VPN IPSec passthrough ASA 5505 (v9.2.4) - connected but no access

Hello

Here's my situation:

I am trying to connect a client IPSec VPN via an ASA 5505 to an other ASA 5505. In fact, I can make the connection to the VPN but all accesses are blocked (ping or IP access).

When I use a router ISP directly or at home, I have no problem (ping and IP access follow the firewall rules). Connection and access are allowed.

Schema:

I have attached both the configuration for this post

I've recently updated 8.2.5 ASA 8.4.6 and 9.2.4. An another ASA 5505 v8.2.5 works well in both way (via ASA VPN connection) and the VPN through ASA1 this ASA.

I have tried many solution to solve the problem (nat/ipsec static inspection), but I failed to solve it. I tried to see asp in ASA1 drop, but I was right to drop only "nat-xlate-failed".

Thanks for your help because I'm going crazy...

Olivier,

PS: Sorry for my English...

Advertisement

Hi Olivier,.

Could enable you icmp on the ASA inspection?

Use this command and check:

fixup protocol icmp

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

Tags: Cisco Security

Similar Questions

  • Ipsec/ipad ASA 5505 configuration

    Hey had a few problems when configuring IPSEC/VPN on the asa 5505. I want to connect from the ipad with built in IPSec client...

    Get these errors when I run the debug crypto isakmp

    Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username = Haq, IP = x.x.x.x, Tunnel rejected: conflicting protocols specified by tunnel-group and political group

    Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username = Haq, IP = x.x.x.x, fault QM WSF (P2 struct & 0xd5d5f3d8, mess id 0x295bc3a).

    Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username is Haq, IP = x.x.x.x, withdrawal homologous of correlator table failed, no match!

    There are a lot of site-to-site vpn and ipsec vpn profiles configuration and these works very well... ?

    Here is the config running sh run crypto:

    Crypto ipsec transform-set of des-esp esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac 3DES-TRANS

    mode crypto ipsec transform-set 3DES-TRANS transport

    Crypto ipsec transform-set AES aes - esp esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-md5-hmac 3des

    Crypto ipsec transform-set esp-3des esp-sha-hmac IPAD-IPSEC

    Crypto ipsec transform-set IPAD IPSEC transport mode

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto-map dynamic Plandent 10 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-256-MD5 OF THE 3des 3DES-TRANS

    Crypto dynamic-map Plandent 10 the duration value of security-association seconds 84600

    cryptographic kilobytes 300000 of life of the set - the security of Plandent 10 of the dynamic-map association

    set of 5 IPAD-card dynamic-map crypto IPAD-IPSEC transform-set

    Crypto 5 IPAD-card dynamic-plan the duration value of security-association seconds 28800

    cryptographic kilobytes 4608000 life of the set - the association of security of the IPAD-card dynamic-map 5

    card crypto PD_VPN 10 corresponds to the address ToGoteborg

    card crypto PD_VPN 10 set peer PixGoteborg

    card crypto PD_VPN 10 the transform-set value OF

    card crypto PD_VPN set 10 security-association life seconds 84600

    card crypto PD_VPN 10 set security-association kilobytes of life 4608000

    card crypto PD_VPN 20 corresponds to the address ToMalmo

    card crypto PD_VPN 20 set peer PixMalmo

    card crypto PD_VPN 20 the transform-set value OF

    card crypto PD_VPN 20 defined security-association life seconds 84600

    card crypto PD_VPN 20 set security-association kilobytes of life 4608000

    card crypto PD_VPN 30 corresponds to the address ToPlanmeca

    PD_VPN 30 value crypto map peer ASA_HKI ASA_HKI_BACKUP

    PD_VPN 30 value transform-set AES crypto card

    card crypto PD_VPN 30 defined security-association life seconds 86400

    card crypto PD_VPN 30 set security-association kilobytes of life 4608000

    card crypto PD_VPN 100-isakmp dynamic ipsec Plandent

    PD_VPN interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 10

    preshared authentication

    aes encryption

    sha hash

    Group 2

    lifetime 28800

    crypto ISAKMP policy 30

    preshared authentication

    the Encryption

    md5 hash

    Group 2

    life 86400

    Anyone have tips and tricks on what may be the problem here, will be really appreciated

    Thank you

    Shane

    Karsten, Shane,

    Honestly thos MAY be from miconfig TG/GP, but I would check the full debugging of:

    ------

    debugging cry isakmp 127

    Debug aaa 100 Commons

    -------

    The reason for being quite a few questions, we saw some time where users were pushing class or group-AAA lock (which is the substitution of CLI).

