ASA 5505 IPSEC VPN connected but can't access to LAN

Similar Messages

• Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

  Hello,
  We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks.  For some reason, the VPN tends to randomly disconnect any user clients connected a lot.  Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server.  We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem.  Sometimes users close out of VPN client completely, reopen several times and then it works.  However it's never really consistent enough and hasn't been the last few weeks.  No configuration changes have been made to ASA at all.  Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
  Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
  : Saved
  ASA Version 8.4(2)
  hostname domainasa
  domain-name adomain.local
  enable password cTfsR84pqF5Xohw. encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 205.101.1.240 255.255.255.248
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 192.168.2.60
  domain-name adomain.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network SBS_2011
  host 192.168.2.60
  object network NETWORK_OBJ_192.168.2.0_24
  subnet 192.168.2.0 255.255.255.0
  object network NETWORK_OBJ_192.168.5.192_
  27
  subnet 192.168.5.192 255.255.255.224
  object network Https_Access
  host 192.168.2.90
  description Spam Hero
  object-group network DM_INLINE_NETWORK_1
  network-object object SPAM1
  network-object object SPAM2
  network-object object SPAM3
  network-object object SPAM4
  network-object object SPAM5
  network-object object SPAM6
  network-object object SPAM7
  network-object object SPAM8
  object-group service RDP tcp
  description Microsoft RDP
  port-object eq 3389
  access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
  access-list outside_access_in extended permit tcp any object SBS_2011 eq https
  access-list outside_access_in extended permit icmp any interface outside
  access-list outside_access_in remark External RDP Access
  access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
  access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
  ip local pool VPN_Users 192.168.5.194-192.168.5.22
  0 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
  NETWORK_OBJ_192.168.2.0_24
  destination static NETWORK_OBJ_192.168.5.192_
  27 NETWORK_OBJ_192.168.5.192_
  27 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  object network SBS_2011
  nat (inside,outside) static interface service tcp smtp smtp
  object network Https_Access
  nat (inside,outside) static interface service tcp https https
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-reco
  rd DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.2.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.160-192.168.2.19
  9 inside
  dhcpd dns 192.168.2.60 24.29.99.36 interface inside
  dhcpd wins 192.168.2.60 24.29.99.36 interface inside
  dhcpd domain adomain interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy domain internal
  group-policy domain attributes
  wins-server value 192.168.2.60
  dns-server value 192.168.2.60
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value adomain.local
  username ben password zWCAaitV3CB.GA87 encrypted privilege 0
  username ben attributes
  vpn-group-policy domain
  username sdomain password FATqd4I1ZoqyQ/MN encrypted
  username sdomain attributes
  vpn-group-policy domain
  username adomain password V5.hvhZU4S8NwGg/ encrypted
  username adomain attributes
  vpn-group-policy domain
  service-type admin
  username jdomain password uODal3Mlensb8d.t encrypted privilege 0
  username jdomain attributes
  vpn-group-policy domain
  service-type admin
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool VPN_Users
  default-group-policy domain
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:e2466a5b754
  eebcdb0cef
  f051bef91d
  9
  : end
  no asdm history enable
  Thanks again

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• Have WIFI connection but can't access Safari or App store, nothing.  Can anyone help??

  I have just bought a iPad 2 WI-FI 16G today.  I have a full WI-FI connection but can't access the App store or Safari for any webpages, can anyone help?
  Thanks!!!!

  Despite what you call, "a full WiFi connection", you may not really be connected to your WiFi network.
  Your router may not have given your iPad a valid local network IP address. Go to Settings > Wifi > your network name and touch the ">" to the right to see the network details. If the IP address starts with 169 or is blank then your router didn't provide an IP address and you won't be able to access the Internet.
  Sometimes the fix can be as simple as restarting your router (remove power to the router for 30 seconds and then  restart). Next, reset network settings on your iPad (Settings > General > Reset > Reset network settings) and then attempt to connect. In other cases it might be necessary to update the router's firmware with the latest from the manufacturer's support web pages.
  If you need more help please give more details on your network, i.e., your router make, model and version, the wifi security being used (WEP, WPA, WPA2), etc.

