Wacky VPN access problem of ASA

Hi people,

I am currenty a situation, and I am in real need of advice...

The situation is that, if ASA helps my remote branches to access my home network and its allowing people to visit Internet inside, its not allowing the remote VPN client VPN access... R V to aid VPN client version of Cisco 4.6...

See a presentation of basic network that illustrates our network and configuration of the ASA...

Advice to solve this problem will be greatly appreciated...

Kind regards

Noman Bari

I see what rou are... Please see my attchement...

Please rate if it helps!

Tags: Cisco Security

Similar Questions

VPN access query remote ASA - several group policies for the unique connection profile

Hi all

Two quick questions here that I need to help.

1. in an ASA 5525, is it possible to have several group policies for a single connection profile?

Scenario: A customer is running F5 Firepass to their VPN solution and this device is used by them to have multiple strategies group by the connection profile. We plan to migrate them to ASA (5525) and I don't know if the ASA can support that.

2. in an ASA-5525 for Clientless Remote access VPN, can pass us the page to connect to an external server? For example, if I have a connection with a URL profile setup: "'https://wyz.vpn.com/ ';" for the LDAP/Radius Authentication, but for https://wyz.vpn.com/data and https://wyz.vpn.com/test I want to HTTP based authentication form and this page needs to be sent to an external server that is to say ASA step will manage this page, but rather the first page for this is served by the external server.

Scenario: One of our clients is running F5 Firepass to their VPN solution. On the F5 they have pages of configuration such as the https://wyz.vpn.com/ that the F5 shows to the user when they connect via VPN without client; However if the user types https://wyz.vpn.com/data in the browser, the traffic comes to the F5, but F5 redirects this traffic to an external server (with an external url as well). Then it's this external server that transfers the first page of the user requesting authentication for HTTP form based authentication information.

Thanks in advance to all!

Hello

You can have fallback to LOCAL only primary method.

http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa90/configuration/gu...

HTH

Averroès.

Only way ASA Vpn access

Hello:

I have configured ASA 5505 to acept Cisco VPN Clients on IP-SEC and access internal subnet of tuneling (added a rule exempt NAT too) and the VPN Clients can connect and work without problems.

But no internal network or the ASA I can ping or conect to the VPN Clients.

My configuration:

Internal network: 172.26.1.0 255.255.255.0

The VPN Clients network 172.26.2.0 255.255.255.0

Can you help me?

Here is my configuration:

: Saved : ASA Version 7.2(4) ! hostname ciscoasa domain-name ftf.es enable password xxxxxxx encrypted passwd xxxxx encrypted names name 217.125.44.23 IP_publica name 172.26.1.100 Servidor name 192.168.1.3 IP_externa name 192.168.2.3 IP_Externa2 name 172.26.2.0 VPN_Clients ! interface Vlan1 nameif inside security-level 100 ip address 172.26.1.89 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address IP_externa 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 switchport access vlan 12 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 13 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name ftf.es same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service terminal-server tcp port-object eq 3389 object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list FTFVPN_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list FTFVPN_Group_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list outside_access_in extended permit tcp any host IP_externa eq 3389 access-list outside_access_in extended permit object-group TCPUDP any host IP_externa eq www access-list FTF_ADSL2_splitTunnelAcl standard permit any access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 VPN_Clients 255.255.255.0 access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 host 172.26.1.199 access-list outside_nat0_outbound extended permit ip VPN_Clients 255.255.255.0 172.26.1.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool vpn 172.26.1.180-172.26.1.200 mask 255.255.255.0 ip local pool vpn2 172.26.2.100-172.26.2.200 mask 255.255.255.0 ip local pool vpn3 172.26.3.100-172.26.4.150 mask 255.255.255.0 ip local pool vpn4 172.26.1.240-172.26.1.250 mask 255.255.255.0 ip local pool FTFVPN_Pool 176.26.1.150-176.26.1.170 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 Servidor 3389 netmask 255.255.255.255 static (inside,outside) tcp interface www Servidor www netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute http server enable http 172.26.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 40 set pfs group1 crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 60 set pfs group1 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 80 set pfs group1 crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 100 set pfs group1 crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 120 set pfs group1 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal  20 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address 172.26.1.90-172.26.1.217 inside ! webvpn enable outside url-list FTFVLC "DYNAMICS" cifs://172.26.1.100 1 port-forward TEST 3389 172.26.1.100 3389 Terminal Server group-policy DefaultRAGroup internal group-policy DefaultRAGroup attributes banner value Bienvenido a la red de FTF dns-server value 172.26.1.100 80.58.32.97 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn split-tunnel-policy tunnelall default-domain value ftf.es group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools value vpn2 smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn   functions url-entry   html-content-filter none   homepage none   keep-alive-ignore 4   http-comp gzip   filter none   url-list none   customization value DfltCustomization   port-forward value TEST   port-forward-name value Acceso a aplicaciones   sso-server none   deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information   svc none   svc keep-installer installed   svc keepalive none   svc rekey time none   svc rekey method none   svc dpd-interval client none   svc dpd-interval gateway none   svc compression deflate group-policy FTFVPN_Group internal group-policy FTFVPN_Group attributes dns-server value 172.26.1.100 vpn-tunnel-protocol IPSec l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value FTFVPN_Group_splitTunnelAcl default-domain value ftf.es address-pools value vpn2 group-policy VPNSSL internal group-policy VPNSSL attributes vpn-tunnel-protocol IPSec l2tp-ipsec webvpn webvpn   functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix username raul password xxxxxx encrypted privilege 0 username raul attributes vpn-group-policy FTFVPN_Group tunnel-group DefaultRAGroup general-attributes address-pool vpn2 default-group-policy DefaultRAGroup tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultWEBVPNGroup general-attributes default-group-policy VPNSSL tunnel-group DefaultWEBVPNGroup webvpn-attributes nbns-server Servidor master timeout 5 retry 3 tunnel-group FTFVPN_Group type ipsec-ra tunnel-group FTFVPN_Group general-attributes address-pool vpn2 default-group-policy FTFVPN_Group tunnel-group FTFVPN_Group ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny   inspect sunrpc   inspect xdmcp   inspect sip   inspect netbios   inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:f5e713652d4a2e2623248d7e49086105 : end asdm image disk0:/asdm-524.bin asdm location Servidor 255.255.255.255 inside asdm location IP_publica 255.255.255.255 inside asdm location IP_externa 255.255.255.255 inside asdm location IP_Externa2 255.255.255.255 inside asdm location VPN_Clients 255.255.255.0 inside no asdm history enable

