CISCO ASA Clientless VPN Host Scan

Similar Messages

• Disable ASA Clientless VPN Application Customization Help File

  I am trying to completely disable ASA Clientless VPN Applications help files. Is there a way to do this?

  Windows 8 clientless SSL VPN is officially supported as of 9.0(2) and 9.1(2) codes:
  Clientless SSL VPN: Windows 8 Support: http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html
  Maybe upgrading your code will fix it...
  Patrick

• Cisco ASA 5505 VPN Routing/Networking Question

  I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs.  I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses.  I would like to install a second Cisco ASA 5505 in a remote branch office as its peer. 
  Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center?  I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible.  It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
  What am I missing?  Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?

  You can do it in several different ways.
  One way is to tell the server that if it has traffic to network x then it needs to go to the ASA all other traffic is to head for the default gateway.
  In windows this is done via the route command
  do not forget to make it "persistent" otherwise the route will disapear when your reboot the server.
  in unix/linux
  It is also the route command
  Or you can tell your "default gateway" to route that network to the ASA
  Good luck
  HTH

• Cisco ASA 5505 VPN help for local lan access.

  Hi all,
  I am very new to Cisco systems. Recently I was tasked to enable local lan access for one of my server. The problem is this. I have this server with 2 interfaces. One interface to my FTP server(192.168.2.3) and the other to the Cisco ASA(192.168.1.1). Whenever I connect the server to Cisco Anyconnect VPN, I am unable to access the FTP server anymore.
  I googled and found out that the problem is because the metric level is 1 for Ciscoanyconnect network interface which causes all traffic to go through the Cisco VPN Interface. Another problem is I can't change the metric of the Cisco VPN Interface as whenever I reconnect to the VPN, the metric resets back to 1 again. I tried to follow some guides to configure split tunnel but my traffic is still going through the VPN connection.
  Anyone can tell me what I am missing here? Sorry I am very new to Cisco systems. Spent about 5 days troubleshooting and I feel I am getting it soon. Anyone can guide me what else I am supposed to do?
  What I did> Configuration>> Remote access VPN>> Network Client Access>> Group Policies>> Advanced>> Split Tunneling>> Uncheck Inherit and select "Exclude Network List below.>> Uncheck Network List and select Manage, Add 192.168.2.0/24 to permit.
  Really appreciate if anyone can tell me what else I can do to ensure my server has access the my FTP Server after connecting to the VPN.
  Thanks all!
  Wen Qi

  Hi,
  Try adding the following configuration
  policy-map global_policy
  class inspection_default
    inspect pptp
  And then try again.
  I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
  - Jouni

• Cisco asa 5505 vpn issue

  I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through  a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.) 

  Post the config of your ASA and someone will be able to assist.

• CISCO ASA 5505 VPN problem in Windows 7

  I am using CISCO ASA 5505. Client PC with Windows XP can use IE to make the VPN connection normally.
  However, client PC with Windows 7 cannot use IE to make the VPN connection.
  It just show the error of "Internet Explorer cannot display the webpage"
  Would you please help?
  Thank you very much!

  Hi Timothy,
  Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
  Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
  Let me know if this helps.
  Thanks,
  Vishnu Sharma

• Port Forwarding for Cisco ASA 5505 VPN

  This is the Network
  Linksys E2500 ---> Cisco ASA 5505 ---> Server
  I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
  Thank You

  For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
  Command to enable NAT-T on ASA:
  crypto isakmp nat-traversal 30

• Cisco ASA and Internal Hosted Website

  I have a Cisco ASA 8.4. I have an internal website for an application that they use both internal and externally (app.domain.com/app  is 10.0.0.3) The company that hosts their External Website and DNS created a record that points to http://app.domain.com/app to their public ip 1.2.3.4. Externally everything works great I have port forward for 80 working.  The problem is that when the users bring their laptops in to the office they are unable to get to the interanlly hosted website. I think the the firewall is having an issue letting the traffic back in. If i use the internal DNS and create a zone for domain.com with an A record for app.domain.com and point it to 10.0.0.3 the internal address..it works.  Of course when they try to access the external website it does not work. So if create an A record that points to the web hosts address, it kinda of works...parts of the website don't come up. I really think I there is something like a hairpin or u-turn that needs to be done. Oh by the way this is my first real experince with an ASA. The Symantec Gateway they had worked great. I looked in the config and there were no hairpin or crazy rules, just the standard port forward for 80.  Any ideas? I have tried several suggestions i found on the web, but none have worked.
  Thanks
  Nick

  Hi,
  The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.
  You might for example have this configuration
  object network WEB-SERVER
  host 10.0.0.3
  nat (inside,outside) static interface service 80 80
  This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".
  I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.
  If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And thats not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server and since we PAT all the users to the ASA "inside" interface IP address that makes sure that ASA sees the whole conversation between the hosts.
  So you could try this configuration on the ASA
  object network PUBLIC-IP
  host
  object network WEB-SERVER
  host 10.0.0.3
  object network LAN
  subnet
  nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
  The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)
  You would also perhaps needs to add this command
  same-security-traffic permit intra-interface
  This enabled the ASA to pass traffic through the same interface that the traffic arrived in. So basically do that Hairpin/U-turn
  You can check the current configuration with the command
  show run same-security-traffic
  Do notice that there is a similiar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.
  Hope this helps
  Let me know how it goes
  - Jouni

• Include multiple sub-interfaces in Cisco ASA for VPN tunnel

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

• Access Site to Site Networks behind Cisco ASA thru VPN Client

  I have configured remote access thru asa for vpn clients to our main network. I can ping the required networks from vpn client. Internally I can ping remote network thru our sonicwall site to site vpn. I however cannot ping the remote network from the vpn client. I've added the network in the configuration on the ASA that I am trying to connect to. Any ideas what I can do so I can connect to Site B thru my vpn client connecting to Site A?
  Thanks,
  Matt

  Hello, matt0000111111.
  Did you add a VPN clients network to the sit-to-site VPN settings and to the NAT list (if nat exist at the interfaces at site-to-site vpn)?

