ASA 5505 VPN can't access connected network
I have an ASA 5505 with ipsec VPN configured on it. I am able to connect to the ASA but I can't ping a connected network. I get a dhcp assigned address in the network I am trying to reach but can't access that network on Vlan5. Please help.
I attached the config.
I think final questions, can you have two nat statements that point to the same acl ie.
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.9.0 255.255.255.0
nat (fw-civic) 0 access-list no_nat
nat (fw-civic) 1 192.168.5.0 255.255.255.0
Or do I need to create a new acl for the fw-civic interface?
Thanks
Similar Messages
-
ASA 5505 VPN can't access inside host
I have setup remote VPN access on a ASA 5505 but cannot access the host or ASA when I login using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct Ip address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can login but not go anywhere I feel certian I missed something.
part of config below
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
service-policy global_policy global
group-policy xxxxxxx internal
group-policy xxxxxxx attributes
banner value xxxxx Disaster Recovery Site
wins-server none
dns-server value 24.xxx.xxx.xx
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
default-domain none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value xxxxxx
smartcard-removal-disconnect enable
client-firewall none
webvpn
functions url-entry
vpn-nac-exempt none
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
address-pool xxxx
default-group-policy xxxx
tunnel-group blountdr ipsec-attributes
pre-shared-key *I get the banner and IP adress info...
This is what the client log provides...
1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 172.20.255.255
Netmask 255.255.255.255
Gateway 10.1.2.1
Interface 10.1.2.5
2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201. -
ASA 5505 VPN can't access inside hosts
I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.
The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87
CiscoNo I can't ping anything.
And here is the route -print after connection
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
Default Gateway: 192.168.222.101
===========================================================================
Persistent Routes:
None -
ASA 5505 VPN - how to access Two private networks
Hello
i have cisco 5505 and i confirgured a remote VPN clients. here is my sceniro
cisco switch 2950 === holds two private network 192.168.8.x and 192.168.4.x
vlan 2 outside interface - Eth0/0 155.155.155.x
Vlan 1 inside interface -- Eth 0/1 192.168.8.180
VPN pool ip address = 192.168.8.100 --110
i drag i cable from my cisco switch and put in to Eth0/1. and i want to access this twor private networks 192.168.4.x and 192.168.8.x .
now i can access to 192.168.8.x .
but i can't access 192.168.4.x .. please can any one help me that.
Regards
Thomasconfigure a split tunnel list that contains the networks you want the client to access.
Sent from Cisco Technical Support iPad App -
ASA 5505 & VPN Client blocking access to local lan
I have setup a IPSec vpn client connection to a Cisco ASA 5505, when I connect to the unit it fully authenticates and issues me an ip address on the local lan however when I attempt to connect to any service on the local lan the following message is displayed in the log can you help:
Teardown UDP connection 192.168.110.200 53785 192.168.110.21 53 outside:192.168.110.200/53785(LOCAL\username) to inside 192.168.110/53
See the attached file for a sanitised version of the config.This is a sanitised version of the crypto dump, I have changed the user and IP addresses
ASA5505MAN# debug crypto ikev1 7
ASA5505MAN# debug crypto ipsec 7
ASA5505MAN# Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fbc167de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb72)
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb72)
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=515fbf7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2fe7cf10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb73)
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb73)
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=e450c971) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=e6c212e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb74)
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb74)
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=af5953c7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
This is the isakmp dump
ASA5505MAN# show crypto isakmp
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 1
Previous Tunnels: 40
In Octets: 322076
In Packets: 2060
In Drop Packets: 84
In Notifys: 1072
In P2 Exchanges: 35
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 24
Out Octets: 591896
Out Packets: 3481
Out Drop Packets: 0
Out Notifys: 2101
Out P2 Exchanges: 275
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 284
Initiator Tunnels: 231
Initiator Fails: 221
Responder Fails: 76
System Capacity Fails: 0
Auth Fails: 54
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 30
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 12
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
Global IKEv1 IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
ASA5505MAN#
and this is the ipsec dump
ASA5505MAN# show crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.110.200/255.255.255.255/0/0)
current_peer: x.x.x.x, username: username
dynamic allocated peer ip: 192.168.110.200
#pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
#pkts decaps: 1959, #pkts decrypt: 1959, #pkts verify: 1959
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 778, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/54599
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 532B60D0
current inbound spi : 472C8AE7
inbound esp sas:
spi: 0x472C8AE7 (1194101479)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26551
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x532B60D0 (1395351760)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 26551
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map0, seq num: 1, local addr: x.x.x.x
access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 39333117, #pkts encrypt: 39333117, #pkts digest: 39333117
#pkts decaps: 24914965, #pkts decrypt: 24914965, #pkts verify: 24914965
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 39333117, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F6943017
current inbound spi : E6CDF924
inbound esp sas:
spi: 0xE6CDF924 (3872258340)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 163840, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (3651601/15931)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF6943017 (4136906775)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 163840, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (3561355/15931)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA5505MAN# -
ASA 5505-VPN- Can't use AD services
New install:5505 VPN with MS Active Directory services on LAN.
