ASA 5505 VPN HELP!!!

Similar Messages

• Cisco ASA 5505 VPN Help Needed

  Hi all.
  I am trying to connect to a VPN set up at a remote customer site. However it seems that connections cannot be established from inside my office network. I have tried from other sites and connections can be established. For obvious reasons, this is not a practical solution.
  I have run network monitoring within the ASDM at the time of various connection attempts and keep get the following message:
  194.75.53.148
  regular translation creation failed for protocol 47 src inside:192.168.0.81 dst outside:194.75.53.148
  My configuration is below:
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name xxx.local
  enable password SpSqlpxlX4bU60eP encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group XXXX
  ip address xxx.xxx.xxx.xxx 255.255.255.255 pppoe setroute
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address xxx.xxx.xxx.xxx 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name xxx.local
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq https
  port-object eq smtp
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq www
  port-object eq https
  access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit tcp any host abc.abc.com eq https
  access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_1
  access-list outside_access_in extended permit tcp any host abc.abc.com eq https
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  static (inside,outside) tcp abc smtp abc smtp netmask 255.255.255.255
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  static (inside,outside) tcp abc https abc https netmask 255.255.255.255
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet 192.168.0.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.0.85 255.255.255.255 inside
  ssh timeout 5
  console timeout 0
  vpdn group abc request dialout pppoe
  vpdn group abc localname 02024658215@abc
  vpdn group abc ppp authentication pap
  vpdn username 02024658215@abc password ********* store-local
  dhcpd auto_config outside
  username manager password KDNz8d1FwKy7dzg2 encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:27b2bfc3a2fa63ce614199070bd1195f
  : end
  If I drill down into the error further it says that the ASA is not permitted to let traffic destined for a network or broadcast address through. The traffic is coming back to 192.168.0.81 which is neither of these.
  Maybe I am overlooking something simple but any help or guidance would be much appreciated.
  Thanks in advance.
  Ben Peacock.

  Hi,
  Try adding the following configuration
  policy-map global_policy
  class inspection_default
    inspect pptp
  And then try again.
  I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
  - Jouni

• Cisco ASA 5505 VPN help for local lan access.

  Hi all,
  I am very new to Cisco systems. Recently I was tasked to enable local lan access for one of my server. The problem is this. I have this server with 2 interfaces. One interface to my FTP server(192.168.2.3) and the other to the Cisco ASA(192.168.1.1). Whenever I connect the server to Cisco Anyconnect VPN, I am unable to access the FTP server anymore.
  I googled and found out that the problem is because the metric level is 1 for Ciscoanyconnect network interface which causes all traffic to go through the Cisco VPN Interface. Another problem is I can't change the metric of the Cisco VPN Interface as whenever I reconnect to the VPN, the metric resets back to 1 again. I tried to follow some guides to configure split tunnel but my traffic is still going through the VPN connection.
  Anyone can tell me what I am missing here? Sorry I am very new to Cisco systems. Spent about 5 days troubleshooting and I feel I am getting it soon. Anyone can guide me what else I am supposed to do?
  What I did> Configuration>> Remote access VPN>> Network Client Access>> Group Policies>> Advanced>> Split Tunneling>> Uncheck Inherit and select "Exclude Network List below.>> Uncheck Network List and select Manage, Add 192.168.2.0/24 to permit.
  Really appreciate if anyone can tell me what else I can do to ensure my server has access the my FTP Server after connecting to the VPN.
  Thanks all!
  Wen Qi

  Hi,
  Try adding the following configuration
  policy-map global_policy
  class inspection_default
    inspect pptp
  And then try again.
  I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
  - Jouni

• ASA 5505 & VPN Client blocking access to local lan

  I have setup a IPSec vpn client connection to a Cisco ASA 5505, when I connect to the unit it fully authenticates and issues me an ip address on the local lan however when I attempt to connect to any service on the local lan the following message is displayed in the log can you help:
  Teardown UDP connection 192.168.110.200 53785 192.168.110.21 53 outside:192.168.110.200/53785(LOCAL\username) to inside 192.168.110/53
  See the attached file for a sanitised version of the config.