• Cisco ASA 5505 VPN Anyconnect no address assignment

  I have a problem with ip assigment via anyconnect. I always get the message no assigned address via anyconnect. I assigned to my profile for vpn a address pool, but it's still not working. Here is my config:
  hostname firewall
  domain-name ITTRIPP.local
  enable password 8K8UeTZ9KV5Lvofo encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
  ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
  ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
   switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   description Private Interface
   nameif inside
   security-level 100
   ip address 192.168.178.10 255.255.255.0
   ospf cost 10
  interface Vlan2
   description Public Interface
   nameif outside
   security-level 0
   ip address 192.168.177.2 255.255.255.0
   ospf cost 10
  interface Vlan3
   description DMZ-Interface
   nameif dmz
   security-level 0
   ip address 10.10.10.2 255.255.255.0
  boot system disk0:/asa914-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns domain-lookup dmz
  dns server-group DefaultDNS
   name-server 192.168.178.3
   name-server 192.168.177.1
   domain-name ITTRIPP.local
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network 192.168.178.x
   subnet 192.168.178.0 255.255.255.0
  object network NETWORK_OBJ_192.168.178.0_26
   subnet 192.168.178.0 255.255.255.192
  object service teamviewer
   service tcp source eq 5938
  object service smtp_tls
   service tcp source eq 587
  object service all_tcp
   service tcp source range 1 65535
  object service udp_all
   service udp source range 1 65535
  object network NETWORK_OBJ_192.168.178.128_26
   subnet 192.168.178.128 255.255.255.192
  object network NETWORK_OBJ_10.0.0.0_28
   subnet 10.0.0.0 255.255.255.240
  object-group service Internet-udp udp
   description UDP Standard Internet Services
   port-object eq domain
   port-object eq ntp
   port-object eq isakmp
   port-object eq 4500
  object-group service Internet-tcp tcp
   description TCP Standard Internet Services
   port-object eq www
   port-object eq https
   port-object eq smtp
   port-object eq 465
   port-object eq pop3
   port-object eq 995
   port-object eq ftp
   port-object eq ftp-data
   port-object eq domain
   port-object eq ssh
   port-object eq telnet
  object-group user DM_INLINE_USER_1
   user LOCAL\admin
   user LOCAL\lukas
   user LOCAL\sarah
  object-group service DM_INLINE_TCP_1 tcp
   port-object eq ftp
   port-object eq ftp-data
   port-object eq ssh
  object-group service 192.168.178.network tcp
   port-object eq 5000
   port-object eq 5001
  object-group service DM_INLINE_SERVICE_1
   service-object object smtp_tls
   service-object tcp destination eq imap4
   service-object object teamviewer
  object-group service DM_INLINE_SERVICE_2
   service-object object all_tcp
   service-object object udp_all
  object-group service DM_INLINE_SERVICE_3
   service-object object all_tcp
   service-object object smtp_tls
   service-object object teamviewer
   service-object object udp_all
   service-object tcp destination eq imap4
  object-group service vpn udp
   port-object eq 1701
   port-object eq 4500
   port-object eq isakmp
  object-group service openvpn udp
   port-object eq 1194
  access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
  access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside in                                                                                                                    terface]=-
  access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object                                                                                                                    -group Internet-udp
  access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object                                                                                                                    -group Internet-tcp
  access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
  access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip                                                                                                                    
  access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.1                                                                                                                    78.0 255.255.255.0 any
  access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.1                                                                                                                    78.0 255.255.255.0 any
  access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE in                                                                                                                    terface]=-
  access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo                                                                                                                    -reply
  access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 an                                                                                                                    y host 192.168.178.95 object-group DM_INLINE_TCP_1
  access-list outside-in extended permit tcp any host 192.168.178.95 object-group                                                                                                                     192.168.178.network
  access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq si                                                                                                                    p
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.                                                                                                                    251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Nam                                                                                                                    e Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.                                                                                                                    252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbi                                                                                                                    os-ns
  access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ i                                                                                                                    nterface]=-
