AnyConnect VPN users cannot reach LAN
I know this topic has been beaten to death, but I've beaten myself to death trying to get it to work. I had this working, but didn't save, then the FW did a reboot when the breaker flipped. I can log in with the VPN client. I can't reach any of the LAN resources. I believe I need a NAT exemption and I believe that I have that configured correctly, but it's not working. From the logs I can see the VPN IP pool going to the external IP interface, which means NAT is happening, when it shouldn't be. What am I missing?
ip local pool vpn_pool 10.0.251.10-10.0.251.254 mask 255.255.255.0
interface Ethernet0/0
 description OUTSIDE INTERFACE
 duplex full
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/1
 description INSIDE INTERFACE
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.250.1 255.255.255.0
boot system disk0:/asa914-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-pool
 subnet 10.0.251.0 255.255.255.0
object network VPN-POOL
 subnet 10.0.251.0 255.255.255.0
object network LAN
 subnet 10.0.250.0 255.255.255.0
object-group network PAT-SOURCE
 network-object 10.0.250.0 255.255.255.0
 network-object 10.0.251.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any4 any4 log debugging
access-list INSIDE_OUT extended permit ip object-group PAT-SOURCE any4 log debugging
ip verify reverse-path interface outside
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
firewall(config)# logging console 7
Jan 07 2014 14:41:49: %ASA-5-111008: User 'jshojayi' executed the 'logging console 7' command.
Jan 07 2014 14:41:49: %ASA-5-111010: User 'jshojayi', running 'CLI' from IP 0.0.0.0, executed 'logging console 7'
firewall(config)# Jan 07 2014 14:41:49: %ASA-6-302016: Teardown UDP connection 2097 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:50: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/60524 to outside:99.66.187.4/60524
Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:50: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:51: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:51: %ASA-6-302015: Built outbound UDP connection 2101 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:51: %ASA-6-302016: Teardown UDP connection 2100 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:51: %ASA-6-305012: Teardown dynamic TCP translation from any:10.0.250.34/16140 to outside:99.66.187.4/16140 duration 0:01:01
Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)
Jan 07 2014 14:41:52: %ASA-6-302015: Built inbound UDP connection 2103 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:52: %ASA-4-410001: Dropped UDP DNS request from inside:10.0.250.22/54745 to outside:157.56.106.189/3544; label length 128 bytes exceeds protocol limit of 63 bytes
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/62857 to outside:99.66.187.4/62857 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/61237 to outside:99.66.187.4/61237 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-302016: Teardown UDP connection 2103 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2060 for outside:10.0.251.10/60840(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 165 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2106 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2061 for outside:10.0.251.10/58388(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 335 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/55378(LOCAL\jshojayi) to outside:99.66.187.4/55378
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51560(LOCAL\jshojayi) to outside:99.66.187.4/51560
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2108 for outside:10.0.251.10/51560 (99.66.187.4/51560)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:54: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2106 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2107 for outside:10.0.251.10/55378(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 196 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2108 for outside:10.0.251.10/51560(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 160 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302015: Built inbound UDP connection 2109 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2109 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:55: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/54078 to outside:99.66.187.4/54078
Jan 07 2014 14:41:55: %ASA-6-302015: Built outbound UDP connection 2110 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:55: %ASA-6-302015: Built inbound UDP connection 2111 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2072 for outside:10.0.251.10/58472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2080 for outside:10.0.251.10/62680(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2073 for outside:10.0.251.10/59472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2076 for outside:10.0.251.10/60425(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2096 for outside:10.0.251.10/52985(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:07 bytes 175 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2075 for outside:10.0.251.10/53507(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(53507)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2077 for outside:10.0.251.10/57569(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2078 for outside:10.0.251.10/54477(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(62680)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2079 for outside:10.0.251.10/56608(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(56608)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(54477)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(52985)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(57569)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2111 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:59: %ASA-6-302015: Built outbound UDP connection 2112 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60840)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58388)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2114 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2114 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/52140 to outside:99.66.187.4/52140 duration 0:00:31
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64609 to outside:99.66.187.4/64609 duration 0:02:32
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2092 for outside:10.0.251.10/51932(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 198 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/57116(LOCAL\jshojayi) to outside:99.66.187.4/57116
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2115 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:42:00: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(51932)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:00: %ASA-6-302016: Teardown UDP connection 2115 for outside:10.0.251.10/57116(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:01 bytes 99 (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2117 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/58663(LOCAL\jshojayi) to outside:99.66.187.4/58663
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2118 for outside:10.0.251.10/58663 (99.66.187.4/58663)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/49740(LOCAL\jshojayi) to outside:99.66.187.4/49740
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2119 for outside:10.0.251.10/49740 (99.66.187.4/49740)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2098 for outside:68.94.156.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 176
Jan 07 2014 14:42:04: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2118 for outside:10.0.251.10/58663(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 148 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2119 for outside:10.0.251.10/49740(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 142 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2101 for outside:68.94.157.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 220
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2122 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51200(LOCAL\jshojayi) to outside:99.66.187.4/51200
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2123 for outside:10.0.251.10/51200 (99.66.187.4/51200)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2122 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2123 for outside:10.0.251.10/51200(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 182 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/53977 to outside:99.66.187.4/53977 duration 0:00:30
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64875 to outside:99.66.187.4/64875 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/58618 to outside:99.66.187.4/58618 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-302015: Built outbound UDP connection 2124 for outside:192.168.1.254/67 (192.168.1.254/67) to identity:99.66.187.4/68 (99.66.187.4/68)
Jan 07 2014 14:42:05: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:05: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/60404 to outside:99.66.187.4/60404 duration 0:00:43
Jan 07 2014 14:42:05: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:05: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:06: %ASA-6-302016: Teardown UDP connection 2110 for outside:68.94.156.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 132
Jan 07 2014 14:42:07: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:07: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:07: %ASA-6-302016: Teardown UDP connection 2112 for outside:68.94.157.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 165
Jan 07 2014 14:42:08: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:08: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/14848 laddr 99.66.187.4/14848
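Added check (not part of the original post or the poster's configuration): the quickest way to read a log like the one above is to compare the real and mapped addresses the ASA prints in each "Built ... connection" line. The 14:41:51 line "Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558) ... to inside:10.0.250.15/3389 (10.0.250.15/3389)" shows a VPN client reaching a LAN host with its pool address unchanged, which is exactly what the "nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL" exemption is meant to produce. The "Built dynamic UDP translation from any:10.0.251.10/... to outside:99.66.187.4/..." lines, by contrast, are DNS queries from the client to 68.94.156.1, Internet-bound traffic that the client is sending through the tunnel and that the "nat (any,outside) after-auto source dynamic PAT-SOURCE interface" rule is there to PAT out the outside interface. The script below reads lines in the posted format and separates the two cases: the subnets are the posted ones, the four sample lines are copied from the posted log, and one line labelled CONSTRUCTED is invented to show what a missed exemption would look like.

```python
"""Sort ASA connection-build syslog lines into flows the VPN-pool NAT
exemption must leave untranslated and flows that are supposed to be PATed.

Added example, not part of the original post. The two subnets are the ones
from the posted config; the lines in POSTED_LINES are copied from the posted
log, CONSTRUCTED_MISS is invented to show what a missed exemption looks like.
"""
import ipaddress
import re
from collections import Counter

VPN_POOL = ipaddress.ip_network("10.0.251.0/24")   # ip local pool vpn_pool
LAN = ipaddress.ip_network("10.0.250.0/24")        # inside interface subnet

# %ASA-6-302013 (TCP) and %ASA-6-302015 (UDP):
#   Built <dir> <proto> connection <id> for <if>:<real>/<port> (<mapped>/<port>)[(user)]
#   to <if>:<real>/<port> (<mapped>/<port>)
CONN_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<a_if>\w+):(?P<a_real>[\d.]+)/(?P<a_port>\d+) \((?P<a_map>[\d.]+)/\d+\)"
    r"(?:\([^)]*\))? "
    r"to (?P<b_if>\w+):(?P<b_real>[\d.]+)/(?P<b_port>\d+) \((?P<b_map>[\d.]+)/\d+\)"
)

# Copied from the posted log: VPN client -> LAN RDP, VPN client -> Internet DNS,
# LAN host -> Internet DNS, VPN client NetBIOS broadcast into its own pool.
POSTED_LINES = [
    r"Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)",
    r"Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)",
    r"Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)",
    r"Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)",
]

# CONSTRUCTED: what the RDP line would look like if the exemption were missed
# and the client had been PATed to the outside address on its way to the LAN.
CONSTRUCTED_MISS = (
    r"Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 9999 for outside:10.0.251.10/50000 (99.66.187.4/50000)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)"
)


def parse(line):
    """Return the flow as seen from its initiator, or None for other messages."""
    m = CONN_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    # In the posted lines the initiator is the "for" side of inbound messages
    # (client -> LAN) and the "to" side of outbound ones (LAN host -> Internet).
    init, resp = ("a", "b") if g["dir"] == "inbound" else ("b", "a")
    return {
        "proto": g["proto"],
        "src": ipaddress.ip_address(g[init + "_real"]),
        "src_mapped": ipaddress.ip_address(g[init + "_map"]),
        "dst": ipaddress.ip_address(g[resp + "_real"]),
        "dst_port": int(g[resp + "_port"]),
        "dst_if": g[resp + "_if"],
    }


def classify(flow):
    """Name the flow class and say whether the source was translated."""
    src, dst = flow["src"], flow["dst"]
    natted = src != flow["src_mapped"]
    if src in VPN_POOL and dst in LAN:
        # The flow the exemption exists for: the LAN host must see the pool
        # address, otherwise its replies never route back into the tunnel.
        return "vpn->lan NATTED (exemption missed)" if natted else "vpn->lan untranslated (exemption OK)"
    if src in VPN_POOL and dst in VPN_POOL:
        return "vpn->vpn hairpin"
    if src in VPN_POOL:
        # Client sending Internet traffic through the tunnel: PAT to the
        # outside address is what the after-auto rule is meant to do here.
        return "vpn->internet PAT (expected u-turn)" if natted else "vpn->internet untranslated"
    if src in LAN:
        return "lan->internet PAT" if natted else "lan->internet untranslated"
    return "other"


def summarise(lines):
    """Count flow classes across a batch of log lines."""
    counts = Counter()
    for line in lines:
        flow = parse(line)
        if flow is not None:
            counts[classify(flow)] += 1
    return counts


def exemption_broken(lines):
    """True if any VPN-pool -> LAN connection was built with a translated source."""
    return any(key.endswith("(exemption missed)") for key in summarise(lines))


if __name__ == "__main__":
    for key, n in sorted(summarise(POSTED_LINES).items()):
        print(f"{n:3d}  {key}")
    print("exemption broken:", exemption_broken(POSTED_LINES + [CONSTRUCTED_MISS]))
```

Run it against a full "logging console 7" capture (or a syslog export) and only the "vpn->lan NATTED" class indicates a broken exemption; "vpn->internet PAT" lines for pool addresses are the u-turn working as configured. The later "OUTSIDE_IN denied udp ... (53) -> outside/10.0.251.10" lines in the posted log are DNS replies that arrived after their UDP connection had already been torn down, so they fall outside this check.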
Similar Messages
Remote site-to-site VPN user cannot access LAN resources
Users at the remote site get ping responses but no HTTP service from the local web server, which also has a NAT rule allowing access from the WAN. In the config below, users in the remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but HTTP packets are not returned.
What do I need to do to fix this?
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SFGallery
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.16.0.1 172.16.3.99
ip dhcp excluded-address 172.16.3.200 172.16.3.254
ip dhcp pool SFGallery172
 import all
 network 172.16.0.0 255.255.252.0
 domain-name xxxxxxxxxxxx
 dns-server 10.10.10.10
 default-router 10.10.10.94
 netbios-name-server 10.10.10.10
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name [email protected]
 revocation-check crl
crypto pki trustpoint SFGallery_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 revocation-check crl
 rsakeypair SFGallery_Certificate_RSAKey 512
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
 certificate self-signed 01
  xxxxxx
  quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module sm 1
object-group network Corp
 172.16.4.0 255.255.252.0
 10.10.10.128 255.255.255.224
object-group network SFGallery
 172.16.0.0 255.255.252.0
 10.10.10.0 255.255.255.128
object-group network NY
 10.10.10.160 255.255.255.224
 172.16.16.0 255.255.252.0
object-group network GPAll
 group-object SFGallery
 group-object NY
 group-object Corp
username xxx
username xxx
username xxx
username xxx
redundancy
no ip ftp passive
ip ssh version 1
class-map type inspect match-all CCP_SSLVPN
 match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
zone security sslvpn-zone
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TempVPN1# address xx.xx.xx.xx
crypto isakmp client configuration group SFGallery
 key Peters2011
 dns 10.10.10.10 10.10.10.80
 wins 10.10.10.10 10.10.10.80
 domain gpgallery.com
 pool SDM_POOL_1
 acl 111
 save-password
 split-dns gpgallery.com
 max-users 25
 max-logins 3
 netmask 255.255.252.0
 banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
crypto isakmp profile ciscocp-ike-profile-1
 match identity group SFGallery
 client authentication list ciscocp_vpn_xauth_ml_3
 isakmp authorization list ciscocp_vpn_group_ml_2
 client configuration address respond
 virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 43200
 set transform-set ESP-3DES-SHA3
 set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xx.xx.xx.xx
 set peer xx.xx.xx.xx
 set transform-set ESP-3DES-SHA1
 match address 107
 reverse-route
interface Loopback1
 ip address 192.168.5.1 255.255.255.0
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 description T1 Cybermesa$ETH-WAN$
 ip address xx.xx.xx.xx 255.255.255.240
 ip access-group 105 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
interface GigabitEthernet0/1
 description LANOverloadNet$ETH-WAN$
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/2
 description LAN$ETH-LAN$
 ip address 10.10.10.2 255.255.255.128
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface FastEthernet0/0/0
 ip address 192.168.100.1 255.255.255.0
 ip access-group ReplicationIN out
 duplex auto
 speed auto
interface GigabitEthernet1/0
 description $ETH-LAN$
 ip address 172.16.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet1/1
 description Internal switch interface connected to EtherSwitch Service Module
 no ip address
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
interface Virtual-Template2
 ip unnumbered Loopback1
 zone-member security sslvpn-zone
interface Virtual-Template3 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
 no ip address
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 60000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
ip access-list extended CCP_IP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended ReplicationIN
 remark CCP_ACL Category=1
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip any any
ip access-list extended ReplicationOUT
 remark CCP_ACL Category=1
 deny ip any any
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 72.216.51.56 0.0.0.7
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit xx.xx.xx.xx 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp object-group GPAll object-group NY eq www
access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny tcp any host 10.10.10.2 eq telnet
access-list 100 deny tcp any host 10.10.10.2 eq 22
access-list 100 deny tcp any host 10.10.10.2 eq www
access-list 100 deny tcp any host 10.10.10.2 eq 443
access-list 100 deny tcp any host 10.10.10.2 eq cmd
access-list 100 deny udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 72.216.51.56 0.0.0.7 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 72.216.51.56 0.0.0.7 any
access-list 102 permit ip 172.16.0.0 0.0.3.255 any
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny tcp any host 172.16.0.1 eq telnet
access-list 103 deny tcp any host 172.16.0.1 eq 22
access-list 103 deny tcp any host 172.16.0.1 eq www
access-list 103 deny tcp any host 172.16.0.1 eq 443
access-list 103 deny tcp any host 172.16.0.1 eq cmd
access-list 103 deny udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
access-list 105 deny tcp any host xx.xx.xx.xx eq telnet
access-list 105 deny tcp any host xx.xx.xx.xx eq 22
access-list 105 deny tcp any host xx.xx.xx.xx eq www
access-list 105 deny tcp any host xx.xx.xx.xx eq 443
access-list 105 deny tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny udp any host xx.xx.xx.xx eq snmp
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 permit udp any eq domain host xx.xx.xx.xx
access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 106 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 106 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 106 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 deny ip 172.16.0.0 0.0.255.255 host 10.10.10.177
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 109 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 109 remark IPSec Rule
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 109 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 109 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 109 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
access-list 111 permit ip 10.10.10.128 0.0.0.31 any
access-list 111 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 permit ip 172.16.4.0 0.0.3.255 any
access-list 111 permit ip 10.10.10.160 0.0.0.31 any
route-map SDM_RMAP_4 permit 1
match ip address 109
route-map SDM_RMAP_1 permit 1
match ip address 106
route-map SDM_RMAP_2 permit 1
match ip address 108
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
radius-server host 10.10.10.10 key HelloSFGal1#
control-plane
banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
access-class 102 in
transport input telnet
line vty 5 15
access-class 101 in
transport input telnet
scheduler allocate 20000 1000
end
Thanks so much, Herbert.
As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
I would delete these lines:
no ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 extendable
no ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 extendable
no ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 extendable
no ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 extendable
no ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 extendable
and replace with these
ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 route-map nonat extendable
Then add:
access-list 150 deny ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
route-map nonat permit 10
match ip address 150
ASA 5505 Anyconnect VPN Users can't access Internet
The VPN user cannot access the Internet but is able to ping the LAN network (192.168.1.0). It seems like I'm missing a LAN or NAT rule, possibly one allowing the VPN subnet 192.168.2.0/24 to pass through to the Internet. I'm looking to accomplish this without split tunneling. Thanks
On version 8.2.5 or lower: let's say your inside hosts are accessing the Internet using dynamic NAT index "1". You can use the same NAT index "1" to allow your VPN pool range to be part of that dynamic NAT index "1" and access the Internet. Note that I am NATing with the source interface set to outside for VPN client users, because they (the VPN users) are physically coming off the outside interface.
nat (outside) 1 192.168.2.0 255.255.255.0
On version 8.3 or greater:
object network vpn-user-subnet
subnet 192.168.2.0 255.255.255.0
nat (outside,outside) dynamic interface
Hope this helps.
Thanks
Rizwan Rafeek
VPN users cannot connect to LAN
I have two users down in Australia; they can connect via VPN but cannot ping any of the LAN IP addresses.
Please help, URGENT!
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Are the VPN clients in a different subnet from your LAN? If so, I would suspect a routing issue: either your VPN clients don't know how to get to the LAN subnet and/or the LAN clients don't know how to get to the VPN client subnet.
Cannot block VPN user to reach a host (inside)?
Hi all,
I'm a newbie with ASA; here is my question.
Currently the ASA is
- allowing VPN-89 to access INSIDE-88, the Internet and VPN-89 itself
- allowing VPN-81-Admin to Access INSIDE-88, the Internet and VPN-81-Admin itself
- this ASA has a static route to 10.10.10.0
Now I would like to add a rule to block VPN-89 from reaching 10.10.10.179 (UCCX), but it fails.
VPN-89 from the outside can still connect to 10.10.10.179
> access-list outside_access_in extended deny ip object VPN-89 object UCCX
Does anybody know how to block VPN-89 from reaching 10.10.10.179 (UCCX)?
Config has been attached
Thanks in advance
Sam
Hi,
There is a default setting on the ASA which states that ANY traffic coming through a VPN connection will BYPASS any ACL you might have configured on the ASA "outside" interface.
The default setting is not visible with the "show run" command, but it can be viewed for example with "show run all sysopt". The default setting is
sysopt connection permit-vpn
If you were to insert the following command
no sysopt connection permit-vpn
Then you would have to allow any traffic coming from the VPN in the "outside" interface ACL, and you would be able to deny the traffic you need.
The other option is to configure a VPN Filter ACL under the Group Policy of the connection to control the traffic. I personally prefer the first option that I mentioned.
Hope this helps
- Jouni -
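The VPN Filter option that the reply mentions but does not show, as an added example that is not part of the reply or of Sam's attached config. It leaves sysopt connection permit-vpn at its default and instead attaches a filter to the group policy that the VPN-89 users land in. The object names VPN-89 and UCCX are the ones from the question; the group-policy name GP-VPN-89 and the ACL name VPN-89-FILTER are assumed.

```cisco
! Added example (not from the thread). Object names VPN-89 and UCCX are the ones in the question;
! GP-VPN-89 and VPN-89-FILTER are assumed names. Replace GP-VPN-89 with whichever group policy the
! VPN-89 tunnel-group really uses ("show run tunnel-group", "show run group-policy").
!
! vpn-filter ACEs are written with the VPN client address as the source and the inside host as the
! destination; the ASA applies the same filter to the return traffic, so one deny line is enough.
access-list VPN-89-FILTER remark Block VPN-89 users from UCCX, allow everything else
access-list VPN-89-FILTER extended deny ip object VPN-89 object UCCX
access-list VPN-89-FILTER extended permit ip object VPN-89 any
!
! A VPN filter ends with an implicit deny, so the final permit is what keeps INSIDE-88 and
! Internet access working for these users.
group-policy GP-VPN-89 attributes
 vpn-filter value VPN-89-FILTER
!
! Verification: the hit count on the deny line should increase when a VPN-89 user tries to reach
! UCCX, while the outside_access_in ACL from the question stays untouched.
show run group-policy GP-VPN-89
show access-list VPN-89-FILTER
```

Two things to keep in mind: a group-policy change is picked up only by new sessions, so the VPN-89 users have to reconnect before the filter applies; and if VPN-89 currently inherits DfltGrpPolicy rather than a policy of its own, put the filter on a dedicated policy, otherwise VPN-81-Admin would be filtered as well.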
Anyconnect VPN peers cannot ping, RDP each other
I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up, and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem is that the VPN peers cannot ping (RDP, etc.) each other. Pinging one VPN peer from another reveals the following error in the ASA log.
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure.
Below is my ASA running-config:
ASA Version 8.3(1)
hostname ciscoasa
domain-name dental.local
enable password 9ddwXcOYB3k84G8Q encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.128
domain-name dental.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network RAVPN
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN client local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VpnPeers remark allow vpn peers to ping each other
access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level informational
logging rate-limit 1 600 level 6
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static RAVPN RAVPN
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
object network obj_any
nat (inside,outside) dynamic interface
object network RAVPN
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair billvpnkey
proxy-ldc-issuer
crl configure
crypto ca server
cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
issuer-name CN=ciscoasa
smtp from-address admin@ciscoasa
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
**hidden**
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 10bdec50
**hidden**
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
svc enable
tunnel-group-list enable
internal-password enable
smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value dental.local
webvpn
svc modules value vpngina
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
default-domain value dental.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.128
vpn-simultaneous-logins 4
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value RAVPN
split-tunnel-network-list value Local_LAN_Access
default-domain value dental.local
webvpn
url-list value DentalMarks
svc modules value vpngina
svc profiles value dellstudio type user
svc ask enable default webvpn
smart-tunnel enable SmartTunnelList
username wketchel1 password 5c5OoeNtCiX6lGih encrypted
username wketchel1 attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
username wketchel attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc modules none
svc profiles value DellStudioClientProfile type user
username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
username jenniferk attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
tunnel-group RAVPN ipsec-attributes
pre-shared-key *****
tunnel-group RAVPN ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group WebSSLVPN type remote-access
tunnel-group WebSSLVPN webvpn-attributes
group-alias WebSSLVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
smtp-server 173.194.64.108
prompt hostname context
hpm topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: end
Hi,
Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
I would suggest the following changes
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object-group network PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
The above should enable
Dynamic PAT for LAN and VPN users
NAT0 for the traffic between LAN and VPN
NAT0 for traffic between VPN users
You could then remove the previous NAT configurations. Naturally, please back up the configuration before making the change, in case you wish to move back to the original configuration.
no nat (inside,any) source static any any destination static RAVPN RAVPN
no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no object network obj_any
no object network RAVPN
In the event that you don't want to change the configuration that much, you might be fine just by adding this
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
But the other configuration changes above would make the current NAT configuration simpler and make each "nat" configuration's purpose clearer to see.
- Jouni -
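A way to verify that the rewritten NAT behaves as described above, as an added check that is not part of the reply. It uses the addresses from the running-config in the question (VPN pool 10.10.10.0/24, LAN 192.168.1.0/24) and the two peers from the log line, 10.10.10.8 and 10.10.10.9; the LAN host 192.168.1.50 is an assumed address taken from the dhcpd range.

```cisco
! Added check (not from the thread). Addresses come from the question's config and log line;
! 192.168.1.50 is an assumed LAN host from the dhcpd range.
!
! 1. Rule order. The two identity (NAT0) rules are manual section-1 rules and the PAT rule is
!    "after-auto" (section 3), so "show nat" must list the exemptions first. If the PAT rule
!    were evaluated before them, pool-to-pool traffic would be translated to the outside address,
!    which is what the "NAT reverse path failure" message complained about.
show nat
!
! 2. Peer-to-peer ping, simulated in both directions. Each run must show the same
!    (outside,outside) static rule in its NAT phases and end with "Action: allow".
packet-tracer input outside icmp 10.10.10.8 8 0 10.10.10.9 detailed
packet-tracer input outside icmp 10.10.10.9 8 0 10.10.10.8 detailed
!
! 3. LAN to VPN client: must match the (inside,outside) LAN/VPN-POOL exemption, not the PAT rule.
packet-tracer input inside icmp 192.168.1.50 8 0 10.10.10.8
!
! 4. Live check with a client connected: pool addresses must not appear translated to the
!    outside interface address for LAN or peer traffic; only Internet-bound flows should.
show xlate | include 10.10.10
show conn | include 10.10.10
```

Step 2 also depends on same-security-traffic permit intra-interface, which the posted config already has; without it the outside-to-outside hairpin is dropped regardless of how the NAT rules are ordered.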
VPN with 2 network cards - vpn clients cannot see LAN.
Problem: When a VPN client connects they can only access the server and not any LAN computers. Unable to even ping the LAN computers. The VPN client machine connects via PPTP and receives the appropriate IP address but the subnet mask field is blank. The router is being set to 192.168.1.2
Here's my network setup:
en0: (external) IP: 192.168.1.2 and is connected to an ADSL modem (192.168.1.1)
en1: (internal net) IP: 192.168.2.1
The internal en1 network range is: 192.168.2.2 - 192.168.2.25
The VPN range being handed out is: 192.168.2.26 - 192.168.2.30
VPN client machines are able to fully interact with the server, just cannot reach any LAN computers.
Any ideas??
XServe Mac OS X (10.4.9) Various Intel laptops and G5/G4 Lan machines
> The network address at the vpn client location is not 192.168.2.0/24. The vpn client has a public IP.
So you're saying that your client system has a 192.168.2.x address, and that's also the address range you're using behind the VPN?
That won't work.
You now have two 192.168.2.x networks - one local to the client and one over the VPN.
Normal routing rules dictate that the local connection will always take priority over the remote connection, so the client will look on the local LAN for anything in the 192.168.2.x range, completely ignoring the VPN.
If you think about it, your machine is told that it has two paths to get to anything in the 192.168.2.x network, either directly connected, or across the VPN connection. Given the choice, which one do you think you'd take?
The only real solution here is to use a different subnet at each end of the link - either change the client network to something else, or change the internal corp network. If you don't do that you'll have to set up host-based routes (one per system over the VPN) that override the local routing table (assuming that's even possible... I'd have to think about it).
Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?
Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
I have AAA LDAP authentication working on my ASA5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are a member of a specific Security Group (i.e. VPNUsers) within my AD schema.
This looks fairly complete:
http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
Sent from Cisco Technical Support iPad App
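The usual way to enforce this on the ASA, added here as an example that is not taken from the linked guide or from the thread: an LDAP attribute map turns the user's memberOf values into a group-policy name, and the tunnel group's default group policy allows zero logins, so only members of the mapped AD group get a session. Every name and address below (AD-GROUP-MAP, LDAP-AD, 192.0.2.10, DC=corp,DC=local, VPNUsers, GP-VPNUSERS, GP-NOACCESS, ANYCONNECT) is assumed; the poster's existing, working aaa-server group would take the place of LDAP-AD.

```cisco
! Added example (not from the thread or the linked guide). All names and addresses are assumed.
!
! 1. Map the AD group to a group policy. The ASA compares the user's memberOf values with the
!    map-value entries; a member of VPNUsers is handed GP-VPNUSERS.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPNUsers,OU=Groups,DC=corp,DC=local GP-VPNUSERS
!
! 2. Attach the map to the LDAP server group. The poster already has a working server group, so
!    in that case only the ldap-attribute-map line is new; the password is a placeholder.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-base-dn DC=corp,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=corp,DC=local
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! 3. Two group policies: the one the map hands out, and a catch-all that allows no sessions.
group-policy GP-VPNUSERS internal
group-policy GP-VPNUSERS attributes
 vpn-simultaneous-logins 3
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 4. The tunnel group authenticates against AD and defaults to the no-access policy, so a valid
!    AD account that is not in VPNUsers is refused even though its password check succeeded.
tunnel-group ANYCONNECT general-attributes
 authentication-server-group LDAP-AD
 default-group-policy GP-NOACCESS
!
! Verification: "debug ldap 255" during a test login shows the memberOf values returned by AD and
! the group policy that was selected.
show run ldap
show run aaa-server LDAP-AD
```

The important part is the zero-login default: without GP-NOACCESS, a user who authenticates but matches no map-value entry silently falls into DfltGrpPolicy and gets whatever that policy allows.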
881W - wifi user cannot reach Internet
Hi
We set up a wired/wireless LAN using a Cisco 881W router for one of our clients. The wired LAN works OK, but we have issues with wireless.
Users on the wireless LAN can connect to the wireless network but cannot browse the Internet. The wifi network does not give out an IP address to the client, so the client cannot get to the default gateway and the Internet. Not sure what part of the config does not work. If someone could give us a hand solving this issue, it would be greatly appreciated. Below are the router config and AP config.
thanks
##### sh run #####
881WiFi#sh run
Building configuration...
Current configuration : 10848 bytes
! No configuration change since last restart
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881WiFi
boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1574171871
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1574171871
revocation-check none
rsakeypair TP-self-signed-1574171871
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.81 192.168.1.254
ip dhcp excluded-address 10.10.10.100
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.253
dns-server 4.2.2.2
ip dhcp pool wireless
network 10.10.10.0 255.255.255.0
default-router 10.10.10.100
dns-server 4.2.2.2
ip domain name xxxxx.com
ip name-server 4.2.2.2
ip cef
no ipv6 cef
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group TG-VPNXXX
key CiscoAcs
dns 4.2.2.2
pool SDM_POOL_1
acl 102
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group TG-VPNXXX
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan200
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 200
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.253 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan200
ip address 10.10.10.100 255.255.255.0
ip local pool SDM_POOL_1 192.168.1.130 192.168.1.140
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 50
sort-by bytes
ip route 0.0.0.0 0.0.0.0 10.12.19x.xxx 254
ip route 0.0.0.0 0.0.0.0 75.155.16x.xxx 254
ip route 0.0.0.0 0.0.0.0 75.155.16x.xxx 254
ip route 0.0.0.0 0.0.0.0 dhcp 254
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.14
access-list 101 permit ip any host 192.168.1.200
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
line con 0
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
transport input ssh
scheduler interval 500
end
881WiFi#
SS-AP#sh run
Building configuration...
Current configuration : 1542 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SS-AP
no aaa new-model
clock timezone PDT -7
clock summer-time PDT recurring
ip name-server 4.2.2.2
dot11 ssid WIFI-SSID
vlan 200
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 SecretKey
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 200 mode ciphers aes-ccm
ssid WIFI-SSID
station-role root
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
interface GigabitEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp
no ip route-cache
ip default-gateway 10.10.10.100
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no activation-character
line vty 0 4
password cisco
login
end
SS-AP#
Appreciated.
Here it is:
881WiFi#sh run
Building configuration...
Current configuration : 10960 bytes
! No configuration change since last restart
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881WiFi
boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1574171871
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1574171871
revocation-check none
rsakeypair TP-self-signed-1574171871
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.81 192.168.1.254
ip dhcp excluded-address 10.10.10.100
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.253
dns-server 4.2.2.2
ip dhcp pool wireless
network 10.10.10.0 255.255.255.0
default-router 10.10.10.100
dns-server 4.2.2.2
ip domain name something.com
ip name-server 4.2.2.2
ip port-map user-protocol--1 port tcp 12000
ip port-map user-protocol--1 port tcp 1550
ip cef
no ipv6 cef
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group TG
key KEy
dns 4.2.2.2
pool SDM_POOL_1
acl 102
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group TG
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan200
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 200
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.253 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan200
ip address 10.10.10.100 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.1.130 192.168.1.140
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 50
sort-by bytes
ip nat inside source static tcp 192.168.1.14 12000 interface FastEthernet4 12000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.200 1550 interface FastEthernet4 1550
ip route 0.0.0.0 0.0.0.0 10.12.192.254 254
ip route 0.0.0.0 0.0.0.0 75.155.160.254 254
ip route 0.0.0.0 0.0.0.0 75.155.160.254 254
ip route 0.0.0.0 0.0.0.0 dhcp 254
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.14
access-list 101 permit ip any host 192.168.1.200
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
banner login ^C===============================================
ACCESS TO THIS DEVICE
IS FOR AUTHORIZED USERS ONLY!
Disconnect IMMEDIATELY if you are not an authorized user!
===============================================
^C
line con 0
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
transport input ssh
scheduler interval 500
end
881WiFi#
SS-AP#sh run
Building configuration...
Current configuration : 1542 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SS-AP
no aaa new-model
clock timezone PDT -7
clock summer-time PDT recurring
ip name-server 4.2.2.2
dot11 ssid SSID
vlan 200
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 Password
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 200 mode ciphers aes-ccm
ssid SSID
station-role root
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
interface GigabitEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp
no ip route-cache
ip default-gateway 10.10.10.100
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no activation-character
line vty 0 4
password cisco
login
end
SS-AP#
-
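Both 881W configs above sit behind a zone-based firewall, and the difference that matters for the wireless VLAN is on one interface: in the first copy `interface Vlan200` carries only an IP address, while in the second it also has `ip nat inside` and `zone-member security in-zone`. Under ZBF an addressed interface that belongs to no zone cannot exchange traffic with any zoned interface (only the router's own self zone still reaches it), and a subnet that `access-list 1` does not permit is never translated by the `overload` rule even after the interface is marked `ip nat inside`. The script below is an added example, not part of either post: it parses a constructed excerpt of the first config (indented as `show running-config` prints it; the forum copy lost that indentation) and reports those gaps per L3 interface. Run on the second config as posted it still reports one finding, because `access-list 1 permit 192.168.1.0 0.0.0.255` does not cover 10.10.10.0/24; whether that is behind the DHCP symptom is not something this check can say.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the first 881W running-config posted above, with the leading
# space that `show running-config` puts before interface sub-commands (the forum copy
# lost that indentation; this parser relies on it to find section boundaries).
RUNNING_CONFIG = """\
zone security out-zone
zone security in-zone
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
 zone-member security out-zone
!
interface Vlan1
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 zone-member security in-zone
!
interface Vlan200
 ip address 10.10.10.100 255.255.255.0
!
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""


@dataclass
class Interface:
    name: str
    addressed: bool = False                          # has an `ip address` line
    network: Optional[ipaddress.IPv4Network] = None  # None when addressed by DHCP
    zone: str = ""                                   # from `zone-member security`
    nat: str = ""                                    # "inside", "outside" or ""


def _acl_network(addr: str, wild: str) -> ipaddress.IPv4Network:
    """Cisco address/wildcard -> network. All-ones and all-zeros masks are ambiguous
    between netmask and hostmask for the ipaddress module, so handle them by hand."""
    if addr == "any" or wild == "255.255.255.255":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if wild == "0.0.0.0":
        return ipaddress.IPv4Network(f"{addr}/32")
    return ipaddress.IPv4Network(f"{addr}/{wild}", strict=False)   # hostmask form


def parse_config(config: str) -> Tuple[List[Interface], List[ipaddress.IPv4Network]]:
    """Interfaces plus the networks the `ip nat inside source list` ACL permits."""
    interfaces: List[Interface] = []
    acl_nets: Dict[str, List[ipaddress.IPv4Network]] = {}
    nat_acls: List[str] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):                  # top-level line ends any section
            current = None
            if t[0] == "interface":
                current = Interface(name=t[1])
                interfaces.append(current)
            elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
                nat_acls.append(t[5])
            elif t[0] == "access-list" and t[2] == "permit":
                try:                                 # standard ACL: permit ADDR [WILDCARD]
                    wild = t[4] if len(t) > 4 else "0.0.0.0"
                    acl_nets.setdefault(t[1], []).append(_acl_network(t[3], wild))
                except ValueError:                   # extended ACL entry, not a NAT list
                    pass
            continue
        if current is None:
            continue
        if t[:2] == ["ip", "address"]:
            current.addressed = True
            if t[2] != "dhcp":
                current.network = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}").network
        elif t[:2] == ["zone-member", "security"]:
            current.zone = t[2]
        elif t[:2] == ["ip", "nat"]:
            current.nat = t[2]
    return interfaces, [n for acl in nat_acls for n in acl_nets.get(acl, [])]


def audit_zones(config: str) -> Dict[str, List[str]]:
    """Per addressed interface: isolated by ZBF, outside the NAT domains, or on the
    inside of NAT but not matched by the NAT source list."""
    interfaces, nat_nets = parse_config(config)
    findings: Dict[str, List[str]] = {}
    for i in interfaces:
        if not i.addressed:
            continue
        problems = []
        if not i.zone:
            # ZBF drops traffic between a zone member and a non-member; only the
            # router itself (the self zone) still reaches an unzoned interface.
            problems.append("not in any security zone: ZBF drops traffic to and from zoned interfaces")
        if not i.nat:
            problems.append("no 'ip nat inside|outside': hosts behind it skip the overload translation")
        elif i.nat == "inside" and i.network and not any(i.network.subnet_of(n) for n in nat_nets):
            problems.append(f"{i.network} is not permitted by the NAT source list, so it is never translated")
        if problems:
            findings[i.name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_zones(RUNNING_CONFIG).items():
        print(name, "->", "; ".join(problems))
```

Feeding it a whole saved `show running-config` is the same call with the file contents; the only parser assumption is the one leading space IOS puts in front of sub-commands, so a config pasted with indentation stripped (as on this page) has to be re-indented first.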
My remote AnyConnect VPN host cannot be pinged or accessed from inside the LAN
I have a remote VPN host via AnyConnect that can reach my LAN resources without a problem; however, there is a server application that must initiate sessions to the remote host and it cannot.
Hosts within my LAN cannot ping or connect to the remote host, even though its connectivity inbound is fine.
NAT issue?
Hi mega5llc1,
Can you run the following command and paste the output?
packet-tracer input inside (or name of your inside int) icmp (server ip) 8 0 (VPN IP) detailed
Hope this helps
- Randy
-
Hi,
I can connect via VPN to my ASA 5505 but I cannot access my ASA. I do not quite understand the routing, ACL and NAT configs I would need.
Attached is my config.
Here is my config:
-
Mail and SMTP server settings of ASA Certificate Authority for Cisco AnyConnect VPN
Dear All,
I have the following case:
I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
So what should the settings of the mail and SMTP server be?
As I understand it, I should put my SMTP server IP address, then I have to create the local users again under (Remote Access VPN -- Certificate Management -- Local Certificate Authority -- Manage User Database) along with their email addresses to send the one-time password to them via their emails.
I sent the email manually; how can I automate sending the OTP to our VPN users via their emails?
Best regards,
-
Thanks Jennifer.
I did manage to configure an LDAP attribute map to the specific group policy.
Nevertheless, I was wondering whether I can have a fixed IP address tied to an individual user.
Using the legacy Cisco VPN Client, I can do it using an IPsec (IKEv1) connection profile, where I set a pre-shared key and client address pools. Each client address pool has only 1 fixed IP address.
Example: let's say my username is LLH.
The connection profile for me is LLH-Connection-Profile; my profile is protected by a pre-shared key.
The client address pool for me is LLH-pool, and the IP is 172.16.1.11.
Only I know the pre-shared key and only I can log in with my connection profile.
Using AnyConnect, I have a problem. Users can use any connection profile because I cannot set a pre-shared key for AnyConnect. In that case, I cannot control who can use my connection profile and pretend to be me.
Example:
The AnyConnect connection profile for me is LLH-Connection-Profile, without any password.
The client address pool for me is LLH-pool; the IP is 172.16.1.11.
Anybody can use LLH-Connection-Profile and log in with another user name, let's say user-abc, which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access a server which only allows my IP to access it.
I hope the above description paints the scenario more clearly.
Thanks in advance for all the help and comments given. -
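Two posts on this page ask for the same ASA mechanism: the question at the top about admitting AnyConnect users only when they are in a specific AD security group, and LLH's post just above about tying a fixed address to one user so that another valid LDAP account cannot borrow it through an unprotected connection profile. On the ASA both are handled by an `ldap attribute-map` attached to the `aaa-server` entry: `map-name memberOf Group-Policy` plus one `map-value` per group DN selects the group-policy; the tunnel-group's `default-group-policy` is a policy with `vpn-simultaneous-logins 0`, so a user who authenticates but matches no mapped group is still refused; `group-lock value <tunnel-group>` in each mapped policy rejects a login through any other connection profile; and `map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address` hands the address set on the user's AD Dial-in tab to the session (with `vpn-addr-assign aaa`, which is on by default). The Python below is an added example, not code from either poster or from Cisco: it parses that attribute-map text and walks constructed directory entries through the same decisions offline, including the two details that bite in practice, AD returning the static address as a signed 32-bit integer and `memberOf` listing only direct group membership. The map name, DNs, policy and tunnel-group names and the user entries are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed ASA attribute map (names and DNs are assumptions), in the form
# `show running-config ldap` prints it.
ATTRIBUTE_MAP = """\
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPNUsers,OU=Groups,DC=example,DC=com" VPN-USERS
 map-value memberOf "CN=VPN-LLH,OU=Groups,DC=example,DC=com" LLH-GP
 map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
"""

# The rest of the assumed ASA side that the two gates below model:
#   group-policy NOACCESS internal
#   group-policy NOACCESS attributes
#    vpn-simultaneous-logins 0
#   group-policy VPN-USERS attributes
#    group-lock value ANYCONNECT-PROFILE
#   group-policy LLH-GP attributes
#    group-lock value LLH-Connection-Profile
#   tunnel-group ANYCONNECT-PROFILE general-attributes
#    authentication-server-group AD-LDAP
#    default-group-policy NOACCESS
DEFAULT_GROUP_POLICY = "NOACCESS"
SIMULTANEOUS_LOGINS = {"NOACCESS": 0}
GROUP_LOCK = {"VPN-USERS": "ANYCONNECT-PROFILE", "LLH-GP": "LLH-Connection-Profile"}

# Constructed directory entries, shaped like what the ASA's LDAP query returns.
# AD stores msRADIUSFramedIPAddress (Dial-in tab, static IP) as a signed 32-bit
# integer, so 172.16.1.11 (0xAC10010B) comes back as a negative number.
USERS = {
    "LLH": {"memberOf": ["CN=VPN-LLH,OU=Groups,DC=example,DC=com",
                         "CN=Domain Users,CN=Users,DC=example,DC=com"],
            "msRADIUSFramedIPAddress": ["-1408237301"]},
    "user-abc": {"memberOf": ["CN=VPNUsers,OU=Groups,DC=example,DC=com"]},
    "contractor": {"memberOf": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"]},
}


@dataclass
class AttributeMap:
    names: Dict[str, str] = field(default_factory=dict)              # LDAP attr -> Cisco attr
    values: Dict[str, Dict[str, str]] = field(default_factory=dict)  # LDAP attr -> {value -> mapped}


def parse_attribute_map(text: str) -> AttributeMap:
    """Read `map-name` and `map-value` lines; DN lookups are case-insensitive."""
    amap = AttributeMap()
    for line in text.splitlines():
        m = re.match(r'\s*map-name\s+(\S+)\s+(\S+)\s*$', line)
        if m:
            amap.names[m.group(1)] = m.group(2)
            continue
        m = re.match(r'\s*map-value\s+(\S+)\s+"([^"]+)"\s+(\S+)\s*$', line)
        if m:
            amap.values.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return amap


def framed_ip(raw: str) -> str:
    """Mask the signed AD integer back to 32 bits before decoding it."""
    return str(ipaddress.IPv4Address(int(raw) & 0xFFFFFFFF))


def evaluate(amap: AttributeMap, entry: Dict[str, List[str]]) -> Tuple[str, Optional[str]]:
    """(group-policy, framed IP) the map derives for one directory entry."""
    policy, ip = DEFAULT_GROUP_POLICY, None
    for ldap_attr, cisco_attr in amap.names.items():
        raw = entry.get(ldap_attr, [])
        if cisco_attr == "Group-Policy":
            # memberOf lists direct groups only: AD does not expand nested membership
            # in this attribute, so a user in a group nested under VPNUsers lands in
            # NOACCESS. Keep mapped groups disjoint rather than relying on tie-break
            # order when a user is in more than one of them.
            table = amap.values.get(ldap_attr, {})
            mapped = [table[v.lower()] for v in raw if v.lower() in table]
            if mapped:
                policy = mapped[0]
        elif cisco_attr == "IETF-Radius-Framed-IP-Address" and raw:
            ip = framed_ip(raw[0])
    return policy, ip


def admit(amap: AttributeMap, entry: Dict[str, List[str]], tunnel_group: str):
    """The two gates the config adds on top of a valid password: a zero-login
    policy for everyone unmapped, and group-lock per mapped policy."""
    policy, ip = evaluate(amap, entry)
    if SIMULTANEOUS_LOGINS.get(policy, 1) == 0:
        return False, policy, None
    lock = GROUP_LOCK.get(policy)
    if lock is not None and lock != tunnel_group:
        return False, policy, None
    return True, policy, ip


if __name__ == "__main__":
    amap = parse_attribute_map(ATTRIBUTE_MAP)
    for user, entry in USERS.items():
        for tg in ("ANYCONNECT-PROFILE", "LLH-Connection-Profile"):
            print(user, tg, admit(amap, entry, tg))
```

The point for LLH's scenario is that the address is bound to the user object rather than to the connection profile, and group-lock refuses user-abc on LLH-Connection-Profile before any address is handed out. On a live ASA, `test aaa-server authentication AD-LDAP username <user> password <pw>` together with `debug ldap 255` shows the attributes the directory actually returns and the group-policy the map chose, which is the real-world counterpart of `evaluate()` here.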
AnyConnect VPN and HP Office Jet Pro 8500 A910
I can print from my IBM T400 laptop running Windows 7 64-bit. However, when I log into work AnyConnect VPN, I cannot print. It says the printer is disconnected from the network even though it is connected. IT support at work says it cannot change or adjust any VPN settings. The only way I can print is to disconnect from VPN. Is there anything I can adjust on the printer software or printer itself?
Hi,
Printing over the local network while connected to a remote VPN network might be possible by modifying the VPN split-tunneling configuration.
However, it depends on the VPN capabilities and might not be allowed due to the security requirements of your IT department.
Anyway, there is no way to configure such a thing on the printer or in the printer software; it is directly determined by the network configuration, and therefore requires changing the VPN settings.
Regards,
Shlomi
-
I've got a user running:
AnyConnect 3.1.01065
on
Windows 7 64bit.
Several weeks ago she started encountering the following error:
-after logging into Windows and launching the AnyConnect client, she enters her username and password and successfully authenticates.
-the connection is not established and she's presented with the following message: "Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established."
After doing some troubleshooting, including uninstalling/reinstalling the AnyConnect client, it seems the culprit is the following file:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\<filename>.xml. When the problem occurs (which is not regularly, sometimes it occurs daily, sometimes just once a week) examining that file indicates it has no security or permissions set. Quitting the AnyConnect software, modifying the file so that the user has full control of it, then relaunching AnyConnect fixes the problem (until it happens again). Uninstalling, and making sure to move C:\ProgramData\Cisco to the trash, then reinstalling did not seem to help.
The closest match in these forums is the following thread, https://supportforums.cisco.com/message/3760446 - though no clear resolution was given.
Has anyone else encountered this, and been able to fix it?
Thanks much.
Just FYI, it seems that, at least in this case, purging all the previous system restore points has resolved this issue...
-
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces and the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACLs. Interestingly, my default WAN-inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.
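The config above keeps IPsec traffic out of NAT by denying it in the route-map ACL (101) that `ip nat inside source route-map` consults, while the crypto map selects traffic with ACL 100; if those two ACLs drift apart, the mismatched flows are PATed to the FastEthernet4 address before the crypto map sees them and never enter the tunnel. As an added example (not from the thread), this Python script parses those lines and reports every crypto-ACL entry the NAT ACL would still translate; SAMPLE_CONFIG is a constructed extract of the 2851 config plus one extra crypto entry (10.9.0.0/24) that has no matching exemption.

```python
import ipaddress, re
# Constructed sample: 2851 lines from above plus one crypto entry (10.9.0.0/24) lacking a NAT exemption.
SAMPLE_CONFIG = """crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 100 permit ip 172.21.1.0 0.0.0.255 10.9.0.0 0.0.0.255
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")
def endpoint(tok):
    """Consume one ACL endpoint ('any' or 'ADDR WILDCARD'); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_config(text):
    """Return (crypto ACL id, NAT route-map ACL id, {acl id: [(action, src, dst)]})."""
    acls, crypto_acl, nat_acl, rmap, in_rmap = {}, None, None, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        m = ACE_RE.match(line)
        if m:  # numbered extended ACE: record action, source and destination
            src, rest = endpoint(m.group(3).split())
            acls.setdefault(m.group(1), []).append((m.group(2), src, endpoint(rest)[0]))
        elif line.startswith("ip nat inside source route-map "):
            rmap = line.split()[5]  # the route-map that selects traffic to translate
        elif line.startswith("route-map "):
            in_rmap = line.split()[1] == rmap
        elif line.startswith("match address "):  # only crypto maps use this form
            crypto_acl = line.split()[2]
        elif line.startswith("match ip address ") and in_rmap:
            nat_acl = line.split()[3]
    return crypto_acl, nat_acl, acls

def nat_exemption_gaps(text):
    """Crypto-ACL permits that the NAT ACL does not fully deny, as 'src->dst'."""
    # First match wins; no overlapping NAT ACE means the route-map misses, so nothing is NATed.
    crypto_acl, nat_acl, acls = parse_config(text)
    gaps = []
    for action, src, dst in acls.get(crypto_acl, []):
        for nact, nsrc, ndst in acls.get(nat_acl, []):
            if action == "permit" and src.overlaps(nsrc) and dst.overlaps(ndst):
                if not (nact == "deny" and src.subnet_of(nsrc) and dst.subnet_of(ndst)):
                    gaps.append(f"{src}->{dst}")
                break
    return gaps
```

Running `nat_exemption_gaps(SAMPLE_CONFIG)` reports only the constructed 10.9.0.0/24 entry; the 172.20.0.0/20 entry is correctly covered by the deny in ACL 101.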
Hi,
First, please delete NAT. If we configured NAT in RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second, please enable LAN routing on the RRAS server. To enable LAN routing, please follow the steps below:
1. On the RRAS server, open Routing and Remote Access.
2. Right-click the server name, then click Properties.
3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
Then, announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below:
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina