Allow remote Cisco VPN ASDM Access

Similar Messages

• Problem accessing company resources remotely using Cisco VPN Client

  I connect to my company's network remotely using Cisco VPN client both from a PC (v 4.0.1) and from a MacBook Pro (v 4.9.00)(same configs), and use Remote Desktop to connect to my work computer, and now i'm able to use Citrix to run applications on the company server.
  The problem occurs on the Mac when I'm connecting from a location that uses the same private domain IP as our company's private domain. Our company's private domain is 192.168.1.x, so when I'm using the Mac on a WiFi router that happens to be set to 192.168.1.1, the Mac can connect using VPN but the remote desktop cannot connect to my work computer. Presumably, the Mac doesn't "know" that I'm trying to go through the VPN for the connection and not connect to something locally.
  This problem seems to be unique to the Mac. Every Windows machine with the same client installed has no problems no matter what WiFi I've tried. The Mac works fine on any WiFi that is not 192.168.1.x.
  However, since 192.168.1.x is very common (hotels, airports, etc., its a major problem with the Mac.
  Suggestions are greatly appreciated!
  Also, now that we're moving to Citrix, our administrator has created a webpage on the intranet that we launch applications from, but the Mac cannot find that page when connected to VPN from 192.168.1.x. Same problem.
  Thanks in advance.

  Hi,
  I presume you have split-tunneling activated.
  1. Make sure the 192.168.1.x is on the protected networks and on the MacBook client, disable "Allow local LAN access"
  2. Create a separate group for the Mac users and assgn them a different pool (192.168.100.x )and advertise it in your company to point to the VPN Concentrator.
  3. Use the NAT feature on your VPN concentrator.
  If this helped, please rate.
  Regards,
  Daniel

• Cisco vpn 5.0.07.0440-k9 connected but not access remote network from Windows 8.1 pro

  I am using Cisco vpn 5.0.07.0440-k9 and Cisco vpn 5.0.07.0290-k9 both version on our windows 8.1 pro laptop.
  VPN successfully connected but not access remote network and not getting ping. 
  But when i am try through wifi then vpn good work.
  Please help me as soon as possible.
  Thanks
  Sanjib

  Hello Karthik,
  I am using "MTS usb wifi" device and connect vpn through wifi Its working good the same win8.1 pro. But when i am try to connect VPN through LAN/Wired or USB modem (Like: Vodafone,MTS and others) its not working.
  I am using Easy vpn on Cisco RV325 router in our office. Same VPN client is very good working in Windows 7 SP1 and Windows XP SP3.
  Thanks
  Sanjib

• Is it possible to use ICS with a Cisco VPN client to allow pass through access for Domain login for a second machine.

  I have a current machine Windows 7 Pro with a Cisco VPN 3.5v client that currently connects with access to a customers network.
  They shipped a second machine Windows 8.1 Pro without adding local accounts, that is pre-joined to a sub-domain the first system has access to.
  Would it be possible to use the first machine as a ICS or Router to allow the second machine to see or access for log in, without returning to the customer site and plugging in for a log in point?
  Trying to save a 3 to 4 hr trip and lugging a system back for myself and the rest of the team.
  Thanks

  Hi,
  Please refer to this part
  http://windows.microsoft.com/en-hk/windows/using-internet-connection-sharing#1TC=windows-7
  ICS and VPN connections
  If you create a virtual private network (VPN) connection on your  host computer to a corporate network and then enable  ICS on that connection, all Internet traffic is routed to the corporate network and all of the computers on your home network
  can access the corporate network. If you don't enable ICS on the VPN connection, other computers won't have access to the Internet or corporate network while the VPN connection is active on the host computer
  Yolanda Zhu
  TechNet Community Support

• IPSEC Cisco VPN connection. Modifying default VPN gateway allows internet traffic but loses access to VPN

  Hello!!
  I'm using the IPSEC Cisco VPN Network property to connect to my company.
  Once I get connected, I lose internet access, because all the traffic is redirected through the tunnel and I want both, of course.
  If I modify the default getaway in the routing table, with this command
  route change default x.x.x.x, where this is the getaway IP when not connected to the VPN,
  I gain access to internet, but I lose access through the VPN tunnel.
  I was reading about it in google, and what I have to do is to add a static route to the VPN again, but I don't know how.
  Could you please help me?
  thanks in advance!!