    M.

  • VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

    I tried to set up a simple customer vpn using this document

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

    VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

    6.3 (5) PIX version

    interface ethernet0 car

    Auto interface ethernet1

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    activate the encrypted password of VmHKIhnF4Gs5AWk3

    VmHKIhnF4Gs5AWk3 encrypted passwd

    hostname VOIPLABPIX

    domain voicelab.com

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol they 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol 2000 skinny

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names of

    access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

    access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

    pager lines 24

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside 208.x.x.11 255.255.255.0

    IP address inside 172.10.2.2 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool voicelabpool 172.10.3.100 - 172.10.3.254

    history of PDM activate

    ARP timeout 14400

    NAT (inside) - 0 102 access list

    Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1

    Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    AAA-server GANYMEDE + 3 max-failed-attempts

    AAA-server GANYMEDE + deadtime 10

    RADIUS Protocol RADIUS AAA server

    AAA-server RADIUS 3 max-failed-attempts

    AAA-RADIUS deadtime 10 Server

    AAA-server local LOCAL Protocol

    Enable http server

    http 172.0.0.0 255.0.0.0 inside

    http 0.0.0.0 0.0.0.0 inside

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac

    Crypto-map dynamic map2 10 set transform-set trmset1

    map map1 10 ipsec-isakmp crypto dynamic map2

    client authentication card crypto LOCAL map1

    map1 outside crypto map interface

    ISAKMP allows outside

    ISAKMP identity address

    part of pre authentication ISAKMP policy 10

    ISAKMP policy 10 encryption aes-256

    ISAKMP policy 10 sha hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    vpngroup address voicelabpool pool cuclab

    vpngroup dns 204.x.x.10 Server cuclab

    vpngroup cuclab by default-field voicelab.com

    vpngroup split tunnel 101 cuclab

    vpngroup idle 1800 cuclab-time

    vpngroup password cuclab *.

    Telnet timeout 5

    SSH 208.x.x.11 255.255.255.255 outside

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 172.10.1.2 255.255.255.255 inside

    SSH timeout 60

    Console timeout 0

    username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2

    Terminal width 80

    Cryptochecksum:b03a349e1ac9e6022432523bbb54504b

    : end

    Try to turn on NAT - T

    PIX (config) #isakmp nat-traversal 20

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

    HTH

  • ASA: VPN IPSEC Tunnel from 5505(ver=8.47) to 5512 (ver = 9.23)

    Hi-

    We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
    We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).

    Networks:

    Local: 192.168.1.0 (answering machine)
    Distance: 192.168.54.0 (initiator)

    See details below on our config:

    SH run card cry

    card crypto outside_map 2 match address outside_cryptomap_ibfw
    card crypto outside_map 2 pfs set group5
    outside_map 2 peer XX crypto card game. XX.XXX.XXX
    card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
    crypto map outside_map 2 set ikev2 AES256 ipsec-proposal

    outside_map interface card crypto outside

    Note:
    Getting to hit numbers below on rules/ACL...

    SH-access list. I have 54.0

    permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
    permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
    access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671

    SH run | I have access-group
    Access-group outside_access_out outside interface

    NOTE:
    WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...

    HS cry his ikev1

    IKEv1 SAs:

    HIS active: 2
    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
    Total SA IKE: 2

    1 peer IKE: XX. XX.XXX.XXX
    Type: L2L role: answering machine
    Generate a new key: no State: MM_ACTIVE
    2 IKE peers: XXX.XXX.XXX.XXX
    Type: L2L role: answering machine
    Generate a new key: no State: MM_ACTIVE

    SH run tunnel-group XX. XX.XXX.XXX
    tunnel-group XX. XX.XXX.XXX type ipsec-l2l
    tunnel-group XX. XX.XXX.XXX General-attributes
    Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
    tunnel-group XX. XX.XXX.XXX ipsec-attributes
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.

    SH run | I have political ikev1

    ikev1 160 crypto policy
    preshared authentication
    aes-256 encryption
    Group 5
    life 86400

    SH run | I Dynamics
    NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
    NAT source auto after (indoor, outdoor) dynamic one interface

    NOTE:
    To from 5512 at 5505-, we can ping a host on the remote network of ASA local

    # ping inside the 192.168.54.20
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
    !!!!!
    Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 ms

    Determination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?

