Why can't I ping the internal network?
I configured remote VPN access. I can connect with my login and password, but I can't ping any computer on the in-house network. Please help me... the router configuration is:
sh run
aaa new-model
aaa authentication login VPN local
aaa authorization network VPN local
username vpnuser password 0 vpnpass
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HOME
 key 123456!
 dns 10.10.10.2
 pool VPN-D
 include-local-lan
!
crypto ipsec transform-set TEST esp-des esp-md5-hmac
!
crypto dynamic-map VPN 1
 set transform-set TEST
 reverse-route
!
crypto map VPNSS client authentication list VPN
crypto map VPNSS isakmp authorization list VPN
crypto map VPNSS client configuration address respond
crypto map VPNSS 1 ipsec-isakmp dynamic VPN
!
interface FastEthernet0/0
 description ==> link to ISP <==
 ip address dhcp
 ip nat outside
 crypto map VPNSS
!
interface FastEthernet0/1
 description ==> LAN <==
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip local pool VPN-D 192.168.20.1 192.168.20.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
Hello
I guess you get an IP address from the pool and the route is present in the router's routing table. In that case, you need to tell the router not to NAT the traffic intended for the VPN clients:
ip nat inside source route-map sheep interface FastEthernet0/0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map sheep permit 10
 match ip address 101
!
The following link contains many examples: http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html
HTH
Laurent.
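As an added illustration (my code, not part of Laurent's reply or any Cisco tool), a small Python check that evaluates the route-map ACL above the way IOS does, with Cisco wildcard-mask semantics, and confirms that every address of the VPN-D pool is excluded from translation. The ACL lines and pool range are copied from the thread; the function names are my own.

```python
import ipaddress

# Constructed sample: the NAT-exemption ACL and VPN-D pool from the reply above.
ACL_101 = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.31",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
VPN_POOL = ("192.168.20.1", "192.168.20.20")  # ip local pool VPN-D
_ip = lambda text: int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """One address term: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ((net, wc), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        tokens = line.split()              # tokens[3] is the protocol ('ip')
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[2], src, dst))
    return entries

def _in_term(addr, term):
    # Wildcard semantics: a 0 bit must match, a 1 bit is ignored (non-contiguous masks work too).
    net, wildcard = term
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0

def acl_action(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, sterm, dterm in entries:
        if _in_term(s, sterm) and _in_term(d, dterm):
            return action
    return "deny"

def is_natted(entries, src, dst):
    """Under 'ip nat inside source route-map ...', only flows the ACL permits are translated."""
    return acl_action(entries, src, dst) == "permit"

def pool_fully_exempt(entries, lan_host, pool):
    """True when no LAN->pool flow is translated for any address in the pool."""
    first, last = _ip(pool[0]), _ip(pool[1])
    return all(not is_natted(entries, lan_host, str(ipaddress.IPv4Address(a)))
               for a in range(first, last + 1))
```

Note that the deny line covers 192.168.20.0/27, so a pool extended past .31 would silently start being translated again; the last function is the check for that mistake.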
Tags: Cisco Security
Similar Questions
-
Can connect to the IPSec VPN, but can not see the internal network
I have several users that can connect to our premises using IPSec VPN on a 5505. I have one user who can connect but cannot see the internal network. This user is using DSL with a Speedstream 4100. However, I have another user with the same configuration who can connect and see the internal network. Logs in ASDM show the connection, but do not seem to show any errors when trying to access internal hosts. Any help will be greatly appreciated. Thank you, Bill.
Add...
crypto isakmp nat-traversal
-
Can not reach the internal network on the VPN
Hello
So I've been setting up an ASA5510 to the best of my knowledge to allow VPN access to our internal network and its resources. IPSEC is configured correctly.
When connected I successfully get an IP address from the VPN subnet, but I can't reach any internal hosts (failed pings). Also, I noticed that my default gateway uses a VPN subnet IP address.
I have followed the guide Wizard and configuration Online but am still in the dark... it's all a bit new to me!
I'll post the config if you need to see.
Any help would be appreciated!
Hi, just a few things I noticed. Which group are you testing with? The split tunnel ACL for the two groups should be a standard ACL; well, it doesn't have to be, but it generally is. I suspect that it doesn't work because the ACL is defined in the wrong direction. You can therefore remove the first line of the RemoteVPNAccess ACL or replace it with a standard ACL. I recommend using a standard ACL.
The same applies to your nonat and inside ACLs: they should be permitting the subnets to the pool addresses. So you can delete the second line of the sheep ACL and the 'access-list inside_access_in extended permit ip 10.10.200.0 255.255.255.0 any' line in the inside ACL.
Also, use either tunnel-all or a split tunnel ACL but not both, and try removing the vpn filter; we can get back to that after we have connectivity.
-
Cisco ASA 5505 VPN L2TP cannot access the internal network
Hello
I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.
Can you help me find the problem?
I have a Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have the router to 192.168.1.2 and I cannot ping or access this router.
Here is my config:
ASA Version 8.4(3)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.X.X.A 255.255.255.248
!
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
 subnet 0.0.0.0 0.0.0.0
object network vpn_local
 subnet 192.168.168.0 255.255.255.0
object network inside_nw
 subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
!
object network vpn_local
 nat (outside,outside) dynamic interface
object network inside_nw
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
 dns-server value 75.75.75.75 76.76.76.76
 vpn-tunnel-protocol l2tp-ipsec
username -
username -
tunnel-group DefaultRAGroup general-attributes
 address-pool sales_addresses
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.
You must test with 'real' traffic to 192.168.1.2, and if you use ping, you must add ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
I can't ping the server from the client in the VM network.
Hi, I'm new so be nice.
I have a lab set up with VMware Workstation: 3 Server 2003 machines (a file, DNS and DHCP server) and a Server 2008 (which I want to be the PDC with AD); I also have 1 XP and 1 Win7. The servers can ping each other, but I can't ping the clients? I have disabled the firewall on XP and Win7. Before I start installing the roles I wanted to ping to make sure they all communicate. I used IP 10.10.10.11 for 2003 (10.10.10.9 for DNS), etc. I was wondering why I can't ping the clients. I read the other posts; they blame the firewall. I know that I have disabled it. Note: this is not on a network or on the internet at the moment.
Grrrr, ok I restarted the host and now all of the mpcv display an X on network connections, help please, thank you.
Take a look at the example I posted in Re: need help with Dev virtual network environment that requires a domain controller.
André
PS: in the example, NAT is vmnet8 by default.
-
I tried to go ahead and choose "Add TimeCapsule to the existing network", but it keeps defaulting to "add a new network".
without having to activate the internal networks?
"Add TimeCapsule to the existing network."
You cannot add a TC to an existing network, if there is one.
You must configure the TC for the network.
It keeps defaulting back to "add a new network".
So it's OK... the TC is either part of an existing network or makes a new one.
You must connect to the TC network... either wireless or ethernet.
However, you can configure the TC manually by simply plugging in ethernet, for example.
See: using Time Capsule over cable for Mac backup only.
The same can be done for wireless... but a TC is really the wrong device for backups if you don't have a network... It's cheaper, faster and more reliable to use a USB key.
-
Cisco VPN client connects but cannot access the internal network
Hi all
I have a VPN configured on a Cisco 5540. My VPN was working fine, but suddenly there is an issue where the Cisco VPN client connects but cannot access the internal network.
Any help would be much appreciated.
Hi Samir,
I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements in the reference link below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
(The link above includes split tunneling, but this is just an option.)
Please paste the output of "sh cry ipsec sa" here so that we can check if phase 2 is properly formed. I would also suggest you go to the IPSEC VPN client on your PC and check that the packets sent and received increment in the 'status' window.
Let me know if this helps,
See you soon,
Christian V
-
VPN client without access to the internal network
Hi all
I am trying to get IPsec VPN clients to talk to my internal network. I can ping the IP address of the internal interface, but not the gateway beyond it, or any of the resources on the internal network.
Thoughts?
Hello Tony
You need to check the following things:
1. Split tunnel network
2. "no nat" for the split tunnel network
Is this a test or production network? (I hope the client has the right gateway configuration.)
Also, if possible, please post your config for a better understanding.
Regards
Harish
-
I can connect to the local network, but not to the internet
Why, with an internet connection, can I connect to the local network but not to the Internet?
I have a valid IP address and the configuration is good.
I recommend you read some threads here in the forum about similar issues.
If this problem occurs using the WiFi network, then check if you can use the connection to the local network.
Using the WiFi network, you must check if the common WLan parameters are correct:
Check if the encryption key is right; turn off filtering by MAC address; check whether the TCP/IP protocol settings are set to automatic; disable the firewall settings; reset your WLan router; check if you are connected to the right SSID.
Bye
-
Satellite A100-529: How can I enable the wireless network adapter
Hi all!
I'm new here, but I want to know how I can activate the wireless network device. On my Toshiba Satellite A100-529 keyboard there is a Fn key that must be pressed together with the F8 key to turn on the wireless network device. I did that, but it does not work.
What can I do to turn on my wireless device?
Thank you!
You are right. The FN + F8 key combination should be used to switch on the WLan card.
But look, man. Have you checked whether your laptop supports a wireless network card?
I think it does not support the miniPCI wireless network card and the card does not exist! That's why the WLan card cannot be activated :) you know ;)
-
Why can I still see files that were deleted and renamed on a shared directory?
Why can I still see files that were deleted and renamed on a shared directory, but my co-workers can't see them? Is there a setting on my PC that I need to change?
Hello
Thanks for posting your question in the Microsoft Community. The question you posted would be better suited to the TechNet Forums. I would recommend posting your query in the link below. Windows 7 networking:
http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads
I hope that the information above helps you.
-
A server is now accessible from the external network using the IP and port below in a browser:
http://x.x.x.x:8080
For this, we have configured port forwarding (static NAT) on a Cisco 1905 security router.
The application is also accessible from the internal network via the internal IP and port (i.e. http://y.y.y.y:8080).
Is there a way I can configure my Cisco 1905 so that from the internal network (i.e. machine B) I can access the application using the public IP and port rather than the internal IP address? As of now, I'm not able to do so.
The current configuration is as follows:
access-list 1 permit y.y.y.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp y.y.y.y 8080 interface GigabitEthernet0/0 8080
Hello
You can try Domainless NAT.
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
no ip nat inside source static tcp y.y.y.y 8080 interface GigabitEthernet0/0 8080
int gig0/0
 no ip nat inside
 ip nat enable
int gig0/1
 no ip nat inside
 ip nat enable
ip nat source list 1 interface GigabitEthernet0/0 overload
ip nat source static tcp y.y.y.y 8080 interface GigabitEthernet0/0 8080
Regards
Paul
-
Why can't I get the same apps I have on my iPad?
Why can't I get the same apps I have on my iPad?
Because they are different versions for different operating systems.
-
How can I mute the internal loudspeakers of my Satellite L670-1JP?
How can I disable the internal loudspeakers of my Satellite L670-1JP without disabling the audio output?
Hello
Try *Fn + ESC.*
You're welcome
-
Why can't I open the attachment in Outlook Express?
Why can't I open the attachment in Outlook Express?
Try saving the attachment first, then try to open it. See also www.oehelp.com/OETips.aspx#1
Steve