Anyconnect VPN users cannot reach LAN
I know this topic has been beat to death, but I've beat myself to death trying to get it to work. I had this working, but didn't save, then the FW did a reboot when the breaker flipped. I can log in with the VPN client. I can't reach any of the LAN resources. I believe I need a NAT exemption and I believe that I have that configured correctly, but it's not working. From the logs I can see the VPN IP pool going to the external IP interface, which means NAT is happening, when it shouldn't be. What am I missing?
ip local pool vpn_pool 10.0.251.10-10.0.251.254 mask 255.255.255.0
interface Ethernet0/0
description OUTSIDE INTERFACE
duplex full
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/1
description INSIDE INTERFACE
duplex full
nameif inside
security-level 100
ip address 10.0.250.1 255.255.255.0
boot system disk0:/asa914-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-pool
subnet 10.0.251.0 255.255.255.0
object network VPN-POOL
subnet 10.0.251.0 255.255.255.0
object network LAN
subnet 10.0.250.0 255.255.255.0
object-group network PAT-SOURCE
network-object 10.0.250.0 255.255.255.0
network-object 10.0.251.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any4 any4 log debugging
access-list INSIDE_OUT extended permit ip object-group PAT-SOURCE any4 log debugging
ip verify reverse-path interface outside
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
firewall(config)# logging console 7
Jan 07 2014 14:41:49: %ASA-5-111008: User 'jshojayi' executed the 'logging console 7' command.
Jan 07 2014 14:41:49: %ASA-5-111010: User 'jshojayi', running 'CLI' from IP 0.0.0.0, executed 'logging console 7'
firewall(config)# Jan 07 2014 14:41:49: %ASA-6-302016: Teardown UDP connection 2097 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:50: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/60524 to outside:99.66.187.4/60524
Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:50: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:51: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:51: %ASA-6-302015: Built outbound UDP connection 2101 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:51: %ASA-6-302016: Teardown UDP connection 2100 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:51: %ASA-6-305012: Teardown dynamic TCP translation from any:10.0.250.34/16140 to outside:99.66.187.4/16140 duration 0:01:01
Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)
Jan 07 2014 14:41:52: %ASA-6-302015: Built inbound UDP connection 2103 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:52: %ASA-4-410001: Dropped UDP DNS request from inside:10.0.250.22/54745 to outside:157.56.106.189/3544; label length 128 bytes exceeds protocol limit of 63 bytes
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/62857 to outside:99.66.187.4/62857 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/61237 to outside:99.66.187.4/61237 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-302016: Teardown UDP connection 2103 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2060 for outside:10.0.251.10/60840(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 165 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2106 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2061 for outside:10.0.251.10/58388(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 335 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/55378(LOCAL\jshojayi) to outside:99.66.187.4/55378
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51560(LOCAL\jshojayi) to outside:99.66.187.4/51560
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2108 for outside:10.0.251.10/51560 (99.66.187.4/51560)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:54: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2106 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2107 for outside:10.0.251.10/55378(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 196 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2108 for outside:10.0.251.10/51560(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 160 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302015: Built inbound UDP connection 2109 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2109 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:55: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/54078 to outside:99.66.187.4/54078
Jan 07 2014 14:41:55: %ASA-6-302015: Built outbound UDP connection 2110 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:55: %ASA-6-302015: Built inbound UDP connection 2111 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2072 for outside:10.0.251.10/58472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2080 for outside:10.0.251.10/62680(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2073 for outside:10.0.251.10/59472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2076 for outside:10.0.251.10/60425(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2096 for outside:10.0.251.10/52985(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:07 bytes 175 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2075 for outside:10.0.251.10/53507(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(53507)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2077 for outside:10.0.251.10/57569(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2078 for outside:10.0.251.10/54477(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(62680)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2079 for outside:10.0.251.10/56608(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(56608)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(54477)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(52985)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(57569)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2111 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:59: %ASA-6-302015: Built outbound UDP connection 2112 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60840)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58388)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2114 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2114 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/52140 to outside:99.66.187.4/52140 duration 0:00:31
