ASA 5505 VPN can't access connected network

I have an ASA 5505 with ipsec VPN configured on it.  I am able to  connect to the ASA but I can't ping a connected network.  I get a dhcp  assigned address in the network I am trying to reach but can't access  that network on Vlan5.  Please help.
I attached the config.

I think final questions, can you have two nat statements that point to the same acl ie.
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.9.0 255.255.255.0
nat (fw-civic) 0 access-list no_nat
nat (fw-civic) 1 192.168.5.0 255.255.255.0
Or do I need to create a new acl for the fw-civic interface?
Thanks

Similar Messages

  • ASA 5505 VPN can't access inside host

    I have setup remote VPN access on a ASA 5505 but cannot access the host or ASA when I login using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct Ip address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can login but not go anywhere I feel certian I missed something.
    part of config below
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    service-policy global_policy global
    group-policy xxxxxxx internal
    group-policy xxxxxxx attributes
    banner value xxxxx Disaster Recovery Site
    wins-server none
    dns-server value 24.xxx.xxx.xx
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    default-domain none
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout none
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools value xxxxxx
    smartcard-removal-disconnect enable
    client-firewall none
    webvpn
    functions url-entry
    vpn-nac-exempt none
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    tunnel-group xxxx type ipsec-ra
    tunnel-group xxxx general-attributes
    address-pool xxxx
    default-group-policy xxxx
    tunnel-group blountdr ipsec-attributes
    pre-shared-key *

    I get the banner and IP adress info...
    This is what the client log provides...
    1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
    AddRoute failed to add a route: code 87
    Destination 172.20.255.255
    Netmask 255.255.255.255
    Gateway 10.1.2.1
    Interface 10.1.2.5
    2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
    Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

  • ASA 5505 VPN can't access inside hosts

    I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.
    The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87
    Cisco

    No I can't ping anything.
    And here is the route -print after connection
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
    0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
    85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
    192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
    192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
    192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
    192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
    224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
    224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
    255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
    255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
    Default Gateway: 192.168.222.101
    ===========================================================================
    Persistent Routes:
    None

  • ASA 5505 VPN - how to access Two private networks

    Hello
    i have cisco 5505 and i confirgured a remote VPN clients.  here is my sceniro
    cisco switch 2950   ===  holds two private network 192.168.8.x  and 192.168.4.x
    vlan 2  outside interface -    Eth0/0       155.155.155.x
    Vlan 1 inside interface --       Eth 0/1    192.168.8.180
    VPN pool ip address  =  192.168.8.100 --110
    i drag i cable from my cisco switch and put in to Eth0/1. and i want to access this twor private networks 192.168.4.x and 192.168.8.x .
    now i can access to 192.168.8.x .
    but i can't access 192.168.4.x .. please can any one help me that.
    Regards
    Thomas

    configure a split tunnel list that contains the networks you want the client to access.
    Sent from Cisco Technical Support iPad App

  • ASA 5505 & VPN Client blocking access to local lan

    I have setup a IPSec vpn client connection to a Cisco ASA 5505, when I connect to the unit it fully authenticates and issues me an ip address on the local lan however when I attempt to connect to any service on the local lan the following message is displayed in the log can you help:
    Teardown UDP connection 192.168.110.200 53785 192.168.110.21 53 outside:192.168.110.200/53785(LOCAL\username) to inside 192.168.110/53
    See the attached file for a sanitised version of the config.

