VPN Local lan access

I have set up a cisco 861 as a vpn server. Could I help you if someone can tell what is the problem? Clients can connect, but cannot access local resources from lan for subnet 10.0.10.0

Building configuration...

Current configuration: 9770 bytes
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec localtime

Show time-zone
Log service timestamps datetime localtime show msec.

time zone
encryption password service
sequence numbers service
!
hostname RT861W
!
boot-start-marker
start the flash c860-universalk9 - mz.124 - 24.T3.bin system
boot-end-marker
!
forest-meter operation of syslog messages
logging buffered 4096 warnings
recording console critical
enable secret 5 xxxxxxxx
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone IS - 4
clock save interval 24
!
Crypto pki trustpoint TP-self-signed-3796206546
enrollment selfsigned
name of the object cn = IOS-Self-signed-certificate-

3796206546
revocation checking no
rsakeypair TP-self-signed-3796206546
!
!
chain pki crypto TP-self-signed certificates.

3796206546
certificate self-signed 01
30820259 308201 2 A0030201 02020101 300 D 0609

2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 31312F30

2 536967 6E65642D 43657274
69666963 33373936 32303635 6174652D 3436301E

170 3130 30363130 32323534
33395A 17 0D 323030 31303130 30303030 305A 3031

06035504 03132649 312F302D
65642 43 65727469 5369676E 656C662D 4F532D53

66696361 74652 33 37393632
3630819F 30363534 300 D 0609 2A 864886 F70D0101

01050003 818 0030 81890281
81009C 68 0509FEBA BA0D4251 52AA3F1C DBB7CACB

138D0D3D 8017AB75 04AABD97
16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6

EB32858B 4385DE6C 3ED11616
2B997D14 C6C86431 9A 956161 2D0581F4 767D60E1

82FF426A 911D503E 8995A69B
6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464

E6DA7E06 44F94B16 3EA57809
5B 710203 010001 HAS 3 8180307E 300F0603 551D 1301

01FF0405 FF302B06 30030101
11 04243022 82205254 38363157 2E636F6C 03551D

6C696E73 2E316661 6D696C79
756E6974 65642E63 6F6D301F 0603551D 23041830

1680142C 21E7314B D28AFE1A
26115A1B F53AFB03 1 060355 1D0E0416 0ED1A830

04142C 21 E7314BD2 8AFE1A26
115A1BF5 3AFB030E D1A8300D A 06092, 86 4886F70D

01010405 00038181 008CC48F
6A1BFB52 0F268B05 B977AE8E CA450936 8272 D 889

B46DE9FB 5680782C 59DA2354
04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22

C7BED922 73C35C32 54696F37
89E424C2 561FFF54 99573AC6 713E58D8 E3B67064

295 4331 845FCDEC F6CD8017 D
58006 58 F94A8771 78217788 FE63AA11 0E5DF6B1

1A8D0111 CDD87A1D CC
quit smoking
no ip source route
no ip free-arps
chip-Relay IP dhcp
ignore the IP dhcp bootp
DHCP excluded-address IP 10.0.1.1 10.0.1.10
DHCP excluded-address IP 10.0.10.1 10.0.10.10
!
dhcp VLAN_10 IP pool
Network 10.0.10.0 255.255.255.224
router by default - 10.0.10.1
Domain xxxxxx
10.0.10.1 DNS server
!
dhcp VLAN_1 IP pool
Network 10.0.1.0 255.255.255.224
default router 10.0.1.1
Domain xxxxxx
10.0.1.1 DNS server
!
!
IP cef
inspect the IP log drop-pkt
IP inspect high 1100 max-incomplete
IP inspect 1100 max-incomplete bass
IP inspect a high minute 1100
IP inspect a minute low 1100
inspect the IP udp idle time 60
inspect the IP dns-timeout 10
inspect the name firewall tcp timeout IP 3600
inspect the name firewall udp timeout 15 IP
inspect the name firewall ftp queue time 3600 IP
inspect the name firewall rcmd timeout IP 3600
IP inspect alert firewall smtp name on timeout 3600
inspect the name firewall sqlnet timeout IP 3600
inspect the IP name firewall tftp timeout 30
inspect the name firewall icmp time 15 IP
inspect the name firewall ssh timeout 15 IP
IP inspect name Connection Firewall audit trail on
inspect the name webster firewall IP
IP inspect skinny firewall name
inspect the router IP firewall name
inspect the IP firewall cifs name
inspect the name cuseeme firewall IP
IP inspect the dns name of the firewall
inspect the name realaudio firewall IP
inspect the name firewall rtsp IP
inspect the name streamworks firewall IP
inspect the name vdolive firewall IP
inspect the IP sip firewall name
inspect the name firewall pop3 alert on reset IP
inspect the name ftps firewall IP
inspect the name isakmp firewall IP
inspect the IP name of firewall ipsec-msft
inspect the name ntp FIREWALL IP
inspect the IP name firewall imap
inspect the name imaps firewall IP
inspect the name imap3 FIREWALL IP
inspect the name pop3s firewall IP
no ip bootp Server
IP domain name xxxxxxxxx
8.8.8.8 IP name-server
IP-server names 8.8.4.4
name-server IP 208.67.222.222
IP-server names 208.67.220.220
name of the IP-server 74.128.19.102
name of the IP-server 74.128.17.114
!
!
notify licensing agent

http://10.0.10.11:9710 / clm/servlet/HttpListenServlet

dummy dummy 2.0
!
!
username privilege 15 secret 5 xxxx xxxxxx
username xxxxx xxxxx secret 5
!
!
crypto ISAKMP policy 3
BA aes 256
preshared authentication
Group 2
ISAKMP crypto nat keepalive 3600
!
ISAKMP crypto client configuration group xxxxx
key xxxxxx
DNS 10.0.10.5
domain xxxxxxxx
pool vpnpool
include-local-lan
netmask 255.255.255.224
!
!
Crypto ipsec transform-set esp esp - aes 256 RIGHT-

model of hmac-SHA-lzs
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client authentication

userauthen
card crypto clientmap isakmp authorization list

groupauthor
client configuration address map clientmap crypto

initiate
client configuration address map clientmap crypto

answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
Crypto ctcp port 6000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
Bridge IRB
!
!
!
interface Loopback0
IP 10.100.100.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
switchport mode trunk
!
interface FastEthernet4
WAN description $ FW_OUTSIDE$
address IP dhcp client id FastEthernet4
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
stream IP output
inspect the firewall on IP
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
wlan-ap0 interface
description of the Service interface module to manage the