    The IPSEC tunnel check - seems OK?

    SH crypto ipsec his
    Interface: outside
    Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXX

    outside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
    local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
    current_peer: XX. XX.XXX.XXX

    #pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
    #pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
    Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
    PMTU time remaining: 0, political of DF: copy / df
    Validation of ICMP error: disabled, TFC packets: disabled
    current outbound SPI: CDC99C9F
    current inbound SPI: 06821CBB

    SAS of the esp on arrival:
    SPI: 0x06821CBB (109190331)
    transform: aes-256-esp esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
    slot: 0, id_conn: 339968, crypto-card: outside_map
    calendar of his: service life remaining (KB/s) key: (3914789/25743)
    Size IV: 16 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0xFFFFFFFF to 0xFFFFFFFF
    outgoing esp sas:
    SPI: 0xCDC99C9F (3452542111)
    transform: aes-256-esp esp-sha-hmac no compression
    running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
    slot: 0, id_conn: 339968, crypto-card: outside_map
    calendar of his: service life remaining (KB/s) key: (3913553/25743)
    Size IV: 16 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    --> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...

    SH cap CAP

    34 packets captured

    1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
    2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
    3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
    4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
    5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply

    --> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)

    SH cap A2

    42 packets captured

    1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
    2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
    3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
    4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
    5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
    6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
    7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request

    --> Package trace on 5512 does no problem... but we cannot ping from host to host?

    entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20

    Phase: 4
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    class-map default class
    match any
    Policy-map global_policy
    class class by default
    Decrement-ttl connection set
    global service-policy global_policy
    Additional information:
    Direct flow from returns search rule:
    ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
    hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
    IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
    input_ifc = output_ifc = any to inside,

    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
    Additional information:
    Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
    Direct flow from returns search rule:
    ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
    hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
    IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
    input_ifc = inside, outside = output_ifc

    ...

    Phase: 14
    Type: CREATING STREAMS
    Subtype:
    Result: ALLOW
    Config:
    Additional information:
    New workflow created with the 7422689 id, package sent to the next module
    Information module for forward flow...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_inspect_icmp
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Information for reverse flow...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_inspect_icmp
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Result:
    input interface: inside
    entry status: to the top
    entry-line-status: to the top
    output interface: outside
    the status of the output: to the top
    output-line-status: to the top
    Action: allow

    --> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?

    Destination - initiator:
     
    entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
     
    ...
    Phase: 4
    Type: UN - NAT
    Subtype: static
    Result: ALLOW
    Config:
    NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
    Additional information:
    NAT divert on exit to the outside interface
    Untranslate 192.168.1.79/0 to 192.168.1.79/0
    ...

    Summary:
    We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
    But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).

    Please let us know what other details we can provide to help solve, thanks for any help in advance.

    -SP

    Well, I think it is a NAT ordering the issue.

    Basically as static and this NAT rule-

    NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)

    are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.

    To check just run a 'sh nat"and this will show you what order everthing is in.

    The ASA is working its way through the sections.

    You also have this-

    NAT source auto after (indoor, outdoor) dynamic one interface

    which does the same thing as first statement but is in section 3, it is never used.

    If you do one of two things-

    (1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line

    or

    (2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.

    There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.

    It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.

    The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).

    Then you can simply try to rearrange so your static NAT is above it just to see if it works.

    Just in case you want to see the document here is the link-

    https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation-and-configuration-format-CLI

    Jon

  • ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

    Hello

    I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

    1 Configure ASA-1 (host name, vlan 1 and vlan 2).

    2. configure a static route

    3. create object network (local and remote)

    4. create the access list

    5. create ikev1 crypto

    6. create tunnel-group

    7 Configure nat

    and I repeat the steps above with the ASA but another change IP.

    Are to correct the above steps?

    Why can I not create an IPSEC VPN between devices?.

    No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

  • ASA 5505 IPSEC VPN connected but cannot access the local network

    ASA: 8.2.5

    ASDM: 6.4.5

    LAN: 10.1.0.0/22

    Pool VPN: 172.16.10.0/24

    Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

    I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

    Here is my setup, wrong set up anything?