    This is a sanitised version of the crypto dump, I have changed the user and IP addresses
    ASA5505MAN# debug crypto ikev1 7
    ASA5505MAN# debug crypto ipsec 7
    ASA5505MAN# Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fbc167de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb72)
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb72)
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
    Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
    Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=515fbf7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2fe7cf10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb73)
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb73)
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
    Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
    Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=e450c971) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=e6c212e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb74)
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb74)
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
    Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
    Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=af5953c7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    This is the isakmp dump
    ASA5505MAN# show crypto isakmp
    IKEv1 SAs:
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2
    1   IKE Peer: x.x.x.x
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: x.x.x.x
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    There are no IKEv2 SAs
    Global IKEv1 Statistics
      Active Tunnels:              1
      Previous Tunnels:           40
      In Octets:              322076
      In Packets:               2060
      In Drop Packets:            84
      In Notifys:               1072
      In P2 Exchanges:            35
      In P2 Exchange Invalids:     0
      In P2 Exchange Rejects:      0
      In P2 Sa Delete Requests:   24
      Out Octets:             591896
      Out Packets:              3481
      Out Drop Packets:            0
      Out Notifys:              2101
      Out P2 Exchanges:          275
      Out P2 Exchange Invalids:    0
      Out P2 Exchange Rejects:     0
      Out P2 Sa Delete Requests: 284
      Initiator Tunnels:         231
      Initiator Fails:           221
      Responder Fails:            76
      System Capacity Fails:       0
      Auth Fails:                 54
      Decrypt Fails:               0
      Hash Valid Fails:            0
      No Sa Fails:                30
    Global IKEv2 Statistics
      Active Tunnels:                          0
      Previous Tunnels:                        0
      In Octets:                               0
      In Packets:                              0
      In Drop Packets:                         0
      In Drop Fragments:                       0
      In Notifys:                              0
      In P2 Exchange:                          0
      In P2 Exchange Invalids:                 0
      In P2 Exchange Rejects:                  0
      In IPSEC Delete:                         0
      In IKE Delete:                           0
      Out Octets:                              0
      Out Packets:                             0
      Out Drop Packets:                        0
      Out Drop Fragments:                      0
      Out Notifys:                             0
      Out P2 Exchange:                         0
      Out P2 Exchange Invalids:                0
      Out P2 Exchange Rejects:                 0
      Out IPSEC Delete:                        0
      Out IKE Delete:                          0
      SAs Locally Initiated:                   0
      SAs Locally Initiated Failed:            0
      SAs Remotely Initiated:                  0
      SAs Remotely Initiated Failed:           0
      System Capacity Failures:                0
      Authentication Failures:                 0
      Decrypt Failures:                        0
      Hash Failures:                           0
      Invalid SPI:                             0
      In Configs:                              0
      Out Configs:                             0
      In Configs Rejects:                      0
      Out Configs Rejects:                     0
      Previous Tunnels:                        0
      Previous Tunnels Wraps:                  0
      In DPD Messages:                         0
      Out DPD Messages:                        0
      Out NAT Keepalives:                      0
      IKE Rekey Locally Initiated:             0
      IKE Rekey Remotely Initiated:            0
      CHILD Rekey Locally Initiated:           0
      CHILD Rekey Remotely Initiated:          0
    IKEV2 Call Admission Statistics
      Max Active SAs:                   No Limit
      Max In-Negotiation SAs:                 12
      Cookie Challenge Threshold:          Never
      Active SAs:                              0
      In-Negotiation SAs:                      0
      Incoming Requests:                       0
      Incoming Requests Accepted:              0
      Incoming Requests Rejected:              0
      Outgoing Requests:                       0
      Outgoing Requests Accepted:              0
      Outgoing Requests Rejected:              0
      Rejected Requests:                       0
      Rejected Over Max SA limit:              0
      Rejected Low Resources:                  0
      Rejected Reboot In Progress:             0
      Cookie Challenges:                       0
      Cookie Challenges Passed:                0
      Cookie Challenges Failed:                0
    Global IKEv1 IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    ASA5505MAN#
    and this is the ipsec dump
    ASA5505MAN# show crypto ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.110.200/255.255.255.255/0/0)
          current_peer: x.x.x.x, username: username
          dynamic allocated peer ip: 192.168.110.200
          #pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
          #pkts decaps: 1959, #pkts decrypt: 1959, #pkts verify: 1959
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 778, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/54599
          path mtu 1500, ipsec overhead 82(52), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 532B60D0
          current inbound spi : 472C8AE7
        inbound esp sas:
          spi: 0x472C8AE7 (1194101479)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
             slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 26551
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x532B60D0 (1395351760)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
             slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 26551
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: outside_map0, seq num: 1, local addr: x.x.x.x
          access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.0.0 255.255.0.0
          local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
          current_peer: x.x.x.x
          #pkts encaps: 39333117, #pkts encrypt: 39333117, #pkts digest: 39333117
          #pkts decaps: 24914965, #pkts decrypt: 24914965, #pkts verify: 24914965
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 39333117, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: F6943017
          current inbound spi : E6CDF924
        inbound esp sas:
          spi: 0xE6CDF924 (3872258340)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 163840, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (3651601/15931)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xF6943017 (4136906775)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 163840, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (3561355/15931)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    ASA5505MAN#

  • ASA 5505-VPN- Can't use AD services

    New install:5505 VPN with MS Active Directory services on LAN.
    I can VPN into the network but cannot e.g. join my laptop to the Domain. Message says "cannot find "domain" I can: ping the PDC, RDP onto the PDC or any system on the LAN. Also applications that are on the remote laptop and rely on LAN resources fail.
    Any help would be welcome

    Sorry, just realized I did not attach config!

