VPN connection is established but cannot ping subnet
Hello, I have an 851 router that I'm trying to learn with. I have a working config that gets me online and has a basic firewall and DHCP for clients. Then I wanted to add a VPN using the 851 and the Cisco VPN client.
Using this tutorial: http://www.cisco.com/en/US/customer/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml
I was able to get partway to my goal: I can establish a VPN and it shows me 192.168.1.0 as the secured route, but I can't ping or communicate with anything on the 192.168.1.1 network.
Try this one too.
Instead of using an access-list in the NAT statement, use a route map and see if it solves the problem.
1. Deny the IPsec traffic in the NAT access list:
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
2. Create a route map:
route-map nonat permit 10
 match ip address 120
3. no ip nat inside source list 1 interface FastEthernet4 overload
4. ip nat inside source route-map nonat interface FastEthernet4 overload
5. clear ip nat translation *
Then check.
HTH
Sangaré
Similar Questions
-
Hello!
I have an ASA 5515 with the configuration below. I have configured the ASA as a remote access AnyConnect VPN server; now my problem is that I can connect but I cannot ping.
ASA Version 9.1(1)
!
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Interface_to_VPN
 nameif outside
 security-level 0
 ip address 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
 subnet 192.168.11.0 255.255.255.0
 description LAN
object network SSLVPN_POOL
 subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 email [email protected]
 subject-name CN=ASA
 ip-address 111.222.333.444
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 enrollment terminal
 fqdn vpn.domain.com
 email [email protected]
 subject-name CN=vpn.domain.com
 ip-address 111.222.333.444
 keypair sslvpn
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
 enable outside
 csd image disk0:/csd_3.5.2008-k9.pkg
 anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 5
 vpn-session-timeout 480
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value myComp.local
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect dtls compression lzs
  anyconnect modules value vpngina
  customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
 wins-server none
 dns-server value 192.168.11.198
 vpn-simultaneous-logins 3
 vpn-session-timeout 120
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_CLIENT_ACL
 default-domain value societe.com
 address-pools value VPN_CLIENT_POOL
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect dtls compression lzs
  customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
 vpn-group-policy VPN_CLIENT_POLICY
 service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
 service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
 authentication aaa certificate
 group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
 address-pool VPN_CLIENT_POOL
 default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
 authentication aaa certificate
 group-alias IT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Help me please! Thank you!
Hello
Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.
Thank you
swap
-
VPN tunnel is up but cannot ping LAN stations
Hello
I'm trying to set up an Easy VPN server on a Cisco 881/K9 router.
Using Cisco VPN client version 5.0, I can connect to the VPN server.
I can get an IP address from the LAN subnet on the VPN client.
On the VPN server side, I can see the VPN session using #show crypto isakmp sa.
But I can't ping from the VPN client to any LAN station.
Could someone please check my setup and find out what's wrong?
This is my first time setting up VPN on a Cisco router.
Building configuration...
Current configuration : 5938 bytes
!
! Last configuration change at 01:38:31 UTC Thu Apr 21 2011 by evantage
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FarEastP
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3333835941
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3333835941
 revocation-check none
 rsakeypair TP-self-signed-3333835941
!
!
crypto pki certificate chain TP-self-signed-3333835941
 certificate self-signed 01
  30820240 308201A 9 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 33333333 38333539 6174652D 3431301E 170 3131 30343230 31363434
  30355A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 33 33333338 65642D
  33353934 3130819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  810094A 1 7C2D79CE A6BEE368 3EB0B5B7 9A2CFE42 6A 145915 E67EF01D 350558E3
  040B 6379 E6360CB3 4 D 0360DA61 184225 AAB44CA5 6BE23D05 55DAA45A 4647 5 FEB
  6F143346 6BF18824 EFC3A31F 2A48AD8D 524F2324 EB331E50 8407577F E751DFF2
  DD926D88 25 23143 11 C 66750 68267 C 61 C38B62C4 3B16E5AE AC91B2F8 ABA3546D
  02 30203 010001A 3 68306630 1 130101 FF040530 030101FF 30130603 0F060355 D
  551D 1104 08466172 45617374 50301F06 23 04183016 8014E95E 03551D 0C300A82
  66B6A8C2 CF1BD38F 684FD4DF C3854AEB ACA7301D 0603551D 0E041604 14E95E66
  B6A8C2CF 1BD38F68 4FD4DFC3 854AEBAC A7300D06 092 HAS 8648 86F70D01 01040500
  03818100 05803840 EFBF9A3B F4D64899 8E03C836 34861307 57193CC5 DA510446
  E4081D1A 2CF243BF 41AC9F36 83DAE9DB 9480F154 7CF792A5 76C1452C EEFD8661
  8443DC4C 8E507A8F B2ECCAEB CDE26E41 E477E290 79AE5D72 FD81057C B5DCE1C2
  36E0F740 65108014 A8992360 92F0423D E14F9240 1D162BC3 EFBB75A2 9E64ABC6 D76BE894
  quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool CCP-pool1
 network 192.168.1.0 255.255.255.0
 domain-name FarEastP
 default-router 192.168.1.1
 dns-server 192.168.1.2 165.21.83.88
!
!
no ip cef
no ip domain lookup
ip name-server 192.168.1.2
ip name-server 165.21.83.88
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FHK142971LH
!
!
username admin privilege 15 secret 5 $1$W2eu$lr.TpEfJuOE1iKQjFPHIT/.
username evantage privilege 15 secret 5 $1$P602$8TeJh5.SCHsY2TGd0.TnD1
username sshukla privilege 5 secret 5 $1$oflM$cHZdlpLdWr.nn1UwiCEs7.
username rtandon privilege 5 secret 5 $1$yGAU$BxJ6eQqG32WeI2gI4BDWh1
username sagrawal privilege 5 secret 5 $1$1Kkz$E6NOTt9LCXiGTarAxrc/i1
username asarie privilege 5 secret 5 $1$.CVw$0ohz3WtLqU8USiMBqxIjA.
username rbiyani privilege 5 secret 5 $1$KkY/$02lEPCahuIpzoQcXln2yD.
username clovejoy privilege 5 secret 5 $1$WMbu$t.er4RPRTnYNNwwkVGMuX.
username Lakshmi privilege 5 secret 5 $1$ZMC4$Sjlcmcw2uvhzU9bwEw1Us.
username benmansour privilege 5 secret 5 $1$yPMa$I.q.7NW2uQo0s5FTHkxZM1
username usha privilege 5 secret 5 $1$bX1I$X6X4eSSeq48k0Kq8Qt7Rn.
username aditya privilege 5 secret 5 $1$w2Vt$HOz81M2UfLeni.PNUX2aJ.
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
!
crypto isakmp client configuration group VPNclient
 key TP!zlflN\2\4go,xtP+xFapuWlKDvr#dVrS6L4TF5NJl2GXugUgv%LfQ+!drgUK
 dns 192.168.1.2 165.21.83.88
 domain fareastp
 pool SDM_POOL_1
 acl 101
 max-users 20
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNVPN 1
 set transform-set ESP-3DES-SHA
!
!
crypto map clientmap client authentication list ciscocp_vpn_xauth_ml_1
crypto map clientmap isakmp authorization list ciscocp_vpn_group_ml_1
crypto map clientmap client configuration address respond
crypto map clientmap 65535 ipsec-isakmp dynamic DYNVPN
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$WAN$
 ip address 119.75.60.170 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 description LAN
 ip address 116.12.248.81 255.255.255.240 secondary
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.1.201 192.168.1.254
ip local pool POOL_2 10.10.1.2 10.10.1.200
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.4 5003 interface FastEthernet4 5003
ip nat inside source static tcp 192.168.1.4 16000 interface FastEthernet4 16000
ip nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
ip nat inside source list 111 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 119.75.60.169
!
logging trap debugging
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
The VPN pool assigned to the VPN client must be in a separate, unique subnet from the internal networks.
Please also post all your ACLs so we can see whether the NAT and crypto ACLs have been set up correctly.
Your NAT ACL must include a "deny ip" above all permit statements.
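The two checks this thread keeps coming back to, "deny the VPN-pool traffic in the NAT ACL before the permit" (the route-map answer to the 851 question and the advice just above) and "keep the pool in its own subnet", can be run offline against a config dump. The following is an added example, not code from any post in this thread or from Cisco: it parses IOS-style `access-list <n> permit|deny ip ...` lines with wildcard masks, evaluates them first-match the way the router does, and reports whether LAN-to-pool traffic would still be translated and whether the pool overlaps the LAN. The sample ACLs embedded at the bottom are constructed for the demonstration; the function and ACL names are the example's own.

```python
"""Offline checker for two VPN/NAT mistakes: a NAT ACL with no 'deny' for
VPN-pool traffic ahead of its 'permit', and a VPN pool that overlaps the LAN.
IOS wildcard-mask ACL syntax is parsed; entries are evaluated first-match."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")
ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.*)$")


@dataclass
class AclEntry:
    action: str                  # "permit" (translate) or "deny" (exempt)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    line: str                    # original text, kept for reporting


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' pair -> network. Wildcard bits set to 1 are
    'don't care'; only contiguous wildcards (0.0.0.255 style) are accepted."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    if mask and ((mask | (mask - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Collect the IP ACL entries of a config dump, per ACL, in order."""
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw)
        if not m:
            continue
        name, action, rest = m.groups()
        tokens = rest.split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        acls.setdefault(name, []).append(AclEntry(action, src, dst, raw.strip()))
    return acls


def first_match(entries: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """First-match evaluation; None stands for the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e
    return None


def nat_would_translate(entries: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """For a NAT ACL, a 'permit' match means the flow gets translated."""
    m = first_match(entries, src_ip, dst_ip)
    return m is not None and m.action == "permit"


def pool_networks(pool: str) -> List[ipaddress.IPv4Network]:
    """Accept CIDR ('192.168.2.0/24') or an IOS pool range ('192.168.1.201 192.168.1.254')."""
    parts = pool.split()
    if len(parts) == 2:
        first, last = (ipaddress.IPv4Address(p) for p in parts)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(pool)]


def audit(config: str, nat_acl: str, lan: str, pool: str) -> Dict[str, bool]:
    """Check one NAT ACL against a LAN subnet and a VPN pool."""
    lan_net = ipaddress.IPv4Network(lan)
    nets = pool_networks(pool)
    entries = parse_acls(config).get(nat_acl, [])
    lan_host, pool_host = str(lan_net[1]), str(nets[0][0])   # representative addresses
    return {
        "lan_to_pool_translated": nat_would_translate(entries, lan_host, pool_host),
        "pool_overlaps_lan": any(lan_net.overlaps(n) for n in nets),
    }


# Constructed sample ACLs (not a poster's config): a NAT ACL with only a
# permit, and the same ACL with the deny for pool traffic placed in front.
BEFORE_CONFIG = "access-list 101 permit ip 192.168.1.0 0.0.0.255 any\n"
AFTER_CONFIG = (
    "access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
    "access-list 120 permit ip 192.168.1.0 0.0.0.255 any\n"
)

if __name__ == "__main__":
    print("before :", audit(BEFORE_CONFIG, "101", "192.168.1.0/24", "192.168.2.0/24"))
    print("after  :", audit(AFTER_CONFIG, "120", "192.168.1.0/24", "192.168.2.0/24"))
    print("overlap:", audit(BEFORE_CONFIG, "101", "192.168.1.0/24", "192.168.1.201 192.168.1.254"))
```

Run as a script it prints the three verdicts; `lan_to_pool_translated` is what the `deny` in front of the `permit` is there to turn off, and `pool_overlaps_lan` flags the 881 layout in this thread, where the pool 192.168.1.201-254 is carved out of the 192.168.1.0/24 LAN. ASA 8.x `nat (inside) 0 access-list` exemptions use subnet masks rather than wildcards and permit what is to be exempted, so that form is not covered by this parser.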
-
Once the VPN connection is established, cannot ping or you connect other IP devices
Trying to get an RV016 installed and working so that people can work from home. Need to support remote clients on both WIN XP and MAC OS X.
Have the router configured and it works fine with the Linksys VPN client for WIN XP users. Can connect, ping, mount shared disks, print to IP printers, etc.
Can connect to the router fine with two third-party VPN clients for Mac: VPN Tracker and IPSecuritas. However, once the connection is established, cannot ping the Linksys VPN router or any other IP address on the office LAN. Turning the firewall on or off makes no difference.
Is there documentation anywhere that describes how the Linksys VPN client for Windows communicates, so this can be replicated in third-party VPN clients for the Mac on OS X?
The connection with IPSecuritas and VPN Tracker is made using a shared key and a domain name. There is no IP address conflict between the client network and the VPN's 192.168.0.0/24 network.
VPN Tracker and IPSecuritas are able to connect to Cisco Easy VPN routers with no problem.
Any ideas on how to get the RV016 to work for non-Windows users?
We found and fixed the problem, so people using VPN Tracker or the current IPSecuritas on OS X now have access to the LAN machines via the RV016. The "remote networks" setting in the BASIC screen in VPN Tracker had been set to the entire subnet, 192.168.0.0/255.255.255.0, while in the RV016 it had been set to the IP range 192.168.0.1 to 192.168.0.254. Even though the addresses are essentially the same, not specifying the full subnet in the RV016 allowed the connection to be made but prevented the VPN client machine from connecting, because the RV016 would pass all traffic to the remote LAN. Changing the 'Local Group' setting in the RV016, in the "VPN / Summary / GroupVPN" screen, 'Local Group' to the full subnet 192.168.0.0/24 solved the problem.
-
Connected to the ASA via the "VPN Client" software, but cannot ping devices.
I have a network that looks like this:
I successfully connected to the inside network of the ASA via a "VPN Client" software tunnel and got an IP address of 10.45.99.100/16.
I am trying to ping 10.45.7.2 from 10.45.99.100 on the outside, but the ping fails (request timed out).
On the ASA, with "logging console notifications" set, I notice the following message is displayed:
"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.45.99.100 dst inside:10.45.7.2 (type 8, code 0) denied due to NAT reverse path failure"
I have a vague feeling that I'm missing a NAT rule somewhere, but I'm not sure which. What did I miss?
Here is my ASA configuration: http://pastebin.com/raw.php?i=ad6p1Zac
Hello
You seem to have a NAT0 ACL configured, but it is not actually in use with a "nat" command.
You would probably need
nat (inside) 0 access-list inside_nat0_outside
That should handle the NAT0.
Personally, I would avoid using large subnets/networks. You probably won't ever have hosts behind the ASA that would fill a /16 subnet mask.
I would also keep the VPN pool as a separate network from the LANs behind the ASA. The LAN 10.45.0.0/16 and the pool 10.45.99.100-200 are on the same network.
-Jouni
-
VPN connects but cannot ping or access resources
I hope this is an easy fix and it's something that I am missing. I've been looking at this for several hours.
Scenario:
I have AnyConnect Essentials, so I use the SSL connection.
I changed my domain name and external IP in my config as I write this.
My VPN connection seems to work very well. In fact, I was able to connect from 3 locations with 3 different external IP addresses.
Location 1: I get IP address 192.168.30.10, as it should. I can ping 192.168.1.1, but not 192.168.1.6, which is my temporary resource; the firewall is disabled on 192.168.1.6.
Location 2: I get an IP of 192.168.30.11, as it should. I was able to ping 192.168.30.10, but could not ping 192.168.1.1 as the site was closed.
Any help would be appreciated, it's getting late so I hope I gave enough details. I feel so close but yet so far.
ciscoasa# show running
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 22.22.22.246 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWPING
 icmp-object echo
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object source-quench
 icmp-object unreachable
access-list 10 extended permit ip any any
access-list 10 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 22.22.22.245 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl 10
 webvpn
  svc ask none default svc
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value mondomaine.fr
 address-pools value SSLClientPoolNew
 webvpn
  svc keep-installer installed
  svc rekey time 180
  svc rekey method ssl
  svc modules value vpngina
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
username test password xxxxxxxxxxxxxx encrypted privilege 15
username ljb1 password xxxxxxxxxxxxxx encrypted
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ed683c7f1b86066d1d8c4fff6b08c592
: end
Patrick,
You're missing the NAT exemption. Please add the following and try again:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat
Let us know if you still have problems after that.
Raga
-
I tried restarting, tried unplugging the unit for a few minutes and powering it up again, tried a full restore. Nothing solves the problem.
Curiously, I can connect to my iTunes account successfully each time.
But when I then connect to iCloud, it asks for my password (remembering my user ID from when I connected successfully to iTunes), then it asks to send a verification code to one of my devices (because I enabled two-step verification, so at this stage it seems to be communicating correctly with the server); then when I click Enter it instantly brings up a message...
Unable to connect
Could not communicate with the server
For more information, visit apple.com/support/icloud.
I also tried logging in to iCloud before connecting to iTunes, but get the same error message. iCloud works on all my other devices.
Any suggestions? Thanks for your consideration.
What version of ATV do you use? This is crucial because they are all running different software.
Try logging in to your Apple ID from a browser and disabling two-step verification. Then log in on the ATV and restore two-step.
-
Client VPN connects but cannot ping all hosts
Here is the configuration of a PIX 501 which I want to accept connections from VPN software clients. I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client and I can ping the PIX at 192.168.5.1, but I can't ping or connect to any hosts behind the PIX. Can someone tell me what I'm missing in my setup?
Thanks for your help.
chi-pix# sh conf
: Saved
: Written by enable_15 at 03:49:39.701 UTC Fri Jan 1 1993
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname chi-pix
domain-name .com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list internet-traffic permit ip 192.168.5.0 255.255.255.0 any
access-list allow-ping permit icmp any any
access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.10.11.1-10.10.11.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 access-list internet-traffic 0 0
access-group allow-ping in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set GvnPix-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set GvnPix-set
crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap
crypto map toGvnPix interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup chiclient address-pool ippool
vpngroup chiclient dns-server 192.168.5.1
vpngroup chiclient wins-server 192.168.5.1
vpngroup chiclient default-domain com
vpngroup chiclient split-tunnel 101
vpngroup chiclient idle-time 1800
vpngroup chiclient password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
vpdn group chi request dialout pppoe
vpdn group chi localname net
vpdn group chi ppp authentication pap
vpdn username net password ********
dhcpd address 192.168.5.2-192.168.5.33 inside
dhcpd dns xx
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:
chi-pix#
The PIX configuration seems correct.
I guess you are trying to access hosts in 192.168.5.0/24, and the default gateway of these hosts is the PIX inside interface 192.168.5.1?
How do you try to access these internal hosts? If you try to ping the hosts, please make sure there is no personal firewall enabled on the inside hosts, as a personal firewall normally doesn't allow incoming connections from a different subnet.
-
Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!
Hello
I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client; now my problem is that I can connect but I cannot ping.
Config
ciscoasa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 5QB4svsHoIHxXpF/ encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx Web_server
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address IncomingIP 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.253 255.255.255.0
 management-only
!
passwd 123
ftp mode passive
clock timezone EST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
 port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
 port-object eq 3200
 port-object eq 3300
 port-object eq 3600
 port-object eq 3299
 port-object eq 3390
 port-object eq 50000
 port-object eq 3396
 port-object eq 3397
 port-object eq 3398
 port-object eq imap4
 port-object eq 587
 port-object eq 993
 port-object eq 8000
 port-object eq 8443
 port-object eq telnet
 port-object eq 3901
 group-object TCP_8081
 port-object eq 1433
 port-object eq 3391
 port-object eq 3399
 port-object eq 8080
 port-object eq 3128
 port-object eq 3900
 port-object eq 3902
 port-object eq 7777
 port-object eq 3392
 port-object eq 3393
 port-object eq 3394
 port-object eq 3395
 port-object eq 92
 port-object eq 91
 port-object eq 3206
 port-object eq 8001
 port-object eq 8181
 port-object eq 7778
 port-object eq 8180
 port-object eq 22222
 port-object eq 11001
 port-object eq 11002
 port-object eq 1555
 port-object eq 2223
 port-object eq 2224
object-group service RDP tcp
 port-object eq 3389
object-group service 3901 tcp
 description 3901
 port-object eq 3901
object-group service 50000 tcp
 description 50000
 port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
 port-object eq 4500
access-list inside_access_in remark SAP connection
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark Outgoing VPN - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark Outgoing VPN - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark Outgoing VPN - GRE
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Outgoing VPN - Client IKE
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark Outgoing VPN - IPSec NAT-T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark Outgoing DNS
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark Outgoing DNS
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Forwarded Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp ISA_Server_second_external_IP 8001 Mail_Server 8001 netmask 255.255.255.255
static (inside,outside) tcp ISA_Server_second_external_IP 8000 Mail_Server 8000 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside pptp Mail_Server pptp netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside smtp Mail_Server smtp netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 587 Mail_Server 587 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 9444 Mail_Server 9444 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 9443 Mail_Server 9443 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 3389 Mail_Server 3389 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 3390 Mail_Server 3390 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 3901 Mail_Server 3901 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 50000 SAP 50000 netmask 255.255.255.255
static (inside,outside) tcp isa_server_outside 3200 SAP 3200 netmask 255.255.255.255
static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp
static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside
static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside
static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside
public static 192.168.2.0 (inside, outside) - corp_vpn access list
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp - esp-md5-hmac transet
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic dynmap 10 set pfs
Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet
cryptomap 10 card crypto ipsec-isakmp dynamic dynmap
cryptomap interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 192.168.2.0 255.255.255.0 inside
Telnet 192.168.1.0 255.255.255.0 management
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain.local domain inside interface
!
a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
Management Server TFTP 192.168.1.123.
internal group mypolicy strategy
mypolicy group policy attributes
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value VPN
Pseudo vpdn password 123
vpdn username attributes
VPN-group-policy mypolicy
type of remote access service
type mypolicy tunnel-group remote access
tunnel-group mypolicy General attributes
address-pool
strategy-group-by default mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.
Hello
You probably need
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
Your split-tunnel and NAT0 configurations seem fine.
-Jouni
-
Hello
I don't know what could be going on: VPN users can ping the outside and inside interfaces of the Cisco ASA, but cannot connect to servers or ping servers within the LAN.
Here is the config; please kindly look at it, I would like to know what might be happening.
hostname horse
domain-name evergreen.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/1
 description CONNECTION_TO_FREEMAN
 nameif outside
 security-level 0
 ip address 196.1.1.1 255.255.255.248
!
interface GigabitEthernet0/2
 description CONNECTION_TO_TIGHTMAN
 nameif backup
 security-level 0
 ip address 197.1.1.1 255.255.255.248
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
 domain-name green.com
object network NETWORK_OBJ_192.168.2.0_25
 subnet 192.168.2.0 255.255.255.128
object network NETWORK_OBJ_192.168.202.0_24
 subnet 192.168.202.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.200.0 255.255.255.0
 network-object 192.168.202.0 255.255.255.0
access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any
access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit ip any any
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,backup) dynamic interface
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
route outside 0.0.0.0 0.0.0.0 197.1.1.2 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
 type echo protocol ipIcmpEcho 212.58.244.71 interface outside
 timeout 3000
 frequency 5
sla monitor schedule 100 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 10 rtr 100 reachability
telnet 192.168.200.0 255.255.255.0 inside
telnet 192.168.202.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.202.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntunnel internal
group-policy vpntunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntunnel_splitTunnelAcl
 default-domain value green.com
group-policy vpntunnell internal
group-policy vpntunnell attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl
 default-domain value green.com
username Green password BoEFKkDtbnX5Uy1Q encrypted privilege 15
username THE attributes
 vpn-group-policy gbnlvpn
tunnel-group vpntunnel type remote-access
tunnel-group vpntunnel general-attributes
 address-pool VPNPOOL
 default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group vpntunnell type remote-access
tunnel-group vpntunnell general-attributes
 address-pool VPNPOOL2
 default-group-policy vpntunnell
tunnel-group vpntunnell ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565
Hello
1 - Please run these commands:
crypto isakmp nat-traversal 30
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
The main issue here is that you have two floating routes, and outside has a better metric than backup; that is why I added the 'reverse-route' command.
Please let me know.
Thank you.
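The two ASA threads above (clients connect, but cannot reach the LAN) come down to the same two checks: the identity NAT (NAT exemption) rule must cover every split-tunnel LAN network against the whole VPN address pool, and, as Jouni points out, ICMP has to be inspected in global_policy or echo replies are left to the interface ACLs. The script below is an added example and is not code from either poster or from Cisco. It parses a constructed ASA 8.3+ style configuration fragment (object names and addresses are modelled on the thread but are sample values) and reports which split-tunnel networks lack an identity NAT rule towards the pool and whether "inspect icmp" is present.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed ASA fragment in the shape of the thread above (sample names and
# addresses, not the poster's full configuration): one LAN network has an
# identity NAT rule towards the pool, the other does not, and icmp is not
# inspected.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_25
 subnet 192.168.2.0 255.255.255.128
object network NETWORK_OBJ_192.168.202.0_24
 subnet 192.168.202.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
"""


def parse_pool(cfg: str) -> Tuple[Addr, Addr]:
    """First and last address of the 'ip local pool' range."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", cfg, re.M)
    if not m:
        raise ValueError("no 'ip local pool' in configuration")
    return Addr(m.group(1)), Addr(m.group(2))


def parse_objects(cfg: str) -> Dict[str, Net]:
    """Map 'object network NAME' to its subnet (host objects are ignored)."""
    objects: Dict[str, Net] = {}
    current = None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = Net(f"{m.group(1)}/{m.group(2)}")
    return objects


def parse_split_networks(cfg: str, acl: str) -> List[Net]:
    """Networks listed in the standard split-tunnel ACL."""
    pat = rf"^access-list {re.escape(acl)} standard permit (\S+) (\S+)"
    return [Net(f"{a}/{m}") for a, m in re.findall(pat, cfg, re.M)]


def parse_nat_exemptions(cfg: str, objects: Dict[str, Net]) -> List[Tuple[Net, Net]]:
    """(source, destination) pairs of twice-NAT rules where real == mapped."""
    pat = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
    pairs = []
    for real_src, map_src, real_dst, map_dst in pat.findall(cfg):
        if real_src == map_src and real_dst == map_dst and real_src in objects and real_dst in objects:
            pairs.append((objects[real_src], objects[real_dst]))
    return pairs


def has_icmp_inspection(cfg: str) -> bool:
    """True when 'inspect icmp' appears inside 'policy-map global_policy'."""
    in_global = False
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a new top-level command
            in_global = line.split()[:2] == ["policy-map", "global_policy"]
        elif in_global and line.strip() == "inspect icmp":
            return True
    return False


def audit(cfg: str, split_acl: str) -> List[str]:
    """Findings that explain 'VPN connects but cannot ping the LAN'."""
    findings = []
    first, last = parse_pool(cfg)
    exemptions = parse_nat_exemptions(cfg, parse_objects(cfg))
    for lan in parse_split_networks(cfg, split_acl):
        # The pool is a contiguous range, so both ends inside the destination
        # object means the whole pool is covered.
        covered = any(lan.subnet_of(src) and first in dst and last in dst
                      for src, dst in exemptions)
        if not covered:
            findings.append(f"{lan}: no identity NAT towards pool {first}-{last}")
    if not has_icmp_inspection(cfg):
        findings.append("global_policy: inspect icmp missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "vpn_splitTunnelAcl"):
        print(finding)
```

Run against a real "show running-config" the same way; the split-tunnel ACL name is whatever the group-policy's split-tunnel-network-list points at. The check is deliberately strict about identity (real equals mapped) rules: a NAT rule that translates the LAN towards the pool would also break the return path, so it does not count as coverage.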
-
Established VPN tunnel between 4.8 Client and 525 PIX but cannot ping
When no tunnel is established, the client can ping all devices, onsite/remote. However, when the tunnel is established and the client picks up its expected IP address from the address pool, the client cannot ping local/remote.
An icmp debug trace on the PIX shows inside devices responding to pings from the client, but the client
does not receive these responses and shows "request timed out".
The VPN client also shows only transmitted data.
I'm guessing there is a routing/NATting problem somewhere?
Would really appreciate some help on this. Ask some questions if my problem is too vague.
Thanks in advance!
Would it be possible to show the config of the PIX with the public IP addresses hidden? Some things to check:
--> ISAKMP NAT traversal
--> Windows Firewall
--> sysopt permit
-
Remote access VPN connects to the 5505 but cannot ping servers
I have a Cisco 5505 and am trying to set it up with ASDM 6.4.
My VPN client connects OK to the network but I'm unable to reach any of the servers.
I'm sure it's a simple configuration issue, as I don't have much experience with Cisco configuration.
Any suggestions on where to look would be very much appreciated.
Thanks in advance
Graham
Hi Graham,
Please add the following command:
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
Thank you.
Portu.
-
Windows 7 laptop can see the Windows XP desktop, but cannot ping or connect to it
I've seen hundreds of threads describing problems similar to mine, but none of the suggested fixes worked in my case, so I'm starting a new thread. I bought a new laptop with Windows 7 Home Edition. My setup before the new laptop was as follows:
Cable modem ---> NetGear WGT624v3 router ---> Windows XP Home Edition SP3 desktop
I set up the Win 7 laptop with the same workgroup name as the XP desktop. The username and password are the same on both. File and printer sharing is enabled on both. The XP desktop sees the Win 7 laptop in the workgroup in My Network Places. It can successfully ping the Win 7 laptop. It can access shared folders on the Win 7 machine with no problems.
My problem is that the connection seems one-sided. The Win 7 laptop will usually display the XP desktop in the network when Windows Explorer opens. It also displays the XP desktop in the network map in Network and Sharing Center. However, I can't map a network drive on the XP desktop using the computer name or the IP address. I can't even ping the XP desktop. But if I boot the XP desktop in Safe Mode with Networking, the Win 7 laptop can ping and access shared folders on the XP desktop.
I tried disabling the firewall on both machines. I confirmed that the appropriate ports are open for file sharing on both machines. The Safe Mode result suggests the problem lies with Windows XP, but I'm running out of things to try, and the various solutions I've seen in similar threads strike me as urban legends.
Hi Meghmala,
Thanks for the great tips. You pointed me in the right direction. After configuring my XP machine for a clean boot I was able to ping, see and access shared files on the XP desktop from the Win 7 laptop. Then I went through the services and startup programs that had been disabled for the clean boot. I found a Cisco VPN service which I had previously used to connect to my office intranet. I disabled this service and the corresponding startup item in my next selective startup. I was still able to connect to the XP desktop. I think the VPN service was the cause of the problem even though I had no active VPN session open. Thanks again for this one; I had been trying to solve this problem for weeks.
-
VPN is up, but cannot ping through
Hello
I have a problem where two sites are trying to connect. The first site has a Cisco 861 and a UC500 for the phone system. The second site uses a UC520 for phones and as the router. Here are the configurations of the 861 and the UC520. Any help would be greatly appreciated!
Cisco 861
Current configuration : 7635 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1477458744
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1477458744
 revocation-check none
 rsakeypair TP-self-signed-1477458744
!
!
crypto pki certificate chain TP-self-signed-1477458744
 quit
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
license udi pid CISCO861-K9 sn fff
!
!
username admin
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 2.2.2.140 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
crypto map mymap 1 ipsec-isakmp
 set peer 1.1.1.140
 set transform-set ESP-3DES-SHA
 match address SDM_1
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 1.1.1.130 255.255.255.240
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed auto
 crypto map mymap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.1.1.23 80 1.1.1.133 80 extendable
ip nat inside source static 10.1.1.23 1.1.1.133
1
ip route 0.0.0.0 0.0.0.0 1.1.1.129
!
ip access-list extended SDM_1
 remark CCP_ACL Category=20
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
 remark IPSec Rule
ip access-list extended VPN-TRAFFIC
 remark CCP_ACL Category=16
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit any
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit any
access-list 100 remark CCP_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit ip 0.0.0.0 255.255.255.0 any
access-list 100 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco UC520
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Panasonic address 1.1.1.130 no-xauth
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key 8888
 dns 64.132.94.250 216.136.95.1
 pool SDM_POOL_1
 acl 105
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
 match identity group EZVPN_GROUP_1
 client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
 isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map mymap 1 ipsec-isakmp
 set peer 1.1.1.130
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
ip telnet source-interface BVI100
ip tftp source-interface Loopback0
!
class-map match-all sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-all sdm_p2p_edonkey
 match protocol edonkey
class-map match-all sdm_p2p_gnutella
 match protocol gnutella
class-map match-all sdm_p2p_bittorrent
 match protocol bittorrent
!
bridge irb
!
interface Loopback0
 ip address 10.1.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 2.2.2.140 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map mymap
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group
 ip unnumbered BVI100
 ip nat inside
 ip virtual-reassembly
 service-module ip address 172.16.6.2 255.255.255.0
 service-module ip default-gateway 172.16.6.1
!
interface Virtual-Template1 type tunnel
 ip unnumbered BVI1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
!
interface Vlan100
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 100
!
interface BVI1
 ip address 10.0.0.250 255.255.255.0
 ip helper-address 10.0.0.6
 ip nat inside
 ip virtual-reassembly
!
interface BVI100
 ip address 172.16.6.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 172.16.6.1
!
ip local pool SDM_POOL_1 192.168.2.10 192.168.2.19
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 172.16.6.2 255.255.255.255 Integrated-Service-Engine0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip nat inside source list INSIDE_NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.7 80 2.2.2.142 80 extendable
!
ip access-list extended INSIDE_NAT
 deny ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
 deny ip any 10.1.1.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 172.16.4.0 0.0.0.255
 deny ip 10.1.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 172.16.6.0 0.0.0.255 any
ip access-list extended NAT_CUSTOMERS
 permit tcp any host 2.2.2.140 eq 4550
!
access-list 100 permit ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 172.16.4.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 105 permit ip 172.16.6.0 0.0.0.255 any
snmp-server community public RO
Hi, Marshal.
Good news, I give you 5 stars
Please mark this question as answered.
Good day.
-
Problem with Site-to-Site VPN. VPN tunnel is broken but can ping
OK, so I am trying to understand why nothing at all appears when I run "sh crypto isakmp sa" or "sh crypto ipsec sa". I did the basic site-to-site VPN settings and I can ping across both networks fine, no problem. So when I ping from a PC on the 172.16.0.0 network to the 192.168.0.0 network there is no problem at all, the pings are received fine. But when I go to "sh crypto isakmp sa", there's simply nothing, and I can't for the life of me understand why. I looked at my "sh run" for both routers and all seems well, but I guess I could be overlooking something. I would really appreciate it if someone could help me diagnose this problem.
I've attached my Packet Tracer file; both routers use the password "binary". I also have the "sh run" of both routers attached.
I don't see 172.16.0.0/24 on any of the routers, only 172.16.0.0/16, and I think that is the issue.
In the crypto ACL you have on the branch router:
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Shouldn't it be:
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
and of course mirrored on the main router.
If this isn't the case, you are saying that some pings between 192.168.0.x and 172.16.0.x are going OK. Can you please indicate exactly which ones? I could see that you attached a Packet Tracer file, but I couldn't open it.
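Two of the IOS threads above fail on access-list content rather than on the crypto settings. In the 861 configuration, the route-map NAT ACL (access-list 100) carries "permit ip any any" above the deny entries for the site-to-site networks, and since IOS evaluates an ACL top to bottom with first match, the VPN flows are translated before the denies are ever reached. In this site-to-site thread the branch crypto ACL uses 172.16.0.0 0.0.0.255 while the main router speaks for 172.16.0.0/16, so the two crypto ACLs are not mirrors of each other. The script below is an added example and is not from any of the posters or from Cisco: it parses IOS ACL entries (numbered or named, with wildcard masks) into Python network objects, evaluates a flow against an ACL with first-match semantics plus the implicit deny, and checks two crypto ACLs for mirror symmetry. The sample ACL texts are constructed in the shape of the ones posted and are not the posters' own lines.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]  # (action, source, destination)

# Matches numbered ("access-list 100 deny ip ...") and named ("permit ip ...")
# IOS entries; remarks and non-ip entries are skipped by the caller.
ENTRY_RE = re.compile(r"^(?:access-list \d+ )?(permit|deny)\s+ip\s+(.+)$")


def _address(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # ipaddress reads an all-zero or all-one mask as a netmask, which inverts
    # the IOS meaning, so the two degenerate wildcards are handled by hand.
    if wildcard == "0.0.0.0":
        return Net(addr + "/32"), tokens[2:]
    if wildcard == "255.255.255.255":
        return Net("0.0.0.0/0"), tokens[2:]
    # A mask whose first octet is zero is read by ipaddress as a hostmask,
    # which is exactly an IOS wildcard.
    return Net(f"{addr}/{wildcard}", strict=False), tokens[2:]


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    action, rest = m.group(1), m.group(2).split()
    src, rest = _address(rest)
    dst, _ = _address(rest)
    return action, src, dst


def parse_acl(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def first_match(entries: List[Entry], src_ip: str, dst_ip: str) -> str:
    """IOS semantics: the first matching entry wins; implicit deny at the end.
    For a NAT ACL, 'permit' means the flow is translated, 'deny' means exempt."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def mirror_gaps(local: List[Entry], remote: List[Entry]) -> List[Tuple[Net, Net]]:
    """Permit entries on this peer that the other peer's crypto ACL does not mirror."""
    mirrored = {(src, dst) for action, src, dst in remote if action == "permit"}
    return [(src, dst) for action, src, dst in local
            if action == "permit" and (dst, src) not in mirrored]


# Constructed sample in the shape of the 861's access-list 100 (not the
# poster's lines): the early catch-all permit shadows the VPN deny entries.
NAT_ACL_BROKEN = """
access-list 100 remark IPSec Rule
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
"""

# Same entries with every VPN deny placed ahead of the catch-all permit.
NAT_ACL_FIXED = """
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 permit ip any any
"""

# Constructed crypto ACLs for the site-to-site thread: the branch names a /24
# for the main site while the main router's ACL covers 172.16.0.0/16.
BRANCH_CRYPTO_ACL = "permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255"
BRANCH_CRYPTO_ACL_FIXED = "permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255"
MAIN_CRYPTO_ACL = "permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255"

if __name__ == "__main__":
    print("VPN flow NATted (broken ACL):", first_match(parse_acl(NAT_ACL_BROKEN), "10.1.1.5", "192.168.2.20"))
    print("VPN flow NATted (fixed ACL): ", first_match(parse_acl(NAT_ACL_FIXED), "10.1.1.5", "192.168.2.20"))
    print("unmirrored branch entries:", mirror_gaps(parse_acl(BRANCH_CRYPTO_ACL), parse_acl(MAIN_CRYPTO_ACL)))
```

Paste the ACL sections of both routers' "sh run" into the two text constants to repeat the check on real configurations; mirror_gaps should be run in both directions, since an entry missing on either side leaves that flow outside the tunnel.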