    ASA Version 8.2 (5)

    !

    hostname asatest

    domain XXX.com

    activate 8Fw1QFqthX2n4uD3 encrypted password

    g9NiG6oUPjkYrHNt encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 10.1.1.253 255.255.252.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    address IP XXX.XXX.XXX.XXX 255.255.255.240

    !

    passive FTP mode

    clock timezone PST - 8

    clock summer-time recurring PDT

    DNS server-group DefaultDNS

    domain vff.com

    vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

    access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

    pager lines 24

    Enable logging

    timestamp of the record

    logging trap warnings

    asdm of logging of information

    logging - the id of the device hostname

    host of logging inside the 10.1.1.230

    Within 1500 MTU

    Outside 1500 MTU

    IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA-server protocol nt AD

    AAA-server host 10.1.1.108 AD (inside)

    NT-auth-domain controller 10.1.1.108

    Enable http server

    http 10.1.0.0 255.255.252.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH 10.1.0.0 255.255.252.0 inside

    SSH timeout 20

    Console timeout 0

    dhcpd outside auto_config

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal group vpntest strategy

    Group vpntest policy attributes

    value of 10.1.1.108 WINS server

    Server DNS 10.1.1.108 value

    Protocol-tunnel-VPN IPSec l2tp ipsec

    disable the password-storage

    disable the IP-comp

    Re-xauth disable

    disable the PFS

    IPSec-udp disable

    IPSec-udp-port 10000

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list vpntest_splitTunnelAcl

    value by default-domain XXX.com

    disable the split-tunnel-all dns

    Dungeon-client-config backup servers

    the address value vpnpool pools

    admin WeiepwREwT66BhE9 encrypted privilege 15 password username

    username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

    the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

    tunnel-group vpntest type remote access

    tunnel-group vpntest General attributes

    address vpnpool pool

    authentication-server-group AD

    authentication-server-group (inside) AD

    Group Policy - by default-vpntest

    band-Kingdom

    vpntest group tunnel ipsec-attributes

    pre-shared-key BEKey123456

    NOCHECK Peer-id-validate

    !

    !

    privilege level 3 mode exec cmd command perfmon

    privilege level 3 mode exec cmd ping command

    mode privileged exec command cmd level 3

    logging of the privilege level 3 mode exec cmd commands

    privilege level 3 exec command failover mode cmd

    privilege level 3 mode exec command packet cmd - draw

    privilege show import at the level 5 exec mode command

    privilege level 5 see fashion exec running-config command

    order of privilege show level 3 exec mode reload

    privilege level 3 exec mode control fashion show

    privilege see the level 3 exec firewall command mode

    privilege see the level 3 exec mode command ASP.