  Hi Norbert,
  I am sorry to say that configuring routes in Azure Virtual network is not supported. I recommend you to submit your reuqirement on Azure Feedback and hope it would be released soon:
  http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Do I need to run DNS on a colo server being accessed remotely via VPN?

  My Mac Mini Server is located in a colo site. We generally use it for Web, email and a couple of application-specific services. It has a dedicated IP address. We have a separate DNS service we use to point to the domains on the server located remotely from the server. Forward and reverse lookups work fine from the server, even though the local DNS service is turned off.
  However, we now have a couple of things we want to access remotely on the server via VPN (for example, some files via AFP). The firewall blocks remote AFP requests (using the built-in firewall, not a separate box). We can connect via VPN without problems. However, AFP does not work. If I allow AFP in the firewall and try to connect, no problems at all.
  Since the Mini is located by itself and will never likely have anything connected to a "local network" (never running DHCP, etc.), there generally doesn't seem to be a need to run DNS on the server.
  I suspect the problem is that when you VPN into the server you are on its "local network", whatever that means, so the DNS does not resolve since the local DNS service is not running. However, I am not positive of this.
  Must we run local DNS? Does it have to mirror the remote DNS that we currently reference? Can we somehow "reference" the local DNS from VPN clients trying to access local services?
  I hope this question makes some sense.

  Bear with me please....
  The Mac Mini is in a data center on a shelf, getting a direct connection to the Internet via ethernet with a fixed IP address (under the covers, I suspect that the data center is using some sort of router or switch, but I am not paying for a hardware firewall or other gateway). There is no local network for the Mini. It is not running DHCP, not handing out NAT addresses, etc. DNS is currently off. Rather than using the local DNS, the Mini is resolving its DNS needs with a DNS server located at another site, over the Internet. This seems to work fine (i.e., changeip confirms it is working and services seem to work).
  I am currently using the software firewall built into SLS.
  I want to turn on VPN so that remotely located computers can access services on the Mini without having to make the services visible through the firewall.
  I am able to connect devices via VPN with little difficulty (iPhones, Macs, etc.). However, when I try to access services (let's use AFP as an example), I cannot access them UNLESS they are allowed through the firewall. This tells me that I am not seeing the services through the VPN, but rather through the Internet directly.
  What I meant by "local network" is that the VPN allocates local IP addresses when devices log into the VPN service (10.0.x.x). There is no DHCP allocating these addresses, just VPN.
  My question is: why can I not see the services on the Mini blocked by the firewall when successfully logged into VPN on the server? Isn't the whole point of the VPN to gain access to services behind the firewall?
  I am guessing (with no particular information to support my thesis) that somehow without DNS running on the Mini, VPN clients are unable to access services on the Mini. I do not know for sure, however, if this is the problem. If it IS a problem, then the question is whether I should completely copy the DNS entries from the remote DNS server to the Mini and start the service. Will that solve the issue? Create conflicts with the DNS (since it is now located on both a remote service and on the Mini)? It certainly will create a maintenance headache since now I will have to maintain the DNS in both places.
  I am hesitant to migrate all of my DNS services to the Mini (because I will also have to go to the domain registrars to change where they point, etc.) to eliminate the remote one. And I am not sure it will solve this problem anyway.
  Sorry for all of the typing!

• Unable to access satellite offices with Cisco VPN client

  There are 4 sites:
  Main office - 192.168.0.x/24
  Sat office1 - 10.0.0.x/24
  Sat Office2 - 10.0.1.x/24
  Sat Office3 - 10.0.2.x/24
  All 4 offices are connected via MPLS using other Cisco routers from the telcom co. The user VPN endpoint is at the main office. (Cisco 1811)
  We can make the VPN connection with the Cisco VPN client and browse the 192 network all day long. We cannot access any of the other subnets over the VPN connection. Browsing the other subnets while physically at the main office is fine. This DID work in the past. Something changed that I cannot pinpoint, any ideas?
  Scope for the VPN endusers is 10.100.100.x/24
  Cisco VPN Client versions 4.x and 5.x (both affected)
  Thanks in advance