Embedded AP
IP unnumbered Vlan1
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP virtual-reassembly
ARP timeout 0
!
interface GigabitEthernet0 Wlan
description of the Service interface module to manage the

Embedded AP
switchport mode trunk
!
interface Vlan1
VLAN_1 description $ FW_INSIDE$
IP 10.0.1.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface Vlan10
VLAN_10 description $ FW_INSIDE$
IP 10.0.10.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface BVI1
Description $FW_INSIDE$
in the form of address IP WAPB dhcp host name
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
no ip-cache cef route
no ip route cache
!
router RIP
version 1
10.0.0.0 network
!
IP local pool vpnpool 197.0.0.1 197.0.0.5
no ip forward-Protocol nd
IP route 0.0.0.0 0.0.0.0 dhcp
IP route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
!
The dns server IP
IP nat inside source list 1 interface FastEthernet4

Overload
IP nat inside source list 2 interface FastEthernet4

Overload
IP nat inside source static tcp 10.0.10.3 3389

interface FastEthernet4 3389
IP nat inside source static tcp 10.0.10.3 1723

interface FastEthernet4 1723
IP nat inside source static tcp 10.0.10.3 80

interface FastEthernet4 80
!
record 10.0.10.1
access-list 1 permit 10.0.1.0 0.0.0.31
access-list 2 permit 10.0.10.0 0.0.0.31
access-list 199 permit any one
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp a whole Workbench
access-list 199 permit udp any any eq 3389
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 tcp refuse a whole
access-list 199 tcp 10.0.0.0 refuse 0.255.255.255 everything
access-list 199 tcp 172.16.0.0 refuse 0.15.255.255

any
access-list 199 tcp 192.168.0.0 refuse 0.0.0.255 any
access-list 199 refuse udp 10.0.0.0 0.255.255.255 everything
access-list 199 refuse udp 172.16.0.0 0.15.255.255

any
access-list 199 refuse udp 192.168.0.0 0.0.0.255 any
access-list 199 refuse icmp no echo
access-list 199 deny udp any how any eq 135
access-list 199 deny udp any any eq netbios-ns
access-list 199 deny udp any any eq netbios-ss
access-list 199 deny udp any any eq isakmp
access-list 199 tcp refuse any any eq telnet
access-list 199 tcp refuse any any eq smtp
access-list 199 tcp refuse any any eq nntp
access-list 199 tcp refuse any any eq 135
access-list 199 tcp refuse any any eq 137
access-list 199 tcp refuse any any eq 139
access-list 199 tcp refuse any any eq www
access-list 199 tcp refuse any any eq 443
access-list 199 tcp refuse any any eq 445
access-list 199 refuse an entire ip
not run cdp

!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
bridge 10 Protocol ieee
IP route 10 bridge
connection of the banner ^ CAuthorized access only!
Unplug IMMEDIATELY if you are not authorized

user! ^ C
!
Line con 0
no activation of the modem
telnet output transport
line to 0
telnet output transport
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transportation out all
line vty 0 4
access-class 104 in
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
Server NTP 192.43.244.18
end

Hello

The problem is due to NAT configurations. Please, try the following:

no nat ip within the source list 1 interface FastEthernet4 overload

no nat ip inside the source list 2 interface FastEthernet4 overload

access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7

access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255

access-list 101 permit ip 10.0.0.0 0.0.255.31 all

Internet route map

corresponds to the IP 101

output

IP nat inside source overload map route Internet interface FastEthernet4

This will ensure that the VPN clients can access all internal

resources. However, they will not be able to access to the 10.0.10.3 Server

using its private IP address that you can not use the roadmap, when you use the

keyword "interface." If you have a static IP address assigned to your FastEthernet4

You can then use the interface by the ISP, the configuration below:

access-list 102 refuse host ip 10.0.10.3 197.0.0.0 0.0.0.7

access-list 102 refuse 10.0.10.3 ip host 10.0.0.0 0.0.255.255

access-list 102 permit ip 10.0.10.3 host everything

route server map

corresponds to the IP 101

output

no nat ip inside source static tcp 10.0.10.3 interface FastEthernet4 3389

3389

no nat ip inside the source static tcp 10.0.10.3 1723 interface FastEthernet4

1723

no nat ip inside the 80 tcp static 10.0.10.3 source FastEthernet4 80 interface

IP nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389

route server map

IP nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 ip" 1723

route server map

IP nat inside source static tcp 10.0.10.3 80 'FastEthernet4 ip' 80-route map

Server

I hope this helps.

Kind regards

NT

Tags: Cisco Security

Similar Questions

  • How to grant local LAN access when you are connected via a central-site

    I know how to activate the local LAN access in the properties for the client connection, but I don't know how to allow access to the central site

    Central site is a CISCO 1721 with module as well as IOS IPSEC VPN

    tanks for any help

    Hello

    This feature is only supported when you connect to a VPN3K box, its not available for PIX/IOS as a vpn server, allowing it on the client-side custom has no effect when you connect to a server of PIX/IOS.

    THX

    AFAQ

  • AnyConnect VPN and LAN access

    When remote users to connect to the Cisco ASA VPN and authenticate with Cisco AnyConnect client, they then full access to the environment internal of LAN of business as if they were sitting at their desks in the Office of the Corporation.

    Right?

    After that the remote client authenticates to the AnyConnect VPN, it is sensible to then run remote users of traffic through the corporate firewall (outside to inside) before allowing LAN access full corporate?

    Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN

    Thank you

    Frank

    Hello

    Yes, by default, all traffic will be sent through the tunnel.

    If there are users VPN shouldn't be able to reach the resources, you need to establish rules for access to it. The best way to do this is by using VPN filter.

