ASA 5505 SSL VPN LOG failed

%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3293 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3293 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client outside:58.211.122.212/3293
%ASA-6-113012: AAA user authentication Successful : local database : user = admin
%ASA-6-113009: AAA retrieved default group policy (SSLCLientPolicy) for user = admin
%ASA-6-113008: AAA transaction status ACCEPT : user = admin
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.grouppolicy = SSLCLientPolicy
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.username = admin
%ASA-7-734003: DAP: User admin, Addr 58.211.122.212: Session Attribute aaa.cisco.tunnelgroup = SSLClientProfile
%ASA-6-734001: DAP: User admin, Addr 58.211.122.212, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-4-716023: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <SSLCLientPolicy> User <admin> IP <58.211.122.212> WebVPN Unable to create session.
%ASA-6-302013: Built inbound TCP connection 137616 for outside:58.211.122.212/3294 (58.211.122.212/3294) to identity:61.155.55.66/443 (61.155.55.66/443)
%ASA-6-302013: Built inbound TCP connection 137617 for outside:58.211.122.212/3295 (58.211.122.212/3295) to identity:61.155.55.66/443 (61.155.55.66/443)
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3294 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3294 request to resume previous session.
%ASA-6-725001: Starting SSL handshake with client outside:58.211.122.212/3295 for TLSv1 session.
%ASA-6-725003: SSL client outside:58.211.122.212/3295 request to resume previous session.
Red error what is the reason? Only appears in the window 2003 server.

ciscoasa# show   activation-key 
Serial Number:  JMX1314Z1UV
Running Activation Key: 0x9625fa6a 0x68e90200 0x38c3adac 0xaa0448d0 0x4b3815b6
Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 
This platform has a Base license.
The flash activation key is the SAME as the running key.
ciscoasa#
Sure ?it was licence question?

Similar Messages

  • Cisco ASA 5505 SSL VPN

    Hi Everyone,
    In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
    I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if  I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
    I need help to solve this mystery. Please find attached the ASA config: #show run
    I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
    Best regards,
    BEN

    If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
    I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

  • Asa 5505 Remote VPN Can't access with my local network

    Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
    ASA Version 8.2(1)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 155.155.155.10 255.255.255.0
    interface Vlan5
    no nameif
    no security-level
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mull internal
    group-policy mull attributes
    vpn-tunnel-protocol IPSec
    username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
    vpn-group-policy Mull
    tunnel-group mull type remote-access
    tunnel-group mull general-attributes
    address-pool vpn-Pool
    default-group-policy mull
    tunnel-group mull ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context

    Hey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network)  iam using Shrew Soft VPN Access Manager for my vpn connection
    here is my cry ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
          current_peer:155.155.155.1, username: Thomas
          dynamic allocated peer ip: 192.168.100.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 73FFAB96
        inbound esp sas:
          spi: 0x1B5FFBF1 (459275249)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2894
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x73FFAB96 (1946135446)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2873
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks.  For some reason, the VPN tends to randomly disconnect any user clients connected a lot.  Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server.  We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem.  Sometimes users close out of VPN client completely, reopen several times and then it works.  However it's never really consistent enough and hasn't been the last few weeks.  No configuration changes have been made to ASA at all.  Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
    Directly below is our current running config (modded for public).  Any help or ideas would be greatly appreciated.  Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_
    27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.22
    0 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
    NETWORK_OBJ_192.168.2.0_24
    destination static NETWORK_OBJ_192.168.5.192_
    27 NETWORK_OBJ_192.168.5.192_
    27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-reco
    rd DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.19
    9 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754
    eebcdb0cef
    f051bef91d
    9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA.
    Can you post them ??
    Any other question..Sure..Just remember to rate all of the community answers.
    Julio

  • ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp

    Hello all,
    I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
    MafSecASA# show run
    : Saved
    ASA Version 8.2(1)
    hostname MafSecASA
    domain-name mafsec.com
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.4.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 7.3.3.2 255.255.255.248
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 172.20.1.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    speed 100
    duplex full
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name mafsec.com
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object tcp
    protocol-object udp
    protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object ip
    protocol-object icmp
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in remark allow remote users to internal users
    access-list inside_access_in remark allow remote users to internal users
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any
    access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
    access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.4.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.4.0.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd option 6 ip 8.8.8.8 8.8.4.4
    dhcpd address 10.4.0.15-10.4.0.245 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd lease 86400 interface inside
    dhcpd option 3 ip 10.4.0.1 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol svc
    group-lock none
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value inside_split_tunnel
    vlan none
    address-pools value SSLVPNPool2
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    username user1 password
    username user1 attributes
    service-type remote-access
    username user2 password
    tunnel-group SSLVPNGROUP type remote-access
    tunnel-group SSLVPNGROUP general-attributes
    address-pool SSLVPNPool2
    default-group-policy SSLVPN
    tunnel-group SSLVPNGROUP webvpn-attributes
    group-alias SSLVPN enable
    prompt hostname context
    Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
    : end
    Thank in advance for any help!

    Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs?  I'd try pinging a router or switch just to make sure.
    --Jason

  • ASA Clientless SSL VPN can't access login pages on websites

    When I'm doing a clientless SSL VPN to my ASA and using the ASA to browse websites, I can pretty much go on to just about any website except specificly login websites. I can go on google and yahoo but when I click the "mail" button it just gives me an error message "Connection Failed - Server (site name) unavailable. When I go onto hotmail.com, it says server hotmail.com unavailable. When I browse by entering hotmail's IP address in, it says "Bad Request." Same happens on ebay, youtube, etc. Funny thing is, the ONLY login page I can get onto is Cisco's website's login page. I tried changing DNS servers, nothing changed. Here is my configuration:
    show run
    : Saved
    ASA Version 8.4(4)1
    hostname PatG
    domain-name resolver4.opendns.com
    enable password aDvdtQE/ih5t061i encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    boot system disk0:/asa844-1-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group Comcast
    name-server 75.75.75.75
    domain-name cdns01.comcast.net
    dns server-group DefaultDNS
    name-server 208.67.220.222
    name-server 208.67.220.220
    domain-name resolver4.opendns.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649-103.bin
    no asdm history enable
    arp timeout 14400
    object network obj_any
    nat (inside,outside) dynamic interface
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Remote1 protocol radius
    aaa-server Remote1 (inside) host 192.168.1.8
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console Remote1
    aaa authentication http console Remote1 LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd domain redtube.com
    dhcpd auto_config outside
    dhcpd option 150 ip 192.168.1.15 192.168.1.5
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    tunnel-group-list enable
    group-policy Eng internal
    group-policy Eng attributes
    vpn-tunnel-protocol ssl-clientless
    webvpn
      url-list value EngineerMarks
    group-policy RemoteHTTP internal
    group-policy RemoteHTTP attributes
    vpn-tunnel-protocol ssl-clientless
    webvpn
      url-list value Test
      customization value Extra
    username user1 password mbO2jYs13AXlIAGa encrypted privilege 0
    tunnel-group Browser type remote-access
    tunnel-group Browser general-attributes
    authentication-server-group Remote1
    default-group-policy RemoteHTTP
    tunnel-group TEST type remote-access
    tunnel-group TEST general-attributes
    authentication-server-group Remote1
    default-group-policy RemoteHTTP
    tunnel-group TEST webvpn-attributes
    group-alias testing enable
    group-url https://24.19.162.53/testing enable
    tunnel-group Engineering type remote-access
    tunnel-group Engineering general-attributes
    authentication-server-group Remote1 LOCAL
    default-group-policy Eng
    tunnel-group Engineering webvpn-attributes
    group-alias engineering enable
    group-url https://209.165.200.2/engineering enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect http
    policy-map map
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                                                                                             CEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:843e718c8d4b23b5f421f82fc0a0c255
    : end
    Can anyone please help me? Thanks

    In your crypto ACLs for the site-to-site tunnels, add the ASA's public IP destined to the remote network, and mirror this ACL on the remote end VPN device.
    Example:
    ASA public IP: 2.2.2.2
    Remote network: 192.168.1.0/24
    access-list vpn_to_remote_network permit ip host 2.2.2.2 192.168.1.0 255.255.255.0
    Mirror the above acl on the remote end router.
    PS. If you found this post helpful, please rate it.