  • ASA 5505 VPN Can not connect clients

    Hi,
    I tried to search for an answer to this question but I couldn't find the answer.
    I configured the VPN on the ASA, I can not  get a client to connect to the ASA  I've tried and search for an answer and I really need som help!
    Any help is greatly appreciated.
    : Saved
    ASA Version 7.2(2)
    hostname
    domain-name
    enable password
    names
    ddns update method
    ddns both
    interface Vlan1
    nameif inside
    security-level 100
    ddns update hostname
    ddns update
    dhcp client update dns
    ip address 192.168.1.1 255.255.255.0
    ospf cost 10
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.0
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server
    name-server
    domain-name
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list EasyVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list OUTSIDE_IN_ACL extended permit ip any any
    access-list OUTSIDE_IN_ACL extended permit icmp any interface outside
    access-list Remote-VPN_splitTunnelAcl standard permit any
    access-list DefaultRAGroup_splitTunnelAcl standard permit any
    access-list Bild_splitTunnelAcl standard permit any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool TKK 192.168.1.200-192.168.1.220 mask 255.255.255.224
    ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
    no failover
    monitor-interface inside
    monitor-interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    static (inside,inside) tcp interface 3389 access-list inside_nat_static
    static (inside,inside) tcp interface ftp access-list inside_nat_static_2
    static (outside,inside) x.x.x.x 192.168.1.0 netmask 255.255.255.255 dns
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server value 192.168.1.253
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission
    to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy EasyVPN internal
    group-policy EasyVPN attributes
    dns-server value 192.168.1.253
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value EasyVPN_splitTunnelAcl
    default-domain value xxx.se
    group-policy Remote-VPN internal
    group-policy Remote-VPN attributes
    dns-server value 192.168.1.253
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Remote-VPN_splitTunnelAcl
    default-domain value xxx.se
    group-policy CiscoASA internal
    group-policy CiscoASA attributes
    dns-server value 192.168.1.253 x.x.x.x
    vpn-tunnel-protocol IPSec webvpn
    group-policy Bild internal
    group-policy Bild attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Bild_splitTunnelAcl
    username User attributes
    vpn-group-policy DfltGrpPolicy
    username Bild password encrypted privilege 0
    username Bild attributes
    vpn-group-policy Bild
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set TRANS_ESP_DES_SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 220 set pfs
    crypto dynamic-map outside_dyn_map 220 set transform-set ESP-DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group Bild type ipsec-ra
    tunnel-group Bild general-attributes
    address-pool TKK
    default-group-policy Bild
    tunnel-group Bild ipsec-attributes
    pre-shared-key *
    tunnel-group CiscoASA type ipsec-ra
    tunnel-group CiscoASA general-attributes
    address-pool vpn
    default-group-policy CiscoASA
    tunnel-group CiscoASA ipsec-attributes
    pre-shared-key *
    tunnel-group EasyVPN type ipsec-ra
    tunnel-group EasyVPN general-attributes
    address-pool vpn
    default-group-policy EasyVPN
    tunnel-group EasyVPN ipsec-attributes
    pre-shared-key *
    tunnel-group Remote-VPN type ipsec-ra
    tunnel-group Remote-VPN general-attributes
    address-pool VPN-Pool
    default-group-policy Remote-VPN
    tunnel-group Remote-VPN ipsec-attributes
    pre-shared-key *
    class-map global-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global-policy
    class global-class
      inspect ftp
      inspect icmp
      inspect pptp
    service-policy global-policy global
    prompt hostname context
    Cryptochecksum:8cdda33b1993ba7bb33db88d996e939c
    : end

    Hi Fredrik,
    I see your acl "outside_nat0_outbound" set on inside interface for no nat, but I do not see, the acl is being defined anywhere on your config.
    I also strongly recommand create your vpn-pool to be different subnet rather being as same as your inside ip of your ASA.
    so, let assume your vpn pool is 192.168.255.1-254/24
    so, your no-nat for inside will look like this below.
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.255.0 255.255.255.0
    Let me know, if this helps.
    thanks