Raul,

I don't see to apply ACLs inside the interface or as vpn-filter that will prevent the PING of the SAA within the intellectual property to the VPN client.

Are you sure that the VPN client does not have the Windows Firewall on or antivirus software that prevents to respond to PING?

Federico.

Remote RDP client VPN access on ASA 5510

Hello.

We have configured the VPN tunnel from site of offshore to the location of the customer using ASA5510 and access to RDP to the location of the customer. Also been configured remote VPN access in offshore location. But using the remote VPN client, we are able to get the RDP of officeshore location but not able to access to the location of the RDP client. Are there any additional changes required?

Thank you

Hi Salsrinivas,

so to summarize:

the VPN client connects to the ASA offshore

the VPN client can successfully RDP on a server at the offshore location

the VPN client cannot NOT RDP on a server at the location of the customer

offshore and the location of the customer are connected by a tunnel L2L

(and between the 2 sites RDP works very well)

is that correct?

Things to check:

-the vpn in the ACL crypto pool?

-you're exemption nat for traffic between the vpn pool and 'customer' LAN? is the exemption outside (vpn clients are coming from the outside)?

-you have "same-security-traffic permitted intra-interface" enabled (traffic will appear outside and go back outside)?

If you need help more could you put a config (sterilized) Please?

HTH
Herbert

ASA 5505: VPN access to different subnets

Hi All-

I'm trying to understand how to configure our ASA so that remote users can have VPN access to two different subnets (Office LAN and LAN phone). Currently I have 3 VLAN configuration - VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users must be able to access their PC (192.168.1.0/24) and also have access to the office phone system (192.168.254.0/24). Is it still possible? Here are the configurations on our ASA,

Thanks in advance:

ASA Version 8.2 (5)

!

names of

name 10.0.1.0 Net-10

name 20.0.1.0 Net-20

name phone 192.168.254.0

name 192.168.254.250 PBX

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 13

!

interface Vlan1

nameif inside

security-level 100

192.168.1.98 IP address 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

address IP X.X.139.79 255.255.255.224

!

interface Vlan3

No nameif

security-level 50

192.168.5.1 IP address 255.255.255.0

!

interface Vlan13

nameif phones

security-level 100

192.168.254.200 IP address 255.255.255.0

!

passive FTP mode

object-group service RDP - tcp

EQ port 3389 object

object-group service DM_INLINE_SERVICE_1

the purpose of the ip service

EQ-ssh tcp service object

vpn_nat_inside of access list extensive ip Net-10 255.255.255.224 allow 192.168.1.0 255.255.255.0

access-list extended vpn_nat_inside allowed ip Net-10 255.255.255.224 phones 255.255.255.0

inside_nat0_outbound list extended access permits all ip Net-10 255.255.255.224

inside_access_in of access allowed any ip an extended list

Split_Tunnel_List list standard access allowed Net-10 255.255.255.224

phones_nat0_outbound list extended access permits all ip Net-10 255.255.255.224

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 Mac host everything

pager lines 24

Enable logging

timestamp of the record

record monitor errors

record of the mistakes of history

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

MTU 1500 phones

mask IP local pool SSLClientPool-10 10.0.1.1 - 10.0.1.20 255.255.255.128

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global interface (10 Interior)