  • Local LAN access on peer-to-peer connection

    I'll put up a laptop computer with Windows ME and VPN Client 3.6.3 who faces two remote sites that use the PIX 520 to 6.22. On the first site of the LAN (behind the PIX) uses a NT domain. Here, the laptop is able to connect properly to the domain and map shared drives. On the second site LAN is peer-to-peer (no logon of domain). On this site that the tunnel is created and the laptop can access web services (http, ftp, etc.) on the LAN hosts, but are unable to map shared drives. The WINS server setting seems correct. Are there additional routing or tunneling configuration to allow local access from LAN to LAN to peer? Thank you.

    For Win2k, you will need to telnet to port 445 and no 139.

    NetBEUI will not work through a VPN tunnel. VPNS are an IP-based solution. NetBEUI works only as a broadcast on the local network. Switched Native can handle NetBEUI, but not the VPN tunnel. Sure just that all the hosts that use TCP/IP instead of NetBEUI, and it should work fine.

  • Cisco 877 VPN router LAN access

    I have spent much time already trying to figure out why I can't reach the LAN behind the router connecting through VPN, I thought it would be easier to ask people with more experience than me.

    So, here he goes, this is the configuration of a router 877 adsl with some ACL defined for security and NAT/PAT, the VPN connects to customer VPN CIco however I don't see anything on the LAN to the remote computer (for example: cannot ping the router or server on the local network)

    Also, since the router I can not ping the remote VPN computer when connected... I already tried a lot of different things, but my knowledge of cisco is limited, so I hope someone in this forum can sort it with little effort or change in this config... I replaced the ip addresses and passwords for security reasons.

    In a Word, what is false or absent in this config which is not let me reach the LAN when docked hollow VPN?

    Appreciate the help:

    version 12.4
    no service button
    horodateurs service debug datetime msec
    Log service timestamps datetime msec localtime
    encryption password service
    !
    hostname My877Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 XXXXXXXXXX
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    connection of local AAA VPN authentication.
    AAA authorization exec default local
    local authorization AAA VPN network
    !
    !
    AAA - the id of the joint session
    clock timezone CST 9 30
    !
    Crypto pki trustpoint TP-self-signed-901674690
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 901674690
    revocation checking no
    rsakeypair TP-self-signed-901674690
    !
    !
    TP-self-signed-901674690 crypto pki certificate chain
    certificate self-signed 01
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    quit smoking
    dot11 syslog
    IP cef
    !
    !
    inspect the IP router-traffic tcp name _OUTBOUND_
    inspect the IP router traffic udp name _OUTBOUND_
    inspect the name _OUTBOUND_ http IP
    inspect the IP name _OUTBOUND_ https
    inspect the IP dns _OUTBOUND_ name
    inspect the IP router traffic icmp name _OUTBOUND_
    no ip domain search
    IP domain name mydomain.com.au
    Name A.B.C.D IP-server
    IP-name x.y.z.w Server
    !
    aes encryption password
    !
    !
    username admin privilege 15 secret 5 #$% ^ & *.
    Admin2 username privilege 15 secret 5 #$% ^ & *.
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    life 3600
    !
    ISAKMP crypto group configuration of VPN client
    key 6 #$%^&_)(*&^%$%^&*(&^$
    DNS 192.168.100.5
    domain mydomain.com.au
    pool VPN
    ACL 100
    Max-users 5
    Max-Connections 1
    netmask 255.255.255.0
    !
    86400 seconds, duration of life crypto ipsec security association
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac vpn1
    !
    Crypto-map dynamic dynmap 11
    Set transform-set vpn1
    market arriere-route
    !
    !
    list of card crypto dynmap customer VPN authentication
    card crypto dynmap VPN isakmp authorization list
    client configuration address card crypto dynmap initiate
    client configuration address card crypto dynmap answer
    dynmap 11 card crypto ipsec-isakmp dynamic dynmap
    !
    Archives
    The config log
    hidekeys
    !
    !
    !
    type of class-card inspect VPN-match-all traffic
    game group-access 100
    !
    !
    type of policy-card inspect PCB-pol-outToIn
    class type inspect VPN traffic
    inspect
    !
    !
    !
    !
    ATM0 interface
    no ip address
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    route IP cache flow
    No atm ilmi-keepalive
    PVC 8/35
    aal5mux encapsulation ppp Dialer
    Dialer pool-member 1
    !
    DSL-automatic operation mode
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    Description LAN_INTERFACE
    IP 192.168.100.1 address 255.255.255.0
    no ip redirection
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly
    route IP cache flow
    IP tcp adjust-mss 1452
    !
    interface Dialer0
    ADSL description
    the negotiated IP address
    IP access-group 101 in
    Check IP unicast reverse path
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    inspect the _OUTBOUND_ over IP
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    route IP cache flow
    Dialer pool 1
    No cdp enable
    Authentication callin PPP chap Protocol
    PPP chap hostname [email protected] / * /
    PPP chap 7 76478678786 password
    card crypto dynmap
    !
    local pool IP VPN 192.168.200.1 192.168.200.10
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    IP nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
    IP nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
    IP nat inside source static tcp 192.168.100.9 1352 Dialer0 1352 interface
    IP nat inside source static tcp 192.168.100.6 3389 3389 Dialer0 interface
    IP nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
    IP nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
    the IP nat inside source 1 interface Dialer0 overload list
    !
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 100 permit ip 192.168.200.0 0.0.0.255 any
    access-list 101 permit tcp any any eq 443 newspaper
    access-list 101 permit tcp any any eq smtp newspaper
    access-list 101 permit tcp any any eq 1352 newspaper
    access-list 101 permit tcp A.B.C.D host any newspaper
    access-list 101 permit tcp host x.y.z.w any log
    access-list 101 permit tcp host r.t.g.u any log
    access-list 101 permit udp any host x.x.x.x eq isakmp newspaper
    access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
    access-list 101 deny ip any any newspaper
    access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 connect
    access-list 102 permit ip 192.168.100.0 0.0.0.255 any what newspaper
    Dialer-list 1 ip protocol allow
    not run cdp
    !
    !
    route allowed sheep 11 map
    corresponds to the IP 102
    !
    !
    control plan
    !
    Banner motd ^ C
    Unauthorized access prohibited! ^ C
    !
    Line con 0
    exec-timeout 20 0
    no activation of the modem
    line to 0
    line vty 0 4
    privilege level 15
    entry ssh transport
    !
    max-task-time 5000 Planner
    x.x.x.x SNTP server
    y.y.y.y SNTP server
    end

    My877Router #.