  • ASA 5505 VPN client LAN access problem

    Hello,
    I'm not expert in ASA and routing so I ask some support the following case.
    There is a Cisco VPN client (running on Windows 7) and an ASA5505.
    The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.
    The Skype works well but I cannot access devices in the interface inside via VPN connection.
    Can you please check my following config and give me advice to correct NAT or VPN settings?
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password wDnglsHo3Tm87.tM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 10.0.0.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns xx.xx.xx.xx interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server value 84.2.44.1
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem enable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy XXXXXX internal
    group-policy XXXXXX attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
    username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
    username XXXXXX attributes
    vpn-group-policy XXXXXX
    username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
    tunnel-group XXXXXX type ipsec-ra
    tunnel-group XXXXXX general-attributes
    address-pool VPNPOOL
    default-group-policy XXXXXX
    tunnel-group XXXXXX ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
    : end
    ciscoasa#
    Thanks in advance!
    fbela

    config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
    Need to add - config#same-security-traffic permit intra-interface
                                     #access-list extended nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
                                     #nat (inside) 0 access-list nonat
    Please add and test it.
    Thanks
    Ajay

  • VPN Clients can't access DMZ Network

    Hello,
    I will try to describe my problem as best as possible. The title says VPN clients cannot access DMZ network, but that is not exactly the problem, the situation is this, a group of users are using an actual 10.x network where they have their servers and pretty much everything. The users must be relocated into a new network, the 172.16.x.  In a point in time they will not have to use 10.x anymore, but meanwhile, they need access to that network.
    I have an ASA 5510 as default gateway for the new network (172.16.x.x), one interface e0/0 connected to the outside (internet), interface e0/1 to the inside and other interface connected to the actual 10.x (which I call DMZ), so basically I am using the ASA as a bridge using NAT to grant access to the users in the network 172.16.x to the resources in the 10.x network while the migration is completed.
    All the users must use the path to the internet thru the ASA using the NAT overload to the outside interface and I put in place a NAT policy to 10.x to allow access to the 10.x network only when the internal users 172.16.x try to reach that path and so far, everything is working just fine for the internal users.
    Now for some reason, when I do VPN, the VPN clients cannot reach the 10.x network, even when they are supposed to be in the internal network (because they are doing VPN right?) .
    I have enabled split tunneling with NAT exempt the 172.16 network and I am not sure if that is causing the problem, because when I trace from my PC the 172.16.16.1 address using the VPN I get the proper route path, but when I try to reach 10.x, my PC is using its default gateway and not the VPN gateway which has a route to 10.x.
    I’m not even sure if what I am trying to do is possible, I want VPN users to be able to access a 10.x network using NAT overload with the Interface of the ASA plugged to the 10.x network, just like the internal users are doing right now.
    Any help or advice will be highly appreciated.

    Allow clients to access DMZ, add exempt NAT rule, add both the "same-security-traffic" thru cli. Please give it a try.
    Sent from Cisco Technical Support iPad App

  • Can not access home network via ipod touch, password entered  not accepted

    Can not access home network via ipod touch, password entered not accepted
    Trying to help my son set up his ipod touch to connect to the network and the password I entered is not accepted.
    1. Which password is required? I entered the password I use for logging into my router
    2. The home network is recognized, when selected it requires a password to be entered, but I am just not sure what password it is looking for to connect.
    I have not been able to find any information on this subject

    jersey0904, Welcome to the discussion area!
    You need to enter the wireless encryption password... not the administrative password for the router.

  • I am unable to re-install itunes. The installer starts ok and then indicates that it can not access a network !!

    I am unable to re-install itunes. The installer starts ok and then indicates that it can not access a network !!  I have tried to uninstall but get the sme error message. I have used 3rd party software to uninstal but still have no joy. My pc is running Vista.
    Can you anyone offer a working solution ?

    Many thanks.
    Let's try the fixit from the following Microsoft document with that one:
    Fix problems with programs that can't be installed or uninstalled

  • Asa 5505 Remote VPN Can't access with my local network

    Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
    ASA Version 8.2(1)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 155.155.155.10 255.255.255.0
    interface Vlan5
    no nameif
    no security-level
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mull internal
    group-policy mull attributes
    vpn-tunnel-protocol IPSec
    username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
    vpn-group-policy Mull
    tunnel-group mull type remote-access
    tunnel-group mull general-attributes
    address-pool vpn-Pool
    default-group-policy mull
    tunnel-group mull ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context

    Hey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network)  iam using Shrew Soft VPN Access Manager for my vpn connection
    here is my cry ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
          current_peer:155.155.155.1, username: Thomas
          dynamic allocated peer ip: 192.168.100.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 73FFAB96
        inbound esp sas:
          spi: 0x1B5FFBF1 (459275249)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2894
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x73FFAB96 (1946135446)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 2873
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

  • ASA 5505 VPN clients can't ping router or other clients on network

    I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
    : end
    Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
    Thanks.