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64609 to outside:99.66.187.4/64609 duration 0:02:32
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2092 for outside:10.0.251.10/51932(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 198 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/57116(LOCAL\jshojayi) to outside:99.66.187.4/57116
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2115 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:42:00: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(51932)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:00: %ASA-6-302016: Teardown UDP connection 2115 for outside:10.0.251.10/57116(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:01 bytes 99 (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2117 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/58663(LOCAL\jshojayi) to outside:99.66.187.4/58663
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2118 for outside:10.0.251.10/58663 (99.66.187.4/58663)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/49740(LOCAL\jshojayi) to outside:99.66.187.4/49740
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2119 for outside:10.0.251.10/49740 (99.66.187.4/49740)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2098 for outside:68.94.156.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 176
Jan 07 2014 14:42:04: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2118 for outside:10.0.251.10/58663(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 148 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2119 for outside:10.0.251.10/49740(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 142 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2101 for outside:68.94.157.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 220
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2122 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51200(LOCAL\jshojayi) to outside:99.66.187.4/51200
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2123 for outside:10.0.251.10/51200 (99.66.187.4/51200)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2122 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2123 for outside:10.0.251.10/51200(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 182 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/53977 to outside:99.66.187.4/53977 duration 0:00:30
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64875 to outside:99.66.187.4/64875 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/58618 to outside:99.66.187.4/58618 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-302015: Built outbound UDP connection 2124 for outside:192.168.1.254/67 (192.168.1.254/67) to identity:99.66.187.4/68 (99.66.187.4/68)
Jan 07 2014 14:42:05: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:05: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/60404 to outside:99.66.187.4/60404 duration 0:00:43
Jan 07 2014 14:42:05: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:05: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:06: %ASA-6-302016: Teardown UDP connection 2110 for outside:68.94.156.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 132
Jan 07 2014 14:42:07: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:07: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:07: %ASA-6-302016: Teardown UDP connection 2112 for outside:68.94.157.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 165
+Jan 07 2014 14:42:08: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:08: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/14848 laddr 99.66.187.4/14848
Similar Messages
-
Remote site to site VPN user cannot access LAN resources
Users in remote site can get ping response but no http service from local web server where the local web server also has NAT rule allowing access from WAN. In the below config, users in remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned.
What do I need to do to fix this?
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SFGallery
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.16.0.1 172.16.3.99
ip dhcp excluded-address 172.16.3.200 172.16.3.254
ip dhcp pool SFGallery172
import all
network 172.16.0.0 255.255.252.0
domain-name xxxxxxxxxxxx
dns-server 10.10.10.10
default-router 10.10.10.94
netbios-name-server 10.10.10.10
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki trustpoint SFGallery_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair SFGallery_Certificate_RSAKey 512
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
certificate self-signed 01
xxxxxx
quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module sm 1
object-group network Corp
172.16.4.0 255.255.252.0
10.10.10.128 255.255.255.224
object-group network SFGallery
172.16.0.0 255.255.252.0
10.10.10.0 255.255.255.128
object-group network NY
10.10.10.160 255.255.255.224
172.16.16.0 255.255.252.0
object-group network GPAll
group-object SFGallery
group-object NY
group-object Corp
username xxx
username xxx
username xxx
username xxx
redundancy
no ip ftp passive
ip ssh version 1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TempVPN1# address xx.xx.xx.xx
crypto isakmp client configuration group SFGallery
key Peters2011
dns 10.10.10.10 10.10.10.80
wins 10.10.10.10 10.10.10.80
domain gpgallery.com
pool SDM_POOL_1
acl 111
save-password
split-dns gpgallery.com
max-users 25
max-logins 3
netmask 255.255.252.0
banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group SFGallery
client authentication list ciscocp_vpn_xauth_ml_3
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP-3DES-SHA3