    Doesn't look like anything sent through the VPN tunnel. Decrypt the counter does not increase.

    Can you please try to connect by a different ISP and see if that makes a difference?

    You can also try to connect from another PC and see if that makes a difference?

    The configuration on the router seems correct to me.

  • No Local Lan access

    Hello

    I set up a VPN of RA for cisco router 871, I am able to connect, but I don't seem to

    to have any network local access and I am not able to connect to the internet.

    Also, I have configured the router as dmvpn sticks, it works as desired.

    If someone has an idea, let know me please, I have attached the running configuration.

    Thank you

    Hello

    I suggest you consult the following configuration guide that describes the split tunneling

    http://www.Cisco.com/en/us/products/HW/routers/ps274/products_configuration_example09186a0080819289.shtml

    What is the single subnet you want to encrypt?

    splitremote extended IP access list
    IP 192.168.254.0 allow 0.0.0.255 any

    If Yes this LCA has not been applied in crypto isakmp client configuration group configuration. See the guide for more details.

    Also your NAT config is incomplete:

    NAT extended IP access list

    The guide also explains how to exclude only the VPN pool using a NAT.

    See the Guide below:


    
    !--- Enables Network Address Translation (NAT)
    
    !--- of the inside source address that matches access list 111
    
    !--- and gets PATed with the FastEthernet IP address.
    

    ip nat inside source list 111 interface FastEthernet1/0 overload
    
    !
    
    
    
    !--- The access list is used to specify which traffic
    
    !--- is to be translated for the outside Internet.

    
    
    
    access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    
    access-list 111 permit ip any any

    
    Please remember to rate all posts that are helpful.

  • Local Lan access through the ASA5510

    I'm at my wits end trying to figure this. We are trying to replace our good ol 3030 ' with an ASA 5510 vpn purposes. I have setup the ASA as follows:

    E0/0 is the public interface: xxx.xxx.199.10/24

    E0/1 is the private interface: 172.20.72.0/24

    Remote clients obtain an address of 10.12.27.xxx of the SAA.

    The customer get the address very well, but can not access what anyone on the 172.20.72.xxx network. This piece I am missing? Some NAT type?

    William, glad everything worked, remember messages useful rate.

    Concerning

  • ASA + no local lan access

    Hi all

    I have an ASA 5510 configured, when I try to connect to my asa fom the VPN client

    I can connect but can not reach my internal network.

    I have attached the running configuration, if anyone has an idea please let know me.

    Thank you

    This NAT exemption does not seem to be correct, can you please indicate why there is exemption from NAT 2 configured on the inside interface and the other with the keyword 'outside '?

    NAT (inside) 0-list of access inside_nat0_outbound_1
    NAT (inside) 0 inside_nat0_outbound_2 list of outdoor access

    I suggest you remove the second line because it's not really sense:

    no nat (inside) 0 inside_nat0_outbound_2 list of outdoor access

    Then 'clear xlate' to clear the existing translation.

    Secondly, please configure: management-access inside, then once your vpn is connected, see if you can reach 192.0.0.40.

    Finally, if it works, if you try to test with ping, please configure the following:

    Policy-map global_policy
    class inspection_default

    inspect the icmp

    and see if you can test the ip address of the router 192.0.0.187.

    Hope that helps.

  • Remote access VPN users unable to see local lan or internet

    We implement an ASA5510. Now our users can connect to the vpn but cannot access the internal Lan or internet.

    Here is the config. Any help or idea would be greatly appreciated. Thank you

    Cryptochecksum: dd11079f e4fe7597 4a8657ba 1e7b287f

    : Saved
    : Written by enable_15 at 11:04:57.005 UTC Wednesday, April 22, 2015
    !
    ASA Version 9.0 (3)
    !
    CP-ASA-TOR1 hostname
    activate m.EmhnDT1BILmiAY encrypted password
    names of
    local pool CPRAVPN 10.10.60.1 - 10.10.60.40 255.255.255.0 IP mask
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    IP 63.250.109.211 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    10.10.10.254 IP address 255.255.255.0
    !
    interface Ethernet0/2
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    passive FTP mode
    the local object of net network
    10.10.10.0 subnet 255.255.255.0
    net remote object network
    10.10.1.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_10.10.10.0_24 object
    10.10.10.0 subnet 255.255.255.0
    network of the NETWORK_OBJ_10.10.60.0_26 object
    255.255.255.192 subnet 10.10.60.0
    Outside_1_cryptomap to access extended list ip 10.10.10.0 allow 255.255.255.0 net object / distance
    CPRemoteVPN_splitTunnelAcl list standard access allowed 10.10.10.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    management of MTU 1500
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm-731 - 101.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) local static source net net-local destination static net distance net-distance
    NAT (inside, outside) static source NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.60.0_26 NETWORK_OBJ_10.10.60.0_26 non-proxy-arp-search of route static destination
    !
    NAT (inside, outside) source after-service dynamic automatic one interface
    Route outside 0.0.0.0 0.0.0.0 63.250.109.209 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    Enable http server
    http 192.168.1.0 255.255.255.0 management
    http 10.10.10.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto Outside_map 1 corresponds to the address Outside_1_cryptomap
    card crypto Outside_map 1 set pfs Group1
    card crypto Outside_map 1 set peer 209.171.34.91
    card crypto Outside_map 1 set transform-set ESP-3DES-SHA ikev1
    card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    Outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal CPRemoteVPN group strategy
    attributes of Group Policy CPRemoteVPN
    Server DNS 10.10.10.12 value
    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
    value of Split-tunnel-network-list CPRemoteVPN_splitTunnelAcl
    carepath.local value by default-field
    Split-dns value carepath.ca
    activate dns split-tunnel-all
    no method of MSIE-proxy-proxy
    the address value CPRAVPN pools
    roys jjiV7E.dmZNdBlFQ encrypted password privilege 0 username
    roys username attributes
    VPN-group-policy CPRemoteVPN
    tunnel-group 209.171.34.91 type ipsec-l2l
    IPSec-attributes tunnel-group 209.171.34.91
    IKEv1 pre-shared-key *.
    type tunnel-group CPRemoteVPN remote access
    attributes global-tunnel-group CPRemoteVPN
    address CPRAVPN pool
    Group Policy - by default-CPRemoteVPN
    IPSec-attributes tunnel-group CPRemoteVPN
    IKEv1 pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:dd11079fe4fe75974a8657ba1e7b287f

    : end

    Hello

    A couple of things set this:

    -crypto isakmp nat-traversal 20

    -management-access inside

    Can you run a packet tracer and attach it here, to see what are the phases that crosses the package.