  • ASA 5505 IPSEC VPN connected but can't access to LAN

    ASA : 8.2.5
    ASDM: 6.4.5
    LAN: 10.1.0.0/22
    VPN Pool: 172.16.10.0/24
    Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
    I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
    Below is my configure, do I mis-configure anything?
    ASA Version 8.2(5)
    hostname asatest
    domain-name XXX.com
    enable password 8Fw1QFqthX2n4uD3 encrypted
    passwd g9NiG6oUPjkYrHNt encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.253 255.255.252.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.XXX 255.255.255.240
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name vff.com
    access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging asdm informational
    logging device-id hostname
    logging host inside 10.1.1.230
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server AD protocol nt
    aaa-server AD (inside) host 10.1.1.108
    nt-auth-domain-controller 10.1.1.108
    http server enable
    http 10.1.0.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.1.0.0 255.255.252.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpntest internal
    group-policy vpntest attributes
    wins-server value 10.1.1.108
    dns-server value 10.1.1.108
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpntest_splitTunnelAcl
    default-domain value XXX.com
    split-tunnel-all-dns disable
    backup-servers keep-client-config
    address-pools value vpnpool
    username admin password WeiepwREwT66BhE9 encrypted privilege 15
    username user5 password yIWniWfceAUz1sUb encrypted privilege 5
    username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
    tunnel-group vpntest type remote-access
    tunnel-group vpntest general-attributes
    address-pool vpnpool
    authentication-server-group AD
    authentication-server-group (inside) AD
    default-group-policy vpntest
    strip-realm
    tunnel-group vpntest ipsec-attributes
    pre-shared-key BEKey123456
    peer-id-validate nocheck
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
    : end

    I change  a Machine's gateway to this ASA and capture again, now we can see some reply.
    All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
    what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
    add two gateways to all PCs and swtichwes?
    1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
      10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request

  • SSL-VPN Anyconnect fails after rebooting 2811

    Hello all,
    I have setup an Anyconnect SSL-VPN in my 2811 and it works just great, but then after the reboot it fails.  I think it has something to do with the SSL Cert being ereased.  Here is my configuration, please let me know if you need anything else:
    ! Last configuration change at 02:03:27 CDT Thu Sep 27 2012
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    aaa new-model
    aaa session-id common
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-XXXXXXXXXX
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX
    revocation-check none
    crypto pki certificate chain TP-self-signed-XXXXXXXXXX
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31363535 34343437 3534301E 170D3132 30393237 30373033
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353534
      34343735 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      810096FE 9114BCED E2FA2297 CE41A6F5 73078E18 C1109993 48E2629E 78713B48
      E6EA7C79 17C8E159 C057A05B F3CAFB4D 36AE9196 AAC4A2BF 586CF144 A81E50FC
      5261BFCF 0A11064F C9F19A4C 953DFBF8 65194AD2 73100EE0 FBFE7EB6 0AD16875
      7C1C03AE B3A461E2 9837E057 E2A8AE94 F11FDA8A 98AF8107 C0D9FF14 3CF1C62E
      BE090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1425F172 BAFEAA95 A90FA3D7 A3482174 6F951194 52301D06
      03551D0E 04160414 25F172BA FEAA95A9 0FA3D7A3 4821746F 95119452 300D0609
      2A864886 F70D0101 04050003 81810064 30DCCC2D 0506EDF6 61C37B9E DF5D8F9A
      A9FE0646 FC72C3F8 A7E10E55 CE6AA592 7385931A DDFE95B7 47ED3690 2C3F8B43
      9A637526 1464D94E 3A71D235 A14C0551 70E3ED2F F51B07E3 4379E2AF CCA03416
      10DDF3E1 784D053B A9E4A624 E34BDDFB BA638658 58E30B74 55A62B02 BDC493A8
      23191E2E E4BF390B D62DAA2B 351C09
            quit
    username USERNAME privilege 15 secret 5 $1$Pc/.$y6kJb0xpe.77ciRHZTJ8A.
    ip local pool SSL-VPN 192.168.11.5 192.168.11.8
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    bvpn gateway gateway_1
    ip interface Dialer1 port 443
    ssl trustpoint SSL-VPN
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
    webvpn context SSL-VPN
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "SSL-VPN"
       svc default-domain "DOMAIN"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary DNS-SERVER
    default-group-policy policy_1
    gateway gateway_1
    inservice