  Ken
  It is good to know that it did work in the past and then stopped working. That indicates that something changed. Is it possible that a software upgrade has been done and that the change is behavior is reflecting a different version of IOS? (I suspect that is is possible but not so likely - but we need to ask.)
  My guess is either that there was some change in the routing logic or that the access lists which indicate what traffic is to be protected by the VPN used to include remote to remote but has been changed for some reason.
  Could you post the configuration of the main office 1811?
  Another question that occurs to me is whether the main office 1811 is directly connected to the Internet or does it go through some firewall? If if goes through some firewall is it possible that there has been some change in the firewall rules that is denying the remote to remote traffic?
  HTH
  Rick

• Cisco VPN client can't ping remote network.

  I have recently installed a Cisco 5505 and have problems with some of the Cisco VPN Hosts I connect to using the Cisco VPN dialer. The Cisco Dialer connects fine but I am unable to connect to any computers on the remote network.
  I have tracked the issue down to the ones that work & the ones that don't. If the remote Cisco is on the same sub-net as the computers I am connecting to it works fine. If the remote Cisco is on a differant sub-net then the computer I am trying to connect to it won't work unless I set up a static nat for a given pc on my network.
  When I run through the dynamic Nat for my network I get the following error on the 5505.
  regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx
  I have been trying to find a solution to this issue ever since I installed the router and have not had any luck with any of the suggestions I have found on the Web. I have attached my config.
  Any help would be appreciated.
  Mike

  Thanks for your response.
  Yes that exactly the setup we are trying to get to work.
  I have a call into them now and will check on their set up but I have no control over how they configure their routers I can only make requests.
  I was hoping there was something causing it on my side as I deal with Hospitals and they can get very picky about their security.
  I guess what is confusing me is it works if it goes through a Static Nat but not if it runs through our dynamic Nat.
  Mike

• I cannot route to remote subnets from cisco vpn client and pptp client

  Hi guys,
  I've a big problem, I configured a 877 cisco router as a cisco vpn server (the customer use it to connect to his network from pc) and a pptp vpn server (he use it to connet to the network from a smartphone).
  In this router I created 2 vlan, one for wired network (192.168.10.0/24) and the second one (10.0.0.0/24) for wireless clients and I use fastethernet 3 port to connect these to the router.
  this is the issue, when the customer try to connect to a wireless network from both of vpn clients he cannot do this, but if he try to connect to a wired network client all working fine.
  following the addresses taken from the router.
  - encrypted vpn client -
  ip address. 192.168.10.20
  netmask 255.255.255.0
  Default Gateway. none (blank)
  - pptp vpn client -
  ip address. 192.168.10.21
  netmask. 255.255.255.255
  Default Gateway. 192.168.10.21
  Is possible that I cannot reach the remote subnet because the clients doesn't receive a gateway (in the first case) or receive the wrong subnet/gateway (in the second one)..?
  There is anyone can help me..?
  Thank you very much.
  Many Kisses and Kindly Regards..
  Ilaria

  The default gateway on your PC is not the problem, it will always show as the same IP address (this is no different when you dial up to an ISP, your DG will again be set to your negotiated IP address).
  The issue will be routing within the campus network and more importantly on the PIX itself. The campus network needs a route to the VPN pool of addresses that eventually points back to the PIX.
  The issue here is that the PIX will have a default gateway pointing back out towards your laptop. When you establish a VPN and try and go to an Internet address, the PIX is going to route this packet according to its routing table and send it back out the interface it came in on. The PIX won't do this, and the packet will be dropped. Unless you can set the PIX's routing table to forward Internet packets to the campus network, there's no way around this. Of course if you do that then you'll break connectivity thru the PIX for all the internal users.
  The only way to do this is to configure split tunnelling on the PIX, so that packets destined for the Internet are sent directly from your laptop in the clear just like normal, and any packet destined for the campus network is encrypted and sent over the tunnel.
  Here's the format of the command:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1048524

• Cisco VPN Software and Remote Desktop Problem

  Hello-
  Please have patience as I just got my first mac and I'm really just learning how everything works.
  Anyway, I'm trying to connect to my office network from my iMac (OS X 10.5.3) using the Cisco VPN client ver. 4.9.01 (0030) and the Remote Desktop Connection v2.0.0 Beta 3. I'm able to connect via the VPN but I cannot connect to the remote machine using either the machine's hostname or IP address.
  In order to troubleshoot the issue, I tried to ping the remote machine after connecting via VPN and it fails. The name is resolving but ping fails with a "No route to host" and then "Host is down error." However, I know the host is up since when I connect via VPN from my PC I can ping the remote machine without a problem.
  Anyone have any ideas? Does the Cisco VPN client for Mac not work well? Is there some simple configuration setting I'm missing somewhere? BTW, I'm connecting to the Internet via WiFi and am using a Linksys WRT54G router.
  thx,
  ian

  Hello Ian:
  Welcome to Apple discussions (and to the wonderful world of Macs). I think you will find these forums represent the best on-line community anywhere - and everyone is a volunteer!
  I am no help with your problem as I have not used a Cisco VPN. However, in my previous business life I did connect my home Mac to my business VPN. I found that our IT people were most helpful in smoothing connection issues.
  This forum addresses connection issues if you want to post there:
  http://discussions.apple.com/forum.jspa?forumID=1222
  Barry

• Best solution for managing 50 remote sites via cisco vpn

  At the moment my support organisation use the cisco vpn client on their windows pc's to provide remote support to our customers. I want to know if there is a solution from cisco that would support nialing up the 30 connections all the time without having to use clients on individual pc's. I know there will be issues because some of the sites will have conflicting lan ip address ranges. We would like to offer improved support to our customers for example using nagios to monitor their servers but this is not possible if vpn connection if not nialled up.
  Please help with the best solution.

  L2L vpns solution is suitable for your scenario, depending on your traffic load for each site u would have to do assesment on that, any asa5510 or higher in an active/standby architecture with stateful failover sure can do the job. As for conflicting LAN ips there is ways to work around that by using NAT or Policy NAT.
  ASA product line
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  Perhaps for monitoring/managing Ipsec tunels CSM Cisco Security manager
  http://www.cisco.com/en/US/products/ps6498/index.html

• Allow remote client access

  Sorry if this has already been posted. I recently installed 3.1.2 on 10g xe and I am unable to find where I can allow access by remote clients. I remember on 2.1 that there was a section that allowed you to manage http-access. I've logged in as ADMIN and can't find it anywhere.

  I needed to allow login page access by browser from another machine on the network. Setting this in sqlplus allowed me to enable that. To bring up the login page for the remote machine I use http://xxx.xxx.x.xxx:8080/apex as the url. Where xxx.xxx.x.xxx = ip address where APEX and 10g xe instance is running.

• Is 'SQLCMD.EXE' the SQL Server 2008 executable to be added to a Firewall 'Inbound Rule' to allow remote access?

  I would like to add a new Firewall 'Inbound Rule' to allow remote access by
  SQL Server 2008.    
  SQL Server Management Studio shows two TCP/IP instances, both of which are Enabled. 
  One uses port 1433 and the other uses ‘TCP Dynamic Ports’.
    In  SQL Server, the server has ‘Allow remote connections to this server’ checked.
  My Firewall allows port 1433 for the one TCP/IP instance. 
  Since the other instance is dynamic, I would like to add a new
  Firewall 'Inbound Rule' to allow the SQL Server executable to run.
  I’ve read that the SQL Server executable is commonly named SQLSERVR.EXE, but there is no such file on my laptop. 
  I’m assuming the executable that needs to be added to the Firewall 'Inbound Rule'
  is SQLCMD.EXE (in the path C:\Program Files\Microsoft SQL Server\100\Tools\Binn). 
  Can anyone please confirm this?  (I'm running Windows 7).  Thanks.