I can VPN into the network but cannot e.g. join my laptop to the Domain. Message says "cannot find "domain" I can: ping the PDC, RDP onto the PDC or any system on the LAN. Also applications that are on the remote laptop and rely on LAN resources fail.
Any help would be welcomeSorry, just realized I did not attach config!
-
ASA 5505 VPN Can not connect clients
Hi,
I tried to search for an answer to this question but I couldn't find the answer.
I configured the VPN on the ASA, I can not get a client to connect to the ASA I've tried and search for an answer and I really need som help!
Any help is greatly appreciated.
: Saved
ASA Version 7.2(2)
hostname
domain-name
enable password
names
ddns update method
ddns both
interface Vlan1
nameif inside
security-level 100
ddns update hostname
ddns update
dhcp client update dns
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server
name-server
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list EasyVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit ip any any
access-list OUTSIDE_IN_ACL extended permit icmp any interface outside
access-list Remote-VPN_splitTunnelAcl standard permit any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Bild_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool TKK 192.168.1.200-192.168.1.220 mask 255.255.255.224
ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,inside) tcp interface 3389 access-list inside_nat_static
static (inside,inside) tcp interface ftp access-list inside_nat_static_2
static (outside,inside) x.x.x.x 192.168.1.0 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 192.168.1.253
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission
to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy EasyVPN internal
group-policy EasyVPN attributes
dns-server value 192.168.1.253
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EasyVPN_splitTunnelAcl
default-domain value xxx.se
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
dns-server value 192.168.1.253
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value xxx.se
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 192.168.1.253 x.x.x.x
vpn-tunnel-protocol IPSec webvpn
group-policy Bild internal
group-policy Bild attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Bild_splitTunnelAcl
username User attributes
vpn-group-policy DfltGrpPolicy
username Bild password encrypted privilege 0
username Bild attributes
vpn-group-policy Bild
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 220 set pfs
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
address-pool vpn
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group Bild type ipsec-ra
tunnel-group Bild general-attributes
address-pool TKK
default-group-policy Bild
tunnel-group Bild ipsec-attributes
pre-shared-key *
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
address-pool vpn
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *
tunnel-group EasyVPN type ipsec-ra
tunnel-group EasyVPN general-attributes
address-pool vpn
default-group-policy EasyVPN
tunnel-group EasyVPN ipsec-attributes
pre-shared-key *
tunnel-group Remote-VPN type ipsec-ra
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect ftp
inspect icmp
inspect pptp
service-policy global-policy global
prompt hostname context
Cryptochecksum:8cdda33b1993ba7bb33db88d996e939c
: endHi Fredrik,
I see your acl "outside_nat0_outbound" set on inside interface for no nat, but I do not see, the acl is being defined anywhere on your config.
I also strongly recommand create your vpn-pool to be different subnet rather being as same as your inside ip of your ASA.
so, let assume your vpn pool is 192.168.255.1-254/24
so, your no-nat for inside will look like this below.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.255.0 255.255.255.0
Let me know, if this helps.
thanks -
ASA 5505 VPN client LAN access problem
Hello,
I'm not expert in ASA and routing so I ask some support the following case.
