experimental client
profiles: same result in both cases.
(5) if I (attempt) ping to an internal IP address of the connected customer, the
real-time log entries ASA show the installation and dismantling of the ICMP requests to the
the inner target customer.
(6) the capture of packets to the internal address (one that we try to do a ping of the)
VPN client) shows that the ICMP request has been received and answered. (See attachment
shooting).
(7) our goal is to create about 10 VPN client of different profiles, each with
different combinations of access to the internal VLAN or DMZ VLAN. We do not have
preferences for the type of encryption or method, as long as it is safe and it works: that
said, do not hesitate to recommend a different approach altogether.
We have tried everything we can think of, so any help or advice would be greatly
Sanitized the ASA configuration is also attached.
appreciated!
Thank you!
It should be the last step :)
on 6509
IP route 172.16.100.0 255.255.255.0 172.16.20.2
and ASA
no road inside 172.16.40.0 255.255.255.0 172.16.20.2
-
VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK
I tried to set up a simple customer vpn using this document
VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...
6.3 (5) PIX version
interface ethernet0 car
Auto interface ethernet1
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password of VmHKIhnF4Gs5AWk3
VmHKIhnF4Gs5AWk3 encrypted passwd
hostname VOIPLABPIX
domain voicelab.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
IP address outside 208.x.x.11 255.255.255.0
IP address inside 172.10.2.2 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool voicelabpool 172.10.3.100 - 172.10.3.254
history of PDM activate
ARP timeout 14400
NAT (inside) - 0 102 access list
Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1
Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 172.0.0.0 255.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac
Crypto-map dynamic map2 10 set transform-set trmset1
map map1 10 ipsec-isakmp crypto dynamic map2
client authentication card crypto LOCAL map1
map1 outside crypto map interface
ISAKMP allows outside
ISAKMP identity address
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 encryption aes-256
ISAKMP policy 10 sha hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
vpngroup address voicelabpool pool cuclab
vpngroup dns 204.x.x.10 Server cuclab
vpngroup cuclab by default-field voicelab.com
vpngroup split tunnel 101 cuclab
vpngroup idle 1800 cuclab-time
vpngroup password cuclab *.
Telnet timeout 5
SSH 208.x.x.11 255.255.255.255 outside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 172.10.1.2 255.255.255.255 inside
SSH timeout 60
Console timeout 0
username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2
Terminal width 80
Cryptochecksum:b03a349e1ac9e6022432523bbb54504b
: end
Try to turn on NAT - T
PIX (config) #isakmp nat-traversal 20
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
HTH
-
Cisco ASA 5505 VPN L2TP cannot access the internal network
Hello
I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.
Can you jhelp me to find the problem?
I have Cisco ASA:
within the network - 192.168.1.0
VPN - 192.168.168.0 network
I have the router to 192.168.1.2 and I cannot ping or access this router.
Here is my config:
ASA Version 8.4 (3)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 198.X.X.A 255.255.255.248
!
passive FTP mode
permit same-security-traffic intra-interface
the net-all purpose network
subnet 0.0.0.0 0.0.0.0
network vpn_local object
192.168.168.0 subnet 255.255.255.0
network inside_nw object
subnet 192.168.1.0 255.255.255.0
outside_access_in list extended access permit icmp any any echo response
outside_access_in list extended access deny ip any any newspaper
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP local pool sales_addresses 192.168.168.1 - 192.168.168.254
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT dynamic interface of net-all source (indoor, outdoor)
NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local
NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search
!
network vpn_local object
dynamic NAT interface (outdoors, outdoor)
network inside_nw object
NAT dynamic interface (indoor, outdoor)
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode
Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1
card crypto 20-isakmp ipsec vpn Dynamics dyno
vpn outside crypto map interface
Crypto isakmp nat-traversal 3600
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 30
Console timeout 0
management-access inside
dhcpd address 192.168.1.5 - 192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal sales_policy group policy
attributes of the strategy of group sales_policy
Server DNS 75.75.75.75 value 76.76.76.76
Protocol-tunnel-VPN l2tp ipsec
user name-
user name-
attributes global-tunnel-group DefaultRAGroup
address sales_addresses pool
Group Policy - by default-sales_policy
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.
You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:
Policy-map global_policy
class inspection_default
inspect the icmp
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Termination of the client PIX VPN and Internet access from the same interface
Hello
VPN remote users connect to PIX (7.2) outside interface, but need to have these clients to access the Internet through the PIX outside interface as well. Need this because PIX IPs is registered and allowed access to some electronic libraries. One way would be to set up a proxy within the network and vpn users have access to the Internet through the proxy, but can it be done without proxy?
Yes, public internet on a stick
-
Cisco ASA 5505 remote VPN access to the local network
I have installed two ASA 5505 VPN site to site that works perfectly. Now, I also need to have 1 customer site to remote access VPN with Cisco VPN dialer. I can get the VPN dialer to connect the VPN and get a VPN IP address, but I do not have access to the remote network. can someone take a look and see what I'm missing? I have attached the ASA running config.
Apologize for the misunderstanding.
To access the remote vpn client 10.10.100.x subnet, the vpn-filter ACL is the opposite.
Please please share the following ACL:
FROM: / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}
outside_cryptomapVPN list of allowed ip extended access any 10.10.20.0 255.255.255.224
TO:
/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}
outside_cryptomapVPN to access extended list ip 10.10.20.0 allow 255.255.255.224 all
Hope that helps.
-
I tried to go in advance and choose "Add TimeCapsule to the existing network", but it keeps defaulting to 'add a new network '.
without having to activate the internal networks?
"Add TimeCapsule to the existing network.
You cannot add a TC in an existing network, if there is.
You must configure the TC for the network.
It keeps default back to "add a new network.
So, it's OK... The TC is part of an existing network or makes a new.
You must connect to the TC network... either wireless or ethernet.
However, you can manually configure the TC simply plug ethernet for example.
See, cable using Time Capsule for Mac for backup only.
The same can be done for the wireless... but a TC is really the bad device for backups if you don't have a network... It's cheaper, faster and more reliable by using a USB key.
Maybe you are looking for
-
Keyboard shortcuts for the buttons works irregularly - why?
When you use the access key for the button attributes, they work sometimes and not others. Three behaviors are observed: -use the accesskey times moves the focus and click on the button (correct behavior) -use the access key moves the focus only - do
-
can't erase what impression. Windows 7, d1320 printer
I a D1320 printer and I have a job in Quebec but it will not print even if it is said printing in QC I tried to remove from Quebec when he did not print and it says delete but does not remove it. Any suggestions?
-
HP ENVY 15-k005sv wifi network adapter is missing
I downgrade my pc of windows 8 for windows 7 Professional 64-bit. I found all the drivers except the one which controls wifi. I need this driver so my pc can recognize the wireless card... Any help please?
-
Windows 7 message Boot error message
Microsoft has recently made an update on my Windows 7. During the upgrade, Windows malicious software removed what she claimed it was a virus. That took place, I constantly get the message: "this file has no program associated with it for performing
-
I need to change an attachment that was sent to my yahoo email account
I have an attachment to email yahoo containing the 1 document with a file name - Office word97 .doc and another who is a flier on a .xls, office excel 97. I need to change the flier and I don't know how. When I open it I can modify it, but when I go