Global 1 interface (outside)

global interface (phones) 20

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (10 vpn_nat_inside list of outdoor outdoor access)

NAT (phones) 0-list of access phones_nat0_outbound

NAT (phones) 1 0.0.0.0 0.0.0.0

inside_access_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 X.X.139.65 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

the ssh LOCAL console AAA authentication

LOCAL AAA authorization command

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ca trustpoint ASDM_TrustPoint0

registration auto

name of the object CN = not - asa .null

pasvpnkey key pair

Configure CRL

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

lifetime 28800

VPN-sessiondb max-session-limit 10

Telnet timeout 5

SSH 192.168.1.100 255.255.255.255 inside

SSH 192.168.1.0 255.255.255.0 inside

SSH Mac 255.255.255.255 outside

SSH timeout 60

Console timeout 0

dhcpd auto_config inside

!

dhcpd address 192.168.1.222 - 192.168.1.223 inside

dhcpd dns 64.238.96.12 66.180.96.12 interface inside

!

a basic threat threat detection

host of statistical threat detection

Statistics-list of access threat detection

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

SSL-trust outside ASDM_TrustPoint0 point

WebVPN

allow outside

AnyConnect essentials

SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image

enable SVC

tunnel-group-list activate

internal SSLClientPolicy group strategy

attributes of Group Policy SSLClientPolicy

WINS server no

value of 64.238.96.12 DNS server 66.180.96.12

VPN-access-hour no

VPN - connections 3

VPN-idle-timeout no

VPN-session-timeout no

IPv6-vpn-filter no

VPN-tunnel-Protocol svc

group-lock value NO-SSL-VPN

by default no

VLAN no

NAC settings no

WebVPN

SVC mtu 1200

SVC keepalive 60

client of dpd-interval SVC no

dpd-interval SVC bridge no

SVC compression no

attributes of Group Policy DfltGrpPolicy

value of 64.238.96.12 DNS server 66.180.96.12

Protocol-tunnel-VPN IPSec svc webvpn

attributes global-tunnel-group DefaultRAGroup

address-pool SSLClientPool-10

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared key *.

NO-SSL-VPN Tunnel-group type remote access

General-attributes of the NO-SSL-VPN Tunnel-group

address-pool SSLClientPool-10

Group Policy - by default-SSLClientPolicy

NO-SSL-VPN Tunnel - webvpn-attributes group

enable PAS_VPN group-alias

allow group-url https://X.X.139.79/PAS_VPN

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

privilege level 3 mode exec cmd command perfmon

privilege level 3 mode exec cmd ping command

mode privileged exec command cmd level 3

logging of the privilege level 3 mode exec cmd commands

privilege level 3 exec command failover mode cmd

privilege level 3 mode exec command packet cmd - draw

privilege show import at the level 5 exec mode command

privilege level 5 see fashion exec running-config command

order of privilege show level 3 exec mode reload

privilege level 3 exec mode control fashion show

privilege see the level 3 exec firewall command mode

privilege see the level 3 exec mode command ASP.