• VPN Connects but unable to access internal devices

  Thank you in advance for any assistance that can be provided.
  I am using AnyConnect to create a VPN with an ASA 5505.  Once connected, the client needs to access a device behind a 1941 router.
  Internally, (not using VPN), all my routing is working correctly.  My VPN client can connect and when I put a route on my 1941 router, I am able to ping that particular device.  But my VPN client cannot appear to ping anything else, either the devices on the same internal range as the ASA 5505 or anything past the 1941.
  VPN Client                                      ASA 5505                                      Workstation                    1941 Router                        Far Device
  192.168.201.20 ----->   Outside IP x.x.x.x // Internal 192.168.101.1          192.168.101.56        192.168.101.2 // 192.168.8.1          192.168.8.150
  Client connects and get IP from ASA
                                                                                                          Cannot ping this                                                            Cannot ping this
                                                                                                                                             Can ping internal IP of 1941
                                                                                                                                              *(after creating a static route)
  I have been playing around with my configuration extensively to try and make this work.  Split-tunneling is enabled and is required.
  Here is my current config:
  hostnameMYHOST
  enable password mUUvr2NINofYuSh2 encrypted
  passwd UNDrnIuGV0tAPtz2 encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.101.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.0.0
  interface Vlan7
  no forward interface Vlan1
  nameif DMZ
  security-level 20
  ip address 137.57.183.1 255.255.255.0
  ftp mode passive
  clock timezone MST -7
  dns domain-lookup outside
  object-group network obj_any_dmz
  access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
  access-list nonat extended permit ip 192.168.201.0 255.255.255.0 any
  access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu DMZ 1500
  ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
  ip local pool vpn_pool 192.168.201.20-192.168.201.30 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 10 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (DMZ) 10 137.57.183.0 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 64000
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment self
  subject-name CN=MYHOST
  keypair ClientX_cert
  crl configure
  crypto ca certificate chain ASDM_TrustPoint1
  certificate 0f817951
      308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
      05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
      1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
      31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
      30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
      86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
      86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
      1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
      4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
      db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
      783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
      f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
      b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
      fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
      7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
      63ebd49d 30dd06f4 e0fa25
    quit
  crypto isakmp enable outside
  crypto isakmp policy 40
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 DMZ
  ssh timeout 10
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  ssl trust-point ASDM_TrustPoint1 outside
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  svc enable
  group-policy ClientX_access internal
  group-policy ClientX_access attributes
  dns-server value 4.2.2.2
  vpn-tunnel-protocol svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunneling
  default-domain value access.local
  address-pools value vpn_pool
  ipv6-address-pools none
  webvpn
    svc mtu 1406
    svc rekey time none
    svc rekey method ssl
  username ClientX password ykAxQ227nzontdIh encrypted privilege 15
  username ClientX attributes
  vpn-group-policy ClientX_access
  service-type admin
  tunnel-group ClientX type remote-access
  tunnel-group ClientX general-attributes
  address-pool Internal_Range
  default-group-policy ClientX_access
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  default-group-policy ClientX_access
  tunnel-group ClientX_access type remote-access
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:da38065247f7334a5408b7ada3af29ae
  : end

  ok, lets go on ... ;-)
  Split-Tunneling: The ACL must include all networks you want to reach through the VPN:
  access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
  access-list split-tunneling standard permit 192.168.8.0   255.255.255.0
  NAT: Don't use "any" in the nat-exemption, but specify all traffic that should not be natted:
  access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.168.201.0 255.255.255.0
  access-list nonat extended permit ip 192.168.8.0   255.255.255.0 192.168.201.0 255.255.255.0
  Routing: The 1941 needs a route for the vpn-pool pointing to the ASA (just in case there is no default route to the ASA)
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• VPN connects but unable to access resources on remote network