    David Castro,

    Concerning

  • Blocks VIRTUAL local network access to a tunnel VPN IPSec on WRV200?

    I have two identical WRV200 wireless routers which are connected by a VPN IPSec tunnel.  This goes to my LAN LAN of my parents.  Everything works well.

    But I also have my WRV200 configured for two VLANS.  Vlan1 for my network and secure wireless access.  VLAN2 for a WiFi not secure for customers.

    My problem is that my guest on VLAN2 slips through the VPN devices and access on LAN of my parents.  I'm looking for a way to block to do this.

    I use the version of the software on the two routers (v1.0.39).

    For what it's worth, I know that my receive an IP address in the range 192.168.x.101 DHCP - 199.  I could assign a different range if that helps.  I thought that I could block this beach on the remote router firewall, but I see there is blocking a single IP address at the time, maximum of 8.  Am I missing something?

    Or could I put something weird in the routing tables somewhere to get the IPs guest out of lala land?

    Any suggestions are appreciated.  I can't be the only one in this boat.

    Steve

    Try to check local and remote, vpn under safe group settings if you change the ip address range subnet. Don't include the range of ip addresses of the computers wireless comments so that it will not pass through the vpn tunnel. If there is no ip range option, you must to the subnet of the network in order to control the ip address you want to allow on the vpn tunnel.

  • AnyConnect VPN connected but not in LAN access

    Hello

    I just connfigured an ASA to remote VPN. I think everything works but I do not have access

    for customers in the Local LAN behind the ASA.

    PC <==internet==>outside of the SAA inside<=LAN=> PC

    After AnyConnect has established the connection I can ping inside the Interface of the ASA

    but I can't Ping the PC behind the inside Interface.

    Here is the config of the ASA5505:

    : Saved

    :

    ASA Version 8.2 (1)

    !

    asa5505 hostname

    activate 8Ry2YjIyt7RRXU24 encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.1.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 192.168.178.254 255.255.255.0

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    Shutdown

    !

    interface Ethernet0/3

    Shutdown

    !

    interface Ethernet0/4

    Shutdown

    !

    interface Ethernet0/5

    Shutdown

    !

    interface Ethernet0/6

    Shutdown

    !

    interface Ethernet0/7

    Shutdown

    !

    passive FTP mode

    Inside_ICMP list extended access permit icmp any any echo response

    Inside_ICMP list extended access permit icmp any any source-quench

    Inside_ICMP list extended access allow all unreachable icmp

    Inside_ICMP list extended access permit icmp any one time exceed

    access-list outside_cryptomap_2 note ACL traffic von ASA5505 zur ASA5510

    outside_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

    no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

    no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.178.0 255.255.255.0

    tunnel of splitting allowed access list standard 192.168.1.0 255.255.255.0

    pager lines 24

    Within 1500 MTU

    Outside 1500 MTU

    mask 192.168.1.10 - 192.168.1.15 255.255.255.0 IP local pool SSLClientPool

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access no_NAT

    NAT (inside) 1 192.168.1.0 255.255.255.0

    Access-group Inside_ICMP in interface outside

    Route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

    Route outside 192.168.10.0 255.255.255.0 192.168.178.230 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication http LOCAL console

    Enable http server

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set-3DESSHA FRA esp-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 2 match address outside_cryptomap_2

    peer set card crypto outside_map 2 192.168.178.230

    card crypto outside_map 2 game of transformation-FRA-3DESSHA

    outside_map interface card crypto outside

    Crypto ca trustpoint localtrust

    registration auto

    domain name full cisco - asa5505.fritz.box

    name of the object CN = cisco - asa5505.fritz.box

    sslvpnkeypair key pair

    Configure CRL

    Crypto ca certificate chain localtrust

    certificate fa647850

    3082020b a0030201 30820174 020204fa 0d06092a 64785030 864886f7 0d 010104

    0500304 06035504 03131763 6973636f 617361 35353035 2e667269 2d 3120301e a

    747a2e62 6f783126 30240609 2a 864886 f70d0109 02161763 6973636f 2d 617361

    2e667269 35353035 747a2e62 6f78301e 170d 3132 31303132 31383434 31305a 17

    323231 30313031 38343431 06035504 03131763 6973636f 3120301e 305a304a 0d

    617361 35353035 2e667269 747a2e62 6f783126 2a 864886 30240609 f70d0109 2D

    6973636f 02161763 2d 617361 35353035 2e667269 747a2e62 6f783081 9f300d06

    d6279e1c 8181009f 092a 8648 86f70d01 01010500 03818d 30818902 00 38454fc 9

    705e1e58 762edc35 e64262fb ee55f47b 8d62dda2 102c8a22 c97e395f 2a9c0ebb

    f2881528 beb6e9c3 89d91dda f7fe77a4 2a1fda55 f8d930b8 3310a05f 622dfc8f

    d48ea749 7bbc4520 68 has 06392 d65d3b87 0270e41b 512a4e89 94e60167 e2fa854a

    87ec04fa e95df04f 3ff3336e c7437e30 ffbd90b5 47308502 03010001 300 d 0609

    2a 864886 04050003 81810065 cc9e6414 3c322d1d b191983c 97b474a8 f70d0101

    2e5c7774 9d54d3ec fc4ee92d c72eef27 a79ce95a da83424f b05721c0 9119e7ea

    c5431998 e6cd8272 de17b5ff 5b1839b5 795fb2a0 2d10b479 056478fa 041555dd

    bfe3960a 4fe596ec de54d58b a5fa187e 5967789a a26872ef a33b73ec 7d7673b9

    c8af6eb0 46425cd 2 765f667d 4022c 6

    quit smoking

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    management-access inside