There is a Cisco VPN client (running on Windows 7) and an ASA5505.
The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.
The Skype works well but I cannot access devices in the interface inside via VPN connection.
Can you please check my following config and give me advice to correct NAT or VPN settings?
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password wDnglsHo3Tm87.tM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 10.0.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns xx.xx.xx.xx interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 84.2.44.1
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy XXXXXX internal
group-policy XXXXXX attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list none
username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
username XXXXXX attributes
vpn-group-policy XXXXXX
username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
tunnel-group XXXXXX type ipsec-ra
tunnel-group XXXXXX general-attributes
address-pool VPNPOOL
default-group-policy XXXXXX
tunnel-group XXXXXX ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
: end
ciscoasa#
Thanks in advance!
fbelaconfig#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
Need to add - config#same-security-traffic permit intra-interface
#access-list extended nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
#nat (inside) 0 access-list nonat
Please add and test it.
Thanks
Ajay -
VPN Clients can't access DMZ Network
Hello,
I will try to describe my problem as best as possible. The title says VPN clients cannot access DMZ network, but that is not exactly the problem, the situation is this, a group of users are using an actual 10.x network where they have their servers and pretty much everything. The users must be relocated into a new network, the 172.16.x. In a point in time they will not have to use 10.x anymore, but meanwhile, they need access to that network.
I have an ASA 5510 as default gateway for the new network (172.16.x.x), one interface e0/0 connected to the outside (internet), interface e0/1 to the inside and other interface connected to the actual 10.x (which I call DMZ), so basically I am using the ASA as a bridge using NAT to grant access to the users in the network 172.16.x to the resources in the 10.x network while the migration is completed.
All the users must use the path to the internet thru the ASA using the NAT overload to the outside interface and I put in place a NAT policy to 10.x to allow access to the 10.x network only when the internal users 172.16.x try to reach that path and so far, everything is working just fine for the internal users.
Now for some reason, when I do VPN, the VPN clients cannot reach the 10.x network, even when they are supposed to be in the internal network (because they are doing VPN right?) .
I have enabled split tunneling with NAT exempt the 172.16 network and I am not sure if that is causing the problem, because when I trace from my PC the 172.16.16.1 address using the VPN I get the proper route path, but when I try to reach 10.x, my PC is using its default gateway and not the VPN gateway which has a route to 10.x.
I’m not even sure if what I am trying to do is possible, I want VPN users to be able to access a 10.x network using NAT overload with the Interface of the ASA plugged to the 10.x network, just like the internal users are doing right now.
Any help or advice will be highly appreciated.Allow clients to access DMZ, add exempt NAT rule, add both the "same-security-traffic" thru cli. Please give it a try.
Sent from Cisco Technical Support iPad App -
Can not access home network via ipod touch, password entered not accepted
Can not access home network via ipod touch, password entered not accepted
Trying to help my son set up his ipod touch to connect to the network and the password I entered is not accepted.
1. Which password is required? I entered the password I use for logging into my router
2. The home network is recognized, when selected it requires a password to be entered, but I am just not sure what password it is looking for to connect.
I have not been able to find any information on this subjectjersey0904, Welcome to the discussion area!
You need to enter the wireless encryption password... not the administrative password for the router. -
I am unable to re-install itunes. The installer starts ok and then indicates that it can not access a network !! I have tried to uninstall but get the sme error message. I have used 3rd party software to uninstal but still have no joy. My pc is running Vista.
Can you anyone offer a working solution ?Many thanks.
Let's try the fixit from the following Microsoft document with that one:
Fix problems with programs that can't be installed or uninstalled -
Asa 5505 Remote VPN Can't access with my local network
Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 155.155.155.10 255.255.255.0
interface Vlan5
no nameif
no security-level
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
vpn-group-policy Mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
address-pool vpn-Pool
default-group-policy mull
tunnel-group mull ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname contextHey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network) iam using Shrew Soft VPN Access Manager for my vpn connection
here is my cry ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer:155.155.155.1, username: Thomas
dynamic allocated peer ip: 192.168.100.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 73FFAB96
inbound esp sas:
spi: 0x1B5FFBF1 (459275249)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2894
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x73FFAB96 (1946135446)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2873
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 -
ASA 5505 VPN clients can't ping router or other clients on network
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
: end
Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
Thanks.I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
here is the runnign config again:
Result of the command: "show startup-config"
: Saved
: Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location Server 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:78864f4099f215f4ebdd710051bdb493 -
ASA 5505 VPN no access to inside network
Trying to set up ipsec/l2tp vpn to provide full access to internal network for remote users with only Windows built-in vpn client.
The vpn client can connect successfully, but can't see anything on the inside network.
The ASA is not the gateway for hosts on the internal network
name x.y.z.129 isp-gateway
name 172.16.1.0 vpn-address-pool
name 10.11.10.0 inside-network
name x.y.z.128 outside-network
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list vpn extended permit ip inside-network 255.255.254.0 vpn-address-pool 255.255.255.0
access-list outside_access_in extended permit ip any any
global (outside) 1 interface
nat (outside) 1 vpn-address-pool 255.255.255.0
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 isp-gateway 1
ciscoasa# show route
Gateway of last resort is cic-gateway to network 0.0.0.0
C outside-network 255.255.255.128 is directly connected, outside
S 172.16.1.5 255.255.255.255 [1/0] via isp-gateway, outside
C inside-network 255.255.254.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via isp-gateway, outsideDo you configure split tunnel or no split tunnel policy?
Also when you are connected and try to access internal network, can you pls share the output of :
show cry isa sa
show cry ipsec sa -
ASA 5505 VPN Network access problem
I have been working on this thing all night and I can't seem to get any where. I have a very straight forward set up, and so far the only issue I'm having is being able to access the network when connected through VPN, I have internet access, but nothing else and it's really strange.
Here is my config, I thought this would be a pretty straight forward set up, and I got everything else up and running with in a few minutes, but not being able to access the network via VPN is frustrating after I have tried all night to get it to work. I have read a lot of stuff online, and I keep on thinking im close but never get anywhere. Any help is appreciated.
Attached is the config.
ThanksYour NAT config confuses me. Are those "static (inside,inside)" lines for real?
try this:
no global (inside) 1 interface
no nat (T1) 1 access-list outside_nat dns
nat (inside) 0 access-list Local_LAN_Access
And remove those dodgy "static (inside,inside)" NATs!
I recommend staying with tunnelling everything.
You should tighten "access-list T1_access_in" because at the moment all IP is allowed from the internet to those "static (inside,T1)" NATs.
If you put "no sysopt connection permit-vpn" then all VPN traffic is forced through "access-list T1_access_in" - an easy way of filtering it.
I would tighten "access-list inside_access_in" but unapply and remove "access-list inside_access_out".
Maybe you are looking for
-
Hello there I have a MacBook Pro Intel Core 2 Duo 2.2Ghz with Mac OS X 10.5.4, and Im experiencing slow data transfers from my Western Digital My Book 500gb external harddrive. This results in video-lag when trying to play dvd or other video files fr
-
I'm extremely new to JAVA. I just installed JDK 6 and JRE on Windows XP and typed java ~version at the command prompt and got this error: Exception in thread "main" java.lang.NoClassDefFoundError: ~version caused by: java.lang.ClassNotFoundException:
-
Raytheon 2000b camera with PCI-1422
I am trying to use a Raytheon 2000b camera with PCI-1422. I have downloaded the attached doc and icd file from NI. 1. As far as I now there is no proper NI cable for my camera, but the pinout is described in the doc file. I would like to purchase a c
-
I also encounter a publishing error
The past few days, I have encountered a publishing error. I am using iWeb 1.1. When I publish, the content online does update, but iWeb gives an error message at the end and acts as if nothing has published. To update anything I have to update everyt
-
Cannot switch to Start Screen by Left-click of Start-Memu
I've installed W10 TP Build 9926 onto W7 Ultimate 64-bit. It works almost fine, except inability of Left clicking on Start-Menu. The Left-click has no effect, or my screen does't change to Start screen. The Right-click works, i.e. context menu appear