ASA 5505 VPN Can not connect clients

Similar Messages

• ASA 5505 VPN can't access connected network

  I have an ASA 5505 with ipsec VPN configured on it.  I am able to  connect to the ASA but I can't ping a connected network.  I get a dhcp  assigned address in the network I am trying to reach but can't access  that network on Vlan5.  Please help.
  I attached the config.

  I think final questions, can you have two nat statements that point to the same acl ie.
  access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
  access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
  nat (inside) 0 access-list no_nat
  nat (inside) 1 192.168.9.0 255.255.255.0
  nat (fw-civic) 0 access-list no_nat
  nat (fw-civic) 1 192.168.5.0 255.255.255.0
  Or do I need to create a new acl for the fw-civic interface?
  Thanks

• ASA 5505 VPN can't access inside host

  I have setup remote VPN access on a ASA 5505 but cannot access the host or ASA when I login using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct Ip address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can login but not go anywhere I feel certian I missed something.
  part of config below
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map inside_dyn_map 20 set pfs
  crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  service-policy global_policy global
  group-policy xxxxxxx internal
  group-policy xxxxxxx attributes
  banner value xxxxx Disaster Recovery Site
  wins-server none
  dns-server value 24.xxx.xxx.xx
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
  default-domain none
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout none
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools value xxxxxx
  smartcard-removal-disconnect enable
  client-firewall none
  webvpn
  functions url-entry
  vpn-nac-exempt none
  no vpn-addr-assign aaa
  no vpn-addr-assign dhcp
  tunnel-group xxxx type ipsec-ra
  tunnel-group xxxx general-attributes
  address-pool xxxx
  default-group-policy xxxx
  tunnel-group blountdr ipsec-attributes
  pre-shared-key *

  I get the banner and IP adress info...
  This is what the client log provides...
  1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
  AddRoute failed to add a route: code 87
  Destination 172.20.255.255
  Netmask 255.255.255.255
  Gateway 10.1.2.1
  Interface 10.1.2.5
  2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
  Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

• ASA 5505-VPN- Can't use AD services

  New install:5505 VPN with MS Active Directory services on LAN.
  I can VPN into the network but cannot e.g. join my laptop to the Domain. Message says "cannot find "domain" I can: ping the PDC, RDP onto the PDC or any system on the LAN. Also applications that are on the remote laptop and rely on LAN resources fail.
  Any help would be welcome

  Sorry, just realized I did not attach config!

• ASA 5505 VPN can't access inside hosts

  I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.
  The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87
  Cisco

  No I can't ping anything.
  And here is the route -print after connection
  ===========================================================================
  Interface List
  0x1 ........................... MS TCP Loopback interface
  0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
  0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
  ===========================================================================
  ===========================================================================
  Active Routes:
  Network Destination Netmask Gateway Interface Metric
  0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
  85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
  127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
  192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
  192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
  192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
  192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
  192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
  192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
  192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
  224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
  224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
  255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
  255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
  Default Gateway: 192.168.222.101
  ===========================================================================
  Persistent Routes:
  None

• Client can not connect to Server installed window server 2008 and using 8.8

  HI all!
  I have a problem when Client  log in to server that installed window server 2008.It can not connect to this server even when restart and key in IP or Server name,...
  I try disable Firewall of window 2008 in server machine and client can connect to server. But when i disable firewall, it's mean  i can not use Remote desktop or terminal service..
  Now, how i can do in order to solve this problem.
  Thanks!

  Hi,
  Take a look at the admin guide (Page 75, 119, 159):
  [http://service.sap.com/~sapidb/011000358700000150922010E.zip]
  If you installed a firewall on the license service computer, make sure that the firewall is not set to port 30000; otherwise, the license service cannot work.
  If you are using Port X, make sure that you open Port X and Port (X+1) in the firewall. For example, if you are using port 10000, make sure to also open port 10001.
  The default communication port is 1143.
  The default port of the SAP Business One license server is 30000 for license communication and 30001 for the license naming service

• HT1424 the vpn on my ipod touch is not connected and my wi-fi can not connected is due to the vpn off?

  My ipod touch is not able to join the network is that happening because of the vpn is not connected either?