    processor mode privileged exec command to see the level 3

    privilege command shell see the level 3 exec mode

    privilege show level 3 exec command clock mode

    privilege exec mode level 3 dns-hosts command show

    privilege see the level 3 exec command access-list mode

    logging of orders privilege see the level 3 exec mode

    privilege, level 3 see the exec command mode vlan

    privilege show level 3 exec command ip mode

    privilege, level 3 see fashion exec command ipv6

    privilege, level 3 see the exec command failover mode

    privilege, level 3 see fashion exec command asdm

    exec mode privilege see the level 3 command arp

    command routing privilege see the level 3 exec mode

    privilege, level 3 see fashion exec command ospf

    privilege, level 3 see the exec command in aaa-server mode

    AAA mode privileged exec command to see the level 3

    privilege, level 3 see fashion exec command eigrp

    privilege see the level 3 exec mode command crypto

    privilege, level 3 see fashion exec command vpn-sessiondb

    privilege level 3 exec mode command ssh show

    privilege, level 3 see fashion exec command dhcpd

    privilege, level 3 see the vpnclient command exec mode

    privilege, level 3 see fashion exec command vpn

    privilege level see the 3 blocks from exec mode command

    privilege, level 3 see fashion exec command wccp

    privilege see the level 3 exec command mode dynamic filters

    privilege, level 3 see the exec command in webvpn mode

    privilege control module see the level 3 exec mode

    privilege, level 3 see fashion exec command uauth

    privilege see the level 3 exec command compression mode

    level 3 for the show privilege mode configure the command interface

    level 3 for the show privilege mode set clock command

    level 3 for the show privilege mode configure the access-list command

    level 3 for the show privilege mode set up the registration of the order

    level 3 for the show privilege mode configure ip command

    level 3 for the show privilege mode configure command failover

    level 5 mode see the privilege set up command asdm

    level 3 for the show privilege mode configure arp command

    level 3 for the show privilege mode configure the command routing

    level 3 for the show privilege mode configure aaa-order server

    level mode 3 privilege see the command configure aaa

    level 3 for the show privilege mode configure command crypto

    level 3 for the show privilege mode configure ssh command

    level 3 for the show privilege mode configure command dhcpd

    level 5 mode see the privilege set privilege to command

    privilege level clear 3 mode exec command dns host

    logging of the privilege clear level 3 exec mode commands

    clear level 3 arp command mode privileged exec

    AAA-server of privilege clear level 3 exec mode command

    privilege clear level 3 exec mode command crypto

    privilege clear level 3 exec command mode dynamic filters

    level 3 for the privilege cmd mode configure command failover

    clear level 3 privilege mode set the logging of command

    privilege mode clear level 3 Configure arp command

    clear level 3 privilege mode configure command crypto

    clear level 3 privilege mode configure aaa-order server

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

    : end

    Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

    The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

    On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

    The config below has had IPs/passwords has changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2 (1)
    !
    hostname datacenterfirewall
    mydomain.tld domain name
    activate the password encrypted
    passwd encrypted
    names of
    name 10.10.0.0 OfficeNetwork
    10.5.0.0 DatacenterNetwork name
    !
    interface Vlan1
    nameif inside
    security-level 100
    10.5.0.1 IP address 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    1.1.1.4 IP address 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    buydomains.com domain name
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    inside_access_in list extended access permit icmp any one
    inside_access_in list extended access permitted tcp a whole
    inside_access_in list extended access udp allowed a whole
    inside_access_in of access allowed any ip an extended list
    outside_access_in list extended access permit icmp any one
    outside_access_in list extended access udp allowed any any eq isakmp
    IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
    outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    IP verify reverse path to the outside interface
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 623.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT-control
    Global 1 interface (outside)
    NAT (inside) 1 0.0.0.0 0.0.0.0
    inside_access_in access to the interface inside group
    Access-group outside_access_in in interface outside
    Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 10.5.0.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
    Crypto dynamic-map ciscopix 1 transform-set walthamoffice
    Crypto dynamic-map ciscopix 1 the value reverse-road
    map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
    dynmaptosw interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 13
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    lifetime 28800
    crypto ISAKMP policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    No encryption isakmp nat-traversal
    Telnet 10.5.0.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 10.5.0.0 255.255.255.0 inside
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd address 10.5.0.2 - 10.5.0.254 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP server 66.250.45.2 source outdoors
    NTP server 72.18.205.157 source outdoors
    NTP server 208.53.158.34 source outdoors
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    VPN-idle-timeout no
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *.
    !
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    !
    context of prompt hostname
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

    Add the statement of rule sheep in asa and try again.

    NAT (inside) 0-list of access pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Concerning

  • Client VPN und Cisco asa 5505 tunnel work but no traffic

    Hi all

    I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

    I have the following problem:

    I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

    To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

    Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

    After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

    I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

    What I did wrong. Could someone let me know what I have to do today.

    With hope for your help Dimitri.

    ASA configuration after reset and basic configuration: works to the Internet from within the course.

    : Saved

    : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

    !

    ASA Version 8.2 (2)

    !

    ciscoasa hostname

    activate 2KFQnbNIdI.2KYOU encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.1.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    PPPoE client vpdn group home

    IP address pppoe setroute

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    boot system Disk0: / asa822 - k8.bin

    passive FTP mode

    clock timezone THATS 1

    clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

    DNS domain-lookup outside

    DNS server-group DefaultDNS

    Server name 194.25.0.60

    Server name 194.25.0.68

    DM_INLINE_TCP_1 tcp service object-group

    port-object eq www

    EQ object of the https port

    inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

    inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

    inside_access_in list extended access deny ip any any debug log

    inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

    permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

    homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-625 - 53.bin

    ASDM location 192.168.0.0 255.255.0.0 inside

    ASDM location 192.168.10.0 255.255.255.0 inside

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    inside_access_in access to the interface inside group

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    VPDN group home request dialout pppoe

    VPDN group House localname 04152886790

    VPDN group House ppp authentication PAP

    VPDN username 04152886790 password 1

    dhcpd outside auto_config

    !

    dhcpd address 192.168.1.5 - 192.168.1.36 inside

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    TFTP server 192.168.1.5 inside c:/tftp-root

    WebVPN

    Group Policy inner residential group

    attributes of the strategy of group home group

    value of 192.168.1.1 DNS server

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list homegroup_splitTunnelAcl

    username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

    user01 username attributes

    VPN-strategy group home group

    tunnel-group home group type remote access

    attributes global-tunnel-group home group

    address homepool pool

    Group Policy - by default-homegroup

    tunnel-group group residential ipsec-attributes

    pre-shared-key ciscotest

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

    : end

    Hello

    Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

    If you connect via VPN, check the following:

    1. the tunnel is established:

    HS cry isa his

    Must say QM_IDLE or MM_ACTIVE

    2 traffic is flowing (encrypted/decrypted):

    HS cry ips its

    3. Enter the command:

    management-access inside

    And check if you can PING the inside ASA VPN client IP.