    Here is the bug description that matches your explaination of the issue:
    MF: HTTPS generates a new self-signed cert on reboot even if one exists
    Symptom:
    With Secure HTTP server enabled, IOS device  generates a new self-signed certificate when it reloads even if a valid  self-signed certificate already exists.
    Conditions:
    When there is no CA(Certificate Authority) provided certificate on the device
    Workaround:
    Use CA provided certificate.
    The resolution is to upgrade it to version 15.2(1)T or higher.
    Unfortunately you would need to have SmartNet contract to be able to download the software from CCO.

  • Problem with ASA 5505 SSL login

    I have an ASA 5505 that is hosting a SSL VPN. The user can not login. They receive login error. To the best of their knowledge, this problem started after the office Domain Controller was rebuilt. I have looked on ASA and in AD and cannot seem to trace the issue. Any ideas?                  

    David,
    In order to understand why LDAP is not working run a "debug ldap 255" and then try to login or run a AAA test.
    Attach the output to find out the issue.
    Please check this out as well, to make sure that you have the correct settings:
    ASA 8.0: Configure LDAP Authentication for WebVPN Users
    HTH.
    Portu.

  • SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

    Hi,
    Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
    some relevant config
    webvpn
    enable wan
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    group-policy vpnpolicy1 internal
    group-policy vpnpolicy1 attributes
    vpn-tunnel-protocol svc
    tunnel-group admins type remote-access
    tunnel-group admins general-attributes
    address-pool sslpool2
    default-group-policy vpnpolicy1
    username myuser password 1234567890 encrypted privilege 15
    username myuser  attributes
    vpn-group-policy vpnpolicy1
    Debug:
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
    webvpn_add_auth_handle: auth_handle = 17
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    webvpn_session.c:http_webvpn_create_session[184]
    WebVPN: error creating WebVPN session!
    webvpn_remove_auth_handle: auth_handle = 17
    webvpn_free_auth_struct: net_handle = CD5734D0
    webvpn_allocate_auth_struct: net_handle = CD5734D0
    webvpn_free_auth_struct: net_handle = CD5734D0

    AnyConnect says:
    "The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
    The following message was received from the secure gateway: Host or network is 0"
    Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
    ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
    asa01# debug webvpn 255
    INFO: debug webvpn  enabled at level 255.
    asa01# debug http 255
    debug http enabled at level 255.
    asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_login_resolve_tunnel_group: tgCookie = NULL
    webvpn_login_resolve_tunnel_group: tunnel group name from default
    webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
    webvpn_portal.c:http_webvpn_kill_cookie[790]
    webvpn_auth.c:http_webvpn_pre_authentication[2321]
    WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
    webvpn_add_auth_handle: auth_handle = 22
    WebVPN: started user authentication...
    webvpn_auth.c:webvpn_aaa_callback[5138]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
    webvpn_portal.c:webvpn_login_validate_net_handle[2234]
    webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
    webvpn_portal.c:webvpn_login_assign_app_next[2272]
    webvpn_portal.c:webvpn_login_cookie_check[2289]
    webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
    webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
    webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
    webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
    webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
    webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
    webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
    webvpn_portal.c:webvpn_login_check_cert_status[2733]
    webvpn_portal.c:webvpn_login_cert_only[2774]
    webvpn_portal.c:webvpn_login_primary_username[2796]
    webvpn_portal.c:webvpn_login_primary_password[2878]
    webvpn_portal.c:webvpn_login_secondary_username[2910]
    webvpn_portal.c:webvpn_login_secondary_password[2988]
    webvpn_portal.c:webvpn_login_extra_password[3021]
    webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
    webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
    webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
    webvpn_portal.c:webvpn_login_aaa_resuming[3093]
    webvpn_auth.c:http_webvpn_post_authentication[1485]
    WebVPN: user: (myuser) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2938]
    HTTP: net_handle->standalone_client [0]
    webvpn_session.c:http_webvpn_create_session[184]
    webvpn_session.c:http_webvpn_find_session[159]
    WebVPN session created!
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_remove_auth_handle: auth_handle = 22
    webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE9C3208
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C3208
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_allocate_auth_struct: net_handle = CE863DE8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE863DE8
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    webvpn_auth.c:webvpn_auth[581]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    WebVPN: session has been authenticated.
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_allocate_auth_struct: net_handle = CE9C32C8
    ewsStringSearch: no buffer
    Close 0
    webvpn_free_auth_struct: net_handle = CE9C32C8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_allocate_auth_struct: net_handle = CC894AA8
    webvpn_session.c:http_webvpn_find_session[159]
    webvpn_session.c:webvpn_update_idle_time[1463]
    Close 1043041832
    webvpn_free_auth_struct: net_handle = CC894AA8