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxx.xx.xx.xx
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA1
match address 107
reverse-route
interface Loopback1
ip address 192.168.5.1 255.255.255.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description T1 Cybermesa$ETH-WAN$
ip address xx.xx.xx.xx 255.255.255.240
ip access-group 105 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
interface GigabitEthernet0/1
description LANOverloadNet$ETH-WAN$
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN$ETH-LAN$
ip address 10.10.10.2 255.255.255.128
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
ip address 192.168.100.1 255.255.255.0
ip access-group ReplicationIN out
duplex auto
speed auto
interface GigabitEthernet1/0
description $ETH-LAN$
ip address 172.16.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
interface Virtual-Template2
ip unnumbered Loopback1
zone-member security sslvpn-zone
interface Virtual-Template3 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
no ip address
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 60000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended ReplicationIN
remark CCP_ACL Category=1
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip any any
ip access-list extended ReplicationOUT
remark CCP_ACL Category=1
deny ip any any
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 72.216.51.56 0.0.0.7
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit xx.xx.xx.xx 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp object-group GPAll object-group NY eq www
access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny tcp any host 10.10.10.2 eq telnet
access-list 100 deny tcp any host 10.10.10.2 eq 22
access-list 100 deny tcp any host 10.10.10.2 eq www
access-list 100 deny tcp any host 10.10.10.2 eq 443
access-list 100 deny tcp any host 10.10.10.2 eq cmd
access-list 100 deny udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 72.216.51.56 0.0.0.7 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 72.216.51.56 0.0.0.7 any
access-list 102 permit ip 172.16.0.0 0.0.3.255 any
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny tcp any host 172.16.0.1 eq telnet
access-list 103 deny tcp any host 172.16.0.1 eq 22
access-list 103 deny tcp any host 172.16.0.1 eq www
access-list 103 deny tcp any host 172.16.0.1 eq 443
access-list 103 deny tcp any host 172.16.0.1 eq cmd
access-list 103 deny udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
access-list 105 deny tcp any host xx.xx.xx.xx eq telnet
access-list 105 deny tcp any host xx.xx.xx.xx eq 22
access-list 105 deny tcp any host xx.xx.xx.xx eq www
access-list 105 deny tcp any host xx.xx.xx.xx eq 443
access-list 105 deny tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny udp any host xx.xx.xx.xx eq snmp
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 permit udp any eq domain host xx.xx.xx.xx
access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 106 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 106 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 106 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 deny ip 172.16.0.0 0.0.255.255 host 10.10.10.177
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 109 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 109 remark IPSec Rule
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 109 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 109 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 109 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
access-list 111 permit ip 10.10.10.128 0.0.0.31 any
access-list 111 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 permit ip 172.16.4.0 0.0.3.255 any
access-list 111 permit ip 10.10.10.160 0.0.0.31 any
route-map SDM_RMAP_4 permit 1
match ip address 109
route-map SDM_RMAP_1 permit 1
match ip address 106
route-map SDM_RMAP_2 permit 1
match ip address 108
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
radius-server host 10.10.10.10 key HelloSFGal1#
control-plane
banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
access-class 102 in
transport input telnet
line vty 5 15
access-class 101 in
transport input telnet
scheduler allocate 20000 1000
endThanks so much, Herbert.
As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
I would delete these lines:
no ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 extendable
no ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 extendable
no ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 extendable
no ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 extendable
no ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 extendable
and replace with these
ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable
ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable
ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 route-map nonat extendable
Then add:
access-list 150 deny ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
route-map nonat permit 10
match ip address 150 -
ASA 5505 Anyconnect VPN Users can't access Internet
Vpn user cannot access the internet but able to ping the lan network (192.168.1.0).. it seem like im missing a lan or nat rule.. Possibly allowing the vpn subnet 192.168.2.0 /24 to pass through to the internet. Im looking to accomplish this without split tunneling.. Thanks
on 8.2.5 version or lower: Let say your inside hosts are accessing Internet by using dynamic nat index "1" and now you can use the same nat index "1" allow your vpn-pool range to be part of the same dynamic-nat index "1" to access the Internet. Note I am natting source interface is be outside for vpn-client users because they (vpn-users) are physically coming off the outside interface.
nat (outside) 1 192.168.2.0 255.255.255.0
on 8.3 version or greater:
object network vpn-user-subnet
subnet 192.168.2.0 255.255.255.0
nat (outside,outside) dynamic interface
Hope this helps.