processor mode privileged exec command to see the level 3

privilege command shell see the level 3 exec mode

privilege show level 3 exec command clock mode

privilege exec mode level 3 dns-hosts command show

privilege see the level 3 exec command access-list mode

logging of orders privilege see the level 3 exec mode

privilege, level 3 see the exec command mode vlan

privilege show level 3 exec command ip mode

privilege, level 3 see fashion exec command ipv6

privilege, level 3 see the exec command failover mode

privilege, level 3 see fashion exec command asdm

exec mode privilege see the level 3 command arp

command routing privilege see the level 3 exec mode

privilege, level 3 see fashion exec command ospf

privilege, level 3 see the exec command in aaa-server mode

AAA mode privileged exec command to see the level 3

privilege, level 3 see fashion exec command eigrp

privilege see the level 3 exec mode command crypto

privilege, level 3 see fashion exec command vpn-sessiondb

privilege level 3 exec mode command ssh show

privilege, level 3 see fashion exec command dhcpd

privilege, level 3 see the vpnclient command exec mode

privilege, level 3 see fashion exec command vpn

privilege level see the 3 blocks from exec mode command

privilege, level 3 see fashion exec command wccp

privilege see the level 3 exec command mode dynamic filters

privilege, level 3 see the exec command in webvpn mode

privilege control module see the level 3 exec mode

privilege, level 3 see fashion exec command uauth

privilege see the level 3 exec command compression mode

level 3 for the show privilege mode configure the command interface

level 3 for the show privilege mode set clock command

level 3 for the show privilege mode configure the access-list command

level 3 for the show privilege mode set up the registration of the order

level 3 for the show privilege mode configure ip command

level 3 for the show privilege mode configure command failover

level 5 mode see the privilege set up command asdm

level 3 for the show privilege mode configure arp command

level 3 for the show privilege mode configure the command routing

level 3 for the show privilege mode configure aaa-order server

level mode 3 privilege see the command configure aaa

level 3 for the show privilege mode configure command crypto

level 3 for the show privilege mode configure ssh command

level 3 for the show privilege mode configure command dhcpd

level 5 mode see the privilege set privilege to command

privilege level clear 3 mode exec command dns host

logging of the privilege clear level 3 exec mode commands

clear level 3 arp command mode privileged exec

AAA-server of privilege clear level 3 exec mode command

privilege clear level 3 exec mode command crypto

privilege clear level 3 exec command mode dynamic filters

level 3 for the privilege cmd mode configure command failover

clear level 3 privilege mode set the logging of command

privilege mode clear level 3 Configure arp command

clear level 3 privilege mode configure command crypto

clear level 3 privilege mode configure aaa-order server

context of prompt hostname

no remote anonymous reporting call

Hello

Loss of connectivity to the LAN is not really supposed all remove this command UNLESS your network is using another device as their gateway to the Internet. In this case configuration dynamic PAT or political dynamics PAT (as you) would make sense because the LAN hosts would see your VPN connection from the same directly connected network users and would be know to traffic before the ASA rather than their default gateway.

So is this just for VPN usage and NOT the gateway on the LAN?

If it is just the VPN device I'd adding this

global interface (phones) 10

He would do the same translation for 'phones' as he does on 'inside' (of course with different PAT IP)

-Jouni

Cannot access remote network by VPN Site to Site ASA

Hello everyone

First of all I must say that I have configured the VPN site-to site a million times before. Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks

ASA local:
hostname gyd - asa
domain bct.az
activate the encrypted password of XeY1QWHKPK75Y48j
XeY1QWHKPK75Y48j encrypted passwd
names of
DNS-guard
!
interface GigabitEthernet0/0
Shutdown
nameif vpnswc
security-level 0
IP 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
Vpn-turan-Baku description
nameif outside Baku
security-level 0
IP 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
Vpn-ganja description
nameif outside-Ganja
security-level 0
IP 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
Description remote access
VLAN 30
nameif remote access
security-level 0
IP 85.*. *. * 255.255.255.0
!
interface GigabitEthernet0/3
Description BCT_Inside
nameif inside-Bct
security-level 100
IP 10.40.50.65 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
IP 192.168.251.1 255.255.255.0
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
name-server 192.168.1.3
domain bct.az
permit same-security-traffic intra-interface
object-group network obj - 192.168.121.0
object-group network obj - 10.40.60.0
object-group network obj - 10.40.50.0
object-group network obj - 192.168.0.0
object-group network obj - 172.26.0.0
object-group network obj - 10.254.17.0
object-group network obj - 192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj - 10.254.17.18
object-group network obj - 10.254.17.10
object-group network obj - 10.254.17.26
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
icmp_inside list extended access permit icmp any one
icmp_inside of access allowed any ip an extended list
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
RDP list extended access permit tcp any host 192.168.45.3 eq 3389
rdp extended permitted any one ip access list
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
Enable logging
emblem of logging
recording of debug console
recording of debug trap
asdm of logging of information
Interior-Bct 192.168.1.27 host connection
flow-export destination inside-Bct 192.168.1.27 9996
vpnswc MTU 1500
outside Baku MTU 1500
outside-Ganja MTU 1500
MTU 1500 remote access
Interior-Bct MTU 1500
management of MTU 1500
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any outside Baku
ICMP allow access remotely
ICMP allow any interior-Bct
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
3 overall (RAS) interface
azans access-list NAT 3 (outside-Ganja)
NAT (remote access) 0 access-list sheep-vpn-city
NAT 3 list nat-vpn-internet access (remote access)
NAT (inside-Bct) 0-list of access inside_nat0_outbound
NAT (inside-Bct) 2-nat-ganja access list
NAT (inside-Bct) 1 access list nat
Access-group rdp on interface outside-Ganja
!
Router eigrp 2008
No Auto-resume
neighbor 10.254.17.10 interface outside Baku
neighbor 10.40.50.66 Interior-Bct interface
Network 10.40.50.64 255.255.255.252
Network 10.250.25.0 255.255.255.0
Network 10.254.17.8 255.255.255.248
Network 10.254.17.16 255.255.255.248
redistribute static
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol Ganymede GANYMEDE +.
AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
key *.
AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
key *.
RADIUS protocol AAA-server TACACS1
AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
key *.
AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
key *.
authentication AAA ssh console LOCAL GANYMEDE
Console to enable AAA authentication RADIUS LOCAL
Console Telnet AAA authentication RADIUS LOCAL
AAA accounting ssh console GANYMEDE
Console Telnet accounting AAA GANYMEDE
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Interior-Bct
http 192.168.139.0 255.255.255.0 Interior-Bct
http 192.168.0.0 255.255.255.0 Interior-Bct
Survey community SNMP-server host inside-Bct 192.168.1.27
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
Crypto ipsec transform-set vpnclienttrans transport mode
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.10
card crypto mymap 10 transform-set RIGHT
correspondence address card crypto mymap 20 110
card crypto mymap 20 peers set 10.254.17.11
mymap 20 transform-set myset2 crypto card
card crypto mymap interface outside Baku
correspondence address card crypto ganja 10 110
10 ganja crypto map peer set 10.254.17.18
card crypto ganja 10 transform-set RIGHT
card crypto interface outside-Ganja ganja
correspondence address card crypto vpntest 20 110
peer set card crypto vpntest 20 10.250.25.1
newset vpntest 20 transform-set card crypto
card crypto vpntest interface vpnswc
vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
card crypto interface for remote access vpnclientmap
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = gyd - asa .az .bct
sslvpnkeypair key pair
Configure CRL
map of crypto DefaultCertificateMap 10 ca certificate

crypto isakmp identity address
ISAKMP crypto enable vpnswc
ISAKMP crypto enable outside-Baku
ISAKMP crypto enable outside-Ganja
crypto ISAKMP enable remote access
ISAKMP crypto enable Interior-Bct
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.0.0 255.255.255.0 Interior-Bct
SSH timeout 35
Console timeout 0
priority queue outside Baku
queue-limit 2046
TX-ring-limit 254
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Server NTP 192.168.1.3
SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
SSL-trust ASDM_TrustPoint0 remote access point
WebVPN
turn on remote access
SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal group ssl policy
attributes of group ssl policy
banner welcome to SW value
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
group-lock value SSL
WebVPN
value of the SPS URL-list
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the PFS
BCT.AZ value by default-field
ssl VPN-group-strategy
WebVPN
value of the SPS URL-list
IPSec-attributes tunnel-group DefaultL2LGroup
ISAKMP retry threshold 20 keepalive 5
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
IPSec-attributes tunnel-group DefaultWEBVPNGroup
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.10 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.10
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type SSL tunnel-group remote access
attributes global-group-tunnel SSL
ssl address pool
Authentication (remote access) LOCAL servers group
Group Policy - by default-ssl
certificate-use-set-name username
Group-tunnel SSL webvpn-attributes
enable SSL group-alias
Group-url https://85. *. *. * / activate
tunnel-group 10.254.17.18 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.18
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.11 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.11
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type tunnel-group DefaultSWITGroup remote access
attributes global-tunnel-group DefaultSWITGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultSWITGroup
pre-shared key *.
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect the netbios
Review the ip options
class flow_export_cl
flow-export-type of event all the destination 192.168.1.27
class class by default
flow-export-type of event all the destination 192.168.1.27
Policy-map Voicepolicy
class voice
priority
The class data
police release 80000000
!
global service-policy global_policy
service-policy interface outside Baku Voicepolicy
context of prompt hostname

Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
GYD - asa #.

ASA remote:
ASA Version 8.2 (3)
!
ciscoasa hostname
activate the encrypted password of XeY1QWHKPK75Y48j
2KFQnbNIdI.2KYOU encrypted passwd
names of
DNS-guard
!
interface Ethernet0/0
nameif inside
security-level 100
IP 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
IP 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
no ip address
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
access-list 110 scope ip allow a whole
192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
management of MTU 1500
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside) 0 access-list sheep
Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.9
mymap 10 transform-set myset2 crypto card
mymap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN

tunnel-group 10.254.17.9 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.9
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname

Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa # $

Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas

Would appreciate any help. Thank you in advance...

If the tunnel is up (phase 1), but no traffic passing the best test is the following:

Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.

inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside

The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).

Test on both directions.

Please post the results.

Federico.