  Hi Bontrager,
  Firstly, please run
  Discovery Report to the detect the existing SQL Server 2008 instance. If SQL Server 2008 is installed properly on your machine, the sqlservr.exe should exists in C:\Program Files\Microsoft SQL Server\MSSQL10.<instance_name>\MSSQL\Binn.
  Secondly, if SQL Server 2008 is configured to use dynamic port, it is difficult to configure the firewall to enable access to the correct port number because the port selected might change every time that the Database Engine is started.
  Therefore, if a firewall is used, please reconfigure the SQL Server 2008 to use the static TCP port by using SQL Server 2008 Configuration Manager. 
  For more information, please review this
  article. After that, you can add the port number in firewall inbound rule.
  Thirdly, if you want to connect to  SQL Server 2008 from outside the firewall by instance name, SQL Server Browser should be turned on and you'll have to allow the SQL Server Browser through the firewall, which is UDP port 1434.
  Reference:
  https://msdn.microsoft.com/en-us/library/cc646023.aspx
  http://stackoverflow.com/questions/10539900/opening-ports-sql-server-instances
  Thanks,
  Lydia Zhang
  Lydia Zhang
  TechNet Community Support

• Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

  Hi:
  Need your great help for my new ASA 5505 (8.4)
  I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
  ASA Version 8.4(3)
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 2
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.29.8.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 177.164.222.140 255.255.255.248
  ftp mode passive
  clock timezone GMT 0
  dns server-group DefaultDNS
  domain-name ABCtech.com
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 172.29.8.0 255.255.255.0
  object service RDP
  service tcp source eq 3389
  object network orange
  host 172.29.8.151
  object network WAN_173_164_222_138
  host 177.164.222.138
  object service SMTP
  service tcp source eq smtp
  object service PPTP
  service tcp source eq pptp
  object service JT_WWW
  service tcp source eq www
  object service JT_HTTPS
  service tcp source eq https
  object network obj_lex
  subnet 172.29.88.0 255.255.255.0
  description Lexington office network
  object network obj_HQ
  subnet 172.29.8.0 255.255.255.0
  object network guava
  host 172.29.8.3
  object service L2TP
  service udp source eq 1701
  access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
  access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended deny tcp any any eq 135
  access-list inside_access_in extended deny tcp any eq 135 any
  access-list inside_access_in extended deny udp any eq 135 any
  access-list inside_access_in extended deny udp any any eq 135
  access-list inside_access_in extended deny tcp any any eq 1591
  access-list inside_access_in extended deny tcp any eq 1591 any
  access-list inside_access_in extended deny udp any eq 1591 any
  access-list inside_access_in extended deny udp any any eq 1591
  access-list inside_access_in extended deny tcp any any eq 1214
  access-list inside_access_in extended deny tcp any eq 1214 any
  access-list inside_access_in extended deny udp any any eq 1214
  access-list inside_access_in extended deny udp any eq 1214 any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in extended permit tcp any any eq www
  access-list inside_access_in extended permit tcp any eq www any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
  89
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
  tp
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
  tp
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
  w
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
  tps
  access-list outside_access_in extended permit gre any host 177.164.222.138
  access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
  01
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit icmp any any
  access-list inside_access_out extended permit ip any any
  access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
  .88.0 255.255.255.0
  access-list inside_in extended permit icmp any any
  access-list inside_in extended permit ip any any
  access-list inside_in extended permit udp any any eq isakmp
  access-list inside_in extended permit udp any eq isakmp any
  access-list inside_in extended permit udp any any
  access-list inside_in extended permit tcp any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static orange interface service RDP RDP
  nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
  lex route-lookup
  nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
  WW
  nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
  _HTTPS
  nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
  nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
  nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
  nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group inside_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
  route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server Guava protocol nt
  aaa-server Guava (inside) host 172.29.8.3
  timeout 15
  nt-auth-domain-controller guava
  user-identity default-domain LOCAL
  http server enable
  http 172.29.8.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
  crypto dynamic-map outside_dyn_map 20 set reverse-route
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set peer 173.190.123.138
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
  ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
  P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 43200
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.1.0 255.255.255.0 inside
  telnet 172.29.8.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside vpnclient-wins-override
  dhcprelay server 172.29.8.3 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  group-policy ABCtech_VPN internal
  group-policy ABCtech_VPN attributes
  dns-server value 172.29.8.3
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN_Tunnel_User
  default-domain value ABCtech.local
  group-policy GroupPolicy_10.8.8.1 internal
  group-policy GroupPolicy_10.8.8.1 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username who password eicyrfJBrqOaxQvS encrypted
  tunnel-group 10.8.8.1 type ipsec-l2l
  tunnel-group 10.8.8.1 general-attributes
  default-group-policy GroupPolicy_10.8.8.1
  tunnel-group 10.8.8.1 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 remote-authentication certificate
  ikev2 local-authentication pre-shared-key *****
  tunnel-group ABCtech type remote-access
  tunnel-group ABCtech general-attributes
  address-pool ABC_HQVPN_DHCP
  authentication-server-group Guava
  default-group-policy ABCtech_VPN
  tunnel-group ABCtech ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 173.190.123.138 type ipsec-l2l
  tunnel-group 173.190.123.138 general-attributes
  default-group-policy GroupPolicy_10.8.8.1
  tunnel-group 173.190.123.138 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 remote-authentication certificate
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect pptp
    inspect ftp
    inspect netbios
  smtp-server 172.29.8.3
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:6a26676668b742900360f924b4bc80de
  : end