    I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
    here is the runnign config again:
    Result of the command: "show startup-config"
    : Saved
    : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    asdm location Server 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:78864f4099f215f4ebdd710051bdb493

  • ASA 5505 VPN no access to inside network

    Trying to set up ipsec/l2tp vpn to provide full access to internal network for remote users with only Windows built-in vpn client.
    The vpn client can connect successfully, but can't see anything on the inside network.
    The ASA is not the gateway for hosts on the internal network
    name x.y.z.129 isp-gateway
    name 172.16.1.0 vpn-address-pool
    name 10.11.10.0 inside-network
    name x.y.z.128 outside-network
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list vpn extended permit ip inside-network 255.255.254.0 vpn-address-pool 255.255.255.0
    access-list outside_access_in extended permit ip any any
    global (outside) 1 interface
    nat (outside) 1 vpn-address-pool 255.255.255.0
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 isp-gateway 1
    ciscoasa# show route
    Gateway of last resort is cic-gateway to network 0.0.0.0
    C    outside-network 255.255.255.128 is directly connected, outside
    S    172.16.1.5 255.255.255.255 [1/0] via isp-gateway, outside
    C    inside-network 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via isp-gateway, outside

    Do you configure split tunnel or no split tunnel policy?
    Also when you are connected and try to access internal network, can you pls share the output of :
    show cry isa sa
    show cry ipsec sa

  • ASA 5505 VPN Network access problem

    I have been working on this thing all night and I can't seem to get any where. I have a very straight forward set up, and so far the only issue I'm having is being able to access the network when connected through VPN, I have internet access, but nothing else and it's really strange.
    Here is my config, I thought this would be a pretty straight forward set up, and I got everything else up and running with in a few minutes, but not being able to access the network via VPN is frustrating after I have tried all night to get it to work. I have read a lot of stuff online, and I keep on thinking im close but never get anywhere. Any help is appreciated.
    Attached is the config.
    Thanks

    Your NAT config confuses me. Are those "static (inside,inside)" lines for real?
    try this:
    no global (inside) 1 interface
    no nat (T1) 1 access-list outside_nat dns
    nat (inside) 0 access-list Local_LAN_Access
    And remove those dodgy "static (inside,inside)" NATs!
    I recommend staying with tunnelling everything.
    You should tighten "access-list T1_access_in" because at the moment all IP is allowed from the internet to those "static (inside,T1)" NATs.
    If you put "no sysopt connection permit-vpn" then all VPN traffic is forced through "access-list T1_access_in" - an easy way of filtering it.
    I would tighten "access-list inside_access_in" but unapply and remove "access-list inside_access_out".

Maybe you are looking for

  • External harddrive is slow

    Hello there I have a MacBook Pro Intel Core 2 Duo 2.2Ghz with Mac OS X 10.5.4, and Im experiencing slow data transfers from my Western Digital My Book 500gb external harddrive. This results in video-lag when trying to play dvd or other video files fr

  • Errors with JDK source file

    I'm extremely new to JAVA. I just installed JDK 6 and JRE on Windows XP and typed java ~version at the command prompt and got this error: Exception in thread "main" java.lang.NoClassDefFoundError: ~version caused by: java.lang.ClassNotFoundException:

  • Raytheon 2000b camera with PCI-1422

    I am trying to use a Raytheon 2000b camera with PCI-1422. I have downloaded the attached doc and icd file from NI. 1. As far as I now there is no proper NI cable for my camera, but the pinout is described in the doc file. I would like to purchase a c

  • I also encounter a publishing error

    The past few days, I have encountered a publishing error. I am using iWeb 1.1. When I publish, the content online does update, but iWeb gives an error message at the end and acts as if nothing has published. To update anything I have to update everyt

  • Cannot switch to Start Screen by Left-click of Start-Memu

    I've installed W10 TP Build 9926 onto W7 Ultimate 64-bit. It works almost fine, except inability of Left clicking on Start-Menu. The Left-click has no effect, or my screen does't change to Start screen. The Right-click works, i.e. context menu appear