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    localtrust point of trust SSL outdoors

    WebVPN

    allow outside

    SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image

    SVC disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 image

    enable SVC

    tunnel-group-list activate

    internal SSLClientPolicy group strategy

    attributes of Group Policy SSLClientPolicy

    VPN-tunnel-Protocol svc

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split tunnel

    the address value SSLClientPool pools

    WebVPN

    SVC Dungeon-Installer installed

    time to generate a new key of SVC 30

    SVC generate a new method ssl key

    SVC request no svc default

    username password asdm privilege Yvx83jxa2WCRAZ/m number 15

    hajo 2w8CnP1hHKVozsC1 encrypted password username

    hajo attributes username

    type of remote access service

    tunnel-group 192.168.178.230 type ipsec-l2l

    IPSec-attributes tunnel-group 192.168.178.230

    pre-shared-key *.

    type tunnel-group SSLClientProfile remote access

    attributes global-tunnel-group SSLClientProfile

    Group Policy - by default-SSLClientPolicy

    tunnel-group SSLClientProfile webvpn-attributes

    enable SSLVPNClient group-alias

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:0008564b545500650840cf27eb06b957

    : end

    What wrong with my setup.

    Concerning

    Hans-Jürgen Guenter

    Hello Hans,.

    You should change your VPN pool to be a different subnet within the network, for example: 192.168.5.0/24

    Then configure NAT exemption for traffic between the Interior and the pool of vpn.

    Based on your current configuration, the following changes:

    mask 192.168.5.10 - 192.168.5.15 255.255.255.0 IP local pool SSLClientPool

    no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0

    And then also to enable icmp inspection:

    Policy-map global_policy

    class inspection_default

    inspect the icmp

  • VPN problem when local lan IP is IP LAN Corp.

    Hello

    I'm having a problem to access corporate services when an example of one of our servers IP address matches an IP address of a local host from the local network, accessed from.

    Is there a way to bypass and or solve this problem?

    I use split tunnel, I send you all DNS requests through the tunnel and assigning the DNS name.

    I inherited this network which is a 192.168.0.0/23 with many services on 192.168.1.x that match easily private local lans.

    Hello Michael,

    To resolve the overlap, you need hide the remote with a NAT rule network, so that VPN clients point to an address using a NAT on the SAA.

    Can I know the version of your ASA?

    Thank you.

    Portu.

  • IPSec VPN pix 501 no LAN access

    I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:

    : Saved

    :

    6.3 (3) version PIX

    interface ethernet0 car

    interface ethernet1 100full

    nameif ethernet0 WAN security0

    nameif ethernet1 LAN security99

    enable encrypted password xxxxxxxxxxxxx

    xxxxxxxxxxxxxxxxx encrypted passwd

    host name snowball

    domain xxxxxxxxxxxx.local

    clock timezone PST - 8

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol pptp 1723

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol 2000 skinny

    No fixup not protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names of

    acl_in list of access permit udp any any eq field

    acl_in list of access permit udp any eq field all

    acl_in list access permit tcp any any eq field

    acl_in tcp allowed access list any domain eq everything

    acl_in list access permit icmp any any echo response

    access-list acl_in allow icmp all once exceed

    acl_in list all permitted access all unreachable icmp

    acl_in list access permit tcp any any eq ssh

    acl_in list access permit tcp any any eq www

    acl_in tcp allowed access list everything all https eq

    acl_in list access permit tcp any host 192.168.5.30 eq 81

    acl_in list access permit tcp any host 192.168.5.30 eq 8081

    acl_in list access permit tcp any host 192.168.5.22 eq 8081

    acl_in list access permit icmp any any echo

    access-list acl_in permit tcp host 76.248.x.x a

    access-list acl_in permit tcp host 76.248.x.x a

    allow udp host 76.248.x.x one Access-list acl_in

    access-list acl_out permit icmp any one

    ip access list acl_out permit a whole

    acl_out list access permit icmp any any echo response

    acl_out list access permit icmp any any source-quench

    allowed any access list acl_out all unreachable icmp

    access-list acl_out permit icmp any once exceed

    acl_out list access permit icmp any any echo

    Allow Access-list no. - nat icmp a whole

    access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

    access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any

    access-list no. - nat permit icmp any any echo response

    access-list no. - nat permit icmp any any source-quench

    access-list no. - nat icmp permitted all all inaccessible

    access-list no. - nat allow icmp all once exceed

    access-list no. - nat permit icmp any any echo

    pager lines 24

    MTU 1500 WAN

    MTU 1500 LAN

    IP address WAN 65.74.x.x 255.255.255.240

    address 192.168.5.1 LAN IP 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool pptppool 172.16.0.2 - 172.16.0.13

    PDM logging 100 information

    history of PDM activate

    ARP timeout 14400

    Global (WAN) 1 interface

    NAT (LAN) - access list 0 no - nat

    NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0

    static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0

    static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0

    acl_in access to the WAN interface group

    access to the LAN interface group acl_out

    Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1

    Timeout xlate 0:05:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    AAA-server local LOCAL Protocol

    NTP server 72.14.188.195 source WAN

    survey of 76.248.x.x WAN host SNMP Server

    location of Server SNMP Sacramento

    SNMP Server contact [email protected] / * /

    SNMP-Server Community xxxxxxxxxxxxx

    SNMP-Server enable traps

    enable floodguard

    the string 1 WAN fragment

    Permitted connection ipsec sysopt

    Sysopt connection permit-pptp

    Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

    Crypto-map dynamic dynmap 10 transform-set RIGHT

    map mymap 10-isakmp ipsec crypto dynamic dynmap

    client configuration address map mymap crypto initiate

    client configuration address map mymap crypto answer

    card crypto mymap WAN interface

    ISAKMP enable WAN

    ISAKMP nat-traversal 20

    part of pre authentication ISAKMP policy 10

    encryption of ISAKMP policy 10

    ISAKMP policy 10 md5 hash

    10 2 ISAKMP policy group

    ISAKMP life duration strategy 10 86400

    vpngroup myvpn address pptppool pool

    vpngroup myvpn Server dns 192.168.5.44

    vpngroup myvpn by default-field xxxxxxxxx.local

    vpngroup split myvpn No. - nat tunnel

    vpngroup idle 1800 myvpn-time

    vpngroup myvpn password *.