  HI,
  I'm able to ping the ASA interface once  the VPN is connected but unable to access any of the resources located on the remote network such as shares and computers. The cisco vpn client shows data being sent and recieved when I ping the interface on the ASA but it doesn't recieve any data when I attempt to ping or access other resources on the network. 
  ASA Version 8.2(5)
  hostname HOST_NAME
  domain-name default.domain.invalid
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  speed 10
  duplex half
  interface Ethernet0/4
  speed 100
  duplex full
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.8.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 12.x.x.x x.x.x.x
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 10.10.8.2
  domain-name default.domain.invalid
  same-security-traffic permit intra-interface
  object-group service Vipre tcp
  port-object range 18082 18082
  port-object range 18086 18086
  object-group network town
  network-object 192.168.0.0 255.255.0.0
  access-list outside_20_cryptomap extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
  access-list new extended permit ip host 192.168.0.1 any
  access-list new extended permit ip any host 192.168.0.1
  access-list outside_20_cryptomap_1 extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
  access-list townoffice_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
  access-list townremote_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
  access-list outside_access_in extended permit tcp any interface outside object-group Vipre
  access-list outside_access_in extended permit tcp any object-group Vipre interface inside object-group Vipre
  access-list outside_access_in extended permit tcp any eq 3389 10.10.8.0 255.255.255.0 eq 3389
  access-list test extended permit ip host 192.168.0.6 host 10.10.8.155
  access-list test extended permit ip host 10.10.8.155 host 192.168.0.6
  access-list test extended permit ip host 10.10.8.2 host 192.168.3.116
  access-list test extended permit ip host 192.168.3.116 host 10.10.8.2
  access-list test extended permit ip host 10.10.8.155 host 192.168.3.116
  access-list bypass extended permit ip host 10.10.8.155 host 192.168.3.116
  access-list bypass extended permit tcp 192.168.0.0 255.255.0.0 10.10.8.0 255.255.255.0
  access-list bypass extended permit tcp 10.10.8.0 255.255.255.0 192.168.0.0 255.255.0.0
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn 10.10.8.125-10.10.8.149 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-522.bin
  no asdm history enable
  arp timeout 14400
  global (inside) 1 interface
  global (outside) 1 interface
  nat (inside) 1 192.168.0.0 255.255.0.0
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface 18082 10.10.8.2 18082 netmask 255.255.255.255
  static (inside,outside) tcp interface 18086 10.10.8.2 18086 netmask 255.255.255.255
  static (inside,outside) tcp interface 3389 10.10.8.2 3389 netmask 255.255.255.255
  static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
  static (inside,inside) 10.10.8.0 10.10.8.0 netmask 255.255.255.0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 12.70.119.65 1
  route inside 192.168.0.0 255.255.0.0 10.10.8.250 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http  outside
  http  outside
  http  inside
  http  outside
  http inside
  http  outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt noproxyarp inside
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 60 set pfs
  crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 80 set pfs
  crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 100 set pfs
  crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
  crypto map outside_map 20 match address outside_20_cryptomap_1
  crypto map outside_map 20 set pfs
  crypto map outside_map 20 set peer 69.87.150.118
  crypto map outside_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal 30
  telnet 10.10.8.0 255.255.255.0 inside
  telnet timeout 5
  ssh 63.161.207.0 255.255.255.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd dns 10.8.8.2
  dhcpd address 10.10.8.150-10.10.8.200 inside
  dhcpd dns 10.10.8.2 interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy aaa internal
  group-policy aaa attributes
  dns-server value 10.10.8.2 4.2.2.2
  vpn-tunnel-protocol IPSec
  default-domain value domainname
  group-policy bbb internal
  group-policy bbb attributes
  wins-server value 10.10.8.2
  dns-server value 10.10.8.2
  vpn-tunnel-protocol IPSec l2tp-ipsec
  split-tunnel-policy tunnelall
  split-tunnel-network-list value townoffice_splitTunnelAcl
  default-domain value domainname.local
  group-policy townremote internal
  group-policy townremote attributes
  wins-server value 10.10.8.2
  dns-server value 10.10.8.2 4.2.2.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value townremote_splitTunnelAcl
  default-domain value domainanme
  group-policy remote internal
  group-policy remote attributes
  wins-server value 10.10.8.2
  dns-server value 10.10.8.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value townremote_splitTunnelAcl
  default-domain value dksecurity.local
  address-pools value vpn
  username xxxx password . encrypted privilege 15
  username xxxx attributes
  vpn-group-policy dksecurityremote
  username xxx password  encrypted privilege 15
  username xxx attributes
  vpn-group-policy dksecurityremote
  username xxxx password . encrypted privilege 15
  username xxx password  encrypted privilege 15
  username xxx attributes
  vpn-group-policy dksecurityremote
  username xxx password  encrypted privilege 15
  username xxxx attributes
  vpn-group-policy dksecurityremote
  username xxx password  encrypted privilege 15
  username xxx attributes
  vpn-group-policy dksecurityremote
  username xxx password  encrypted privilege 15
  username xxx attributes
  vpn-group-policy dksecurityremote
  username xxx password  encrypted privilege 15
  username xxx password  encrypted privilege 15
  username xxxx attributes
  vpn-group-policy remote
  username xxx password  encrypted privilege 15
  username xxx attributes
  vpn-group-policy remote
  username xxx password  encrypted privilege 15
  username xxx attributes
  vpn-group-policy remote
  username xxxx password  encrypted privilege 15
  username xxx password  encrypted privilege 15
  username xxx attributes
  vpn-group-policy remote
  tunnel-group 69.87.150.118 type ipsec-l2l
  tunnel-group 69.87.150.118 ipsec-attributes
  pre-shared-key *****
  tunnel-group remote type remote-access
  tunnel-group remote general-attributes
  address-pool vpn
  default-group-policy townremote
  tunnel-group townremote ipsec-attributes
  pre-shared-key *****
  isakmp keepalive disable
  tunnel-group townremote type remote-access
  tunnel-group townremote general-attributes
  address-pool vpn
  default-group-policy townremote
  tunnel-group lansingremote ipsec-attributes
  pre-shared-key *****
  class-map tcp-bypass
  match access-list bypass
  class-map test
  match access-list new
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
    no dns-guard
    no protocol-enforcement
    no nat-rewrite
  policy-map global_policy
  class test
  class inspection_default
  policy-map tcp
  class tcp-bypass
    set connection random-sequence-number disable
    set connection advanced-options tcp-state-bypass
  service-policy global_policy global
  service-policy tcp interface inside
  prompt hostname context
  call-home reporting anonymous prompt 2
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:c724d6744097760d94a7dcc79c39568a
  : end