  What type of encryption are you using? WPA/WPA2/WEP?
  Have you worked through the other suggestions in this Apple support document?
  iOS: Troubleshooting Wi-Fi networks and connections
  What about trying to use the recommend access point and Wi-Fi router settings in this document?
  iOS: Recommended settings for Wi-Fi routers and access points
  B-rock

• ASA 5505 configured for WebVPN connecting to Citrix Web Interface

  ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
  i have a ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface .  The user authenticates into WebVPN OK and gets the option to click on the Citrix Link (which is i add bookmark  citrix server http:// 172.30.40.5.) i enter the citrix and then for example  i want to open to outlook it can not open. (when i want to open some application no application is open)).there is no alarm at asa. how i solve this issue?
  thanks.

  Teymur,
  Can you confim that after disabling the ssl/tls on the Citrix server (secure connectivity) that you are getting exactly the same error.  It is possible that it is generating a different error.
  The bug where we have see the existing error was CSCtf06303 but that has been fixed in 8.4.1.  Can you confirm the exact version of code you are running on the ASA.
  If you have confirmed the above two notes it may be adventageous to open a TAC case as we may need to do some live additional troubleshooting.
  Thanks
  -Jay

• Can not connect to Cerberus FTP Server with PASV

  I setup a FTP Server and i can connect from the inside fine but from the outside i can not connect in passive mode. I can in regular ftp or ssh.
  Here is the log from filezilla
  Status:          Resolving address of domain.com
  Status:          Connecting to ExternalIP:990...
  Status:          Connection established, initializing TLS...
  Status:          Verifying certificate...
  Status:          TLS/SSL connection established, waiting for welcome message...
  Response:          220-220-Welcome to Cerberus FTP Server
  Response:          220 220 Created by Cerberus, LLC
  Command:          USER test
  Response:          331 User test, password please
  Command:          PASS ***********
  Response:          230 Password Ok, User logged in
  Command:          CLNT FileZilla
  Response:          200 Command okay
  Command:          OPTS UTF8 ON
  Response:          220 UTF8 support on
  Command:          PBSZ 0
  Response:          200 PBSZ=0
  Command:          PROT P
  Response:          200 PROT P OK, data channel will be secured
  Status:          Connected
  Status:          Retrieving directory listing...
  Command:          PWD
  Response:          257 "/" is the current directory
  Command:          TYPE I
  Response:          200 Type Binary
  Command:          PASV
  Response:          227 Entering Passive Mode (external IP,195,83)
  Command:          MLSD
  Error:          Connection timed out
  Error:          Failed to retrieve directory listing
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.0(4)
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.10.10 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group att
  ip address pppoe setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  object-group service RDP tcp
  description RDP
  port-object eq 3389
  object-group service FTP_PASV_Ports tcp
  description Passive Ports
  port-object range 35000 35999
  object-group service FTPS tcp
  description FTPS
  port-object eq 990
  access-list outside_access_in extended permit tcp any any object-group RDP
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended permit tcp any any eq ftp
  access-list outside_access_in extended permit tcp any any eq telnet
  access-list outside_access_in extended permit tcp any any eq smtp
  access-list outside_access_in extended permit tcp any any eq www
  access-list outside_access_in extended permit tcp any any eq pop3
  access-list outside_access_in extended permit tcp any any eq https
  access-list outside_access_in remark passive FTP port range
  access-list outside_access_in extended permit tcp any host server object-group FTP_PASV_Ports
  access-list outside_access_in extended permit tcp any any eq ssh
  access-list outside_access_in extended permit tcp any any object-group FTPS
  access-list outside_access_in extended permit tcp any any eq ftp-data
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1492
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-621.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface www server www netmask 255.255.255.255
  static (inside,outside) tcp interface https server https netmask 255.255.255.255
  static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface ftp server ftp netmask 255.255.255.255
  static (inside,outside) tcp interface ssh server ssh netmask 255.255.255.255
  static (inside,outside) tcp interface 990 server 990 netmask 255.255.255.255
  static (inside,outside) tcp interface ftp-data server ftp-data netmask 255.255.255.255
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 192.168.10.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  vpdn group att request dialout pppoe
  vpdn group att localname @static.sbcglobal.net
  vpdn group att ppp authentication pap
  vpdn username @static.sbcglobal.net password *********
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  username admin password rcuFiQnIXLd encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:ecb5356a2f5e680b
  : end
  I am programing the router with ASDM so if you could tell me what i need to do from the GUI to fix this.