Cisco VPN Client and Windows XP VPN Client IPSec to ASA

I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

Config is:

!

interface GigabitEthernet0/2.30

Description remote access

VLAN 30

nameif remote access

security-level 0

IP 85.*. *. 1 255.255.255.0

!

access-list 110 scope ip allow a whole

NAT list extended access permit tcp any host 10.254.17.10 eq ssh

NAT list extended access permit tcp any host 10.254.17.26 eq ssh

access-list extended ip allowed any one sheep

access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

flow-export destination inside-Bct 192.168.1.27 9996

IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

ARP timeout 14400

global (outside-Baku) 1 interface

global (outside-Ganja) interface 2

NAT (inside-Bct) 0 access-list sheep-vpn

NAT (inside-Bct) 1 access list nat

NAT (inside-Bct) 2-nat-ganja access list

Access-group rdp on interface outside-Ganja

!

Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

dynamic-access-policy-registration DfltAccessPolicy

Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

Crypto ipsec transform-set newset aes - esp esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

Crypto ipsec transform-set vpnclienttrans transport mode

Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

life crypto ipsec security association seconds 214748364

Crypto ipsec kilobytes of life security-association 214748364

raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

card crypto interface for remote access vpnclientmap

crypto isakmp identity address

ISAKMP crypto enable vpntest

ISAKMP crypto enable outside-Baku

ISAKMP crypto enable outside-Ganja

crypto ISAKMP enable remote access

ISAKMP crypto enable Interior-Bct

crypto ISAKMP policy 30

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

No encryption isakmp nat-traversal

No vpn-addr-assign aaa

Telnet timeout 5

SSH 192.168.1.0 255.255.255.192 outside Baku

SSH 10.254.17.26 255.255.255.255 outside Baku

SSH 10.254.17.18 255.255.255.255 outside Baku

SSH 10.254.17.10 255.255.255.255 outside Baku

SSH 10.254.17.26 255.255.255.255 outside-Ganja

SSH 10.254.17.18 255.255.255.255 outside-Ganja

SSH 10.254.17.10 255.255.255.255 outside-Ganja

SSH 192.168.1.0 255.255.255.192 Interior-Bct

internal vpn group policy

attributes of vpn group policy

value of DNS-server 192.168.1.3

Protocol-tunnel-VPN IPSec l2tp ipsec

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split tunnel

BCT.AZ value by default-field

attributes global-tunnel-group DefaultRAGroup

raccess address pool

Group-RADIUS authentication server

Group Policy - by default-vpn

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared-key *.

Hello

For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

Please see configuration below:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

or

http://tinyurl.com/5t67hd

Please see the section of tunnel-group config of the SAA.

There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.

So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.

"crypto isakmp nat-traversal.

Thirdly, change the transformation of the value

raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

Let me know the result.

Thank you

Gilbert

VPN-ASA5505 problem

Hi all

I inherited this VPN and get slowly upward. At least users can connect to it now! I had a few problems. Users can connect to the VPN, but cannot ping or access shared files on the server (192.168.2.3), but the VPN users must be able to make full use of the network.

I removed the NAT rule.

#no nat (inside) 1 0.0.0.0 0.0.0.0)

And after removing that, VPN users have been able to navigate and access to internal resources. However, users in the office now had no internet. I went and added the rule of return and returned internet.

Believe it is related to the split tunneling, what can I do to activate full VPN access and still have internet at Headquarters?

ASA Version 7.2 (4)

!

ciscoasa hostname

domain default.domain.invalid

activate mI3N1CPoxB4FJhZg encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

209.124.X.X 255.255.255.252 IP address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

Server DNS 192.168.2.3 Group

DNS server-group DefaultDNS

domain default.domain.invalid

the Exchange25 object-group network

access-list standard split allow 192.168.2.0 255.255.255.0

access-list extended sheep permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list extended sheep permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

out_in of access allowed any ip an extended list

outside_access_in list extended access permit tcp any eq smtp host 192.168.2.3 eq smtp

outside_access_in list extended access permit tcp any host 192.168.2.3 eq https

outside_access_in list extended access permit tcp any host 192.168.2.3 eq www

outside-access allowed extended access list tcp no matter what interface outside eq 7000

outside-access allowed extended access list tcp no matter what interface outside eq 3389

outside-access allowed extended access list tcp no matter what interface outside eq 587

outside-access allowed extended access list tcp no matter what interface outside eq https

LAN_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool vpnpool 192.168.2.31 - 192.168.2.60

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ASDM image disk0: / asdm - 524.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access LAN_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

public static tcp (indoor, outdoor) interface 192.168.2.3 smtp smtp netmask 255.255.255.255

public static tcp (indoor, outdoor) interface 7000 192.168.2.80 7000 netmask 255.255.255.255

public static interface 3389 192.168.2.3 (indoor, outdoor) tcp 3389 netmask 255.255.255.255

public static interface 587 587 netmask 255.255.255.255 tcp (indoor, outdoor) 192.168.2.3

public static tcp (indoor, outdoor) interface https 192.168.2.3 https netmask 255.255.255.255