  access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10                                                                                                                    .10.0 255.255.255.0 any
  access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
  access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any objec                                                                                                                    t-group Internet-tcp
  access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any objec                                                                                                                    t-group Internet-udp
  pager lines 24
  logging enable
  logging buffer-size 30000
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16                                                                                                                    8.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
  nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.1                                                                                                                    78.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.16                                                                                                                    8.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0                                                                                                                    .0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
  object network 192.168.178.x
   nat (inside,outside) dynamic interface
  nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
  access-group inside-in in interface inside
  access-group outside-in in interface outside
  access-group dmz_access_in in interface dmz
  route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ITTRIPP protocol ldap
  aaa-server ITTRIPP (inside) host 192.168.178.3
   ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
   ldap-scope subtree
   ldap-naming-attribute sAMAccountName
   ldap-login-password *****
   ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
   server-type microsoft
  user-identity default-domain LOCAL
  eou allow none
  aaa authentication telnet console LOCAL
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  aaa local authentication attempts max-fail 5
  http server enable
  http 192.168.178.0 255.255.255.0 inside
  http redirect outside 80
  http redirect inside 80
  http redirect dmz 80
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-A                                                                                                                    ES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-A                                                                                                                    ES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES2                                                                                                                    56 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map dmz_map interface dmz
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
   enrollment self
   subject-name CN=firewall
   crl configure
  crypto ca trustpoint ASDM_TrustPoint1
   enrollment self
   fqdn l1u.dyndns.org
   email [email protected]
   subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA=                                                                                                                    [email protected]
   serial-number
   crl configure
  crypto ca trustpool policy
  crypto ca certificate chain ASDM_TrustPoint0
   certificate 6a871953
      308201cf 30820138 a0030201 0202046a 87195330 0d06092a 864886f7 0d010105
      0500302c 3111300f 06035504 03130866 69726577 616c6c31 17301506 092a8648
      86f70d01 09021608 66697265 77616c6c 301e170d 31343033 30373039 31303034
      5a170d32 34303330 34303931 3030345a 302c3111 300f0603 55040313 08666972
      6577616c 6c311730 1506092a 864886f7 0d010902 16086669 72657761 6c6c3081
      9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c0 8f17fa6c
      2f227dd9 9d2856e1 b1f8193b 13c61cfe 2d6cbf94 62373535 71db9ac7 5f4ad79f
      7594cfef 1360d88d ad3c69c1 6e617071 c6629bfa 3c77c2d2 a59b1ce1 39ae7a44
      3f8c852d f51d03c1 d9924f7c 24747bbb bf79af9a 68365ed8 7f56e58c a37c7036
      4db983e0 414d1b5e a8a2226f 7c76f50d d14ca714 252f7fbb d4a23d02 03010001
      300d0609 2a864886 f70d0101 05050003 81810019 0d0bbce4 31d9342c 3965eb56
      4dde42e0 5ea57cbb a79b3542 4897521a 8a6859c6 daf5e356 9526346d f13fb344
      260f3fc8 fca6143e 25b08f3d d6780448 3e0fdf6a c1fe5379 1b9227b1 cee01a20
      aa252698 6b29954e ea8bb250 4310ff96 f6c6f0dc 6c7c6021 3c72c756 f7b2e6a1
      1416d222 0e11ca4a 0f0b840a 49489303 b76632
    quit
  crypto ca certificate chain ASDM_TrustPoint1
   certificate 580c1e53
      308202ff 30820268 a0030201 02020458 0c1e5330 0d06092a 864886f7 0d010105
      05003081 c3312230 2006092a 864886f7 0d010901 16136d61 696c406c 31752e64
      796e646e 732e6f72 67310d30 0b060355 04071304 504c4247 310c300a 06035504
      0813034e 5257310b 30090603 55040613 02444531 10300e06 0355040a 13074954
      54524950 50311530 13060355 040b130c 56504e20 53657276 69636573 31173015
      06035504 03130e6c 31752e64 796e646e 732e6f72 67313130 12060355 0405130b
      4a4d5831 3533345a 30575430 1b06092a 864886f7 0d010902 160e6c31 752e6479
      6e646e73 2e6f7267 301e170d 31343033 31353036 35303535 5a170d32 34303331
      32303635 3035355a 3081c331 22302006 092a8648 86f70d01 09011613 6d61696c
      406c3175 2e64796e 646e732e 6f726731 0d300b06 03550407 1304504c 4247310c
      300a0603 55040813 034e5257 310b3009 06035504 06130244 45311030 0e060355
      040a1307 49545452 49505031 15301306 0355040b 130c5650 4e205365 72766963
      65733117 30150603 55040313 0e6c3175 2e64796e 646e732e 6f726731 31301206
      03550405 130b4a4d 58313533 345a3057 54301b06 092a8648 86f70d01 0902160e
      6c31752e 64796e64 6e732e6f 72673081 9f300d06 092a8648 86f70d01 01010500
      03818d00 30818902 818100c0 8f17fa6c 2f227dd9 9d2856e1 b1f8193b 13c61cfe
      2d6cbf94 62373535 71db9ac7 5f4ad79f 7594cfef 1360d88d ad3c69c1 6e617071
      c6629bfa 3c77c2d2 a59b1ce1 39ae7a44 3f8c852d f51d03c1 d9924f7c 24747bbb
      bf79af9a 68365ed8 7f56e58c a37c7036 4db983e0 414d1b5e a8a2226f 7c76f50d
      d14ca714 252f7fbb d4a23d02 03010001 300d0609 2a864886 f70d0101 05050003