    4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

    Federico.

  • Impossible to disable Easy VPN remote for ASA 5505 6.4 AMPS

    When installing ASA 5505, we chose Easy VPN remote.  Now, we want to turn it off.  We go to Configuration in ASDM > remote access VPN > Easy VPN remote and try to clear the checkbox enable Easy VPN remote, but it will not uncheck.  How can we disable it?

    ASDM, go in tools--> command line Interface...--> and then enter 'without activating vpnclient'--> the button 'send '.

    Which will disable the Easy VPN remote on the SAA.

    Hope that helps.

  • VPN connects not to Linksys 10/100 4-port VPN Router with ASA 5505

    We are trying to get a new ASA 5505 implemented on our network after the untimely demise of our router from 1841.  One of the functions of the router that we go back to the top and the race is a pair of VPN for employees that we were working outside.  These are site-to-site virtual private networks.

    They worked with the 1841 in place, so I know the other end works.  I just have configuration problems the ASA to match.  I have been through the wizard in ASDM a couple of times, but have yet to have a bit of luck that it connects.

    Attached are the configuration files for the 1841 (with two virtual private networks) and the 5505 (with only 1 VPN in place).  Can someone help me with what I may be missing to get this working?

    A note: I am having trouble with my NAT (another post in the meantime) configurations, but I think they are close enough that I hope that is not interfering with the VPN.

    If I can get one running, the other has an almost identical game, so I should be able to get the second pretty easily.

    Any thoughts?

    Thank you

    Matt James

    Hello Mjames,

    We hope that you do very well, just to confirm the previous post that I answer for you.

    You need to change the NAT 0 configuration

    NAT (outside) 0-list of access outside_nat0_outbound

    This is the rule against the nat for VPN, please change it to:

    NAT (inside) 0-list of access outside_nat0_outbound

    I spent reviewing the configuration of both devices and which seems to be the only problem

    Please evaluate the useful messages.

    Julio

  • ASA 5505 AnyConnect 8.2 connect other subnets from site to site

    Hello

    I'm somehwat new Cisco and routing. I have an installation of two ASA 5505 that are configured for the site to site vpn and AnyConnect. The AnyConnect subnet can connect to inside VLANs to the SiteA but I can't for the remote to Site B subnet when you use AnyConnect. Any ideas? I have to add the subnet of 10.0.7.0/24 to the site to site policy? Do I need to set up several NAT rules? Details below.

    Site A: ASA 5505 8.2

    Outside: 173.X.X.X/30

    Inside: 10.0.5.0/24

    AnyConnect: 10.0.7.0/24

    Site b: ASA 5505 8.2

    Outsdie: 173.X.X.X/30

    Inside: 10.0.6.0/24

    The AnyConnect subnet cannot access the network of 10.0.6.0/24.

    Any help would be greatly appreciated! Thank you!

    Hello Kevin,

    You must go back to identity (outdoors, outdoor) identity NAT (essentially for two subnets (Anyconnect and Remote_IPSec).

    And of course to include traffic in the ACL for IPSec crypto and (if used) split with the Anyconnect tunnel.

    Note all useful posts!

    Kind regards

    Jcarvaja

    Follow me on http://laguiadelnetworking.com

  • Cisco ASA 8.4 (3) remote access VPN - client connects but cannot access inside the network

    I have problems to access the resources within the network when connecting with the Cisco VPN client for a version of 8.4 (3) operation of the IOS Cisco ASA 5510. I tried all new NAT 8.4 orders but cannot access the network interior. I can see traffic in newspapers when ping. I can only assume I have NAT evil or it's because the inside interface of the ASA is on the 24th of the same subnet as the network interior? Please see config below, any suggestion would be appreciated. I configured a VPN site to another in this same 5510 and it works well

    Thank you

    interface Ethernet0/0

    Speed 100

    full duplex

    nameif outside

    security-level 0

    IP x.x.x.x 255.255.255.240

    !

    interface Ethernet0/1

    Speed 100

    full duplex

    nameif inside

    security-level 100

    IP 10.88.10.254 255.255.255.0

    !

    interface Management0/0

    Shutdown

    nameif management

    security-level 0

    no ip address

    !