Access-group out_in in interface outside

Route outside 0.0.0.0 0.0.0.0 209.124.192.45 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

Enable http server

http 0.0.0.0 255.255.255.255 outside

http 192.168.2.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic dynmap 10 game of transformation-ESP-3DES-SHA

map mymap 65000-isakmp ipsec crypto dynamic dynmap

mymap outside crypto map interface

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 20

Telnet 0.0.0.0 0.0.0.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

management-access inside

dhcpd dns 192.168.2.3

!

attributes of Group Policy DfltGrpPolicy

No banner

WINS server no

value of server DNS 192.168.2.3

DHCP-network-scope no

VPN-access-hour no

VPN - 5 concurrent connections

VPN-idle-timeout 30

VPN-session-timeout no

VPN-filter no

Protocol-tunnel-VPN IPSec l2tp ipsec webvpn

allow password-storage

disable the IP-comp

Re-xauth disable

Group-lock no

disable the PFS

IPSec-udp disable

IPSec-udp-port 10000

Split-tunnel-policy tunnelall

Split-tunnel-network-list no

TMA.local value by default-field

Split-dns no

Disable dhcp Intercept 255.255.255.255

disable secure authentication unit

disable authentication of the user

user-authentication-idle-timeout 10

disable the IP-phone-bypass

disable the leap-bypass

disable the NEM

Dungeon-client-config backup servers

MSIE proxy server no

MSIE-proxy method non - change

Internet Explorer proxy except list - no

Disable Internet Explorer-proxy local-bypass

disable the NAC

NAC-sq-period 300

NAC-reval-period 36000

NAC-by default-acl no

address pools no

enable Smartcard-Removal-disconnect

the firewall client no

rule of access-client-none

WebVPN

url-entry functions

HTML-content-filter none

Home page no

4 Keep-alive-ignore

gzip http-comp

no filter

list of URLS no

value of customization DfltCustomization

port - forward, no

port-forward-name value access to applications

SSO-Server no

value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. Contact your administrator for more information

SVC no

SVC Dungeon-Installer installed

SVC keepalive no

generate a new key SVC time no

method to generate a new key of SVC no

client of dpd-interval SVC no

dpd-interval SVC bridge no

deflate compression of SVC

internal TMAgroup group strategy

attributes of Group Policy TMAgroup

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split

gene AzJFyGPWta7durW9 encrypted privilege 15 password username

username admin privilege 15 encrypted password hLjunphNGLvrgsRP

username TMAen encrypted password ojCI79mnpWOehEZC

tunnel-group TMAgroup type ipsec-ra

attributes global-tunnel-group TMAgroup

address vpnpool pool

Group Policy - by default-TMAgroup

IPSec-attributes tunnel-group TMAgroup

pre-shared-key *.

!

!

context of prompt hostname

Cryptochecksum:78c4838558d030ac964d2c331deed909

: end

Hello

Please add the following to your configuration:

nonat_inside ip access list allow any 192.168.2.0 255.255.255.0

NAT (inside) 0-list of access nonat_inside

You must keep the "nat (inside) 1 0.0.0.0 0.0.0.0 ' so that your users access to the Internet.

"Nat (inside) 0 nonat_inside access-list" allows to bypass the above rule only for traffic destined to the VPN pool.

In addition, it is to you if you want to use split tunneling or not.

More information on tunneling split:

ASA/PIX: Allow the tunneling split for the VPN Clients on the example of Configuration of ASA

Let me know.

Portu.

Please note all useful posts

kb2726233 update is blocking my vpn access

kb2736233 update is blocking my vpn access, the question of the activex control, Microsoft is there anything I can do other than do not take into account this update, or do not allow this update. Is a daily problem, have to remove every day.

Hi mesbit8851,

If the suggestions here have not solved the problem you are having, I suggest you to send your request in the TechNet forums.

http://social.technet.Microsoft.com/forums/en/itproxpsp/threads

WebVPN and remote VPN access

Hello

Is there a difference between WebVPN and remote VPN access or they are the same.

Thank you.

access remote vpn consists of

-IPSEC VPN remote access. It is part of the ASA, no permit required, requires pre-installed Client from Cisco VPN IPSEC on PC

-with AnyConnect SSL VPN remote access. It requires licensing of SSL VPN on SAA. AnyConnect client can be installed automatically on the PC with the launch of web.

-with Essentials AnyConnect SSL VPN remote access. Beginning with ASA 8.2 (1), almost license $ 0. It's the same AnyConnect client as in the previous article, but it cannot be installed automatically with the launch of web. It must be previously installed as of Cisco IPSEC VPN client.