Thanks
Rizwan Rafeek -
VPN users cannot connect to LAN
I have to users down in australia, they can connect via vpn but cannot ping any of the LAN ip address
PLease help URGENT!Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use thI e posting's information even if Author has been advised of the possibility of such damage.
Posting
Are the VPN clients in a different subnet from your LAN? If so, I would suspect a routing issue, either your VPN clients either don't know how to get to the LAN subnet and/or the LAN clients don't know how to get to the VPN client subnet. -
Cannot block VPN user to reach a host (inside)?
Hi all,
I'm a newbie in ASA, here is my question
Currently the ASA is
- allowing VPN-89 to access INSIDE-88, the Internet and VPN-89 itself
- allowing VPN-81-Admin to Access INSIDE-88, the Internet and VPN-81-Admin itself
- this ASA has a static route to 10.10.10.0
Now i would like to add a rule to block the VPN-89 to recach the 10.10.10.179(UCCX), but it fails.
VPN-89 from outside still can connect to 10.10.10.179
> access-list outside_access_in extended deny ip object VPN-89 object UCCX
Anybody knows how to block the VPN-89 to reach the 10.10.10.179(UCCX)
Config has been attached
Thanks in advance
SamHi,
There is a default setting on the ASA which states that ANY traffic coming through a VPN connection will BYPASS any ACL you might have configured on the ASA "outside" interface.
The default setting is not visible with the "show run" command, But can be viewed for example with "show run all sysopt" The default setting is
sysopt connection permit-vpn
If you were to insert the following command
no sysopt connection permit-vpn
Then you would have to allow any traffic coming from the VPN in the "outside" interface ACL and you would be able to deny the traffic you need.
Other option is to configure VPN Filter ACL under the Group Policy of the connection to control the traffic. I personally prefer the first option that I mentioned.
Hope this helps
- Jouni -
Anyconnect VPN peers cannot ping, RDP each other
I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem that the VPN peers cannot ping (RDP, ectc..) each other. Pinging one VPN peer from another reveals the following error in the ASA Log.
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure.
Below is my ASA running-config:
ASA Version 8.3(1)
hostname ciscoasa
domain-name dental.local
enable password 9ddwXcOYB3k84G8Q encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.128
domain-name dental.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network RAVPN
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN client local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VpnPeers remark allow vpn peers to ping each other
access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level informational
logging rate-limit 1 600 level 6
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static RAVPN RAVPN
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
object network obj_any
nat (inside,outside) dynamic interface
object network RAVPN
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair billvpnkey
proxy-ldc-issuer
crl configure
crypto ca server
cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
issuer-name CN=ciscoasa
smtp from-address admin@ciscoasa
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
**hidden**
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 10bdec50
**hidden**
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
svc enable
tunnel-group-list enable
internal-password enable
smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value dental.local
webvpn
svc modules value vpngina
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
default-domain value dental.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.128
vpn-simultaneous-logins 4
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value RAVPN
split-tunnel-network-list value Local_LAN_Access
default-domain value dental.local
webvpn
url-list value DentalMarks
svc modules value vpngina
svc profiles value dellstudio type user
svc ask enable default webvpn
smart-tunnel enable SmartTunnelList
username wketchel1 password 5c5OoeNtCiX6lGih encrypted
username wketchel1 attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
username wketchel attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc modules none
svc profiles value DellStudioClientProfile type user
username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
username jenniferk attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
tunnel-group RAVPN ipsec-attributes
pre-shared-key *****
tunnel-group RAVPN ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group WebSSLVPN type remote-access
tunnel-group WebSSLVPN webvpn-attributes
group-alias WebSSLVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
smtp-server 173.194.64.108
prompt hostname context
hpm topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: endHi,
Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
I would suggest the following changes
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object-group network PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
The above should enable
Dynamic PAT for LAN and VPN users
NAT0 for the traffic between LAN and VPN
NAT0 for traffic between VPN users
You could then remove the previous NAT configurations. Naturally please do backup the configuration before doing the change if you wish to move back to the original configuration.
no nat (inside,any) source static any any destination static RAVPN RAVPN
no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no object network obj_any
no object network RAVPN
In the event that you dont want to change the configurations that much you might be fine just by adding this
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
But the other above configurations changes would make the current NAT configurations simpler and clearer to see each "nat" configurations purpose.