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    network of the PAT_to_Outside_ClassA object

    10.88.0.0 subnet 255.255.0.0

    network of the PAT_to_Outside_ClassB object

    subnet 172.16.0.0 255.240.0.0

    network of the PAT_to_Outside_ClassC object

    Subnet 192.168.0.0 255.255.240.0

    network of the LocalNetwork object

    10.88.0.0 subnet 255.255.0.0

    network of the RemoteNetwork1 object

    Subnet 192.168.0.0 255.255.0.0

    network of the RemoteNetwork2 object

    172.16.10.0 subnet 255.255.255.0

    network of the RemoteNetwork3 object

    10.86.0.0 subnet 255.255.0.0

    network of the RemoteNetwork4 object

    10.250.1.0 subnet 255.255.255.0

    network of the NatExempt object

    10.88.10.0 subnet 255.255.255.0

    the Site_to_SiteVPN1 object-group network

    object-network 192.168.4.0 255.255.254.0

    object-network 172.16.10.0 255.255.255.0

    object-network 10.0.0.0 255.0.0.0

    outside_access_in deny ip extended access list a whole

    inside_access_in of access allowed any ip an extended list

    11 extended access-list allow ip 10.250.1.0 255.255.255.0 any

    outside_1_cryptomap to access extended list ip 10.88.0.0 255.255.0.0 allow object-group Site_to_SiteVPN1

    mask 10.250.1.1 - 10.250.1.254 255.255.255.0 IP local pool Admin_Pool

    NAT static NatExempt NatExempt of the source (indoor, outdoor)

    NAT (inside, outside) static source any any static destination RemoteNetwork4 RemoteNetwork4-route search

    NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork1 RemoteNetwork1

    NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork2 RemoteNetwork2

    NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork3 RemoteNetwork3

    NAT (inside, outside) static source LocalNetwork LocalNetwork static destination RemoteNetwork4 RemoteNetwork4-route search

    !

    network of the PAT_to_Outside_ClassA object

    NAT dynamic interface (indoor, outdoor)

    network of the PAT_to_Outside_ClassB object

    NAT dynamic interface (indoor, outdoor)

    network of the PAT_to_Outside_ClassC object

    NAT dynamic interface (indoor, outdoor)

    Access-group outside_access_in in interface outside

    inside_access_in access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

    dynamic-access-policy-registration DfltAccessPolicy

    Sysopt connection timewait

    Service resetoutside

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-ikev1 esp-md5-hmac bh-series

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto-map dynamic dynmap 10 set pfs

    Crypto-map dynamic dynmap 10 set transform-set bh - set ikev1

    life together - the association of security crypto dynamic-map dynmap 10 28800 seconds

    Crypto-map dynamic dynmap 10 kilobytes of life together - the association of safety 4608000

    Crypto-map dynamic dynmap 10 the value reverse-road

    card crypto mymap 1 match address outside_1_cryptomap

    card crypto mymap 1 set counterpart x.x.x.x

    card crypto mymap 1 set transform-set ESP-AES-256-SHA ikev1

    card crypto mymap 86400 seconds, 1 lifetime of security association set

    map mymap 1 set security-association life crypto kilobytes 4608000

    map mymap 100-isakmp ipsec crypto dynamic dynmap

    mymap outside crypto map interface

    crypto isakmp identity address

    Crypto isakmp nat-traversal 30

    Crypto ikev1 allow outside

    IKEv1 crypto ipsec-over-tcp port 10000

    IKEv1 crypto policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 1

    life 86400

    IKEv1 crypto policy 50

    preshared authentication

    the Encryption

    md5 hash

    Group 2

    life 86400

    IKEv1 crypto policy 60

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 70

    preshared authentication

    aes-256 encryption

    sha hash

    Group 1

    life 86400

    IKEv1 crypto policy 90

    preshared authentication

    aes encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    Console timeout 0

    management-access inside

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal BACKDOORVPN group policy

    BACKDOORVPN group policy attributes

    value of VPN-filter 11

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelall

    BH.UK value by default-field

    type tunnel-group BACKDOORVPN remote access

    attributes global-tunnel-group BACKDOORVPN

    address pool Admin_Pool

    Group Policy - by default-BACKDOORVPN

    IPSec-attributes tunnel-group BACKDOORVPN

    IKEv1 pre-shared-key *.