-webvpn aka clientless vpn. It is a portal HTTPS which allows HTTP connections, file sharing, telnet, RDP and much more (with smart tunnels) resources without having to install a real client on the PC. It requires licensing of SSL VPN on SAA. It cannot be used if "AnyConnect Essentials" license is activated on SAA after 8.2 (1)

Kind regards

Roman

Microsoft l2tp IPSec VPN site to site ASA on top

I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.

In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero

Hello

Yes, the L2TP can be encapsulated in IPSEC as all other traffic.

However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.

See you soon,.

Daniel

ASA5505 can transfer clients to remote VPN access to the local network

I have currently ASA 5505 and 2911-router and I am trying to configure the VPN topology.

Can ASA5505 you transmit to remote VPN access clients LAN operated by another router?

These two cases are possible? :

(1) ASA 5505 and 2911-router are separate WAN interfaces, each connected directly to the ISP. But so can I connect an other interfaces LAN of ASA 5505 in a switch managed by 2911 router customers to distance-SSL-VPN to inject into the local network managed by the router?
(2) ASA 5505 is behind router-2911. May 2911 router address public ip or public ip address VPN-access attempts have directly be sent to ASA 5505 when there is only a single public ip address address available?
Long put short, ASA 5505 can inject its clients to remote-access-VPN as one of the hosts on the local network managed by 2911-router?
Thank you.

I could help you more if you can explain the purpose of this configuration and connectivity between the router and ASA.

You can activate the reverse route on the dynamic plane on the SAA. The ASA will install a static route to the customer on the routing table. You can use a routing protocol to redistribute static routes to your switch on the side of LAN of the SAA.

VPN access to the not directly connected networks

Hello

I have a 5510 which is used for Client VPN access and there is something simple that I can't work.

The VPN part works very well with AAA on a CBS.

But what does not is access to networks that are not directly connected to the inside interface.

That is to say the VPN users can connect to the network within the Interface (say 192.168.0.0/24) but not a 10.0.0.0/8 network which is connected through 192.168.0.1 router.

I have the static routes in Routing and firewall all showing the way back to the firewall on all the other networks, but I don't get more far the 192.168.0.1 router...

I use split tunneling and pass all of the private over the VPN - internet networks is used through the own local access to clients.

Can someone help me out here?

Thank you.

Fraser

PS: have the same type of access on a 7206VXR and soft, everything can be consulted and which is necessary - but I would like to move this service to the ASA.

Fraser

I don't understand the ASDM parts as you suggest. The code would be great.

I would also recommend control ACL applied to the inside interface (if any) that it allows traffic as

inside_access_in list of permitted access 10.0.0.0 255.0.0.0 vpnsubnet vpnnetmask

If still no joy, attach your config sanitized, would be useful for me to diagnose.

Concerning

Political dynamic VPN access and access to the administration

Hi all

I'm testing a scenerio with an ASA 5520 so he could authenticate VPN users against and an environment Active Directory more access to management as well. I created a dynamic access on the ASA policy indicating that, if you are a member of the Active Directory 'Managment' group continue. I have chagned the DefaultAccessPolicy to "Finish." With it, users could not connect VPN because they are not a member of this group, but access to manage the ASA is allowed due to this policy.

Is there a way through the use of dynamic access policies I can afford access to the administration (SSH, AMPS, etc.) by matching to membership in a group and will allow normal users to VPN in successfully, but not give them access to the management of the ASA?

I just try this but it seems that I should be able to swing that?

Thaks in advance.

Hello

You can try to apply the DAP and configure the filter ACL network. allowing only the protocols you want to that they can access.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

Multiple VPN groups on the ASA firewall

I have a remote VPN configured in my ASA firewall with a group of users configured on the external ACS VPN. The group called VPNASA to authenticate via the ACS server and the server ip pool is on the firewall of the SAA. Now, my boss asked me to set up a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How to configure the firewall for the ASA to accept both the Group and authenticate on the same ACS server? I've never done this before so I need help.

Thank you very much!

Hello

all you need to do is create another group strategy and attach it to a group of tunnel: -.

internal vpnsales group policy

attributes of the strategy of group vpnsales

banner - VPN access for the sales team

value x.x.x.x DNS server

split tunnel political tunnelspecified

Split-tunnel-network-list split-sales value

address-pools sales-pool

value by default-domain mydomain.com

type tunnel-group vpnsales remote access

tunnel-group vpnsales General-attributes

authentication-server-group vpnsales

Group Policy - by default-vpnsales

vpnsales ipsec tunnel - group capital

pre-share-key @.

you will also create a map of the attribute named vpnsales for acs auth.

Thank you

Manish

Wacky VPN access problem of ASA

Similar Questions

Maybe you are looking for