  Dan,
  Looking at the output,
  Status:          Resolving address of domain.com
  Status:          Connecting to ExternalIP:990...
  Status:          Connection established, initializing TLS...
  Status:          Verifying certificate...
  Status:          TLS/SSL connection established, waiting for welcome message...
  This looks like FTPS which is not supported on the ASA. You can workaround it by trying to connect using Active mode from the outside instead of PSV.
  You can find more info here:
  https://supportforums.cisco.com/docs/DOC-23206
  Mike

• Can not connect to wireless network any more, missing command

  I can not connect to any wireless network. I have been having this problem for days. In desperation I installed 10.4 in a seperate HD. I clicked on the airport icon in the upper tool bar, selected my network name and clicked on "open internet connect" and I was connected, what?? I rebooted into 10.5 and tried the same thing again. But the panel that opens when you click on the airport icon has NO "open internet connect" command. A couple of weeks ago I reinstalled my OS. I have run diskwarrior and Techtool pro. Thinking back to the time I first installed 10.5 I don't remember ever seeing that command. Is Leopard compatible with the airport card? How do I get my "open internet connect" command back??

  It sounds like a problem between hardware and software. When you select your network, does anything freeze or does nothing happen?
  Nothing happens.
  Try this, open your Network Preference Pane, turn off airport off and delete the Airport connection by selecting "Airport" in the left pane and click the " - " button. Click on the "+" sign and create a new Airport connection. Hit Apply if it is available. Turn AirPort on and try to select your network and login if you can. The status should show Connected and an IP address should show up after of a couple of seconds.
  I get "AirPort has a self-assigned IP address and may not be able to connect to the Internet". On a couple of occasions (over the last couple days) I got you are connected to the internet on IP 172.17.90.251. However when I tried to open a web page I got the banner you are not connected to the internet. Strange, the pref panet said I was the Safari said I was not. Certainly the IP address does not show up in a few seconds. I also have ComCast cable but I need to use the MetroFi-Free wireless so my wife has the bandwidth to do her company work using VPN.

• Windows 8 can not connect RemoteApp on W2K12 RDS, but Windows 7 can connect. Why?

  Hi!
  Windows 8 can not connect RemoteApp (W2K12 RDS), but Windows 7 can connect. Why?
  External and internal DNS name is different, the public Cert is mapped to RD Web Access and a RD GateWay Role.
  The internal cert (issued by enterprise ca) is mapped to RD Connection Broker roles (SSO and Publishing).
  These certifications also be installed on client computers (Personal and Trusted Root Certification Authorities).
  The internal CA revocation list is publicated to a website and this web site is accessible from internet. Ports (3389,3391,443) forwarded to RDS server.
  On windows 7 everything works fine, but Windows 8 can not connect to Remote Apps. Windows 8 can connect to RDS server via Remote Desktop Connection.
  The error:
  Thank you for your answers.

  Check this thread -> 
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0c0d7c4a-e422-4a6c-99eb-66df26a1ffc6/rdp8-your-computer-cant-connect-to-the-remote-computer-because-an-error-occurred?forum=winserverTS
  and this
  http://support.microsoft.com/kb/2903333
  HTH,
  JB

• 10GR2: API5022:can not connect to the specified repository.

  Hi
  Today I have started getting the following message when try to connect to the Design Center in 10GR2:
  'API5022:can not connect to the specified repository. Verify connection information'
  Nothing has changed in the repository for several days, though we were able to login to the Design Center yesterday without any issue. This is happening for all users, so is not a client problem.
  Also, we can login to the repository via repository browser, administrator and various query tools. Therefore, the connection details are ok.
  Has anyone else encountered this in 10.2? If so, any suggestions would be very much appreciated...
  Thanks
  GB

  The problem might be caused by changing the LOCALE setting to a value that is not recognized.
  The selection in the preferences does not allow to reset to an empty value, nor does OWB allow to cancel the selection.
  This setting is stored locally outside any database at the following location:
  C:\oracle\OWB102\owb\bin\admin\Preference.properties.
  where the first part is the OWB homedir
  After I changed the content into the following, I was able to start OWB and connect to the repository again without any errors:
  #Locally Cached Preferences - DO NOT MODIFY
  #Wed Apr 25 21:14:29 CEST 2007
  LOCALE=en_US
  Even though it says not to modify, remember that the only alternative would be re-installing OWB.
  Hope this works for anyone having this problem.
  Regards,
  Patrick.

