VPN to PIX access problem.

I set up PPTP VPN access on a PIX 515 with an unrestricted license for Windows-based computers. I can connect but I'm unable to access all the resources on the network. I suspect this has something to do with the access list, but I don't know where to start. Here's the relevant part of the PIX config:

access-list all-traffic permit ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
.
ip address outside x.x.x.130 255.255.255.252
ip address inside 192.168.254.1 255.255.255.0
ip address DMZ1 x.x.x.97 255.255.255.224
ip address DMZ2 192.168.251.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.254.201-192.168.254.254
.
global (outside) 1 x.x.x.65-x.x.x.93 netmask 255.255.255.224
global (outside) 1 x.x.x.94 netmask 255.255.255.224
nat (inside) 1 access-list all-traffic 0 0
nat (DMZ1) 1 access-list all-traffic 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
.
sysopt connection permit-pptp
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username * password *
vpdn enable outside
dhcpd address 192.168.254.100-192.168.254.200 inside
dhcpd dns x.x.x.131 x.x.x.200
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside

Looks like you forgot to add a "nat 0" that defines that there is no PAT between your local inside network and the PPTP DHCP pool.

The PPTP pool must be different from the inside pool, otherwise it is not routed correctly.

no ip local pool vpnpool 192.168.254.201-192.168.254.254
# choose a new PPTP pool network that is not in use
# in my example it is 192.168.1.0/24
ip local pool vpnpool 192.168.1.1-192.168.1.254
access-list 101 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101

See these pages for more information:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

http://www.Cisco.com/pcgi-bin/support/browse/psp_view.pl?p=hardware:PIX&s=Software_Configuration

See PPTP.

Sincerely,

Patrick
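As an added illustration of the fix above (example code, not part of the original thread), this Python script parses the relevant PIX 6.x lines, flags a client pool that overlaps an interface subnet, and emits the replacement pool together with the nat 0 exemption. The public-side addresses are constructed placeholders from 192.0.2.0/24, since the post masks them as x.x.x.

```python
"""Audit a PIX 6.x config for a VPN client pool that overlaps an interface subnet
and emit the nat 0 exemption the answer describes.

Added example, not from the thread. The sample config is constructed; the public
side uses the 192.0.2.0/24 documentation range in place of the poster's x.x.x.
"""
import ipaddress
import re

# PIX 6.x syntax: "ip address <nameif> <addr> <mask>" and
# "ip local pool <name> <first>-<last>" (the translated post shows spaces around '-').
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", re.I)
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$", re.I)


def parse_pix(config_text):
    """Return ({nameif: IPv4Network}, {pool_name: (first, last)}) from config text."""
    interfaces, pools = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            nameif, addr, mask = m.groups()
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return interfaces, pools


def pool_overlaps(pool, network):
    """True if any address of the first-last range falls inside network."""
    first, last = pool
    return first <= network.broadcast_address and last >= network.network_address


def covering_network(pool):
    """Smallest CIDR block containing the whole range (what the nat 0 ACL matches on)."""
    first, last = pool
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def audit(config_text):
    """List every pool that overlaps an interface subnet; clients in such a pool are
    not reachable from inside hosts, which is the problem the answer points out."""
    interfaces, pools = parse_pix(config_text)
    return [
        f"pool {pname} {first}-{last} overlaps {ifname} subnet {net}"
        for pname, (first, last) in pools.items()
        for ifname, net in interfaces.items()
        if pool_overlaps((first, last), net)
    ]


def nat0_exemption(inside_net, pool, acl_id=101, nameif="inside"):
    """PIX commands exempting inside<->pool traffic from NAT (the thread's 'nat 0' fix)."""
    pool_net = covering_network(pool)
    return [
        f"access-list {acl_id} permit ip {inside_net.network_address} {inside_net.netmask} "
        f"{pool_net.network_address} {pool_net.netmask}",
        f"nat ({nameif}) 0 access-list {acl_id}",
    ]


def propose_fix(config_text, pool_name, new_first, new_last, nameif="inside"):
    """Replace an overlapping pool with a non-overlapping one and add the exemption.
    Raises ValueError if the replacement still overlaps any interface subnet."""
    interfaces, pools = parse_pix(config_text)
    new_pool = (ipaddress.IPv4Address(new_first), ipaddress.IPv4Address(new_last))
    clash = [n for n, net in interfaces.items() if pool_overlaps(new_pool, net)]
    if clash:
        raise ValueError(f"replacement pool overlaps {', '.join(clash)}")
    old_first, old_last = pools[pool_name]
    return [
        f"no ip local pool {pool_name} {old_first}-{old_last}",
        f"ip local pool {pool_name} {new_first}-{new_last}",
        *nat0_exemption(interfaces[nameif], new_pool, nameif=nameif),
    ]


# Constructed excerpt mirroring the original poster's config (public side uses 192.0.2.x).
POSTED_CONFIG = """\
ip address outside 192.0.2.130 255.255.255.252
ip address inside 192.168.254.1 255.255.255.0
ip address DMZ2 192.168.251.1 255.255.255.0
ip local pool vpnpool 192.168.254.201 - 192.168.254.254
"""

if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print("FINDING:", finding)
    for cmd in propose_fix(POSTED_CONFIG, "vpnpool", "192.168.1.1", "192.168.1.254"):
        print(cmd)
```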

Tags: Cisco Security

Similar Questions

  • VPN login problem on PIX from the inside of the n/w

    I am trying to connect to the vpn server (pix) from outside with my laptop within the network.

    I have routed ip vpn on the pix515 and can ping the pix fine, but I am not able to ping the 3550 switch or the laptop computer.

    How do I get the vpn ip to the switch? As I don't know the mask of the ip...

    I would also like to know... is there something extra that I need on the pix or the 3550?

    Hello!

    - What is the default gateway of your laptop?

    - Do you do any kind of NAT on the PIX? Is it PAT, static or normal NAT?

    - Can you ping the inside of the PIX from the laptop?

    There could be several problems to solve here.

    (1) first of all, make sure that your laptop has access to the internet

    (2) If you want to ping it over the internet, make sure you have an ACL on the PIX like the one below:

    i.e.

    access-list TEST permit icmp any any
    access-group TEST in interface outside

    Also make sure you have no access list applied on the inside of the PIX.

    - Now, can you connect at all?

    - What do you connect to? Another PIX? Router? Hub?

    If you go through PAT make sure that you have this command on the PIX:

    "fixup protocol esp-ike"

    Please let me know if you can answer my questions, in this way, it would be easier to help you.

    Frank

  • Client VPN on PIX needs to access DMZ

    VPN clients 3.5 terminating on PIX 6.X cannot access hosts on a PIX DMZ interface. The log reports an error that there is no 'translation group available outside' for the subnet of the VPN Client (from the vpngroup pool).

    Should I add the VPN client subnet to a nat (outside)?

    Can I add it to the nat inside?

    Can I just add a static for the DMZ hosts to the inside interface subnet, since VPN clients can access the inside hosts?

    (I have the subnets in the nat 0 sheep ACL)

    Thanks and greetings

    JT

    You'll need to add a nat 0. You say in your () you have a sheep acl; is that for the perimeter network or the inside interface? Do you use the same access list for sheep on inside and dmz? You should separate them and use separate access lists. Is your client pool on a different subnet than your home network and dmz? It should look something like this:

    ip local pool client 192.168.1.1-192.168.1.254
    ip address inside 10.10.10.1 255.255.255.0
    ip address dmz 10.10.20.1 255.255.255.0
    access-list sheep permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonatdmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list sheep
    nat (dmz) 0 access-list nonatdmz

    If this is correct then clear x, wr mem, reload. I hope this helps.

    Kurtis Durrett

    PS

    If it did not, I can only recommend upgrading your client and pix because that is exactly how it should look, and if it does not work you are facing an additional feature you want.

  • Terminating PIX VPN clients and Internet access from the same interface

    Hello

    VPN remote users connect to the PIX (7.2) outside interface, but these clients also need to access the Internet through the PIX outside interface. We need this because the PIX IP is registered and allowed access to some electronic libraries. One way would be to set up a proxy within the network and have vpn users access the Internet through the proxy, but can it be done without a proxy?

    Yes, public internet on a stick:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

  • VPN for PIX 515 allowing access to a single host

    I have already set up on my PIX 515 a VPN connection which allows the user to connect to our network via a cisco VPN client to access network resources.

    What I want to configure now is another VPN connection that external users can use but that would only allow access to a single host.

    E.g. I would like to VPN into my site but only be allowed to access 10.1.1.1 on my network.

    How can I do this? Do I have to set up another VPNGROUP and somehow configure an access list to allow only traffic to one host? Can anyone help with the correct syntax for the PIX?

    Thank you

    Scott

    You will already have a bunch of "vpngroup" commands in your PIX; simply go into config mode and add more 'vpngroup' commands but with a different group name. The VPN client then uses this group name to connect to the PIX.

    Another way to allow access to only one host for this group is to use split tunnelling on this group, and in the split tunnel ACL set only that host.

  • The ESP vpn remote access problem

    I have remote access vpn configured on a cisco 2901 router. Everything works well except for two 3g ipads. When I connect with the ipad over the 3g network it connects, but it is impossible to access the company's resources. I talked to my phone provider and they told me that they have some NAT problems with ESP, and advised me to force vpn clients to use udp ports 500 and 4500. How do I configure my router to get there?

    Thanks in advance

    Hello

    ISAKMP uses UDP port 500 for connection management (Phase 1).

    NAT-T (used when there are NAT devices between two VPN end points) uses UDP port 4500.

    So NAT-T is configured on your router by default; all you have to do, if you have an ACL on the external interface, is allow this traffic (ISAKMP and NAT-T). On some of the latest IOS versions you do not have to apply the ACL to VPN traffic by default (encrypted traffic bypasses the ACL).

    If your configuration is the default, great! You can go back to your phone provider; you are ready to test.

    Julio

    Please rate all useful posts!

  • VPN concentrator + PIX on LAN -> clients cannot reach local servers

    Hello

    I have a problem w.r.t. remote access clients coming in via a VPN3000 concentrator and trying to access local servers.

    The topology:

    The internal network is 10.0.1.0/24. It connects to the outside world, as well as to a DMZ, via a PIX; the PIX has 10.0.1.1 in the internal network.

    On the same (internal) LAN, I have the VPN concentrator with the inside address 10.0.1.5. It assigns addresses in the 10.0.100.0/24 range to the VPN client PCs.

    I can successfully connect using the VPN client SW to the concentrator, i.e. remote access clients get addresses out of the 10.0.100.0/24 range.

    The problem: access from VPN clients to the internal network is *not* possible; for example, a client with 10.0.100.1 cannot connect to the internal server 10.0.1.28.

    To my knowledge, this is a routing problem because the server (10.0.1.28) has no idea how to reach clients in 10.0.100.0/24. The only thing the server has is a default static route pointing to the PIX, i.e. 10.0.1.1.

    So I set up a static route on the PIX for 10.0.100.0 pointing to the VPN concentrator, that is

    route mylan 10.0.100.0 255.255.255.0 10.0.1.5 1

    This does not solve my problem though.

    In the PIX logs, I see entries as follows:

    %PIX-3-106011: Deny inbound (No xlate) tcp src intern:10.0.1.28 (atlas)/445 dst intern:10.0.100.1 (pending)/1064

    The PIX seems to drop the return packets, i.e. traffic from the server back to the client.

    To my knowledge, the problem seems to be:

    In short, traffic goes VPN client -> VPN concentrator -> server -> PIX, where it gets dropped.

    My reasoning: the PIX only sees the return packet, i.e. the packet back from the server to the client, and therefore drops the packet because it has not seen the packet from the client to the server.

    So here are my questions:

    (o) how do I configure the PIX so that I get connectivity between my remote VPN clients (10.0.100.0/24) and server computers on the local network (10.0.1.0/24)?

    (o) does someone else have something like this going?

    PS: Please note that the first obvious idea, installing static routes on all machines on the local network, is not an option here.

    Thank you very much in advance for your help.

    -ewald

    Hello, because the PIX cannot route traffic on the same interface (prior to version 7.0 anyway), I suggest two things: place your concentrator with the outside leg on the outside and the inside leg on a demilitarized zone, or (if you cannot do a makeover of the network) remove your pool with 10.0.100.0 addresses and create a pool with 10.0.1.0 addresses, which is a part of the address space. No, NOT all. A little block that is not used inside.

    Best regards

    Robert Maras

  • The VPN Clients need access to the subnet on another router

    Hello

    We have a pix 515e, PIX Version 8.0(2)

    We have two subnets, 10.1.x.x/16 and 10.2.x.x/16

    The firewall is on 10.1.x.x and vpn clients can access this subnet.

    The firewall can ping 10.2.x.y where x is a server in the other subnet.

    The 10.2.x.x clients go out via the firewall.

    The problem is that vpn clients cannot access the server 10.2.x.y even though the pix can ping 10.2.x.y and has the route for it.

    What do I need to check so that the vpn rules are correct in the pix 515e?

    I think it is a nat exemption rule or something like that, not exactly sure.

    Anything would be a great help.

    Thank you

    Hello

    For VPN clients to access these subnets, check the following:

    1. NAT exemption includes these subnets (if not using NAT)... it's the NAT0 ACL command

    2. these subnets are included in the split tunneling

    3. these subnets have a route to the PIX to send traffic to the VPN client pool.

    4. There are no ACLs applied to the inside interface of the PIX that deny this communication.

    Federico.

  • Outbound IPSec VPN connection problem from behind a Pix535: narrowed down to NAT-related

    Hello world

    Previously, I've seen a similar thread and posted my troubles with the outbound VPN connections inside that thread:

    https://supportforums.Cisco.com/message/3688980#3688980

    I had great help but unfortunately my problem is a little different and still a connection problem. Here I summarize our configurations once again:

    hostname pix535, 8.0(4)

    All PCs here use private IPs such as 10.1.0.0/16 with dynamic NAT. We cannot initiate an OUTBOUND IPSec VPN (for example QuickVPN) from our offices, but the reverse (inbound) works very well (we have had IPsec/PPTP servers working for a long time). I did a few new tests yesterday which showed that if the PC has a static NAT (mapped to a real public IP), the outgoing VPN connection is fine; if the same PC has no static NAT (it hides behind the firewall's dynamic NAT), outgoing VPN is a no-go (same IP on the same PC). So roughly, I have narrowed down our VPN connection problem as NAT-related. Here are a few NAT commands from our PIX:

    interface GigabitEthernet0
     description to cable-modem
     nameif outside
     security-level 0
     ip address 70.169.X.X 255.255.255.0
     ospf cost 10
    !
    interface GigabitEthernet1
     description inside 10/16
     nameif inside
     security-level 100
     ip address 10.1.1.254 255.255.0.0
     ospf cost 10
    !
    !
    interface Ethernet2
     description Vlan30
     nameif dmz2
     security-level 50
     ip address 30.30.30.30 255.255.255.0
     ospf cost 10
    !
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    ......

    global (outside) 10 interface
    global (dmz2) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 inside8 255.255.255.0
    nat (inside) 10 Vlan10 255.255.255.0
    nat (inside) 10 vlan50 255.255.255.0
    nat (inside) 10 192.168.0.0 255.255.255.0
    nat (inside) 10 192.168.1.0 255.255.255.0
    nat (inside) 10 192.168.10.0 255.255.255.0
    nat (inside) 10 pix-inside 255.255.0.0

    crypto isakmp nat-traversal 3600

    -------

    Packet capture results are listed here for the same PC and the same traffic to the branch VPN server; the main difference is UDP 4500 (the PC with static NAT has good UDP 4500 traffic, the same PC with dynamic NAT does not):

    #1: when the PC uses static NAT, outgoing VPN is good:

    54 packets captured
    1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
    5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
    6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
    7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
    8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
    9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
    10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
    11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
    12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
    13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
    14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
    15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
    16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
    17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: 2323207075:2323207075 F (0) ack 2904547576 win 7504
    18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140
    19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
    20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: 2904547613:2904547613 F (0) ack 2323207076 win 63140
    21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
    22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
    24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
    25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
    26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: udp 64
    28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
    29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
    30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
    32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
    34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
    35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
    37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
    38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
    39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
    40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
    41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
    42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
    43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
    44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
    45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
    46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
    47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
    48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
    49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
    50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: 1440821934:1440821934 F (0) ack 938189002 win 7504
    51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
    52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
    53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: 938189039:938189039 F (0) ack 1440821935 win 63252
    54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0

    #2: same PC with dynamic NAT, VPN connection fails:

    70 packets captured
    1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
    5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
    6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
    7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
    8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
    9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
    10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
    11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
    12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432
    13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
    14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
    15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
    16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
    17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: 1715578882:1715578882 F (0) ack 3309127643 win 7504
    18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
    19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
    20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: 3309127680:3309127680 F (0) ack 1715578883 win 63140
    21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
    22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
    24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
    25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
    26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
    27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
    28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
    30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
    31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
    34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
    35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
    36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
    37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
    38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
    39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
    40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
    41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
    42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
    43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
    44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
    45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
    46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: 248910579:248910579 F (0) ack 3856216293 win 7504
    47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
    48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
    49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: 3856216330:3856216330 F (0) ack 248910580 win 63518
    50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
    51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
    52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
    53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
    54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
    55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
    56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
    57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
    58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
    59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432
    60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
    61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
    62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
    63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: 908774740:908774740 F (0) ack 3657182254 win 7504
    65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
    69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: 3657182291:3657182291 F (0) ack 908774741 win 63252
    70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
    70 packets shown

    We have had this IPsec VPN connection problem for years (I first thought it was an access restriction problem, but it does not work even if I disable all access lists; yesterday's experiment on the same PC with the same access-list restriction shows that it is not the cause). All suggestions and tips are greatly appreciated.

    Sean

    Hi Sean, please remove the lines highlighted in your pix, try, and let me know; these lines are not the default configuration of the PIX.

    class-map vpn-udp-class
     match access-list vpn-udp-acl
    policy-map vpn-udp-policy
     class vpn-udp-class
      inspect ipsec-pass-thru
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 768
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect http
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect pptp
      inspect ipsec-pass-thru
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    ip verify reverse-path interface outside

    Thank you

    Rizwan James
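The two captures in the thread differ in exactly one way: with static NAT the client moves from IKE on UDP 500 to NAT-T on UDP 4500, with dynamic NAT it never does. As an added example (not from the thread; it also covers the UDP 500/4500 point in the 2901/iPad answer above), this Python script parses PIX/ASA capture lines in the thread's format and classifies the trace; the sample lines are constructed, with the peer in the 198.51.100.0/24 documentation range instead of the poster's server.

```python
"""Classify a PIX/ASA 'show capture' trace for an IPsec client: did IKE on UDP 500
progress to NAT-T on UDP 4500, or did it stall at IKE?

Added example, not from the thread. Sample lines are constructed in the thread's
capture format; the peer uses the 198.51.100.0/24 documentation range.
"""
import re
from collections import Counter

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):\s*(.*)$"
)
# The thread shows both "udp 64" and a garbled "64 udp"; accept either.
UDP_LEN_RE = re.compile(r"\budp\s+(\d+)|(\d+)\s+udp\b")


def parse_capture(text):
    """Return packet dicts with src, sport, dst, dport, proto and UDP payload length."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "54 packets captured" and other non-packet lines
        src, sport, dst, dport, rest = m.groups()
        um = UDP_LEN_RE.search(rest)
        pkts.append({
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": "udp" if um else "tcp",
            "len": int(um.group(1) or um.group(2)) if um else None,
        })
    return pkts


def ipsec_counts(pkts, client):
    """Count IKE (UDP 500/500) and NAT-T (UDP 4500/4500) packets per direction."""
    counts = Counter()
    for p in pkts:
        if p["proto"] != "udp":
            continue
        if p["sport"] == 500 and p["dport"] == 500:
            kind = "ike"
        elif p["sport"] == 4500 and p["dport"] == 4500:
            kind = "natt"
        else:
            continue
        counts[f"{kind}_{'out' if p['src'] == client else 'in'}"] += 1
    return counts


def diagnose(pkts, client):
    """'natt-established': traffic on 4500 in both directions (the static-NAT capture).
    'ike-stalled': IKE seen on 500 but nothing ever moved to 4500 (the dynamic-NAT capture).
    'no-ike': the client never sent ISAKMP at all."""
    c = ipsec_counts(pkts, client)
    if c["natt_out"] and c["natt_in"]:
        return "natt-established"
    if c["ike_out"]:
        return "ike-stalled"
    return "no-ike"


def ike_retransmits(pkts, client):
    """Outbound IKE packets that repeat the previous outbound IKE packet's length: a cheap
    proxy for the client re-sending the same first-phase message instead of progressing."""
    prev, repeats = None, 0
    for p in pkts:
        if p["proto"] == "udp" and p["src"] == client and p["sport"] == 500 and p["dport"] == 500:
            if p["len"] == prev:
                repeats += 1
            prev = p["len"]
    return repeats


# Constructed excerpt, static-NAT case: IKE on 500, then NAT-T on 4500, then the client's TCP.
CAPTURE_STATIC_NAT = """\
7 packets captured
1: 15:44:17.055417 10.1.1.82.500 > 198.51.100.57.500: udp 276
2: 15:44:17.137657 198.51.100.57.500 > 10.1.1.82.500: udp 140
3: 15:44:17.161475 10.1.1.82.500 > 198.51.100.57.500: udp 224
4: 15:44:17.309066 198.51.100.57.500 > 10.1.1.82.500: udp 220
5: 15:44:17.478780 10.1.1.82.4500 > 198.51.100.57.4500: udp 80
6: 15:44:17.550356 198.51.100.57.4500 > 10.1.1.82.4500: 64 udp
7: 15:44:22.063747 10.1.1.82.1610 > 198.51.100.57.60443: S 938188365:938188365 (0) win 64240
"""
# Constructed excerpt, dynamic-NAT case: the same IKE message repeats and 4500 never appears.
CAPTURE_DYNAMIC_NAT = """\
1: 14:08:57.258073 10.1.1.82.500 > 198.51.100.57.500: udp 276
2: 14:08:57.336255 198.51.100.57.500 > 10.1.1.82.500: udp 40
3: 14:08:58.334211 10.1.1.82.500 > 198.51.100.57.500: udp 276
4: 14:08:58.412850 198.51.100.57.500 > 10.1.1.82.500: udp 40
5: 14:09:00.333311 10.1.1.82.500 > 198.51.100.57.500: udp 276
6: 14:09:00.410730 198.51.100.57.500 > 10.1.1.82.500: udp 40
7: 14:09:02.412561 10.1.1.82.1075 > 198.51.100.57.443: S 968016865:968016865 (0) win 64240
"""

if __name__ == "__main__":
    for name, cap in (("static", CAPTURE_STATIC_NAT), ("dynamic", CAPTURE_DYNAMIC_NAT)):
        pkts = parse_capture(cap)
        print(name, diagnose(pkts, "10.1.1.82"), dict(ipsec_counts(pkts, "10.1.1.82")),
              "ike retransmits:", ike_retransmits(pkts, "10.1.1.82"))
```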

  • The VPN Clients cannot access any internal address

    Without a doubt need help from an expert on this one...

    Attempting to set up VPN client access on an ASA 5520 that has been used only as a firewall so far. The ASA has recently been updated to Version 7.2(4).

    Problem: Once connected, the VPN client cannot access anything whatsoever. The VPN client cannot ping any address on the internal networks, or even the inside interface of the ASA.

    (I hope) Relevant details:

    (1) the tunnel seems to be up. Clients are authenticated by the ASA and are able to connect.

    (2) per many other related posts, I ran a 'sh crypto ipsec sa' to see the output: it appears that the packets are decapsulated and decrypted, but NOT encapsulated or encrypted (see the attached output of 'sh crypto ipsec sa').

    (3) per the other related posts, we've added the commands associated with NAT traversal (crypto isakmp nat-traversal 20, crypto isakmp ipsec-over-tcp port 10000). These were in fact absent from our configuration.

    (4) we tried TCP encapsulation and UDP encapsulation with experimental client profiles: same result in both cases.

    (5) if I (attempt to) ping an internal IP address from the connected client, the ASA real-time log entries show the build-up and teardown of the ICMP requests to the internal target.

    (6) the packet capture on the internal address (the one we try to ping from the VPN client) shows that the ICMP request was received and answered. (See attached capture.)

    (7) our goal is to create about 10 different VPN client profiles, each with different combinations of access to the internal VLANs or DMZ VLANs. We have no preference for the encryption type or method, as long as it is secure and it works: that said, do not hesitate to recommend a different approach altogether.

    We have tried everything we can think of, so any help or advice would be greatly appreciated! The sanitized ASA configuration is also attached.

    Thank you!

    It should be the last step :)

    on the 6509:

    ip route 172.16.100.0 255.255.255.0 172.16.20.2

    and on the ASA:

    no route inside 172.16.40.0 255.255.255.0 172.16.20.2

  • Terminating a VPN on a Pix behind an IOS router with a private subnet

    OK, basically I wonder if it is possible to terminate a VPN connection on a Pix 506 firewall which is behind an IOS router. The public interface of the Pix 506 has a private ip address on a /29 going to the IOS inside interface. The network is configured as follows:

    Internet via 10BaseT
    | (5 public - X.X.X.34-.38)
    | (on WIC-1ENET)
    | (.34 assigned to interface)
    Cisco 1760
    | (Pomp)            | (WIC-4PORTSWITCH)
    |                   | (10.0.0.1/29 on 1760)
    Private net         Pix 506
    (192.168.1.0)       (10.0.0.2/29 on Pix)

    Now, the two internal interfaces of the 1760 are configured to PAT onto the IP of the 1760's interface and all internet traffic goes perfectly. No access lists are currently applied anywhere on the 1760, and a static translation on the 1760 is configured for .35 to 10.0.0.2 (the pix's 'public' ip). RDP and other services authorized in the pix access list work perfectly well from the outside world when you enter .35, but if I try to terminate a VPN from an offsite pix 501 to the pix 506 using the .35 IP, it does not work.

    Is it possible to make this type of setup work?

    I realize I could put an external switch on the 1760 and run the public subnet directly and individually into the 1760 and the Pix 506; however, I really would prefer not to have to do so if it is possible to avoid it.

    Remove the crypto map from the interface on the PIX and reapply it.

  • VPN; access list on the external interface allowing encrypted traffic

    Hi, I have a question about the access list on the external interface of an 836 router. We have several routers at our clients' sites, some are lan2lan, some are client2router vpn.

    My question is: why should I explicitly put the ip addresses of the vpn client or lan tunnel in the access list, since the encrypted traffic is already allowed by permitting esp & isakmp?

    The access list is applied to the outside interface with: ip access-group 102 in

    Note access-list 102 incoming Internet via ATM0.1

    Note access-list 102 permit IP VPN range

    access-list 102 permit ip 192.123.32.0 0.0.0.255 192.123.33.0 0.0.0.255

    access-list 102 permit ip 14.1.1.0 0.0.0.255 any

    access-list 102 permit esp a whole

    Note access-list 102 Open VPN Ports and other

    access-list 102 permit udp any host x.x.x.x eq isakmp newspaper

    I have to explicitly allow 192.123.32.0 (range of lan on the other side) & 14.1.1.0 (range of vpn client) because if I'm not I won't be able to reach the network.

    The vpn connection is not the problem, all traffic going through it.

    As far as I know, allowing ESPs & isakmp should be sufficient.

    Can anyone clarify this for me please?

    TNX

    Sebastian

    This has been previously answered on this forum. See http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.ee9f970/0#selected_message for more details.

  • Prevent SSL VPN users from accessing the ASA CLI

    Hello

    I set up multiple users on my ASA in its local database.

    These users are used for the SSL VPN connection, but the problem I have is that the users also have SSH access. Is it possible to avoid this?

    Thank you

    Hello Raf,

    If you do something like this:

    username xxx attributes
     service-type remote-access

    the user should no longer get CLI access.

    Kind regards

    Bastien

  • VPN local LAN access

    I have set up a Cisco 861 as a VPN server. Could someone help me and tell me what the problem is? Clients can connect, but cannot access local resources on the LAN subnet 10.0.10.0.

    Building configuration...

    Current configuration : 9770 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname RT861W
    !
    boot-start-marker
    boot system flash c860-universalk9-mz.124-24.T3.bin
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 4096 warnings
    logging console critical
    enable secret 5 xxxxxxxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    !
    aaa session-id common
    memory-size iomem 10
    clock timezone EST -4
    clock save interval 24
    !
    crypto pki trustpoint TP-self-signed-3796206546
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3796206546
     revocation-check none
     rsakeypair TP-self-signed-3796206546
    !
    !
    crypto pki certificate chain TP-self-signed-3796206546
     certificate self-signed 01
      30820259 308201 2 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
      2 060355 04031326 494F532D 53656 C 66 31312F30 2 536967 6E65642D 43657274
      69666963 33373936 32303635 6174652D 3436301E 170 3130 30363130 32323534
      33395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
      65642 43 65727469 5369676E 656C662D 4F532D53 66696361 74652 33 37393632
      3630819F 30363534 300 D 0609 2A 864886 F70D0101 01050003 818 0030 81890281
      81009C 68 0509FEBA BA0D4251 52AA3F1C DBB7CACB 138D0D3D 8017AB75 04AABD97
      16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6 EB32858B 4385DE6C 3ED11616
      2B997D14 C6C86431 9A 956161 2D0581F4 767D60E1 82FF426A 911D503E 8995A69B
      6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464 E6DA7E06 44F94B16 3EA57809
      5B 710203 010001 HAS 3 8180307E 300F0603 551D 1301 01FF0405 FF302B06 30030101
      11 04243022 82205254 38363157 2E636F6C 03551D 6C696E73 2E316661 6D696C79
      756E6974 65642E63 6F6D301F 0603551D 23041830 1680142C 21E7314B D28AFE1A
      26115A1B F53AFB03 1 060355 1D0E0416 0ED1A830 04142C 21 E7314BD2 8AFE1A26
      115A1BF5 3AFB030E D1A8300D A 06092, 86 4886F70D 01010405 00038181 008CC48F
      6A1BFB52 0F268B05 B977AE8E CA450936 8272 D 889 B46DE9FB 5680782C 59DA2354
      04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22 C7BED922 73C35C32 54696F37
      89E424C2 561FFF54 99573AC6 713E58D8 E3B67064 295 4331 845FCDEC F6CD8017 D
      58006 58 F94A8771 78217788 FE63AA11 0E5DF6B1 1A8D0111 CDD87A1D CC
      quit
    no ip source-route
    no ip gratuitous-arps
    chip-Relay IP dhcp
    ip dhcp bootp ignore
    ip dhcp excluded-address 10.0.1.1 10.0.1.10
    ip dhcp excluded-address 10.0.10.1 10.0.10.10
    !
    ip dhcp pool VLAN_10
     network 10.0.10.0 255.255.255.224
     default-router 10.0.10.1
     domain-name xxxxxx
     dns-server 10.0.10.1
    !
    ip dhcp pool VLAN_1
     network 10.0.1.0 255.255.255.224
     default-router 10.0.1.1
     domain-name xxxxxx
     dns-server 10.0.1.1
    !
    !
    ip cef
    ip inspect log drop-pkt
    ip inspect max-incomplete high 1100
    ip inspect max-incomplete low 1100
    ip inspect one-minute high 1100
    ip inspect one-minute low 1100
    ip inspect udp idle-time 60
    ip inspect dns-timeout 10
    ip inspect name firewall tcp timeout 3600
    ip inspect name firewall udp timeout 15
    ip inspect name firewall ftp timeout 3600
    ip inspect name firewall rcmd timeout 3600
    ip inspect name firewall smtp alert on timeout 3600
    ip inspect name firewall sqlnet timeout 3600
    ip inspect name firewall tftp timeout 30
    ip inspect name firewall icmp timeout 15
    ip inspect name firewall ssh timeout 15
    ip inspect name firewall login audit-trail on
    ip inspect name firewall webster
    ip inspect name firewall skinny
    ip inspect name firewall router
    ip inspect name firewall cifs
    ip inspect name firewall cuseeme
    ip inspect name firewall dns
    ip inspect name firewall realaudio
    ip inspect name firewall rtsp
    ip inspect name firewall streamworks
    ip inspect name firewall vdolive
    ip inspect name firewall sip
    ip inspect name firewall pop3 alert on reset
    ip inspect name firewall ftps
    ip inspect name firewall isakmp
    ip inspect name firewall ipsec-msft
    ip inspect name firewall ntp
    ip inspect name firewall imap
    ip inspect name firewall imaps
    ip inspect name firewall imap3
    ip inspect name firewall pop3s
    no ip bootp server
    ip domain name xxxxxxxxx
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip name-server 74.128.19.102
    ip name-server 74.128.17.114
    !
    !
    license agent notify http://10.0.10.11:9710/clm/servlet/HttpListenServlet dummy dummy 2.0
    !
    !
    username xxxx privilege 15 secret 5 xxxxxx
    username xxxxx secret 5 xxxxx
    !
    !
    crypto isakmp policy 3
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp nat keepalive 3600
    !
    crypto isakmp client configuration group xxxxx
     key xxxxxx
     dns 10.0.10.5
     domain xxxxxxxx
     pool vpnpool
     include-local-lan
     netmask 255.255.255.224
    !
    !
    crypto ipsec transform-set RIGHT esp-aes 256 esp-sha-hmac comp-lzs
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address initiate
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    crypto ctcp port 6000
    archive
     log config
      hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    bridge irb
    !
    !
    !
    interface Loopback0
     ip address 10.100.100.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0
     switchport access vlan 10
    !
    interface FastEthernet1
     switchport access vlan 10
    !
    interface FastEthernet2
     switchport access vlan 10
    !
    interface FastEthernet3
     switchport access vlan 10
     switchport mode trunk
    !
    interface FastEthernet4
     description WAN $FW_OUTSIDE$
     ip address dhcp client-id FastEthernet4
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip flow egress
     ip inspect firewall in
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface wlan-ap0
     description Service module interface to manage the embedded AP
     ip unnumbered Vlan1
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip virtual-reassembly
     arp timeout 0
    !
    interface Wlan-GigabitEthernet0
     description Service module interface to manage the embedded AP
     switchport mode trunk
    !
    interface Vlan1
     description VLAN_1 $FW_INSIDE$
     ip address 10.0.1.1 255.255.255.224
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    interface Vlan10
     description VLAN_10 $FW_INSIDE$
     ip address 10.0.10.1 255.255.255.224
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    interface BVI1
     description $FW_INSIDE$
     ip address dhcp hostname WAPB
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no ip route-cache cef
     no ip route-cache
    !
    router rip
     version 1
     network 10.0.0.0
    !
    ip local pool vpnpool 197.0.0.1 197.0.0.5
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    !
    ip dns server
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source list 2 interface FastEthernet4 overload
    ip nat inside source static tcp 10.0.10.3 3389 interface FastEthernet4 3389
    ip nat inside source static tcp 10.0.10.3 1723 interface FastEthernet4 1723
    ip nat inside source static tcp 10.0.10.3 80 interface FastEthernet4 80
    !
    logging 10.0.10.1
    access-list 1 permit 10.0.1.0 0.0.0.31
    access-list 2 permit 10.0.10.0 0.0.0.31
    access-list 199 permit any any
    access-list 199 permit tcp any any eq 1723
    access-list 199 permit tcp any any established
    access-list 199 permit udp any any eq 3389
    access-list 199 permit udp any any eq ntp
    access-list 199 permit udp any any gt 1023
    access-list 199 deny tcp any any
    access-list 199 deny tcp 10.0.0.0 0.255.255.255 any
    access-list 199 deny tcp 172.16.0.0 0.15.255.255 any
    access-list 199 deny tcp 192.168.0.0 0.0.0.255 any
    access-list 199 deny udp 10.0.0.0 0.255.255.255 any
    access-list 199 deny udp 172.16.0.0 0.15.255.255 any
    access-list 199 deny udp 192.168.0.0 0.0.0.255 any
    access-list 199 deny icmp any any echo
    access-list 199 deny udp any any eq 135
    access-list 199 deny udp any any eq netbios-ns
    access-list 199 deny udp any any eq netbios-ss
    access-list 199 deny udp any any eq isakmp
    access-list 199 deny tcp any any eq telnet
    access-list 199 deny tcp any any eq smtp
    access-list 199 deny tcp any any eq nntp
    access-list 199 deny tcp any any eq 135
    access-list 199 deny tcp any any eq 137
    access-list 199 deny tcp any any eq 139
    access-list 199 deny tcp any any eq www
    access-list 199 deny tcp any any eq 443
    access-list 199 deny tcp any any eq 445
    access-list 199 deny ip any any
    no cdp run
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 10 protocol ieee
    bridge 10 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output all
    line vty 0 4
     access-class 104 in
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp server 192.43.244.18
    end

    Hello

    The problem is due to the NAT configuration. Please try the following:

    no ip nat inside source list 1 interface FastEthernet4 overload
    no ip nat inside source list 2 interface FastEthernet4 overload

    access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7
    access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255
    access-list 101 permit ip 10.0.0.0 0.0.255.31 any

    route-map Internet
     match ip address 101
     exit

    ip nat inside source route-map Internet interface FastEthernet4 overload

    This will ensure that the VPN clients can access all internal resources. However, they will not be able to access the 10.0.10.3 server using its private IP address, because you cannot use a route-map when you use the "interface" keyword. If you have a static IP address assigned to your FastEthernet4 interface by the ISP, you can then use the configuration below:

    access-list 102 deny ip host 10.0.10.3 197.0.0.0 0.0.0.7
    access-list 102 deny ip host 10.0.10.3 10.0.0.0 0.0.255.255
    access-list 102 permit ip host 10.0.10.3 any

    route-map server
     match ip address 102
     exit

    no ip nat inside source static tcp 10.0.10.3 3389 interface FastEthernet4 3389
    no ip nat inside source static tcp 10.0.10.3 1723 interface FastEthernet4 1723
    no ip nat inside source static tcp 10.0.10.3 80 interface FastEthernet4 80

    ip nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389 route-map server
    ip nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 IP" 1723 route-map server
    ip nat inside source static tcp 10.0.10.3 80 "FastEthernet4 IP" 80 route-map server

    I hope this helps.

    Kind regards

    NT
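    The two threads above (the 836 access list and the 861 NAT fix) turn on the same mechanism: an IOS access list is evaluated entry by entry with wildcard masks, and whatever it decides is what the interface filter or the NAT overload rule acts on. The following is an added example, not code from either poster, that models that matching in Python and runs it over constructed packets. It shows that the `permit esp any any` entry in ACL 102 passes the ESP packet but not the decrypted packet inside it (which is why the explicit LAN and client-pool lines matter on IOS releases that re-check decrypted packets against the inbound ACL, the behaviour removed by the Crypto Access Check on Clear-Text Packets change in 12.3(8)T), and that the original `ip nat inside source list 2 ... overload` on the 861 translates a server's reply to a VPN client while NT's route-map ACL 101 leaves it untranslated. Assumptions: `x.x.x.x` and the peer addresses are replaced by RFC 5737 documentation addresses, only a handful of IOS port names are known, and standard ACLs are treated as source-only.

    ```python
    """Model of Cisco IOS access-list matching, used to show two effects from the
    threads above: an 'esp' permit does not cover the decrypted inner packet, and
    a NAT overload ACL that is not exempted translates traffic bound for the VPN
    pool.  Added example, not code from the forum posts.  Peer and ISP addresses
    are constructed (RFC 5737 documentation ranges)."""
    import ipaddress
    from typing import List, Optional, Tuple

    Packet = Tuple[str, str, str, Optional[int]]   # (proto, src, dst, dst_port)
    _PROTOS = {"ip", "tcp", "udp", "icmp", "esp", "gre", "ahp"}
    _PORT_NAMES = {"isakmp": 500, "www": 80, "telnet": 23, "ntp": 123}  # partial table


    def _wild_match(addr: str, base: str, wildcard: str) -> bool:
        """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
        a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
        return (a & ~w) == (b & ~w)


    def _addr_spec(t: List[str], i: int) -> Tuple[str, str, int]:
        """Consume 'any', 'host X' or 'X WILDCARD' starting at token i."""
        if t[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if t[i] == "host":
            return t[i + 1], "0.0.0.0", i + 2
        return t[i], t[i + 1], i + 2


    def parse_acl(lines: List[str]) -> List[dict]:
        """Parse 'access-list N permit|deny [PROTO] SRC [DST [eq PORT]]' lines.
        Standard ACLs (no protocol token) match on the source address only."""
        entries = []
        for line in lines:
            t = line.split()
            if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
                continue
            if t[3] in _PROTOS:                       # extended ACL
                proto = t[3]
                src, swild, i = _addr_spec(t, 4)
                dst, dwild, i = _addr_spec(t, i)
                port = None
                if i < len(t) and t[i] == "eq":
                    port = _PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            else:                                     # standard ACL
                proto, port = "ip", None
                src, swild, _ = _addr_spec(t, 3)
                dst, dwild = "0.0.0.0", "255.255.255.255"
            entries.append(dict(action=t[2], proto=proto, src=src, swild=swild,
                                dst=dst, dwild=dwild, port=port))
        return entries


    def acl_permits(entries: List[dict], pkt: Packet) -> bool:
        """First matching entry decides; implicit deny at the end, as on IOS."""
        proto, src, dst, dport = pkt
        for e in entries:
            if e["proto"] not in ("ip", proto):
                continue
            if not (_wild_match(src, e["src"], e["swild"])
                    and _wild_match(dst, e["dst"], e["dwild"])):
                continue
            if e["port"] is not None and e["port"] != dport:
                continue
            return e["action"] == "permit"
        return False


    # --- 836 thread: ACL 102 from the post, x.x.x.x replaced by a constructed address ---
    ACL_102 = [
        "access-list 102 remark incoming Internet via ATM0.1",
        "access-list 102 permit ip 192.123.32.0 0.0.0.255 192.123.33.0 0.0.0.255",
        "access-list 102 permit ip 14.1.1.0 0.0.0.255 any",
        "access-list 102 permit esp any any",
        "access-list 102 permit udp any host 198.51.100.1 eq isakmp log",
    ]
    ESP_PACKET = ("esp", "203.0.113.7", "198.51.100.1", None)      # constructed peer -> router
    INNER_PACKET = ("tcp", "192.123.32.5", "192.123.33.10", 445)   # same packet once decrypted


    def outer_and_inner(with_explicit_lines: bool) -> Tuple[bool, bool]:
        """Does ACL 102 pass the ESP packet, and the decrypted packet inside it?"""
        lines = ACL_102 if with_explicit_lines else [l for l in ACL_102 if "permit ip" not in l]
        entries = parse_acl(lines)
        return acl_permits(entries, ESP_PACKET), acl_permits(entries, INNER_PACKET)


    # --- 861 thread: original overload list 2 versus NT's route-map ACL 101 ---
    ACL_2 = ["access-list 2 permit 10.0.10.0 0.0.0.31"]
    ACL_101 = [
        "access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7",
        "access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255",
        "access-list 101 permit ip 10.0.0.0 0.0.255.31 any",
    ]
    REPLY_TO_VPN_CLIENT = ("tcp", "10.0.10.3", "197.0.0.2", 49152)  # server -> vpnpool address
    INTERNET_BOUND = ("tcp", "10.0.10.20", "203.0.113.50", 443)     # LAN host -> constructed site


    def nat_decision(pkt: Packet) -> Tuple[bool, bool]:
        """(translated under list 2, translated under ACL 101): an
        'ip nat inside source ... overload' rule translates a flow iff its ACL permits it."""
        return acl_permits(parse_acl(ACL_2), pkt), acl_permits(parse_acl(ACL_101), pkt)


    if __name__ == "__main__":
        print("ACL 102 with explicit lines (esp, inner):", outer_and_inner(True))
        print("ACL 102 esp/isakmp only     (esp, inner):", outer_and_inner(False))
        print("reply to VPN client translated (list 2, ACL 101):", nat_decision(REPLY_TO_VPN_CLIENT))
        print("Internet-bound flow translated (list 2, ACL 101):", nat_decision(INTERNET_BOUND))
    ```

    Run as a script it prints the four decisions: with the explicit lines both the ESP packet and the inner packet pass; with only the ESP and isakmp entries the inner packet hits the implicit deny. For the 861, list 2 translates the server's reply towards 197.0.0.2 (so the VPN client sees a reply from the WAN address and the tunnel session breaks), while ACL 101 denies that flow from translation yet still permits the Internet-bound one. The same exemption idea is what the AnyConnect thread below calls NAT0 on the ASA.
    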

  • AnyConnect VPN users cannot access remote subnets?

    I googled this until I was blue in the face without result.  I don't understand why Cisco makes this so difficult?  When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access the resources in remote offices.  What should I do to allow my AnyConnect VPN clients access to my remote sites?

    Cisco 5510 8.4

    Hello

    What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that leads traffic for the VPN pool to it, even if they have no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route does not point to this ASA, then you would naturally need a route on the remote site (and on anything in between) telling the remote site where to reach the 10.10.224.0/24 VPN pool network.

    In addition to routing, you must have NAT0 configured for each remote site and the VPN pool.

    Just a simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this:

    object-group network REMOTE-SITES
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 10.10.30.0 255.255.255.0
     network-object 10.10.40.0 255.255.255.0

    object network VPN-POOL
     subnet 10.10.224.0 255.255.255.0

    nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

    The above of course assumes that the remote sites are located behind the 'inside' interface (through some network, e.g. MPLS), and naturally the remote site networks are made up for the sake of the example.

    Since you are using a Full Tunnel VPN, there should be no problem with the VPN users forwarding their traffic to this ASA.

    My first things to check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (regarding reaching the VPN pool, not the ASA's own network IP address).

    Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?

    -Jouni