      81810087 8aca9c2b 40c9a326 4951c666 44c311b6 5f3914d5 69fcbe0a 13985b51
      336e3c1b ae29c922 c6c1c29d 161fd855 984b6148 c6cbd50f ff3dde66 a71473c4
      ea949f87 b4aca243 8151acd8 a4a426d1 7a434fbd 1a14bd90 0abe5736 4cd0f21b
      d194b3d6 9ae45fab 2436ccbf d59d6ba9 509580a0 ad8f4131 39e6ccf1 1b7a125d
      d50e4e
    quit
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable inside client-services port 443
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 enable dmz client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
  crypto ikev1 enable outside
  crypto ikev1 policy 10
   authentication crack
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 20
   authentication rsa-sig
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 30
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 40
   authentication crack
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 50
   authentication rsa-sig
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 60
   authentication pre-share
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 70
   authentication crack
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 80
   authentication rsa-sig
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 90
   authentication pre-share
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 100
   authentication crack
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 110
   authentication rsa-sig
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 130
   authentication crack
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 140
   authentication rsa-sig
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 150
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 65535
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet 192.168.178.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.178.0 255.255.255.0 inside
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  no vpn-addr-assign aaa
  no vpn-addr-assign local
  no ipv6-vpn-addr-assign aaa
  dhcp-client update dns server both
  dhcpd update dns both
  dhcpd address 192.168.178.100-192.168.178.150 inside
  dhcpd dns 192.168.178.3 192.168.177.1 interface inside
  dhcpd wins 192.168.178.3 interface inside
  dhcpd domain ITTRIPP.local interface inside
  dhcpd update dns both interface inside
  dhcpd option 3 ip 192.168.178.10 interface inside
  dhcpd option 4 ip 192.168.178.3 interface inside
  dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
  dhcpd option 66 ip 192.168.178.95 interface inside
  dhcpd enable inside
  dhcpd address 192.168.177.100-192.168.177.150 outside
  dhcpd dns 192.168.178.3 192.168.177.1 interface outside
  dhcpd wins 192.168.178.3 interface outside
  dhcpd domain ITTRIPP.local interface outside
  dhcpd update dns both interface outside
  dhcpd option 3 ip 192.168.177.2 interface outside
  dhcpd option 4 ip 192.168.178.3 interface outside
  dhcpd option 6 ip 192.168.178.3 interface outside
  dhcpd enable outside
  dhcpd address 10.10.10.100-10.10.10.150 dmz
  dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
  dhcpd wins 192.168.178.3 interface dmz
  dhcpd domain ITTRIPP.local interface dmz
  dhcpd update dns both interface dmz
  dhcpd option 3 ip 10.10.10.2 interface dmz
  dhcpd option 4 ip 192.168.178.3 interface dmz
  dhcpd option 6 ip 192.168.178.3 interface dmz
  dhcpd enable dmz
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag                                                                                                                    e-rate 200
  tftp-server inside 192.168.178.105 /volume1/data/tftp
  ssl encryption 3des-sha1
  ssl trust-point ASDM_TrustPoint0
  ssl trust-point ASDM_TrustPoint1 outside
  ssl trust-point ASDM_TrustPoint1 dmz
  ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
  ssl trust-point ASDM_TrustPoint1 inside
  ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
  ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
  webvpn
   enable inside
   enable outside
   enable dmz
   file-encoding 192.168.178.105 big5
   csd image disk0:/csd_3.5.2008-k9.pkg
   anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
   anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
   anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
   anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profil                                                                                                                    e.xml
   anyconnect enable
   tunnel-group-list enable
   mus password *****
  group-policy DfltGrpPolicy attributes
   wins-server value 192.168.178.3
   dns-server value 192.168.178.3 192.168.177.1
   dhcp-network-scope 192.168.178.0
   vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
   default-domain value ITTRIPP.local
   split-dns value ITTRIPP.local
   webvpn
    anyconnect firewall-rule client-interface public value outside-in
    anyconnect firewall-rule client-interface private value inside-in
  group-policy GroupPolicy_SSL-Profile internal
  group-policy GroupPolicy_SSL-Profile attributes
   wins-server value 192.168.178.3
   dns-server value 192.168.178.3 192.168.177.1
   vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
   default-domain value ITTRIPP.local
   webvpn
    anyconnect profiles value SSL-Profile_client_profile type user
  username sarah password PRgJuqNTubRwqXtd encrypted
  username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
  username lukas password KGLLoTxH9mCvWzVI encrypted
  tunnel-group DefaultWEBVPNGroup general-attributes
   address-pool SSL-POOL
   secondary-authentication-server-group LOCAL
   authorization-server-group LOCAL
  tunnel-group DefaultWEBVPNGroup ipsec-attributes
   ikev1 trust-point ASDM_TrustPoint0
   ikev1 radius-sdi-xauth
  tunnel-group SSL-Profile type remote-access
  tunnel-group SSL-Profile general-attributes
   address-pool SSL-POOL
   default-group-policy GroupPolicy_SSL-Profile
  tunnel-group SSL-Profile webvpn-attributes
   group-alias SSL-Profile enable
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
   class class-default
    user-statistics accounting
  service-policy global_policy global
  mount FTP type ftp
   server 192.168.178.105
   path /volume1/data/install/microsoft/Cisco
   username lukas
   password ********
   mode passive
   status enable
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                                    CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1
  Any idea why it's not working?