  You need to change the VPN pool ip subnet to something other than the same ip range used on the inside interface.
  Sent from Cisco Technical Support iPad App

• ASA 5505 IPSec VPN Question

  I have a number of ASA 5505 boxes which I need to reconfigure to work with a Watchguard XTM 850 over IPsec.  The 5505s were previously configured to connect back to a 5510 Firewall using EasyVPN.  With EasyVPN still enabled, the remote boxes attempt to make a connection back, but there are a few settings such as Identity and Encryption types I need to modify to connect to the Watchguard firewalls.  It appears that these settings cannot be changed with EasyVPN enabled.  If I disable it, and change the identity and authentication settings, the boxes do not attempt to make a connection back.  I'm not sure if what I am trying to do is even possible at this point, and I am in dire need of some direction.  

  It is not clear from this description what is the problem and it sounds like either some part of your config changes is not correct or that there is some mismatch between your config and the config of the remote device. A starting place would be to post your config (masking off sensitive information such as public addresses and passwords.
  HTH
  Rick

• VPN Connected but can not see folders / server

  I have established a connection between an OSX server and client but now can not see the server or any services on the client.  There are no servers listed in the 'Network' section of finder and using 'Connect to server' I can not see it either. The log on the server shows the connection and the client does as well but other than that I can not do anything with the connection.
  Details
  - Using 10.6 osx server and a 10.6 client.
  - Connected via VPN, L2TP
  Thanks,
  Brian

  I have connected to VPN but can't see anything on my finder or desktop.
  I tried connecting to server by doing command+K and entered the ip address like afp://ipaddress/user
  doesn't work. I get error message saying:
  Connection Failed
  The server "165.124.164.125" is available on your computer. Access the volumes and files locally.
  help!!

• WRT54GS V4.0 Laptop Connects But can't access internet unless I am in DMZ mode.

  This is recent. I've changed no settings or otherwise done anything to block access, but I've had this problem 2 times now, and I'm beginning to think the router is crapping out on me.
  Here's why I know it is not the laptop Wifi that is the problem... When I am connected to the router, I CAN access the router administration pages, but I can't access anything on the internet itself unless the modem is in DMZ mode(I have to put it into DMZ mode and then power cycle the router). If the modem is in DMZ mode, I have no problems.
  This only happens with the Wireless connection. On my desktop I have no such problems either way.
  I have been using this router since January of this year and have not had any issues until recently when I would occasionally have to reset the laptop's connection to this router, and now this issue.
  Note: after it happened the first time, I took my laptop over to the in-laws house and I had no issues for the entire day that I was using the laptop. I come back here to my router and start having issues again.
  P.S. I use Ethereal (wireless security monitor) to determine what channels others are using within my range and have set mine to different channels that do not conflict with others, but still no change.
  Message Edited by jokieman on 11-25-200612:36 PM
  Message Edited by jokieman on 11-25-200601:05 PM

  Hi.. What are the DNS serves that are assign to your laptop when you have this issue? Are they public or private? Are you able to ping to any of these DNS server?
  You should have public DNS server assign to your laptop. and you should be able to ping to that DNS server to make sure that you have internet connection. If you dont have public dns server, try to ping to 4.2.2.2 (a very common dns server) if you are able to ping to this, then assign this dns to your laptop. you should be online.
  Also try to upgrade the firmware on the router.