• I can not connect to my newly installed local host cf server 9:

  I can not connect to my newly installed local host cf server 9:
  Oops! Firefox could not connect to 127.0.0.1:8500
  Suggestions:
  Try reloading: 127.0.0.1:8500/CFIDE/administrator/monitor/index.cfm
  Search on Google:
  can you help? same message with all 127.0.0.1:8500
  urls, data or server admin....
  Forta I 8/Edition files work with CF SERVER 9?

  I have the same problem, on my primary computer (Windows XP Pro , but the cause may be different from what 123polis123 had.
  It seems that the installer installed the Enterprise Multiserver configuration instead of the built in server.
  Note that I installed sucessfully on my laptop (Windows XP Home), using the same install parameters.
  I chose the "Server configuration" which has a self contained server tunning a single instance with an embedded JEE server.  After running though all the installation screens, before proceeding with the actual installation, the installer reported the following:
  Installation Type:
    Server configuration
  Licensing:
    Developer Edition
  Installation Directories:
    Product: C:\ColdFusion9
    Web root: C:\ColdFusion9\wwwroot
  Server Information:
    Web Server: Built-in web server
    Port: 8500
    ODBC Services: installed
    Search Services: installed
    ColdFusion Solr Search Services: installed
    Microsoft .Net version: v 2.0.50727
    .NET Java Port: 6085
    .NET Client Port: 6086
    Documentation: installed
    RDS: enabled
  Disk Space Information (for Installation Target):
    Required: 1,089,069,939
    Available: 7,387,262,976
  The installation proceeded without a hitch, except at the end when the browser is supposed to come up with the admin configuration page it can't find the server.  Port 8500 is open. I fiddled around awhile to see what the problem was.  I installed on the other computer which went fine - the only difference is that the .NET version is 1.1.4322.   I then re-installed, without uninstalling, on the problem computer.  When the installer got to the screen where I select the server configuration, Enterprise Multiserver configuration was selected and it was not possible to select onything else.   I uninstalled and re-installed.  Same thing happened.
  The processes running included: k2admin.exe, k2index.exe, k2server.exe and CFDotNetsvc.exe.   The processes on the sucessful install included cfp.exe and cfupdate.exe.
  Note that I had installed Eclipse and the CFEclipse plugin before installing CF9.

• Can not connect to ftp with mountain lion

  Hallo everybody,
  i have a problem with my ftp-client, i use cyberduck, i can not connect to any ftp-server...
  evertime i get this message:
  USER user_xyz
  331 User user_xyz OK. Password required
  PASS **********
  530 Login authentication failed
  this will only happen when i try it with mountain lion 10.8.2
  with snow leopard and lion everything works fine and i can connect to the ftp-server.
  i try to take another ftp-client but its the same... i try filezilla and transmit.
  can anybody help me with this problem?

  In your Network System Preferences, under Advanced, Proxies tab, is Passive mode selected? If it is, try toggling it off then on (or try it with it off).
  Also, have you contacted the Cyberduck people to ask if they know about a problem?
  Have you tried connecting from Terminal?

• OUtlook 2013 can not connect to exchange 2013 after exchange maibox member of DAG failed.

  hi ALL
  OUtlook 2013 can not connect to exchange 2013 after exchange maibox member of DAG failed.
  Exchange environment contains 2 Exchange Mailboxesserver ,( one Failed , virtual Machine)
  2 cas Servers
  first databases could not be mounted but after we run the below command , users can use OWA but outlook could not connect
  Start-DatabaseAvailabilityGroup -Identity DAG -MailboxServer MBX1
  please support
  thanks

  Hi,
  According to your description, I understand that Outlook client cannot connect to Exchange server 2013 while one member of DAG failed.
  If I have misunderstand your concern, please do not hesitate to let me know.
  I want to double confirm whether all account store in MBX1 experience this issue, users in MBX2 works fine.
  Please run following command to double check the database status:
  Get-MailboxDatabase –Status | select Name,Mounted,MountedOnServer
  If it works in OWA, the issue may be related to Outlook side. Please run “Test E-mail AutoConfiguration” and “Outlook Connection Status” to get more details, expecial the setting of proxy server, it’s more helpful
  for further troubleshooting.
  Additional, please try to recreate a profile for testing. Besides, please move active DB back to MBX1.
  Best Regards,
  Allen Wang