VPN is up, but cannot ping through

Hello

I have a problem where two places are trying to connect. The first location has a Cisco 861 and a UC500 for the phone system. The second location uses a UC520 for phones and as the router. Here are the configurations of the 861 and the UC520. Any help would be greatly appreciated!

Cisco 861

Current configuration : 7635 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1477458744
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1477458744
 revocation-check none
 rsakeypair TP-self-signed-1477458744
!
!
crypto pki certificate chain TP-self-signed-1477458744
 quit
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
license udi pid CISCO861-K9 sn fff
!
!
username admin
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 2.2.2.140 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
crypto map MYmap 1 ipsec-isakmp
 set peer 1.1.1.140
 set transform-set ESP-3DES-SHA
 match address SDM_1
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 1.1.1.130 255.255.255.240
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed auto
 crypto map mymap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.1.1.23 80 1.1.1.133 80 extendable
ip nat inside source static 10.1.1.23 1.1.1.133
1
ip route 0.0.0.0 0.0.0.0 1.1.1.129
!
ip access-list extended SDM_1
 remark CCP_ACL Category=20
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
 remark IPSec Rule
ip access-list extended VPN-TRAFFIC
 remark CCP_ACL Category=16
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit any
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit any
access-list 100 remark CCP_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit ip 0.0.0.0 255.255.255.0 any
access-list 100 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 deny ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 deny ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 172.16.4.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!

------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco UC520

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Panasonic address 1.1.1.130 no-xauth
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key 8888
 dns 64.132.94.250 216.136.95.1
 pool SDM_POOL_1
 acl 105
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
 match identity group EZVPN_GROUP_1
 client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
 isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map MYmap 1 ipsec-isakmp
 set peer 1.1.1.130
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
ip telnet source-interface BVI100
ip tftp source-interface Loopback0
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
bridge irb
!
interface Loopback0
 ip address 10.1.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 2.2.2.140 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map mymap
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group
 ip unnumbered BVI100
 ip nat inside
 ip virtual-reassembly
 service-module ip address 172.16.6.2 255.255.255.0
 service-module ip default-gateway 172.16.6.1
!
interface Virtual-Template1 type tunnel
 ip unnumbered BVI1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
!
interface Vlan100
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 100
!
interface BVI1
 ip address 10.0.0.250 255.255.255.0
 ip helper-address 10.0.0.6
 ip nat inside
 ip virtual-reassembly
!
interface BVI100
 ip address 172.16.6.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 172.16.6.1
!
ip local pool SDM_POOL_1 192.168.2.10 192.168.2.19
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 172.16.6.2 255.255.255.255 Integrated-Service-Engine0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip nat inside source list INSIDE_NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.7 80 2.2.2.142 80 extendable
!
ip access-list extended INSIDE_NAT
 deny ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
 deny ip any 10.1.1.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 172.16.4.0 0.0.0.255
 deny ip 10.1.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip 172.16.6.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 172.16.6.0 0.0.0.255 any
ip access-list extended NAT_CUSTOMERS
 permit tcp any host 2.2.2.140 eq 4550
!
access-list 100 permit ip 172.16.6.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 172.16.6.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 172.16.4.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 105 permit ip 172.16.6.0 0.0.0.255 any
snmp-server community public RO

Hi, Marshal.

Good news, I give you 5 stars

Please mark this question as answered.

Good day.

Tags: Cisco Security

Similar Questions

  • Client VPN connects but cannot ping all hosts

    Here is the configuration of a PIX 501, which I want to accept connections from the VPN software clients.  I can connect successfully to the PIX using the 5.0.0.7.0290 VPN client and I can ping the PIX at 192.168.5.1, but I can't ping or connect to any hosts behind the PIX.  Can someone tell me what I am missing in my setup?

    Thanks for your help.

    chi-pix# sh conf
    : Saved
    : Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname chi-pix
    domain-name .com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list internet-traffic permit ip 192.168.5.0 255.255.255.0 any
    Allow Access-list allowed a whole icmp ping
    access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
    access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
    pager lines 24
    logging on
    logging buffered debugging
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.5.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.10.11.1-10.10.11.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 access-list internet-traffic 0 0
    group-access allowed to ping in external interface
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    Crypto ipsec transform-set esp - esp-md5-hmac GvnPix-series
    crypto dynamic-map dynmap 10 set transform-set GvnPix-set
    crypto map toGvnPix 10 ipsec-isakmp dynamic dynmap
    crypto map toGvnPix interface outside
    isakmp enable outside
    isakmp key * address 0.0.0.0 netmask 0.0.0.0
    isakmp keepalive 60
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    vpngroup chiclient address-pool ippool
    vpngroup chiclient dns-server 192.168.5.1
    vpngroup chiclient wins-server 192.168.5.1
    vpngroup chiclient default-domain com
    vpngroup chiclient split-tunnel 101
    vpngroup chiclient idle-time 1800
    vpngroup chiclient password *
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    management-access inside
    console timeout 0
    vpdn group chi request dialout pppoe
    vpdn group chi localname net
    vpdn group chi ppp authentication pap
    vpdn username net password *
    dhcpd address 192.168.5.2-192.168.5.33 inside
    dhcpd dns xx
    dhcpd lease 86400
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 100
    Cryptochecksum:
    chi-pix#

    The PIX configuration seems correct.

    I guess you are trying to access hosts in 192.168.5.0/24, and the default gateway of these hosts is the PIX inside interface 192.168.5.1?

    How are you trying to access these internal hosts? If you are trying to ping the hosts, please make sure there is no personal firewall enabled on the inside hosts, as a personal firewall normally doesn't allow incoming connections from a different subnet.

  • VPN connects but cannot ping or access resources

    I hope this is an easy fix and it's something that I am missing.  I've been looking at this for several hours.

    Scenario:

    I have AnyConnect Essentials, so I use the SSL connection.

    I changed my domain name and external IP in the configuration I am posting.

    My VPN connection seems to work very well.  In fact, I was able to connect to 3 locations with 3 different external IP address.

    1 location, I get IP address 192.168.30.10, as it should.  I can ping 192.168.1.1, but not the 192.168.1.6 which is my temporary resource, the firewall is disabled on 192.168.1.6.

    2 location, I get an IP of 192.168.30.11, as it should.  I was able to ping 192.168.30.10, could not sue 192.168.1.1 as the place closed.

    Any help would be appreciated, it's getting late so I hope I gave enough details.  I feel so close but yet so far.

    ciscoasa# show run
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 22.22.22.246 255.255.255.252
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group icmp-type ALLOWPING
     icmp-object echo
     icmp-object time-exceeded
     icmp-object echo-reply
     icmp-object traceroute
     icmp-object source-quench
     icmp-object unreachable
    access-list 10 extended permit ip any any
    access-list 10 extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 22.22.22.245 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
     network-acl 10
     webvpn
      svc ask none default svc
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable inside
     enable outside
     anyconnect-essentials
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
     svc enable
     tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     default-domain value mondomaine.fr
     address-pools value SSLClientPoolNew
     webvpn
      svc keep-installer installed
      svc rekey time 180
      svc rekey method ssl
      svc modules value vpngina
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol webvpn
    username test password xxxxxxxxxxxxxx encrypted privilege 15
    username ljb1 password xxxxxxxxxxxxxx encrypted
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
     default-group-policy SSLClientPolicy
    tunnel-group SSLClientProfile webvpn-attributes
     group-alias SSLVPNClient enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ed683c7f1b86066d1d8c4fff6b08c592
    : end

    Patrick,

    You're missing the NAT exemption. Please add the following and try again:

    access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0

    nat (inside) 0 access-list sheep

    Let us know if you still have problems after that.

    Raga
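
The lookup order behind the NAT exemption in the reply above, as an added example that is not part of the original thread: a small model of ASA 8.2-style NAT selection showing that, without a `nat (inside) 0 access-list` rule, traffic from the inside network to the VPN pool matches the dynamic NAT rule. The config strings are constructed from the lines posted above, the function names are hypothetical, and only network/mask ACL entries are handled.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the ASA 8.2 configuration in
# the question above, written in normal ASA syntax.
BASE_CONFIG = """\
ip local pool SSLClientPoolNew 192.168.30.10-192.168.30.25 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
"""

# The two lines suggested in the reply.
NAT_EXEMPTION = """\
access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list sheep
"""

ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?(permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) ([1-9]\d*) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse(config):
    """Collect ACL entries, nat 0 bindings, dynamic NAT rules and address pools."""
    acls, exempt, dynamic, pools = {}, [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, action, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((action, _net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):
            exempt.append(m.groups())                 # (interface, acl name)
        elif m := NAT_RE.match(line):
            dynamic.append((m[1], _net(m[3], m[4])))  # (interface, source net)
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return acls, exempt, dynamic, pools


def nat_decision(config, interface, src, dst):
    """Return 'exempt', 'translated' or 'untranslated' for a flow src -> dst."""
    acls, exempt, dynamic, _ = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # NAT exemption (nat 0 access-list) is consulted before dynamic NAT/PAT.
    for ifc, acl_name in exempt:
        if ifc != interface:
            continue
        for action, s, d in acls.get(acl_name, []):
            if src in s and dst in d:      # first matching entry decides
                if action == "permit":
                    return "exempt"
                break
    if any(ifc == interface and src in s for ifc, s in dynamic):
        return "translated"
    return "untranslated"


def translated_pool_addresses(config, interface, inside_host, pool):
    """Pool addresses for which traffic from inside_host would be translated."""
    first, last = parse(config)[3][pool]
    hits = []
    for n in range(int(first), int(last) + 1):
        client = str(ipaddress.ip_address(n))
        if nat_decision(config, interface, inside_host, client) == "translated":
            hits.append(client)
    return hits


if __name__ == "__main__":
    for label, cfg in (("as posted", BASE_CONFIG),
                       ("with nat 0", BASE_CONFIG + NAT_EXEMPTION)):
        print(label, nat_decision(cfg, "inside", "192.168.1.6", "192.168.30.10"))
```

Internet-bound traffic from the inside network is still translated after the change, because the exemption ACL only names the VPN pool as destination.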

  • Tunnel up, but cannot ping

    I've set up a tunnel from an ASA called SALMONARM to a Cisco 1921 called PG-1921.

    I bring up the tunnel by sending some 'interesting' traffic.

    On PG-1921, I run show crypto isakmp sa, and an entry for the tunnel is present, with the status ACTIVE.

    I do the same on SALMONARM, and once again the tunnel is present, with the state MM_ACTIVE.

    So far so good.

    I try to send pings from inside the SALMONARM network to the inside of the PG-1921 network.

    Pings fail (time out).

    I run show crypto ipsec sa peer on SALMONARM, and I see 0 encaps and 0 decaps.

    This seems to suggest that the pings never leave the SALMONARM ASA.

    I believe that I have a NAT exemption and an ACL to allow traffic to the remote network from the internal one.

    Here's the configs...
    SALMONARM (ASA): http://pastebin.com/raw.php?i=vYDhfe3r
    PG-1921 (1921 Cisco): http://pastebin.com/raw.php?i=L6aYhmc9

    The tunnel is crypto map PG_TUNNEL_MAP 11 in the config SALMONARM and crypto map SDM_CMAP_1 5 in the config of PG-1921 .

    What might be missing?

    Do you have a router behind the ASA that could have bad routes in there? Are you pinging from the ASA itself or from a device behind it? Can you add the command 'management-access inside' and try to ping from the ASA with the command "ping inside x.x.x.x" and see if you get the encaps then?

    Thank you

    Mike

  • Cisco ipsec Vpn connects but cannot communicate with lan

    I have a Cisco 1921 running version 15.2(4)M3. I set up IPsec VPN and clients can connect but cannot ping anything inside.  Any insight into what could be wrong with my config would be greatly appreciated.  I have posted the running configuration as well as some IPsec show output.  I also tried with multiple operating systems using the Cisco VPN client and Shrew Soft.  I am able to connect to another 1921 running IPsec VPN from both of these computers using a client.

    Thanks for any assistance

    sh run

    !
    aaa new-model
    !
    !
    aaa authentication login radius_auth local group radius
    aaa authentication login VPN_AUTHEN group radius local
    aaa authorization network network_vpn_author local
    !
    !
    !
    !
    !
    aaa session-id common
    clock timezone PST -8 0
    clock summer-time PST recurring
    !
    no ip source-route
    ip options drop
    ip cef
    !
    !
    !
    !
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name XXX.local
    ip inspect max-incomplete high 3000
    ip inspect max-incomplete low 2800
    ip inspect one-minute low 2800
    ip inspect one-minute high 3000
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW ssh
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    crypto pki trustpoint TP-self-signed-2909270577
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2909270577
     revocation-check none
     rsakeypair TP-self-signed-2909270577
    !
    !
    crypto pki certificate chain TP-self-signed-2909270577
     certificate self-signed 01
    license udi pid CISCO1921/K9 sn FTX1715818R
    !
    !
    archive
     log config
      logging enable
      logging size 1000
      notify syslog contenttype plaintext
    object-group network ADMIN_HOSTS
     range 71.X.X.X 71.X.X.X
    !
    username name1 privilege 15 secret 4 XXXXXXX

    !
    redundancy
    !
    !
    !
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh logging events
    ip ssh version 2
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group roaming_vpn
     key XXXXX
     dns 192.168.10.10 10.1.1.1
     domain XXX.local
     pool VPN_POOL_1
     acl client_vpn_traffic
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode tunnel
    !
    !
    !
    crypto dynamic-map VPN_DYNMAP_1 1
     set security-association idle-time 1800
     set transform-set ESP-3DES-SHA
     reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list VPN_AUTHEN
    crypto map SDM_CMAP_1 isakmp authorization list network_vpn_author
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic VPN_DYNMAP_1
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     ip address 76.W.E.R 255.255.255.248
     ip access-group ATT_Outside_In in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly in
     load-interval 30
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
     crypto map SDM_CMAP_1
    !
    interface GigabitEthernet0/1
     no ip address
     load-interval 30
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1.10
     encapsulation dot1Q 1 native
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting access-violations
     ip nat inside
     ip virtual-reassembly in
    !
    interface GigabitEthernet0/1.100
     encapsulation dot1Q 100
     ip address 10.1.1.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly in
    !
    interface GigabitEthernet0/1.200
     encapsulation dot1Q 200
     ip address 10.1.2.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    !
    ip local pool VPN_POOL_1 192.168.168.193 192.168.168.254
    ip forward-protocol nd
    !
    ip http server
    ip http authentication aaa login-authentication ADMIN_AUTHEN
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source route-map ATT_NAT_LIST interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.10.10 25 76.W.E.R 25 extendable
    ip nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extendable
    ip nat inside source static tcp 192.168.10.10 443 76.W.E.R 443 extendable
    ip nat inside source static tcp 192.168.10.10 987 76.W.E.R 987 extendable
    ip route 0.0.0.0 0.0.0.0 76.W.E.F
    !
    ip access-list extended ATT_Outside_In
     permit tcp object-group ADMIN_HOSTS any eq 22
     permit tcp any host 76.W.E.R eq www
     permit tcp any host 76.W.E.R eq 443
     permit tcp any host 76.W.E.R eq 987
     permit tcp any host 76.W.E.R eq smtp
     permit icmp any any echo-reply
     permit icmp any any
     permit udp any any eq isakmp
     permit esp any any
     permit ahp any any
     permit udp any any eq non500-isakmp
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 127.0.0.0 0.255.255.255 any
     deny ip host 255.255.255.255 any
     deny ip host 0.0.0.0 any
    ip access-list extended NAT_LIST
     permit ip 10.1.0.0 0.0.255.255 any
     permit ip 192.168.10.0 0.0.0.255 any
     deny ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
     deny ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
     deny ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
    ip access-list extended client_vpn_traffic
     permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
     permit ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
     permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    ip radius source-interface GigabitEthernet0/1.10
    logging trap errors
    logging origin-id hostname
    logging source-interface GigabitEthernet0/1.10
    !
    route-map ATT_NAT_LIST permit 20
     match ip address NAT_LIST
     match interface GigabitEthernet0/0
    !
    !
    SNMP-server community [email protected] / * /! s RO
    Server enable SNMP traps snmp authentication linkdown, linkup warmstart cold start
    Server enable SNMP traps vrrp
    Server SNMP enable transceiver traps all the
    Server enable SNMP traps ds1
    Enable SNMP-Server intercepts the message-send-call failed remote server failure
    Enable SNMP-Server intercepts ATS
    Server enable SNMP traps eigrp
    Server enable SNMP traps ospf-change of State
    Enable SNMP-Server intercepts ospf errors
    SNMP Server enable ospf retransmit traps
    Server enable SNMP traps ospf lsa
    Server enable SNMP traps ospf nssa-trans-changes state cisco-change specific
    SNMP server activate interface specific cisco-ospf traps shamlink state change
    SNMP Server enable neighbor traps cisco-specific ospf to the State shamlink change
    Enable SNMP-Server intercepts specific to cisco ospf errors
    SNMP server activate specific cisco ospf retransmit traps
    Server enable SNMP traps ospf cisco specific lsa
    SNMP server activate license traps
    Server enable SNMP traps envmon
    traps to enable SNMP-Server ethernet cfm cc mep-top low-mep Dispatcher loop config
    Enable SNMP-Server intercepts ethernet cfm overlap missing mep mep-unknown service-up
    Server enable SNMP traps auth framework sec-violation
    Server enable SNMP traps c3g
    entity-sensor threshold traps SNMP-server enable
    Server enable SNMP traps adslline
    Server enable SNMP traps vdsl2line
    Server enable SNMP traps icsudsu
    Server enable SNMP traps ISDN call-information
    Server enable SNMP traps ISDN layer2
    Server enable SNMP traps ISDN chan-not-available
    Server enable SNMP traps ISDN ietf
    Server enable SNMP traps ds0-busyout
    Server enable SNMP traps ds1-loopback
    SNMP-Server enable traps energywise
    Server enable SNMP traps vstack
    SNMP traps enable mac-notification server
    Server enable SNMP traps bgp cbgp2
    Enable SNMP-Server intercepts isis
    Server enable SNMP traps ospfv3-change of State
    Enable SNMP-Server intercepts ospfv3 errors
    Server enable SNMP traps aaa_server
    Server enable SNMP traps atm subif
    Server enable SNMP traps cef resources-failure-change of State peer peer-fib-state-change inconsistency
    Server enable SNMP traps memory bufferpeak
    Server enable SNMP traps cnpd
    Server enable SNMP traps config-copy
    config SNMP-server enable traps
    Server enable SNMP traps config-ctid
    entity of traps activate SNMP Server
    Server enable SNMP traps fru-ctrl
    SNMP traps-policy resources enable server
    Server SNMP enable traps-Manager of event
    Server enable SNMP traps frames multi-links bundle-incompatibility
    SNMP traps-frame relay enable server
    Server enable SNMP traps subif frame relay
    Server enable SNMP traps hsrp
    Server enable SNMP traps ipmulticast
    Server enable SNMP traps msdp
    Server enable SNMP traps mvpn
    Server enable SNMP traps PNDH nhs
    Server enable SNMP traps PNDH nhc
    Server enable SNMP traps PNDH PSN
    Server enable SNMP traps PNDH exceeded quota
    Server enable SNMP traps pim neighbor-rp-mapping-change invalid-pim-message of change
    Server enable SNMP traps pppoe
    Enable SNMP-server holds the CPU threshold
    SNMP Server enable rsvp traps
    Server enable SNMP traps syslog
    Server enable SNMP traps l2tun session
    Server enable SNMP traps l2tun pseudowire status
    Server enable SNMP traps vtp
    Enable SNMP-Server intercepts waas
    Server enable SNMP traps ipsla
    Server enable SNMP traps bfd
    Server enable SNMP traps gdoi gm-early-registration
    Server enable SNMP traps gdoi full-save-gm
    Server enable SNMP traps gdoi gm-re-register
    Server enable SNMP traps gdoi gm - generate a new key-rcvd
    Server enable SNMP traps gdoi gm - generate a new key-fail
    Server enable SNMP traps gdoi ks - generate a new key-pushed
    Enable SNMP traps gdoi gm-incomplete-cfg Server
    Enable SNMP-Server intercepts gdoi ks-No.-rsa-keys
    Server enable SNMP traps gdoi ks-new-registration
    Server enable SNMP traps gdoi ks-reg-complete
    Enable SNMP-Server Firewall state of traps
    SNMP-Server enable traps ike policy add
    Enable SNMP-Server intercepts removal of ike policy
    Enable SNMP-Server intercepts start ike tunnel
    Enable SNMP-Server intercepts stop ike tunnel
    SNMP server activate ipsec cryptomap add traps
    SNMP server activate ipsec cryptomap remove traps
    SNMP server activate ipsec cryptomap attach traps
    SNMP server activate ipsec cryptomap detach traps
    Server SNMP traps enable ipsec tunnel beginning
    SNMP-Server enable traps stop ipsec tunnel
    Enable SNMP-server holds too many associations of ipsec security
    Enable SNMP-Server intercepts alarm ethernet cfm
    Enable SNMP-Server intercepts rf
    Server enable SNMP traps vrfmib vrf - up low-vrf vnet-trunk-up low-trunk-vnet
    Server RADIUS dead-criteria life 2
    RADIUS-server host 192.168.10.10
    Server RADIUS 2 timeout
    Server RADIUS XXXXXXX key
    !
    !
    !
    control-plane
    !
    !

    line con 0
    privilege level 15
    login authentication radius_auth
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    privilege level 15
    login authentication radius_auth
    transport input ssh
    line vty 5 15
    privilege level 15
    login authentication radius_auth
    transport input ssh
    !
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 192.168.10.10
    ntp server 64.250.229.100
    !
    end

    Router#sh crypto ipsec sa

    interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 76.W.E.R

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.168.213/255.255.255.255/0/0)
    current_peer 75.X.X.X port 2642
    PERMIT, flags={}
    #pkts encaps: 1953, #pkts encrypt: 1953, #pkts digest: 1953
    #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify: 1963
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 76.W.E.R, remote crypto endpt.: 75.X.X.X
    path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
    current outbound spi: 0x5D423270(1564619376)
    PFS (Y/N): N, DH group: none

    inbound esp sas:
    spi: 0x2A5177DD(709982173)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 2115, flow_id: Onboard VPN:115, sibling_flags 80000040, crypto map: SDM_CMAP_1
    sa timing: remaining key lifetime (k/sec): (4301748/2809)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0x5D423270(1564619376)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 2116, flow_id: Onboard VPN:116, sibling_flags 80000040, crypto map: SDM_CMAP_1
    sa timing: remaining key lifetime (k/sec): (4301637/2809)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

    outbound ah sas:

    outbound pcp sas:

    Router#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    76.W.E.R        75.X.X.X        QM_IDLE           1055 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    In your NAT ACL, you will need to deny your VPN traffic before you permit the subnet at all. Just put all the deny statements before the permit statements.


  • Urgent! Remote access VPN users connect but cannot access remote LAN (ping, folder, ...)

    Hello

    I am setting up a remote access VPN on a Cisco ASA 5510 version 8.4(4)1.

    When I try to connect via the Cisco VPN client software, I am able to connect; however, I am unable to access network resources.

    However, I can ping the servers in the other site that is connected to the main site through the site-to-site VPN!

    VPN client --> main site (ping times out) --> site connected with the main site with S2S VPN (successful ping)

    Please help me I need to find a solution as soon as POSSIBLE!

    Thank you in advance.

    Hello

    Please remove the NAT exemption and re-issue the command, but with 1, so that it is placed as the first NAT line:

    no nat (SERVERS,external) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    nat (SERVERS,external) 1 source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    After reconfiguring it this way, make sure that this command is also present:

    sysopt connection permit-vpn

    This sysopt will allow the traffic regardless of any ACL drop, just in case. Please then run a packet tracer and post it here:

    packet-tracer input SERVERS icmp XXXXXX 8 0 YYYYY detailed

    XXXXXX --> server IP

    YYYYY --> VPN IP of the user

    Don't forget to do the two steps and, just in case, a capture. Please rate and mark the helpful post as correct!

    Thank you

    David Castro,

  • Connected to the ASA via the "VPN Client" software, but cannot ping devices.

    I have a network that looks like this:

    I successfully connected to the network inside the ASA via a "VPN Client" software tunnel and got an IP address of 10.45.99.100/16.

    I am trying to ping from 10.45.99.100 (outside) to 10.45.7.2, but the ping fails (request timed out).

    On the ASA, with "logging console notifications" set, I notice the following message is displayed:

    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.45.99.100 dst inside:10.45.7.2 (type 8, code 0) denied due to NAT reverse path failure"

    I have a vague feeling that I'm missing a NAT rule of course, but not all. What did I miss?

    Here is my configuration of ASA: http://pastebin.com/raw.php?i=ad6p1Zac

    Hello

    You seem to have a NAT0 ACL configured, but it is not actually in use with a "nat" command.

    You would probably need

    nat (inside) 0 access-list inside_nat0_outside

    That should handle the NAT0.

    Personally, I would avoid using large subnets/networks. You will probably never have enough hosts behind the ASA to fill a /16 subnet.

    I would also keep the VPN pool as a separate network from the LANs behind the ASA. The LAN 10.45.0.0/16 and the pool 10.45.99.100 - 200 are on the same network.

    -Jouni

  • VPN connection established, but cannot connect to the server?

    AnyConnect VPN connection is established - but cannot connect to the server? The server IP is 192.168.0.4

    Thank you

    ASA Version 8.2 (1)

    !

    hostname ciscoasa5505

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.0.3 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 208.0.0.162 255.255.255.248

    !

    interface Vlan5

    Shutdown

    prior to interface Vlan1

    nameif dmz

    security-level 50

    IP address dhcp setroute

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    clock timezone PST - 8

    clock summer-time recurring PDT

    DNS lookup field inside

    DNS server-group DefaultDNS

    192.168.0.4 server name

    Server name 208.0.0.11

    permit same-security-traffic intra-interface

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service TS-780-tcp - udp

    port-object eq 780

    object-group service Graphon tcp - udp

    port-object eq 491

    Allworx-2088 udp service object-group

    port-object eq 2088

    object-group service allworx-15000 udp

    15000 15511 object-port Beach

    object-group service udp allworx-2088

    port-object eq 2088

    object-group service allworx-5060 udp

    port-object eq sip

    object-group service allworx-8081 tcp

    EQ port 8081 object

    object-group service web-allworx tcp

    EQ object of port 8080

    allworx udp service object-group

    16001 16010 object-port Beach

    object-group service allworx-udp

    object-port range 16384-16393

    object-group service remote tcp - udp

    port-object eq 779

    object-group service billing1 tcp - udp

    EQ object of port 8080

    object-group service billing-1521 tcp - udp

    port-object eq 1521

    object-group service billing-6233 tcp - udp

    6233 6234 object-port Beach

    object-group service billing2-3389 tcp - udp

    EQ port 3389 object

    object-group service olivia-3389 tcp - udp

    EQ port 3389 object

    object-group service olivia-777-tcp - udp

    port-object eq 777

    netgroup group of objects

    network-object host 192.168.0.15

    network-object host 192.168.0.4

    object-group service allworx1 tcp - udp

    8080 description

    EQ object of port 8080

    allworx_15000 udp service object-group

    15000 15511 object-port Beach

    allworx_16384 udp service object-group

    object-port range 16384-16393

    DM_INLINE_UDP_1 udp service object-group

    purpose of group allworx_16384

    object-port range 16384 16403

    object-group service allworx-5061 udp

    range of object-port 5061 5062

    object-group service ananit tcp - udp

    port-object eq 880

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-6233

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-1521

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing2-3389

    outside_access_in list extended access permit tcp any host 208.0.0.164 eq https

    outside_access_in list extended access permit tcp any host 208.0.0.164 eq www

    outside_access_in list extended access permit tcp any host 208.0.0.164 eq ftp

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing1

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 EQ field

    outside_access_in list extended access permit tcp any host 208.0.0.162 eq www

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 remote object-group

    outside_access_in list extended access permit tcp any host 208.0.0.162 eq smtp

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 object-group olivia-777

    outside_access_in list extended access permit udp any host 208.0.0.162 - group Allworx-2088 idle object

    outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5060

    outside_access_in list extended access permit tcp any host 208.0.0.162 object-group web-allworx inactive

    outside_access_in list extended access permit tcp any host 208.0.0.162 object-group inactive allworx-8081

    outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-15000

    outside_access_in list extended access permit udp any host 208.0.0.162 DM_INLINE_UDP_1 idle object-group

    outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5061

    outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 inactive ananit object-group

    outside_access_in list extended access deny ip host 151.1.68.194 208.0.0.164

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

    access-list Ping extended permit icmp any any echo-reply

    access-list inside_access_in extended permit ip any any

    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list 1 standard permit 192.168.0.0 255.255.255.0

    pager lines 24

    Enable logging

    logging buffered stored notifications

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    MTU 1500 dmz

    ip local pool remote_pool 192.168.100.30-192.168.100.60 mask 255.255.255.0

    ip local pool remote 192.168.0.20-192.168.0.50 mask 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    global (outside) 1 interface

    nat (inside) 0 access-list inside_nat0_outbound

    nat (inside) 1 0.0.0.0 0.0.0.0

    nat (outside) 1 192.168.0.0 255.255.255.0

    alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255

    public static tcp (indoor, outdoor) interface 192.168.0.4 smtp smtp netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface field 192.168.0.4 netmask 255.255.255.255 area

    public static tcp (indoor, outdoor) interface 192.168.0.4 www www netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface 777 192.168.0.15 777 netmask 255.255.255.255

    public static tcp (indoor, outdoor) interface 779 192.168.0.4 779 netmask 255.255.255.255

    public static (inside, outside) udp interface field 192.168.0.4 netmask 255.255.255.255 area

    public static tcp (indoor, outdoor) interface 880 192.168.0.16 880 netmask 255.255.255.255

    static (inside, outside) 208.0.0.164 tcp 3389 192.168.0.185 3389 netmask 255.255.255.255

    inside_access_in access to the interface inside group

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 208.0.0.161 1

    Route inside 192.168.50.0 255.255.255.0 192.168.0.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.0.0 255.255.255.0 inside

    http 192.168.0.3 255.255.255.255 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Sysopt noproxyarp inside

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 1 match address outside_cryptomap

    card crypto outside_map 1 set pfs

    peer set card crypto outside_map 1 108.0.0.97

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    card crypto outside_map 20 match address outside_20_cryptomap

    card crypto outside_map 20 set pfs

    peer set card crypto outside_map 20 69.0.0.54

    outside_map crypto 20 card value transform-set ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life no

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 1

    life no

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    identifying client DHCP-client interface dmz

    dhcpd outside auto_config

    !

    dhcpd address 192.168.0.20 - 192.168.0.50 inside

    dhcpd dns 192.168.0.4 208.0.0.11 interface inside

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    allow outside

    SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

    enable SVC

    tunnel-group-list activate

    attributes of Group Policy DfltGrpPolicy

    internal group anyconnect strategy

    attributes of the strategy group anyconnect

    VPN-tunnel-Protocol svc webvpn

    WebVPN

    list of URLS no

    SVC request enable

    encrypted olivia Zta1M8bCsJst9NAs password username

    username of graciela CdnZ0hm9o72q6Ddj encrypted password

    tunnel-group 69.0.0.54 type ipsec-l2l

    IPSec-attributes tunnel-group 69.0.0.54

    pre-shared-key *.

    tunnel-group 108.0.0.97 type ipsec-l2l

    IPSec-attributes tunnel-group 108.0.0.97

    pre-shared-key *.

    tunnel-group anyconnect type remote access

    tunnel-group anyconnect General attributes

    remote address pool

    strategy-group-by default anyconnect

    tunnel-group anyconnect webvpn-attributes

    Group-alias anyconnect enable

    !

    Global class-card class

    match default-inspection-traffic

    !

    !

    World-Policy policy-map

    Global category

    inspect the icmp

    !

    service-policy-international policy global

    : end

    ASDM location 208.0.0.164 255.255.255.255 inside

    ASDM location 192.168.0.15 255.255.255.255 inside

    ASDM location 192.168.50.0 255.255.255.0 inside

    ASDM location 192.168.1.0 255.255.255.0 inside

    don't allow no asdm history

    Right now your nat 0 (NAT exemption) uses the following access list:

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

    Return traffic from your server at 192.168.0.4 to the VPN pool (192.168.0.20 - 50) does not match this access list and will thus be NATted. The TCP connection will not establish due to the Reverse Path Forwarding (RPF) failure - the traffic is asymmetrically NATted.

    So try adding an entry to the access list such as:

    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

    It's a bit counterintuitive but necessary, since your VPN pool is carved out of your inside network address space. You could also do as André suggests below and use a separate network, but you would still have to add an access list entry to exempt the outgoing traffic from NAT.
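
The check described in the answer above, as an added example that is not part of the original thread: Python code that reads ASA 8.2-style `access-list ... extended permit|deny ip`, `ip local pool` and `nat (if) 0 access-list` lines and reports VPN pools whose return traffic from a given server would miss the NAT exemption. The sample configuration is constructed from the lines quoted in the thread, the function names are hypothetical, and only `ip` entries with `any`, `host A` or `A MASK` address forms are handled.

```python
import ipaddress

# Constructed sample: the NAT-relevant lines of the configuration discussed above.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool remote 192.168.0.20-192.168.0.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# The entry the answer proposes adding to the exemption ACL.
PROPOSED_ENTRY = ("access-list inside_nat0_outbound extended permit ip "
                  "192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0\n")


def _take_network(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Return (acls, pools, nat0) parsed from the configuration text."""
    acls, pools, nat0 = {}, {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"] and len(tok) > 5 and tok[2] == "extended" and tok[4] == "ip":
            rest = tok[5:]
            try:
                src, dst = _take_network(rest), _take_network(rest)
            except (IndexError, ValueError):
                continue  # entry form not handled by this example
            acls.setdefault(tok[1], []).append((tok[3], src, dst))
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) > 4 and "-" in tok[4]:
            first, last = tok[4].split("-", 1)
            pools[tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[:1] == ["nat"] and len(tok) >= 5 and tok[2] == "0" and tok[3] == "access-list":
            nat0[tok[1].strip("()")] = tok[4]
    return acls, pools, nat0


def is_exempt(entries, src, dst):
    """First-match ACL evaluation; an unmatched flow is not exempt and gets NATted."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def uncovered_pools(config_text, server_ip, inside_if="inside"):
    """Names of pools with at least one address the server cannot reach un-NATted."""
    acls, pools, nat0 = parse_config(config_text)
    entries = acls.get(nat0.get(inside_if), [])
    server = ipaddress.ip_address(server_ip)
    missing = []
    for name, (first, last) in pools.items():
        addrs = (ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
        if not all(is_exempt(entries, server, addr) for addr in addrs):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before:", uncovered_pools(SAMPLE_CONFIG, "192.168.0.4"))
    print("after: ", uncovered_pools(SAMPLE_CONFIG + PROPOSED_ENTRY, "192.168.0.4"))
```
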

  • VPN connection is established but cannot ping subnet

    Hello, I have an 851 router that I'm trying to learn with. I have a working config that gets me online and has a basic firewall and DHCP for clients. Then I wanted to add a VPN using the 851 and the Cisco VPN client.

    Using this tutorial "http://www.cisco.com/en/US/customer/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml."

    I was able to get partially to my goal, as I can establish a VPN and it shows me 192.168.1.0 as the secured route, but I cannot ping or communicate with anything within the 192.168.1.1 network.

    Try this one too.

    Instead of using an access list in the NAT statement, use a route map and see if it solves the problem.

    1. Deny IPsec traffic in the NAT access list.

    access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 120 permit ip 192.168.1.0 0.0.0.255 any

    2. Create a route map

    route-map sheep permit 10

    match ip address 120

    3. no ip nat inside source list 1 interface FastEthernet4 overload

    4. ip nat inside source route-map sheep interface FastEthernet4 overload

    5. clear ip nat translation *

    Then check.

    HTH

    Sangaré

  • Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

    Hello

    I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client. Now my problem is that I can connect but I cannot ping.

    Config

    ciscoasa # sh run

    : Saved

    :

    ASA Version 8.0 (3)

    !

    ciscoasa hostname

    activate the 5QB4svsHoIHxXpF password / encrypted

    names of

    xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

    xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

    xxx.xxx.xxx.xxx name Mail_Server

    xxx.xxx.xxx.xxx IncomingIP name

    xxx.xxx.xxx.xxx SAP name

    xxx.xxx.xxx.xxx Web server name

    xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

    isa_server_outside name 192.168.2.2

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    address IP IncomingIP 255.255.255.248

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP 192.168.2.1 255.255.255.0

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.253 255.255.255.0

    management only

    !

    passwd 123

    passive FTP mode

    clock timezone IS 2

    clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

    TCP_8081 tcp service object-group

    EQ port 8081 object

    DM_INLINE_TCP_1 tcp service object-group

    EQ port 3389 object

    port-object eq ftp

    port-object eq www

    EQ object of the https port

    EQ smtp port object

    EQ Port pop3 object

    port-object eq 3200

    port-object eq 3300

    port-object eq 3600

    port-object eq 3299

    port-object eq 3390

    EQ port 50000 object

    port-object eq 3396

    port-object eq 3397

    port-object eq 3398

    port-object eq imap4

    EQ port 587 object

    port-object eq 993

    port-object eq 8000

    EQ port 8443 object

    port-object eq telnet

    port-object eq 3901

    purpose of group TCP_8081

    EQ port 1433 object

    port-object eq 3391

    port-object eq 3399

    EQ object of port 8080

    EQ port 3128 object

    port-object eq 3900

    port-object eq 3902

    port-object eq 7777

    port-object eq 3392

    port-object eq 3393

    port-object eq 3394

    Equalizer object port 3395

    port-object eq 92

    port-object eq 91

    port-object eq 3206

    port-object eq 8001

    EQ port 8181 object

    object-port 7778 eq

    port-object eq 8180

    port-object 22222 eq

    port-object eq 11001

    port-object eq 11002

    port-object eq 1555

    port-object eq 2223

    port-object eq 2224

    object-group service RDP - tcp

    EQ port 3389 object

    3901 tcp service object-group

    3901 description

    port-object eq 3901

    object-group service tcp 50000

    50000 description

    EQ port 50000 object

    Enable_Transparent_Tunneling_UDP udp service object-group

    port-object eq 4500

    access-list connection to SAP Note inside_access_in

    inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

    access-list inside_access_in note outgoing VPN - PPTP

    inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

    access-list inside_access_in note outgoing VPN - GRE

    inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

    Comment from inside_access_in-list of access VPN - GRE

    inside_access_in list extended access will permit a full

    access-list inside_access_in note outgoing VPN - Client IKE

    inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

    Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

    inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

    Note to inside_access_in of outgoing DNS list access

    inside_access_in list extended access udp allowed any any eq field

    Note to inside_access_in of outgoing DNS list access

    inside_access_in list extended access permit tcp any any eq field

    Note to inside_access_in to access list carried forward Ports

    inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

    access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

    outside_access_in of access allowed any ip an extended list

    outside_access_in list extended access permit tcp any any eq pptp

    outside_access_in list extended access will permit a full

    outside_access_in list extended access allowed grateful if any host Mail_Server

    outside_access_in list extended access permit tcp any host Mail_Server eq pptp

    outside_access_in list extended access allow esp a whole

    outside_access_in ah allowed extended access list a whole

    outside_access_in list extended access udp allowed any any eq isakmp

    outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

    list of access allowed standard VPN 192.168.2.0 255.255.255.0

    corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    management of MTU 1500

    pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 603.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT-control

    Global (outside) 2 Mail_Server netmask 255.0.0.0

    Global 1 interface (outside)

    Global interface (2 inside)

    NAT (inside) 0-list of access corp_vpn

    NAT (inside) 1 0.0.0.0 0.0.0.0

    static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

    public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

    static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

    static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

    static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

    static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

    static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

    public static 192.168.2.0 (inside, outside) - corp_vpn access list

    Access-group outside_access_in in interface outside

    inside_access_in access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.2.0 255.255.255.0 inside

    http 192.168.1.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp - esp-md5-hmac transet

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic dynmap 10 set pfs

    Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

    cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

    cryptomap interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    Telnet 192.168.2.0 255.255.255.0 inside

    Telnet 192.168.1.0 255.255.255.0 management

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

    dhcpd domain.local domain inside interface

    !

    a basic threat threat detection

    host of statistical threat detection

    Statistics-list of access threat detection

    Management Server TFTP 192.168.1.123.

    internal group mypolicy strategy

    mypolicy group policy attributes

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value VPN

    Pseudo vpdn password 123

    vpdn username attributes

    VPN-group-policy mypolicy

    type of remote access service

    type mypolicy tunnel-group remote access

    tunnel-group mypolicy General attributes

    address-pool

    strategy-group-by default mypolicy

    tunnel-group mypolicy ipsec-attributes

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the pptp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

    : end

    Thank you very much.

    Hello

    You probably need

    policy-map global_policy

    class inspection_default

    inspect icmp

    inspect icmp error

    Your Split Tunnel and NAT0 configurations seem to.

    -Jouni

  • Established VPN tunnel between 4.8 Client and 525 PIX but cannot ping

    When there is no tunnel that is established, the client can ping all devices onsite / remote. However when the tunnel is established and the client picks up its expected the address pool IP address, the client can ping or local / remote.

    Debug icmp trace on the PIX shows inside devices responding to pings from the client, but the client

    does not receive these responses and shows request timed out.

    VPN client also shows only the transmitted data.

    I'm guessing that there is a problem of routing/natting somewhere?

    Would really appreciate some help on this? Ask some q If my problem is too vague.

    Thanks in advance!

    Would it be possible to show the hidden config of the PIX with the public IP addresses? Some things to check

    --> ISAKMP Nat traversal

    --> Windows Firewall

    --> syspot allowed

  • VPN tunnel is up but cannot ping LAN stations

    Hello

    I'm trying to set up easy vpn server on cisco 881/k9 router.

    Using the version of cisco vpn client 5.0, I can connect to the vpn server.

    Can get the IP address of the LAN subnet on the vpn client.

    On the VPN server side, I can see the VPN session using #show crypto isakmp sa

    But I can't ping from client vpn to any LAN station.

    Someone please check my setup and find out.

    This is my first time setting on the router cisco VPN.

    Building configuration...

    Current configuration: 5938 bytes
    !
    ! Last configuration change at 01:38:31 UTC Thursday, April 21, 2011 by evantage
    !
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname FarEastP
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    !
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 10
    !
    crypto pki trustpoint TP-self-signed-3333835941
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3333835941
    revocation-check none
    rsakeypair TP-self-signed-3333835941
    !
    !
    crypto pki certificate chain TP-self-signed-3333835941
    certificate self-signed 01
    quit
    no ip source-route
    !
    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.100
    ip dhcp excluded-address 192.168.1.201 192.168.1.254
    !
    ip dhcp pool CCP-pool1
    network 192.168.1.0 255.255.255.0
    domain-name FarEastP
    default-router 192.168.1.1
    dns-server 192.168.1.2 165.21.83.88
    !
    !
    no ip cef
    no ip domain lookup
    ip name-server 192.168.1.2
    ip name-server 165.21.83.88
    no ipv6 cef
    !
    !
    license udi pid CISCO881-K9 sn FHK142971LH
    !
    !
    username admin privilege 15 secret 5 $1$ W2eu$ lr. TpEfJuOE1iKQjFPHIT /.
    username privilege 15 secret 5 evantage P602 $1$$ 8TeJh5.SCHsY2TGd0.TnD1
    username privilege 5 secret 5 sshukla $1$ oflM$ cHZdlpLdWr.nn1UwiCEs7.
    username privilege 5 secret 5 rtandon $1$ yGAU$ BxJ6eQqG32WeI2gI4BDWh1
    sagrawal privilege 5 secret 5 username $1$ $1Kkz E6NOTt9LCXiGTarAxrc/i1
    username secret privilege 5 asarie $5 1. CVw $0ohz3WtLqU8USiMBqxIjA.
    username secret privilege 5 rbiyani 5 $1$ KkY / $02lEPCahuIpzoQcXln2yD.
    username privilege 5 secret 5 clovejoy $1$ WMbu$ t.er4RPRTnYNNwwkVGMuX.
    username privilege 5 secret 5 Lakshmi $1$ ZMC4$ Sjlcmcw2uvhzU9bwEw1Us.
    username privilege 5 secret 5 benmansour yPMa $1$$ I.q.7NW2uQo0s5FTHkxZM1
    username secret privilege 5 usha 5 $1$ bX1I$ X6X4eSSeq48k0Kq8Qt7Rn.
    username privilege 5 secret 5 aditya $1$ w2Vt$ HOz81M2UfLeni.PNUX2aJ.
    !
    !
    ip tcp synwait-time 10
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 10
    !
    crypto isakmp client configuration group VPN
    TP!zlflN\2\4go,xtP+xFapuWlKDvr#dVrS6L4TF5NJl2GXugUgv%LfQ+!drgUK key
    dns 192.168.1.2 165.21.83.88
    domain fareastp
    pool SDM_POOL_1
    acl 101
    max-users 20
    netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map DYNVPN 1
    set transform-set ESP-3DES-SHA
    !
    !
    crypto map clientmap client authentication list ciscocp_vpn_xauth_ml_1
    crypto map clientmap isakmp authorization list ciscocp_vpn_group_ml_1
    crypto map clientmap client configuration address respond
    crypto map clientmap 65535 ipsec-isakmp dynamic DYNVPN
    !
    !
    !
    !
    !
    interface Loopback0
    no ip address
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    WAN description $ ES_WAN$
    ip address 119.75.60.170 255.255.255.252
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map clientmap
    !
    interface Vlan1
    description LAN
    ip address 116.12.248.81 255.255.255.240 secondary
    ip address 192.168.1.1 255.255.255.0
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    !
    ip local pool SDM_POOL_1 192.168.1.201 192.168.1.254
    ip local pool POOL_2 10.10.1.2 10.10.1.200
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
    ip nat inside source static tcp 192.168.1.4 5003 interface FastEthernet4 5003
    ip nat inside source static tcp 192.168.1.4 16000 interface FastEthernet4 16000
    ip nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
    ip nat inside source list 111 interface FastEthernet4 overload
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 119.75.60.169
    !
    logging trap debugging
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    !
    !
    !
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    The VPN pool assigned to the VPN client must be in a unique subnet, separate from the internal networks.

    Please also post all your ACLs so we can see whether the NAT and crypto ACLs have been set up correctly.

    Your NAT ACL must include "deny ip" above all permit statements.
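
The two checks from the reply above, run against the 881 configuration (an added example, not part of the original thread): does a client pool fall inside an interface subnet, and does NAT ACL 101 hit a deny or a permit first for LAN-to-pool traffic. The config lines are re-typed in standard IOS syntax as constructed input; the deny line and the move of clients to POOL_2 are assumptions.

```python
import ipaddress
import re

# Constructed input: relevant lines of the 881 configuration posted above,
# written out in standard IOS syntax.
CONFIG_881 = """\
interface Vlan1
 ip address 116.12.248.81 255.255.255.240 secondary
 ip address 192.168.1.1 255.255.255.0
ip local pool SDM_POOL_1 192.168.1.201 192.168.1.254
ip local pool POOL_2 10.10.1.2 10.10.1.200
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

# Assumption (not from the page): clients are moved to POOL_2 and a deny line
# for LAN-to-pool traffic is placed above the permit, as the reply advises.
ACL_WITH_DENY = """\
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")


def interface_networks(cfg):
    """Subnets configured on interfaces ('ip address ADDR MASK [secondary]')."""
    found = re.findall(r"^\s*ip address (\S+) (\S+)", cfg, re.M)
    return [ipaddress.ip_interface(f"{a}/{m}").network for a, m in found]


def local_pools(cfg):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    found = re.findall(r"^ip local pool (\S+) (\S+) (\S+)", cfg, re.M)
    return {n: (ipaddress.ip_address(a), ipaddress.ip_address(b))
            for n, a, b in found}


def pool_overlaps(cfg):
    """For each pool, the interface subnets its address range intersects."""
    nets = interface_networks(cfg)
    return {name: [n for n in nets
                   if first <= n.broadcast_address and last >= n.network_address]
            for name, (first, last) in local_pools(cfg).items()}


def _take_net(tokens):
    """Consume 'any' or 'ADDR WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    # ipaddress accepts a host (wildcard) mask after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def acl_entries(cfg, number):
    """Ordered (action, source, destination) tuples for one numbered ACL."""
    entries = []
    pattern = rf"^access-list {number} (permit|deny) ip (.+)$"
    for action, rest in re.findall(pattern, cfg, re.M):
        src, tail = _take_net(rest.split())
        dst, _ = _take_net(tail)
        entries.append((action, src, dst))
    return entries


def nat_action(entries, lan, pool):
    """Action of the first ACL line that matches LAN -> pool traffic."""
    first, last = pool
    for action, src, dst in entries:
        if lan.subnet_of(src) and first in dst and last in dst:
            return action
    return "deny"  # implicit deny at the end of every ACL
```

A "permit" result means replies from LAN hosts to VPN clients match the NAT rule before they reach the tunnel; "deny" means they are exempt from translation.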

  • Remote access VPN client to connect but cannot ping inside the host, after that split tunnel is activated (config-joint)

    Hello

    I don't know what the problem could be: VPN users can ping the outside and inside interfaces of the Cisco ASA but cannot connect to or ping servers within the LAN.

    is hell config please kindly and I would like to know what might happen.

    hostname horse

    domain evergreen.com

    activate 2KFQnbNIdI.2KYOU encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    ins-guard

    !

    interface GigabitEthernet0/0

    description LAN

    nameif inside

    security-level 100

    ip address 192.168.200.1 255.255.255.0

    !

    interface GigabitEthernet0/1

    description CONNECTION_TO_FREEMAN

    nameif outside

    security-level 0

    ip address 196.1.1.1 255.255.255.248

    !

    interface GigabitEthernet0/2

    description CONNECTION_TO_TIGHTMAN

    nameif backup

    security-level 0

    ip address 197.1.1.1 255.255.255.248

    !

    interface GigabitEthernet0/3

    shutdown

    no nameif

    no security-level

    no ip address

    !

    interface Management0/0

    shutdown

    no nameif

    no security-level

    no ip address

    management-only

    !

    boot system disk0:/asa844-1-k8.bin

    boot system disk0:/asa707-k8.bin

    ftp mode passive

    clock timezone WAT 1

    dns server-group DefaultDNS

    domain-name green.com

    object network NETWORK_OBJ_192.168.2.0_25

    subnet 192.168.2.0 255.255.255.128

    object network NETWORK_OBJ_192.168.202.0_24

    subnet 192.168.202.0 255.255.255.0

    object network obj_any

    subnet 0.0.0.0 0.0.0.0

    object-group network DM_INLINE_NETWORK_1

    network-object 192.168.200.0 255.255.255.0

    network-object 192.168.202.0 255.255.255.0

    object-group network DM_INLINE_NETWORK_2

    network-object 192.168.200.0 255.255.255.0

    network-object 192.168.202.0 255.255.255.0

    access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any

    access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any

    access-list OUTSIDE_IN extended permit ip any any

    access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0

    access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0

    access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0

    access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0

    pager lines 24

    logging enable

    logging asdm informational

    mtu inside 1500

    mtu outside 1500

    mtu backup 1500

    ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0

    no failover

    icmp unreachable rate-limit 1 burst-size 1

    asdm image disk0:/asdm-645-206.bin

    no asdm history enable

    arp timeout 14400

    nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

    nat (inside,backup) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

    nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

    !

    object network obj_any

    nat (inside,backup) dynamic interface

    access-group INSIDE_OUT in interface inside

    access-group OUTSIDE_IN in interface outside

    route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10

    route outside 0.0.0.0 0.0.0.0 197.1.1.2 254

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-record DfltAccessPolicy

    user-identity default-domain LOCAL

    http server enable

    http 192.168.200.0 255.255.255.0 inside

    http 192.168.202.0 255.255.255.0 inside

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    sla monitor 100

    type echo protocol ipIcmpEcho 212.58.244.71 interface outside

    timeout 3000

    frequency 5

    sla monitor schedule 100 life forever start-time now

    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map outside_map interface outside

    crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map backup_map interface backup

    crypto ikev1 enable outside

    crypto ikev1 enable backup

    crypto ikev1 policy 10

    authentication crack

    encryption aes-256

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 20

    authentication rsa-sig

    encryption aes-256

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 30

    authentication pre-share

    encryption aes-256

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 40

    authentication crack

    encryption aes-192

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 50

    authentication rsa-sig

    encryption aes-192

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 60

    authentication pre-share

    encryption aes-192

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 70

    authentication crack

    encryption aes

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 80

    authentication rsa-sig

    encryption aes

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 90

    authentication pre-share

    encryption aes

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 100

    authentication crack

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 110

    authentication rsa-sig

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 120

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 130

    authentication crack

    encryption des

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 140

    authentication rsa-sig

    encryption des

    hash sha

    group 2

    lifetime 86400

    crypto ikev1 policy 150

    authentication pre-share

    encryption des

    hash sha

    group 2

    lifetime 86400

    !

    track 10 rtr 100 reachability

    telnet 192.168.200.0 255.255.255.0 inside

    telnet 192.168.202.0 255.255.255.0 inside

    telnet timeout 5

    ssh 192.168.202.0 255.255.255.0 inside

    ssh 192.168.200.0 255.255.255.0 inside

    ssh 0.0.0.0 0.0.0.0 outside

    ssh timeout 15

    ssh key-exchange group dh-group1-sha1

    console timeout 0

    management-access inside

    threat-detection basic-threat

    threat-detection statistics access-list

    no threat-detection statistics tcp-intercept

    WebVPN

    group-policy vpntunnel internal

    group-policy vpntunnel attributes

    vpn-tunnel-protocol ikev1

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value vpntunnel_splitTunnelAcl

    default-domain value green.com

    group-policy vpntunnell internal

    group-policy vpntunnell attributes

    vpn-tunnel-protocol ikev1

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl

    default-domain value green.com

    Green user name encrypted BoEFKkDtbnX5Uy1Q privilege 15 password

    attributes of user name THE

    vpn-group-policy gbnlvpn

    tunnel-group vpntunnel type remote-access

    tunnel-group vpntunnel general-attributes

    address-pool VPNPOOL

    default-group-policy vpntunnel

    tunnel-group vpntunnel ipsec-attributes

    ikev1 pre-shared-key *

    tunnel-group vpntunnell type remote-access

    tunnel-group vpntunnell general-attributes

    address-pool VPNPOOL2

    default-group-policy vpntunnell

    tunnel-group vpntunnell ipsec-attributes

    ikev1 pre-shared-key *

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns migrated_dns_map_1

    parameters

    message-length maximum client auto

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns migrated_dns_map_1

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    inspect ip-options

    !

    service-policy global_policy global

    prompt hostname context

    no call-home reporting anonymous

    call-home

    profile CiscoTAC-1

    no active

    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

    destination address email [email protected]

    destination transport-method http

    subscribe-to-alert-group diagnostic

    subscribe-to-alert-group environment

    subscribe-to-alert-group inventory periodic monthly

    subscribe-to-alert-group configuration periodic monthly

    subscribe-to-alert-group telemetry periodic daily

    Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

    Hello

    1 - Please run these commands:

    "crypto isakmp nat-traversal 30"

    "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route"

    The main issue here is that you have two floating routes and outside has a better metric than backup; that's why I added the 'reverse-route' command.

    Please let me know.

    Thank you.

  • Access remote vpn connects to the 5505 but cannot ping servers

    I have a Cisco 5505 and am trying to set it up with ASDM 6.4.

    My vpn client connects ok to the network but I'm unable to reach one of the servers.

    I'm sure it's a simple configuration issue, as I don't have much experience with Cisco Configuration.

    Any suggestions on where to find would be very appreciated.

    Thanks in advance

    Graham

    Hi Graham,

    Please, add the following command:

    access-list Inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0

    Thank you.

    Portu.

  • Cisco VPN Client anything cannot access through VPN on an ASA5505 8.4

    Hello

    Completely new to Cisco ASA and the need to get this working ASAP.

    The ASA 5505 running 8.4(1) is the secondary FW, and I need to allow everything out and block everything coming in, except for the VPN clients.  Since I am a Cisco novice, I used the ASDM and its wizards to make this work, which may explain my situation.

    192.168.101.0/24 is the local network

    192.168.101.5 is the IP of ASA

    192.168.101.2 is the primary FW (and the default gateway for servers, I have to access through the VPN)

    10.10.101.0/24 is the VPN IP range (this can be what you want, I'm not married to it somehow)

    My Cisco VPN Client connects to the ASA and receives 10.10.101.1 IP address, but I get no connectivity to the ASA or any other 192.168.101.x or service server (tried RDP, telnet, ping, etc.)

    Configuration file is attached.

    Help pretty please!

    Thank you.

    Did you add a route for the VPN Pool on the main firewall to the ASA?

    Best regards

    Peer

    Sent from Cisco Technical Support iPad App