• I'm showing a strong wi-fi connection but can't access web?

  I have a strong WI-FI connection but when I go to access a website it won't open?Any suggestions to fix problem would be appreciated. I've already tried the reset network settings route but that only worked temporarily.

  You may not really be connected to your WiFi network.
  Your router may not have given your iPad a valid IP address. Go to Settings > Wifi > your network name and touch the ">" to the right to see the network details. If the IP address starts with 169 or is blank then your router didn't provide an IP address and you won't be able to access the Internet.
  Sometimes the fix can be as simple as restarting your router (remove power for 30 seconds and restart). Next, reset network settings on your iPad (Settings > General > Reset > Reset network settings) and then attempt to connect. In other cases it might be necessary to update the router's firmware with the latest from the manufacturer's support web pages.
  If you need more help please give more details on your network, i.e., your router make, model and version, the wifi security being used (WEP, WPA, WPA2), etc.

• Windows 7 Won't work with GT704WGB - Connects, but can't access internet or ping router

  Upgraded my Verizon DSL.
  I replaced an old WireStream DLS router and NetGear wireless access/router with Verizon's GT704WGB.
  After  I replaced it, Wireless connections from Windows 7 no longer work.
  Help. Any ideas?
  1. The GT704WGB installation seemed to be easy and successful.
  2. I have 3 devices and 4 operating systems
      a. An iPhone - It connects to my wireless network and works fine.
      b. An Acer lap-top running Windows XP service pack 2 - It connects to my wireless network and works find.
      c. An Hp Pavilion lap-top running Ubuntu Linux
           i. It connects to router via cable and works fine.
          ii. It connects to router wirelessly and works fin.
      d. The same Hp Pavilion when booted to Windows 7 doesn't work wirelessly.  :-(
           i. It connects via cable to router and works fine
          ii. When I disconnect cable and connect wirelessly IT DOESN'T WORK. :-(
  What happens is Windows reports the the wireless adapter has connected to the network, but says it is NOT CONNECTED TO INTERNET. Further I can't ping the router, 192.168.1.1. I have checked the IP4 properties and settings for the adapter. They seem
  fine.
  1. Adapter has an address on the network.
  2. DHCP is enabled.
  3. Gateway is provided automatically  by DHCP
  4. DNS is provided automatically by DHCP.
  Pinging router gets no response. Attempting to resolve a name, www.google.com reports unable to resolve name.
  All of this works perfectly when directly cabled to router.
  Any help with how to troubleshoot this would be appreciated.
  Solved!
  Go to Solution.

  Solved my own problem. Sorry for the spam. :-)
  Windows does not support multiple gateways. I had foregotten I had a 2nd wireless access point/router plugged into the network (Cisco/Linksys E1000). That router had been working fine in combination with old SpeedStream DSL router from Verizon, but apparently it introduced a second gateway address which was in conflict with GT704WGB.
  Solution:
  1. Unplug Cisco E1000. Reset it to factory settings by pushing red button.
  2. Plug Cisco E1000 back into network.
  3. Use Cisco CD and setup.exe to "install" E1000.
  4. Use Cisco CD and Cisco Connect to reconfigure E1000.
  5. Done.
  All devices working with all OS's including Windows 7.

• Internet connected but can't access any websites

  Hi everyone,
  I have wireless and my computer was working totally fine this morning. I didn't download any updates or anything and when I came home this afternoon it said that my computer was connected to the internet but when I try to open any webpages in Safari is just says that it is trying to load the page but never actually does. MSN messenger will not work either. Does anyone have any idea how I can fix this?? I know it is not the internet because our PC on the same network is working fine. Thanks in advance!
  P.S. Not completely sure of my OS, still kinda new to Macs.

  journey778, Welcome to the discussion area!
  Your system information states OS 10.0.x. If you are using that version of OS X you do not have an Intel based iMac. I would suggest that you upgrade to OS 10.2 at least.
  If you do have an Intel based iMac, you may want to try renewing the DHCP lease. Open System Preferences->Ethernet->Advanced... and click on the "Renew DHCP Lease".

• My ipad freezes when trying to connect to WIFI.  It say i am connected, but can't access sites

  I am using the Wifi in my house and I am connected.  The IPad 3 freezes.  My phone which is an I phone 4 works fine on the wifi.
  What shold I do

  You can try clearing Safari and see if that fixes the problem.
  Go to Settings>Safari>Clear History, Cookies and Data or Cache. Restart the iPad. Restart the iPad by holding down on the sleep button until the red slider appears and then slide to shut off. To power up hold the sleep button until the Apple logo appears and let go of the button.