    Telnet 192.168.5.0 255.255.255.0 LAN

    Telnet timeout 5

    SSH 192.168.5.0 255.255.255.0 LAN

    SSH timeout 30

    Console timeout 0

    VPDN group pptpusers accept dialin pptp

    VPDN group ppp authentication pap pptpusers

    VPDN group ppp authentication chap pptpusers

    VPDN group ppp mschap authentication pptpusers

    VPDN group ppp encryption mppe 128 pptpusers

    VPDN group pptpusers client configuration address local pptppool

    VPDN group pptpusers customer 192.168.5.44 dns configuration

    VPDN group pptpusers pptp echo 60

    VPDN group customer pptpusers of local authentication

    VPDN username password xxx *.

    VPDN username password xxx *.

    VPDN enable WAN

    dhcpd address 192.168.5.200 - 192.168.5.220 LAN

    dhcpd 192.168.5.44 dns 8.8.8.8

    dhcpd lease 3600

    dhcpd ping_timeout 750

    dhcpd enable LAN

    username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

    username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

    Terminal width 80

    Cryptochecksum:xxxxxxxxxxxxxxxxxx

    : end

    I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!
    Thank you very much
    Trevor

    "No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:

    do not allow any No. - nat icmp access list a whole

    No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any

    No No. - nat access list permit icmp any any echo response

    No No. - nat access list permit icmp any any source-quench

    No No. - nat access list permit all all unreachable icmp

    No No. - nat access list do not allow icmp all once exceed

    No No. - nat access list only allowed icmp no echo

    You must have 1 line as follows:

    access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

    Please 'clear xlate' after the changes described above.

    In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.

    Hope that helps.

  • Client VPN connects but not internal LAN access or Ping

    Hi all.

    I'm new on this forum and kindly asking for your help because I'm stuck.

    I have an ADSL router cisco 877 which I configured easy VPN server.
    Now the Cisco VPN client ver 5.0 to connect successfully to the VPN server, but when you try to access/ping computers on the internal network, there is no response.

    The configuration is below. Please let know us where I was going or what I missed.
    [code]

    Building configuration...

    Current configuration: 4574 bytes
    !
    version 12.4
    no service button
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$ $86dn J8HrK9kCQ8G9aPAm6xe4o1
    enable password 7 13151601181B54382F
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    AAA authentication login internal_affairs_vpn_1 local
    AAA authorization exec default local
    AAA authorization internal_affairs_vpn_group_1 LAN
    !
    !
    AAA - the id of the joint session
    !
    Crypto pki trustpoint TP-self-signed-2122144568
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2122144568
    revocation checking no
    rsakeypair TP-self-signed-2122144568
    !
    !
    TP-self-signed-2122144568 crypto pki certificate chain
    self-signed certificate 03
    30820248 308201B 1 A0030201 02020103 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
    69666963 32313232 31343435 6174652D 3638301E 170 3032 30333032 32303537
    31375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 31323231 65642D
    34343536 3830819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
    8100D3EA 07EC5D66 F4DD8ACC 5540BDBE 009B3C26 598EC99C D99D935A 51292F96
    F495E5A9 8D012B0E 73EA7639 3B 586799 187993F5 ED9CA31C 788756DD 6BDB1B2B
    4D7AA7F0 B07CF82F F2A29E86 E18B442C 550E22D2 E92D9914 105B7D59 253BBEA1
    D84636B4 A4B4B300 7946CE84 E9A63D2E 7789B03A 6ADDB04E B21EC207 CCFEAE0B
    30 HAS A 50203 010001, 3 1 130101 301B 0603 030101FF FF040530 0F060355 70306E30
    551 1104 14301282 10494E54 45524E41 4C5F4146 46414952 53301F06 03551D 23
    04183016 8014FA0F B3C9C651 7FD91EFA 3F63EAE8 6C83C80D 8AE2301D 0603551D
    0E041604 14FA0FB3 C9C6517F D91EFA3F 63EAE86C 83C80D8A E2300D06 092A 8648
    86F70D01 01040500 03818100 A1026DDC C91CAEB2 3C62AF92 D6B25EB2 CA 950, 920
    313BCF26 4A35B039 A4F806A0 8CB54D11 6AF1ABAA A770604B 4403F345 0351361B
    E2CF2950 26974F4A 95951862 401A4F76 C816590C 2FFCB115 9A8B3E96 4373FFE1
    33D744F7 E0FDDE61 B5B48497 9516C3C6 A3157957 C621668E A83B5E33 2420F962
    9142DD9E B6E9D74A 899A 9653
    quit smoking
    dot11 syslog
    IP cef
    No dhcp use connected vrf ip
    DHCP excluded-address IP 10.10.10.1
    !
    IP dhcp pool dhcplan
    Network 10.0.0.0 255.0.0.0
    DNS-server 196.0.50.50 81.199.21.94
    default router 10.10.10.1
    Rental 7
    !
    !
    property intellectual auth-proxy max-nodata-& 3
    property intellectual admission max-nodata-& 3
    name of the IP-server 81.199.21.94
    !
    !
    !
    VPN username password 7 095A5E07
    username fred privilege 15 password 7 1411000E08
    username ciscovpn password 7 01100F175804101F2F
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    ISAKMP crypto client configuration group internal_affairs_vpn
    key *.
    DNS 196.0.50.50 81.199.21.94
    pool ippool
    ACL 108
    !
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
    !
    Crypto-map dynamic internal_affairs_DYNMAP_1 10
    Set transform-set RIGHT
    market arriere-route
    !
    !
    card crypto client internal_affairs_CMAP_1 of authentication list internal_affairs_vpn
    card crypto isakmp authorization list internal_affairs_vpn_group_1 internal_affairs_CMAP_1
    client configuration address card crypto internal_affairs_CMAP_1 answer
    ipsec 10-isakmp crypto map internal_affairs_CMAP_1 Dynamics internal_affairs_DYNMAP_1
    !
    Archives
    The config log
    hidekeys
    !
    !
    !
    Bridge IRB
    !
    !
    interface Loopback0
    2.2.2.2 the IP 255.255.255.255
    !
    ATM0 interface
    no ip address
    ATM vc-per-vp 512
    No atm ilmi-keepalive
    PVC 0/32
    aal5snap encapsulation
    Protocol ip inarp
    !
    DSL-automatic operation mode
    Bridge-Group 1
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description of the local lan interface
    IP 10.10.10.1 255.0.0.0
    IP nat inside
    IP virtual-reassembly
    !
    interface BVI1
    internet interface Description
    IP 197.0.4.174 255.255.255.252
    NAT outside IP
    IP virtual-reassembly
    internal_affairs_CMAP_1 card crypto
    !
    IP local pool ippool 192.168.192.1 192.168.192.200
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 196.0.4.173
    !
    IP http server
    local IP http authentication
    IP http secure server
    IP nat inside source list interface BVI1 NAT overload
    IP nat inside source static tcp 2.2.2.2 23 23 BVI1 interface
    !
    NAT extended IP access list
    allow an ip
    !
    access-list 108 allow ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
    !
    !
    !
    control plan
    !
    Bridge Protocol ieee 1
    1 channel ip bridge
    !
    Line con 0
    password 7 0216054818115F3348
    no activation of the modem
    line to 0
    line vty 0 4
    password 7 06160E325F59590B01
    !
    max-task-time 5000 Planner
    end

