VPN established but the client cannot access the internet... Need help.

Hi all

I'm trying to get an ASA 5505 appliance working but have not succeeded yet. I managed to connect to the ASA with the VPN client, but once connected, the VPN client cannot access the internet. I am trying to route traffic from the client through the VPN server, so I don't want split tunneling. Here is a sketch of the test network:

DNS:210.193.2.66
|
|
              Inside ---------- Outside                      ------        ------------
        192.168.1.1 |          | 202.*.*.84       202.*.*.1 |      |      [            ]
--------------------|   ASA    |----------------------------|  GW  |------[  INTERNET  ]
|                   |   5505   |               |            |      |      [            ]
|                    ----------                |             ------        ------------
Host_A                                         | 202.*.*.83
192.168.1.5                               -----------
                                          | NetGear |
                                          | Router  |
                                          -----------
                                               | 192.168.2.1
                                               |
                                               |
                                             HOST_B
                                   Physical addr: 192.168.2.2
                                   VPN addr: 192.168.3.1

The ASA 5505 config is as shown below:

Output from the command: 'show running-config'.

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 0cMYKRmmOdVhcSr4 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.*.*.84 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.3.1-192.168.3.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.128.171.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.20 inside
dhcpd dns 210.193.2.66 210.193.2.34 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Reveal internal
group-policy Reveal attributes
 vpn-tunnel-protocol IPSec
username alice password tnbrh7ICan8mnq/Y encrypted privilege 0
username alice attributes
 vpn-group-policy Reveal
tunnel-group Reveal type remote-access
tunnel-group Reveal general-attributes
 address-pool vpnpool
 default-group-policy Reveal
tunnel-group Reveal ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bfb0083a8eb2416e9cc27befe3b224d9
: end

A few thoughts:

same-security-traffic permit intra-interface

nat (outside) 1 <your VPN client pool>

sysopt connection permit-vpn

sysopt connection permit-ipsec
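
The reply's suggestions checked against the posted configuration, as an added example that is not part of the original thread: the Python below reads the relevant running-config lines (ASA 8.2 syntax) and returns the commands still missing for VPN clients to reach the Internet through the tunnel. The function names and the reduced config excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt: the lines of the posted ASA 8.2 running-config that
# decide whether VPN clients can reach the Internet through the tunnel.
POSTED_CONFIG = """\
ip local pool vpnpool 192.168.3.1-192.168.3.20 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.128.171.1 1
"""


def vpn_pools(config):
    """Network of every 'ip local pool' statement, as IPv4Network objects."""
    pat = re.compile(r"^ip local pool \S+ (\S+?)-\S+ mask (\S+)\s*$", re.M)
    return [ipaddress.ip_network(f"{first}/{mask}", strict=False)
            for first, mask in pat.findall(config)]


def nat_covers(config, net, ids):
    """True if a 'nat (outside) <id> <addr> <mask>' rule with a PAT id covers net."""
    rules = re.findall(r"^nat \(outside\) (\d+) ([\d.]+) ([\d.]+)", config, re.M)
    return any(nat_id in ids and
               net.subnet_of(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
               for nat_id, addr, mask in rules)


def hairpin_gaps(config):
    """Commands still missing for full-tunnel clients to reach the Internet."""
    missing = []
    # Client traffic enters and leaves on the same (outside) interface.
    if not re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M):
        missing.append("same-security-traffic permit intra-interface")
    # Appears in the running-config only when the default has been turned off.
    if re.search(r"^no sysopt connection permit-vpn\s*$", config, re.M):
        missing.append("sysopt connection permit-vpn")
    # The pool must be translated by a global (outside) statement with the same id.
    ids = set(re.findall(r"^global \(outside\) (\d+) ", config, re.M))
    if not ids:
        ids = {"1"}
        missing.append("global (outside) 1 interface")
    nat_id = min(ids, key=int)
    for net in vpn_pools(config):
        if not nat_covers(config, net, ids):
            missing.append(f"nat (outside) {nat_id} {net.network_address} {net.netmask}")
    return missing


if __name__ == "__main__":
    for command in hairpin_gaps(POSTED_CONFIG):
        print(command)
```
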

Tags: Cisco Security