  You've got a lot going on there but I'd focus on the line "no vpn-addr-assign local". Per the command reference that tells the ASA NOT to use the  local pool.
  By the way, DHCP on the outside interface looks very counter-intutive, as does enabling VPN on all interfaces over every protocol.

• Cisco ASA 5505 VPN connection issue ("Unable to add route")

  I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
  Setup:
  * Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
  * PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
  NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
  I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
  First I tried with the built-in ASDM IPSec Wizard, instructions found here.
  VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
  Client logs show following error messages:
  1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
  Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
  2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
  AddRoute failed to add a route with metric of 0: code 160
  Destination     192.168.1.255
  Netmask     255.255.255.255
  Gateway     172.16.1.1
  Interface     172.16.1.101
  3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
  Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
  4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
  5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
  6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
  7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
  Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
  8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
  AddRoute failed to add a route with metric of 0: code 160
  Destination     192.168.1.255
  Netmask     255.255.255.255
  Gateway     172.16.1.1
  Interface     172.16.1.100
  9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
  Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
  I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
  A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(5)
  hostname AsaDWD
  enable password kLu0SYBETXUJHVHX encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group DW-VPDN
  ip address pppoe setroute
  ftp mode passive
  access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn group DW-VPDN request dialout pppoe
  vpdn group DW-VPDN localname fa******@SKYNET
  vpdn group DW-VPDN ppp authentication pap
  vpdn username fa******@SKYNET password *****
  dhcpd auto_config outside
  dhcpd address 192.168.2.5-192.168.2.36 inside
  dhcpd domain DOMAIN interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DWD internal
  group-policy DWD attributes
  vpn-tunnel-protocol IPSec
  username test password ******* encrypted privilege 0
  username test attributes
  vpn-group-policy DWD
  tunnel-group DWD type remote-access
  tunnel-group DWD general-attributes
  address-pool DWD-VPN-Pool
  default-group-policy DWD
  tunnel-group DWD ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
  : end
  I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
  Following commands have been entered:
  ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
  username *** password ****
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption 3des
  isakmp policy 1 hash sha
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 43200
  isakmp enable outside
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 10 set reverse-route
  crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
  crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp nat-traversal
  sysopt connection permit-ipsec
  sysopt connection permit-vpn
  group-policy dwdvpn internal
  group-policy dwdvpn attributes
  vpn-tunnel-protocol IPSec
  default-domain value DWD
  tunnel-group dwdvpn type ipsec-ra
  tunnel-group dwdvpn ipsec-attributes
  pre-shared-key ****
  tunnel-group dwdvpn general-attributes
  authentication-server-group LOCAL
  default-group-policy dwdvpn
  Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
  I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
  The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
  Does anyone know what's going on?

  Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
  Please find my renewed config below:
  DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum client auto  message-length maximum 512policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

• Cisco ASA 5505 VPN with iPhone

  Hello Everyone. I am a newbie to the Cisco appliances, so please bear with me. I am trying to configure this unit to allow iPhone VPN access to our network to sync LOTUS DOMINO (Not Exchange) user's Email, Contacts, and Calendar. We have a Sonicwall NSA 2400 that is our main router, so the ASA will only be used for VPN access, not routing. It will be in the DMZ providing VPN access for the iPhones. With the VPN connected, we need to limit access to only those services required by the iphone to sync information. The Software version on the Cisco is 7.2(4). If there is anyone that could help me out, I would greatly appreciate it. Please remember I am new to this, so please be patient. Where do I begin? I hope to hear from anyone soon.

  Hi,
  I cannot help you with the Cisco side of the equation, but do you know about Lotus Traveler? It's free from IBM and essentially adds ActiveSync support to your Domino email environment. The iPhone is configured with an Exchange ActiveSync account and pointed to the Lotus Traveler server (which sits in your DMZ and only needs port 80/443 access). It gives you full push email/contacts/calendar (Blackberry-like) functionality.
  Like I said, it's a free add-on from IBM Lotus for all licensed Domino users.

• Cisco ASA 5505 VPN Help Needed

  Hi all.
  I am trying to connect to a VPN set up at a remote customer site. However it seems that connections cannot be established from inside my office network. I have tried from other sites and connections can be established. For obvious reasons, this is not a practical solution.
  I have run network monitoring within the ASDM at the time of various connection attempts and keep get the following message:
  194.75.53.148
  regular translation creation failed for protocol 47 src inside:192.168.0.81 dst outside:194.75.53.148
  My configuration is below:
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name xxx.local
  enable password SpSqlpxlX4bU60eP encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group XXXX
  ip address xxx.xxx.xxx.xxx 255.255.255.255 pppoe setroute
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address xxx.xxx.xxx.xxx 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name xxx.local
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq https
  port-object eq smtp
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq www
  port-object eq https
  access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit tcp any host abc.abc.com eq https
  access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_1
  access-list outside_access_in extended permit tcp any host abc.abc.com eq https
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  static (inside,outside) tcp abc smtp abc smtp netmask 255.255.255.255
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet 192.168.0.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.0.85 255.255.255.255 inside
  ssh timeout 5
  console timeout 0
  vpdn group abc request dialout pppoe
  vpdn group abc localname 02024658215@abc
  vpdn group abc ppp authentication pap
  vpdn username 02024658215@abc password ********* store-local
  dhcpd auto_config outside
  username manager password KDNz8d1FwKy7dzg2 encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:27b2bfc3a2fa63ce614199070bd1195f
  : end
  If I drill down into the error further it says that the ASA is not permitted to let traffic destined for a network or broadcast address through. The traffic is coming back to 192.168.0.81 which is neither of these.
  Maybe I am overlooking something simple but any help or guidance would be much appreciated.
  Thanks in advance.
  Ben Peacock.

  Hi,
  Try adding the following configuration
  policy-map global_policy
  class inspection_default
    inspect pptp
  And then try again.
  I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
  - Jouni

• Cisco ASA 5505 VPN Remote Acces Problem

  Hello Guys .. i have cisco 5505 Asa security Adaptive , and i have two local networks 192.168.1.0 /24   and 192.168.2.0/24 , and i have my ISP public connection,,,,,what i want to do is i want to connect Remote VPN connection and access my  Private Network of 192. my public ip is like 155.155.155.0 /24    ...
  i put my ISP connection in the EO/0 and my private networks into E0/1 and E0/2.
  so i created a remote vpn connection ,, and then i connected to the VPN ..
  My problem i can't reach and access my private networks .. this probem frustrated me a lot .. so cisco guys please help me
  and iam using ASDM cisco graphic interface

  Hi Timothy,
  Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
  Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
  Let me know if this helps.
  Thanks,
  Vishnu Sharma