  • Cisco ASA 5505, Cisco VPN Client and Novell Netware

    Hi,
    Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
    I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
    When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
    The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.

    If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

  • ASA 5505 Easy VPN to ASA 5510 Question

    I am working on configuring ASA 5505's for some of our remote offices to connect to our 5510 at HQ.. I have the 5505's configured and running using Easy VPN since they will be getting their IP addresses dynamically.
    From a computer connected to the ASA I can connect to and ping all of my servers at HQ. From HQ I can't ping the computer or RDP to it.
    I haven't done this type of a config in years so I'm unsure of what I need to change. It seems to me that the routes aren't populating at the HQ to get to the 5505's. I was reading up on Reverse Route Injection and that seems like the right answer. I wanted to get some other ideas before I made any changes to the 5510.
    Any thoughts or tips would be appreciated.
    Thanks

    Dan,
    EzVPN might get funky sometimes. Have you looked into something like a "dynamic to static Lan to Lan" ?
    If you are using EzVPN on the branch becuase you have a dynamic IP, you might want to give it a shot.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
    The config example uses a PIX 6.3 as remote, but the configuration on the remote site should be the same as any other L2L config. The one that changes is the one at the HQ where you need to configure a Default L2L group to accept the dynamic connections.
    Have a good one.
    Raga

  • Cisco ASA 5505 as VPN client

    Hello all thanks for looking,
    I need to know how to setup my cisco asa 5505 as a vpn client to services like HMA or privateinternet and other paid VPN services. If someone else has already written a guide to this then that would be great. What I want to do is route all my secure traffice through the asa and have it go across the internet as encrypted VPN stuff and have my other stuff that does not need to be encrypted just go through to my other router. 
    Thanks in advance,

    If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
    Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enable the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
    Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
    Regards
    Karthik

  • CIsco ASA 5505 and VPN licenses

    Hi,
    Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
    How those licenses are counted? Will I need a license per one IPSec SA?
    If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
    Thank you.
    Regards,
    Alex

    Alex,
    In an ASA 5505, it should say something like this...when you do sh ver.
    VPN Peers : 25
    It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
    Its a per tunnel license.
    Rate this, if it helps!
    Gilbert

Maybe you are looking for

  • I have an additional row that is empty under my tabs in Safari 5.1 that I can't get rid of.

    The bar right under the tabs is empty and just taking up screen real estate. It isn't so bad on my desktop monitor, but when I'm just using the laptop screen it is a lot of lost screen space. I have only noticed it over the past couple of days, and I

  • Attachments in Mail Activity

    Hi, I'm configuring a marketing scenario in CRM 4.0 in order to execute campaigns via email with the correspondant mail form. The result of these campaigns is the creation of business activities (category Mail) My question is, ¿is possible to attach

  • Unwanted keyline around media in interactive PDF

    Using: Indesign CS6 Acrobat X Pro I am exporting an interactive PDF with a movie placed on a page, and when viewing in Acrobat I'm getting a black keyline around the movie's bounding box when I enter the page. If I click anywhere else on the page, th

  • Timed out Problems to using the Solar_project_admin transaction

    Hello everyone! I'm trying to create a project in the Solution Manager using SOLAR_PROJECT_ADMIN transaction but we receive the timed out error message and the process is stopped. Could help me ?

  • Erase and Install problems after fixing 10.4.5 update issues

    Initially, I had permission issues after upgrading to 10.4.5. After hours of reconfiguring user accounts, I thought that maybe the best overall solution would be to erase and reinstall Tiger. I am an old PC user so reformatting the hard drive can be