  Hello Wayne,
  Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
  I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
  Regards,
  Julio
  Security Trainer

• Cisco VPN Client and Quick VPN interaction?

  I have both a Cisco VPN client for connecting to my company LAN and a QuickVPN client for connecting to my home LAN installed on my W2K laptop.  Both start and run correctly, and both connect just as they should.  My home LAN uses a WRV54G router to provide VPN connection.  I can alternate back and forth between the two clients and connect to each LAN with no obvious issues, but not at the same time, of course.
  Here's the question.  When I connect to the home LAN, I can log on with no problem and I can remotely administer the WRV54G with no problem.  I can ping all of the wired and wireless W2K computers on my home LAN with no problem.  However, I cannot "see", browse or map any of the shared resources on my home LAN.  I have created user accounts on the home LAN computers for my laptop and router logins and I have given these accounts permissions to my shared resources, but I still cannot get to them.  Linksys tech support has been absolutely no help whatsoever, even after repeated attempts.
  While trying to troubleshoot this myself, I've noticed that when the Cisco VPN client is running and I'm connected to my company LAN, the IP address and subnet of my computer is changed to ones assigned by the DHCP server at my company.  This seems to happen because the Cisco client activates the "Local Area Connection Number 2" on my laptop and assigns IP addresses using it.  However, when I'm using the QuickVPN client to connect to my home, the IP address and subnet of my laptop continues to be those assigned by whatever local network I'm connected to (e.g. hotel, etc).
  I'm wondering if the QuickVPN is supposed to be assigning an IP address and subnet to my laptop from the WRV54G's DHCP server when I connect to my home LAN.  If so, could the Cisco VPN client installed on my laptop be preventing that from happening?
  Sorry for the long post, but I'm at my wit's end on this one and Linksys is just no help at all.

  1. The Cisco VPN client creates a virtual interface on your computer. This allows you to route traffic to the tunnel. The QuickVPN client is simpler. It only encrypts the traffic to the other end. It does not use a virtual interface. That's why you don't have another IP address when connected with QuickVPN. QuickVPN only encrypts IP packets with IPSec from your computer to 192.168.1.* (or whatever you may use on your WRV LAN) and sends them to the WRV's public IP address.
  2. Microsoft Windows file sharing and LAN network browsing depends on network broadcasts. Those only work inside a LAN. If you connect from the outside to a LAN, broadcasts won't go through the VPN tunnel. This means you cannot use standard name windows workgroup name resolution to access shares. Those are propagated with broadcasts which will never go through the VPN tunnel. This means you are not able to use workgroup browsing. All you can to do access your shares is to use the IP address of the other computer.
  In short:
  \\mycomputer\share won't work
  \\192.168.1.50\share works
  (assuming the general sharing setup is O.K., i.e. you can use sharing correctly inside your LAN).
  Of course, firewalls on the server end may cause problems. Access comes in from a public IP address. This may be blocked. Check the firewall logs on the server to find out if this is the case or not.
  Moreover, establishing the VPN connection from a private LAN to a private LAN may not work. This is due to the double network address translation which breaks IPSec and thus the connection. If the hotel uses private IP addresses, this may be the case. But in that case you won't get ping responses from your WRV LAN.
  What definitively won't work is in case when the hotel uses the same IP address subnet as you. If the hotel uses 192.168.1.* addresses and your WRV uses 192.168.1.* addresses you cannot connect. QuickVPN does only IPSec tunneling. There is no address translation in QuickVPN. Therefore connecting the identical private IP address subnet through QuickVPN will never work because all addresses exists twice, once on either side.