• Tried everything - says its connected, but can't access the internet

  I have set up my wireless correctly. I went in and changed the name of SSID, and put a WEP password on it. I have the Default IP as 192.168.1.1 and starting IP at 192.168.1.100
  I pinged 192.168.1.1 and it was fine. I then pinged the 4.2.2.2 and it timed out. So I downloaded the firmware and upgraded it successfully. Tried the ping again and got the same result. Also, when I connect the modem to the router, then the router to my computer the internet doesn't work. I have to bypass the router and just use the modem. 
  I have reset the router multiple times - it is hard to set up because in my building there seems to be someone else nearby who has a linksys router with the same default IP and they don't have a password or anything so it's hard to decide which one to connect to to set up. 
  either way, nothing has worked. Any ideas?!?!

  Whats the model number of your Router. When you Hardwired you Computer to the Router you still dont have a access to internet. This means your router is not configured properly.
  If your Internet Service Providor is Cable follow this link
  If your Internet Service Providor is DSL follow this link
  Here are the wireless settings which you can set on your router, Assuming you have a G series router, Follow this steps.
  Open an Internet Explorer browser page on your wired computer(desktop).In the address bar type - 192.168.1.1 and press Enter...Leave username blank & in password use admin in lower case...
  For Wireless Settings, please do the following : -
  Click on the Wireless tab
  - Wireless Network mode should be mixed...
  - Provide a unique name in the Wireless Network Name (SSID) box in order to differentiate your network from your neighbours network...
  - Set the Wireless channel to 11-2.462GHz...Wireless SSID broadcast should be Enabled and then click on Save Settings...
  Please make a note of Wireless Network Name (SSID) as this is the Network Identifier...
  For Wireless Security : -
  Click on the Sub tab under Wireless > Wireless Security...
  Change the Wireless security mode to WEP, Encryption should be 64 bit.Leave the passphrase blank, don't type in anything...Under WEP Key 1 type in any 10 numbers please(numbers only and no letters eg: your 10 digit phone number) and click on save settings...
  Please make a note of WEP Key 1 as this is the Security Key for the Wireless Network...
  Click on Advanced Wireless Settings
  Change the Beacon Interval to 75 >>Change the Fragmentation Threshold to 2304, Change the RTS Threshold to 2304 >>Click on "Save Settings"...
  Now see if you can locate your Wireless Network and attempt to connect... 

• Asa 5505 Remote VPN Can't access with my local network

  Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
  ASA Version 8.2(1)
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 155.155.155.10 255.255.255.0
  interface Vlan5
  no nameif
  no security-level
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy mull internal
  group-policy mull attributes
  vpn-tunnel-protocol IPSec
  username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
  vpn-group-policy Mull
  tunnel-group mull type remote-access
  tunnel-group mull general-attributes
  address-pool vpn-Pool
  default-group-policy mull
  tunnel-group mull ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context

  Hey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network)  iam using Shrew Soft VPN Access Manager for my vpn connection
  here is my cry ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
        local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
        current_peer:155.155.155.1, username: Thomas
        dynamic allocated peer ip: 192.168.100.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 73FFAB96
      inbound esp sas:
        spi: 0x1B5FFBF1 (459275249)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 2894
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
      outbound esp sas:
        spi: 0x73FFAB96 (1946135446)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 2873
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

• IPSEC VPN Connection

  I have create a ipsec  vpn connection between asa router 500 and netgear vpn prosafe 318, the problwm I'm running into is , I have my separate from the above connection, Im only trying to give access to one sever, the other side can ping my ip, but I can not ping the other side at all, and when I do a tracert , it is not utilizing the vpn , it is using the internet. What is that Im missing or did wrong ?
  This topic first appeared in the Spiceworks Community

  On Spiceworks there's an article titled 10 signs SysAdmins are really superheroes - Yes, we mean you!http://community.spiceworks.com/topic/1099346-10-signs-sysadmins-are-really-superheroes-yes-we-mean-...and has a picture of an IT guy with the Superman S under his shirt. So I responded with Based on Man of Steel , I believe you have an anarachrinistic impression of Clark Kent.As we all know now... Pa Kent's paranoia regarding the alien-nature of Clark's being means that maintaining the secret of Clark's origins is the primary mission no matter what is happening in the environment. Thus Pa Kent's noble death saving a stupid dog from the path of a tornado.. making it clear to Clark to do nothing. Who wouldn't want a husband and father like that?