    Since this is a named ACL, you need to change ACL configuration mode:

    NAT extended IP access list

    Then, make the changes.

    Federico.

  • ASA 5505 VPN established, cannot access inside the network

    Hi, I recently got an ASA 5505, and I spent weeks to find a way to set up a VPN on it.

    After a few days, I finally found the solution to connect to my ASA with a VPN client yet and cannot access devices that are connected to the ASA.

    Here is my config:

    ASA Version 8.2 (5)
    !
    hostname asa01
    domain kevinasa01.net
    activate 8Ry2YjIyt7RRXU24 encrypted password
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    switchport access vlan 5
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP address dhcp setroute
    !
    interface Vlan5
    No nameif
    security-level 50
    IP 172.16.1.1 255.255.255.0
    !
    passive FTP mode
    DNS server-group DefaultDNS
    domain kevinasa01.net
    permit same-security-traffic intra-interface
    Remote_Kevin_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
    inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.254.0 255.255.255.240
    inside_nat0_outbound list of allowed ip extended access all 192.168.254.0 255.255.255.0
    inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
    sheep - in extended Access-list allow IP 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
    access extensive list ip 192.168.254.0 outside_access_in allow 255.255.255.0 any
    access extensive list ip 192.168.254.0 inside_access_in allow 255.255.255.0 any
    pager lines 24
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    pool pool 192.168.254.1 - 192.168.254.10 255.255.255.0 IP mask
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (outside) 1 192.168.254.0 255.255.255.0
    NAT (inside) 0 access-list sheep - in
    NAT (inside) 1 192.168.1.0 255.255.255.0
    NAT (inside) 1 0.0.0.0 0.0.0.0
    Access-group outside_access_in in interface outside
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 192.168.1.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd outside auto_config
    !
    dhcpd address 192.168.1.5 - 192.168.1.36 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    internal Remote_Kevin group strategy
    attributes of Group Policy Remote_Kevin
    value of server DNS 192.168.1.12 192.168.1.13
    VPN - connections 3
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list Remote_Kevin_splitTunnelAcl
    kevinasa01.NET value by default-field
    username kevin mz6JxJib/sQqvsw9 password encrypted privilege 0
    username kevin attributes
    VPN-group-policy Remote_Kevin
    type tunnel-group Remote_Kevin remote access
    attributes global-tunnel-group Remote_Kevin
    address-pool
    Group Policy - by default-Remote_Kevin
    IPSec-attributes tunnel-group Remote_Kevin
    pre-shared key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
    : end

    Thank you

    Hello

    I read your message quickly through my cell phone. I don't know why you have spent your config twice. Maybe a typo issue.

    I see the acl sheep in the wrong way. I mean 192.168.254 are your pool VPN and 192.168.1.0 your local LAN.

    The acl must be:

    sheep - in extended access-list permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

    For nat (inside), you have 2 lines:

    NAT (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant as the 1 below does the same thing with more networks if there is inside side. You can delete it.
    NAT (inside) 1 0.0.0.0 0.0.0.0

    Why are you doing this nat (outside)?

    NAT (outside) 1 192.168.254.0 255.255.255.0

    Here are the first questions that I have seen by reading through my mobile. Let's change this and let me know. I'll take a look later with a computer (tonight or tomorrow)

    Thank you.

    PS: Please do not forget to rate and score as good response if this solves your problem.

Maybe you are looking for

  • Could not find creator AAFC

    I'm doing a ringtone and for each tutorial it says that I have to convert the AAC song. At first I couldn't find in my menu bar. I looked at my import settings and they are exactly this that further discussions and the sites Internet says they should

  • How to start the Library/bookmarks only window?

    Older versions of FF had a command line option in the style of a 'b' after another character. In this case, I could edit and export bookmarks without having to start the main program with all its plug-ins.

  • acquisition of data... read entry with highlighting of execution

    Hi all I'm reading a device entry after generating the tension, and I am confused about the difference in the results when 1. I use the running highlight 2. without highlighting the execution 3. once the beginning vi to generate instead of after vi v

  • Timed Structure of the sequence timing error

    I'm trying to create two RF waves to pulse, at 90 degrees and the other 180 degrees with a second 2 delay after the first impulse. I used this time sequence structure and think that I followed the requrements, but no matter what I change the second p

  • WRT350N V2.0 Firmware 20.0.17

    Hi all I really need a copy of the 20.0.17 for the WRT350N Euro firmware. Can someone point me in the right direction.