- Jouni -
VPN with 2 network cards - vpn clients cannot see LAN.
Problem: When a VPN client connects they can only access the server and not any LAN computers. Unable to even ping the LAN computers. The VPN client machine connects via PPTP and receives the appropriate IP address but the subnet mask field is blank. The router is being set to 192.168.1.2
Here's my network setup:
en0: (external) IP: 192.168.1.2 and is connected to aDSL modem (192.168.1.1)
en1: (internal net) IP: 192.168.2.1
The internal en1 network range is: 192.168.2.2 - 192.168.2.25
The VPN range being handed out is: 192.168.2.26 - 192.168.2.30
VPN client machines are able to fully interact with the server, just cannot reach any LAN computers.
Any ideas??
XServe Mac OS X (10.4.9) Various Intel laptops and G5/G4 Lan machines
XServe Mac OS X (10.4.9) Various Intel laptops and G5/G4 Lan machines>The network address at the vpn client location is not 192.168.2.0/24. The vpn client has a public IP.
So you're saying that your client system has a 192.168.2.x address, and that's also the address range you're using behind the VPN?
That won't work.
You now have two 192.168.2.x networks - one local to the client and one over the VPN.
Normal routing rules dictate that the local connection wil always take priority over the remote connection, so the client will look on the local LAN for anything in the 192.168.2.x range, completely ignoring the VPN.
If you think about it, your machine is told that it has two paths to get to anything in the 192.168.2.x network, either directly connected, or across the VPN connection. Given teh choice, which one do you think you'd take?
The only real solution here is to use a different subnet at each end of the link - either change the client network to something else, or change the internal corp network. If you don't do that you'll have to set up host-based routes (one per system over the VPN) that overrides the local routing table (assuming that's even possible... I'd have to think about it). -
Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?
Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directoty security groups?
I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.This looks fairly complete
http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
Sent from Cisco Technical Support iPad App -
881W - wifi user cannot reach Internet
Hi
We had setup a wired/wireless LAN using Cisco 881W router for one of our client. Wired lan works OK but we have issues with wireless.
Users on wireless LAN can connect to the wireless network, but cannot browse the Internet. The wifi network does not give out an ip address to the client so client cannot get to the default gateway and Internet. Not sure what part of config does not work. If someone give us a hand solving this issue would be greatly appreciated. Bellow are router config and AP config.
thanks
##### sh runn #####
881WiFi#sh run
Building configuration...
Current configuration : 10848 bytes
! No configuration change since last restart
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881WiFi
boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1574171871
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1574171871
revocation-check none
rsakeypair TP-self-signed-1574171871
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.81 192.168.1.254
ip dhcp excluded-address 10.10.10.100
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.253
dns-server 4.2.2.2
ip dhcp pool wireless
network 10.10.10.0 255.255.255.0
default-router 10.10.10.100
dns-server 4.2.2.2
ip domain name xxxxx.com
ip name-server 4.2.2.2
ip cef
no ipv6 cef
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group TG-VPNXXX
key CiscoAcs
dns 4.2.2.2
pool SDM_POOL_1
acl 102
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group TG-VPNXXX
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan200
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 200
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.253 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan200
ip address 10.10.10.100 255.255.255.0
ip local pool SDM_POOL_1 192.168.1.130 192.168.1.140
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 50
sort-by bytes
ip route 0.0.0.0 0.0.0.0 10.12.19x.xxx 254
ip route 0.0.0.0 0.0.0.0 75.155.16x.xxx 254
ip route 0.0.0.0 0.0.0.0 75.155.16x.xxx 254
ip route 0.0.0.0 0.0.0.0 dhcp 254
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.14
access-list 101 permit ip any host 192.168.1.200
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
line con 0
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
transport input ssh
scheduler interval 500
end
881WiFi#
SS-AP#sh run
Building configuration...