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group ipsec-attributes x.x.x.x

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    Excellent.

    Evaluate the useful ticket.

    Thank you

    Rizwan James

  • Ipad Cisco ipsec VPN connects but not access to the local network

    Hi guys,.

    I am trying to connect our ipads to vpn to access network resources. IPSec cisco ipad connects but not lan access and cannot ping anything not even not the interfaces of the router.

    If I configure the vpn from cisco on a laptop, it works perfectly, I can ping all and can access resources on the local network if my guess is that the traffic is not going in the tunnel vpn between ipad and desktop.

    Cisco 877.

    My config is attached.

    Any ideas?

    Thank you

    Build-in iPad-client is not useful to your configuration.

    You have three options:

    (1) remove the ACL of your vpn group. Without split tunneling client will work.

    2) migrate legacy config crypto-map style. Here, you can use split tunneling

    3) migrate AnyConnect.

    The root of the problem is that the iPad Gets the split tunneling-information. But instead of control with routing traffic should pass through the window / the tunnel and which traffic is allowed without the VPN of the iPad tries to build a set of SAs for each line in your split-tunnel-ACL. But with the model-virtual, SA only is allowed.

  • Urgent! Users of remote access VPN connects but cannot access remote LAN (ping, folder,...)

    Hello

    I am setting up a VPN on a Cisco ASA 5510 version 8.4 remote access (4) 1.

    When I try to connect via the Cisco VPN client software, I am able to connect however I am unable to access network resources.

    However, I can ping the servers in the other site that is connected through the VPN site-to site to the main site!

    VPN client--> main site (ping times on)--> Site connected with the main site with VPN S2S (successful ping)

    Please help me I need to find a solution as soon as POSSIBLE!

    Thank you in advance.

    Hello

    Please remove the NAT exemption and the re - issue the command but with #1, so it will place the NAT as first line:

    No nat (SERVERS, external) static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

    NAT (SERVERS, external) 1 static source SERVERS_LAN SERVERS_LAN NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 non-proxy-arp-search of route static destination

    After re-configured this way, make sure that this command is also available:

    Sysopt connection permit VPN

    This sysopt will allow traffic regardles any ACL a fall, just in case. Please continue to run a package tracer and post it here,

    Packet-trace entry Server icmp XXXXXX 8 0 detailed YYYYY

    XXXX--> server IP

    AAAA--> VPN IP of the user

    Don't forget to do the two steps and a just in case, capture Please note and mark it as correct the useful message!

    Thank you

    David Castro,

  • AnyConnect VPN for Cisco ASA 5505 refused connections

    I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

    interface Vlan2
    mac-address xxxx.xxxx.xxxx
    nameif outside
    security-level 0
    ip address A.A.A.A 255.255.255.240
    !
    access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
    access-list outside_access_in extended permit tcp any host C.C.C.C eq https
    access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
    access-list outside_access_in extended permit tcp any host C.C.C.D eq https
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
    access-list outside_access_in extended permit tcp any host C.C.C.D eq www
    access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
    access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
    access-list outside_access_in extended permit gre any host C.C.C.C
    access-list outside_access_out extended permit ip any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip any interface outside
    access-list inside_access_out extended permit ip any any

    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside

    webvpn
    enable inside
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable

    group-policy DfltGrpPolicy attributes
    dns-server value X.X.X.X
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value
    address-pools value palm
    webvpn
      svc rekey time 30
      svc rekey method ssl
      svc ask enable default webvpn

    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect http
      inspect icmp
      inspect ftp
    !

    When I try to connect, I get this error in the real-time log viewer:

    TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

    Here are the details of the license:

    Licensed features for this platform:
    Maximum Physical Interfaces  : 8
    VLANs                        : 3, DMZ Restricted
    Inside Hosts                 : Unlimited
    Failover                     : Disabled
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 10
    Dual ISPs                    : Disabled
    VLAN Trunk Ports             : 0
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials        : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled

    This platform has a Base license.

    Can someone tell me what I am doing wrong or what access list I'm missing?

    I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

    Hi Matt,

    You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

    WebVPN

    tunnel-group-list activate

    Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

    HTH

    Herbert

Maybe you are looking for


HashFlare