Current configuration : 1542 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SS-AP
no aaa new-model
clock timezone PDT -7
clock summer-time PDT recurring
ip name-server 4.2.2.2
dot11 ssid WIFI-SSID
vlan 200
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 SecretKey
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 200 mode ciphers aes-ccm
ssid WIFI-SSID
station-role root
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
interface GigabitEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp
no ip route-cache
ip default-gateway 10.10.10.100
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
!S
line con 0
no activation-character
line vty 0 4
password cisco
login
end
SS-AP#Appreciated.
Here it is:
881WiFi#sh run
Building configuration...
Current configuration : 10960 bytes
! No configuration change since last restart
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881WiFi
boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1574171871
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1574171871
revocation-check none
rsakeypair TP-self-signed-1574171871
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.81 192.168.1.254
ip dhcp excluded-address 10.10.10.100
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.253
dns-server 4.2.2.2
ip dhcp pool wireless
network 10.10.10.0 255.255.255.0
default-router 10.10.10.100
dns-server 4.2.2.2
ip domain name something.com
ip name-server 4.2.2.2
ip port-map user-protocol--1 port tcp 12000
ip port-map user-protocol--1 port tcp 1550
ip cef
no ipv6 cef
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group TG
key KEy
dns 4.2.2.2
pool SDM_POOL_1
acl 102
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group TG
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan200
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 200
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.253 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan200
ip address 10.10.10.100 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.1.130 192.168.1.140
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 50
sort-by bytes
ip nat inside source static tcp 192.168.1.14 12000 interface FastEthernet4 12000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.200 1550 interface FastEthernet4 1550
ip route 0.0.0.0 0.0.0.0 10.12.192.254 254
ip route 0.0.0.0 0.0.0.0 75.155.160.254 254
ip route 0.0.0.0 0.0.0.0 75.155.160.254 254
ip route 0.0.0.0 0.0.0.0 dhcp 254
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.14
access-list 101 permit ip any host 192.168.1.200
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
banner login ^C===============================================
ACCESS TO THIS DEVICE
IS FOR AUTHORIZED USERS ONLY!
Disconnect IMMEDIATELY if you are not an authorized user!
===============================================
^C
line con 0
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
transport input ssh
scheduler interval 500
end
881WiFi#
SS-AP#sh run
Building configuration...
Current configuration : 1542 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SS-AP
no aaa new-model
clock timezone PDT -7
clock summer-time PDT recurring
ip name-server 4.2.2.2
dot11 ssid SSID
vlan 200
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 Password
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 200 mode ciphers aes-ccm
ssid SSID
station-role root
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
interface GigabitEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp
no ip route-cache
ip default-gateway 10.10.10.100
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no activation-character
line vty 0 4
password cisco
login
end
SS-AP# -
My remote AnyConnect VPN host cannot be pinged or accessed from inside the LAN
I have a remote VPN host via Anyconnect that can reach my LAN resources without a problem; however, there is a server application that must initiate sessions to the remote host and it cannot.
Hosts within my LAN cannot ping or connect to the remote host, even though its connectivity inbound is fine.
NAT issue?Hi mega5llc1 ,
Can you run the following command and paste the output.
Packet-tracer input inside (or name of your inside int) icmp (server ip) 8 0 (VPN IP) detailed
Hope this helps
- Randy - -
Hi,
I can connect via VPN to my ASA 5505 but I cannot access my asa. I do not quite understand the routing,acl and nat configs I would need.
attached is my configHere is the my config
-
Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN
Dear All,
i have the folloing case :
i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
so what the setting of the mail and smtp server should be ,
was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
Best regards,Thanks Jennifer.
I did manage to configure LDAP attribute map to the specific group policy.
Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
Example: let say my username is LLH.
Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
Only me know the preshared key and only me can login with my Connection Profile.
Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
Example:
AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
I hope above description can paint the scenario clearer.
Thanks in advance for all the help and comment given. -
AnyConnect VPN and HP Office Jet Pro 8500 A910
I can print from my IBM T400 laptop running Windows 7 64-bit. However, when I log into work AnyConnect VPN, I cannot print. It says the printer is disconnected from the network even though it is connected. IT support at work says it cannot change or adjust any VPN settings. The only way I can print is to disconnect from VPN. Is there anything I can adjust on the printer software or printer itself?
This question was solved.
View Solution.Hi,
In order to print over the local network while connected to a remote VPN network might be possible by modifying the VPN split tunneling configuration.
However, it is depands on the VPN capabilities and might not be allowed due to security requirements of your IT department.
Anyway, there is no way to configure such a thing by the printer or the printer software.. it is directly affected by the network configuration, and therefore require to change the VPN settings.
Regards,
Shlomi
Say thanks by clicking the Kudos thumb up in the post.
If my post resolve your problem please mark it as an Accepted Solution -
I've got a user running:
AnyConnect 3.1.01065
on
Windows 7 64bit.
Several weeks ago she started encountering the following error:
-after logging into Windows and launching the AnyConnect client, she enters her username and password and successfully authenticates.
-the connection is not established and she's presented with the following message: "Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established."
After doing some troubleshooting, inlcuding uninstalling/reinstalling the anyconnect client, it seems the culprit is the following file:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\<filename>.xml. When the problem occurs (which is not regularly, sometimes it occurs daily, sometimes just once a week) examining that file indicates it has no security or permissions set. Quitting the AnyConnect software, modifying the file so that the user has full control of it, then relaunching AnyConnect fixes the problem (until it happens again). Uninstalling, and making sure to move C:\ProgramData\Cisco to the trash, then reinstalling did not seem to help.
The closest match in these forums is the following thread, https://supportforums.cisco.com/message/3760446 - though no clear resolution was given.
Has anyone else encountered this, and been able to fix it?
Thanks much.Just FYI, it seems at least in this case, purging all the previous system restore points seems to have resolved this issue...
-
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.Hi,
First,please delete NAT.If we configured the NAT in the RRAS,the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second,please enable the LAN routing in RRAS server.To enable LAN routing,please follow the steps below,
1.In the RRAS server,Open Routing and Remote Access.
2.Right-click the server name,then click
properties.
3.On the General tab,select
IPv4 Router check box,and then click Local area network(LAN) routing only.
Then,announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below,
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina
Maybe you are looking for
-
Run RFEBKA00 as background job
Hello, I want to run program RFEBKA00 as background job. On selection screen, there is parameter "Execute as background job", but even if I tick this checkbox, report is ran on foreground. How can I run this program as background job? Thanks®ards,
-
Hi all, I've been trying to set up public key authentication for SSH recently, and have come across a problem which has left me stumped. I want to be able to SSH into computer A (iBook G4, 10.5.1) from computer B (iMac G4, 10.5.0), and vice versa. At
-
Qyery returning empty result using dbms_xmlgen doesn't work as expected
Hi group. I'm using the following code in a PSQL procedure procedure selectXML(consulta in varchar2,xmlout out clob) as context dbms_xmlquery.ctxtype; resultado clob; tam integer; context_gen dbms_xmlgen.ctxHandle; begin IF useDBMS_XMLGEN THEN BEGIN
-
Running out of memory... what to do?
I am using a mid-2012 non-retina 13" MacBook Pro that I upgraded with a large SSD and 16 gigs of RAM, but I find myself running out of memory every day. I am developing a DirectX11 game engine in a virtualized Windows 7 environment, and my memory nee
-
Giga_labview.llb
I'm trying to download the giga_labview.llb file from http://zone.ni.com/devzone/cda/tut/p/id/3625#toc1 but I get a connection time out error. Is there any other safe place to download from? I want to learn how to handle large files and how to displa