  This is a sanitised version of the crypto dump, I have changed the user and IP addresses
  ASA5505MAN# debug crypto ikev1 7
  ASA5505MAN# debug crypto ipsec 7
  ASA5505MAN# Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fbc167de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
  Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
  Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb72)
  Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb72)
  Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
  Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
  Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=515fbf7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2fe7cf10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
  Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
  Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb73)
  Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb73)
  Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
  Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
  Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=e450c971) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=e6c212e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
  Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
  Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb74)
  Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb74)
  Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
  Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
  Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=af5953c7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  This is the isakmp dump
  ASA5505MAN# show crypto isakmp
  IKEv1 SAs:
     Active SA: 2
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 2
  1   IKE Peer: x.x.x.x
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  2   IKE Peer: x.x.x.x
      Type    : user            Role    : responder
      Rekey   : no              State   : AM_ACTIVE
  There are no IKEv2 SAs
  Global IKEv1 Statistics
    Active Tunnels:              1
    Previous Tunnels:           40
    In Octets:              322076
    In Packets:               2060
    In Drop Packets:            84
    In Notifys:               1072
    In P2 Exchanges:            35
    In P2 Exchange Invalids:     0
    In P2 Exchange Rejects:      0
    In P2 Sa Delete Requests:   24
    Out Octets:             591896
    Out Packets:              3481
    Out Drop Packets:            0
    Out Notifys:              2101
    Out P2 Exchanges:          275
    Out P2 Exchange Invalids:    0
    Out P2 Exchange Rejects:     0
    Out P2 Sa Delete Requests: 284
    Initiator Tunnels:         231
    Initiator Fails:           221
    Responder Fails:            76
    System Capacity Fails:       0
    Auth Fails:                 54
    Decrypt Fails:               0
    Hash Valid Fails:            0
    No Sa Fails:                30
  Global IKEv2 Statistics
    Active Tunnels:                          0
    Previous Tunnels:                        0
    In Octets:                               0
    In Packets:                              0
    In Drop Packets:                         0
    In Drop Fragments:                       0
    In Notifys:                              0
    In P2 Exchange:                          0
    In P2 Exchange Invalids:                 0
    In P2 Exchange Rejects:                  0
    In IPSEC Delete:                         0
    In IKE Delete:                           0
    Out Octets:                              0
    Out Packets:                             0
    Out Drop Packets:                        0
    Out Drop Fragments:                      0
    Out Notifys:                             0
    Out P2 Exchange:                         0
    Out P2 Exchange Invalids:                0
    Out P2 Exchange Rejects:                 0
    Out IPSEC Delete:                        0
    Out IKE Delete:                          0
    SAs Locally Initiated:                   0
    SAs Locally Initiated Failed:            0
    SAs Remotely Initiated:                  0
    SAs Remotely Initiated Failed:           0
    System Capacity Failures:                0
    Authentication Failures:                 0
    Decrypt Failures:                        0
    Hash Failures:                           0
    Invalid SPI:                             0
    In Configs:                              0
    Out Configs:                             0
    In Configs Rejects:                      0
    Out Configs Rejects:                     0
    Previous Tunnels:                        0
    Previous Tunnels Wraps:                  0
    In DPD Messages:                         0
    Out DPD Messages:                        0
    Out NAT Keepalives:                      0
    IKE Rekey Locally Initiated:             0
    IKE Rekey Remotely Initiated:            0
    CHILD Rekey Locally Initiated:           0
    CHILD Rekey Remotely Initiated:          0
  IKEV2 Call Admission Statistics
    Max Active SAs:                   No Limit
    Max In-Negotiation SAs:                 12
    Cookie Challenge Threshold:          Never
    Active SAs:                              0
    In-Negotiation SAs:                      0
    Incoming Requests:                       0
    Incoming Requests Accepted:              0
    Incoming Requests Rejected:              0
    Outgoing Requests:                       0
    Outgoing Requests Accepted:              0
    Outgoing Requests Rejected:              0
    Rejected Requests:                       0
    Rejected Over Max SA limit:              0
    Rejected Low Resources:                  0
    Rejected Reboot In Progress:             0
    Cookie Challenges:                       0
    Cookie Challenges Passed:                0
    Cookie Challenges Failed:                0
  Global IKEv1 IPSec over TCP Statistics
  Embryonic connections: 0
  Active connections: 0
  Previous connections: 0
  Inbound packets: 0
  Inbound dropped packets: 0
  Outbound packets: 0
  Outbound dropped packets: 0
  RST packets: 0
  Recevied ACK heart-beat packets: 0
  Bad headers: 0
  Bad trailers: 0
  Timer failures: 0
  Checksum errors: 0
  Internal errors: 0
  ASA5505MAN#
  and this is the ipsec dump
  ASA5505MAN# show crypto ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x
        local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.110.200/255.255.255.255/0/0)
        current_peer: x.x.x.x, username: username
        dynamic allocated peer ip: 192.168.110.200
        #pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
        #pkts decaps: 1959, #pkts decrypt: 1959, #pkts verify: 1959
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 778, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/54599
        path mtu 1500, ipsec overhead 82(52), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: 532B60D0
        current inbound spi : 472C8AE7
      inbound esp sas:
        spi: 0x472C8AE7 (1194101479)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
           slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 26551
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x532B60D0 (1395351760)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
           slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 26551
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
      Crypto map tag: outside_map0, seq num: 1, local addr: x.x.x.x
        access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.0.0 255.255.0.0
        local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
        current_peer: x.x.x.x
        #pkts encaps: 39333117, #pkts encrypt: 39333117, #pkts digest: 39333117
        #pkts decaps: 24914965, #pkts decrypt: 24914965, #pkts verify: 24914965
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 39333117, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: F6943017
        current inbound spi : E6CDF924
      inbound esp sas:
        spi: 0xE6CDF924 (3872258340)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 163840, crypto-map: outside_map0
           sa timing: remaining key lifetime (kB/sec): (3651601/15931)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xF6943017 (4136906775)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 163840, crypto-map: outside_map0
           sa timing: remaining key lifetime (kB/sec): (3561355/15931)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  ASA5505MAN#

• ASA 5505 VPN can't access connected network

  I have an ASA 5505 with ipsec VPN configured on it.  I am able to  connect to the ASA but I can't ping a connected network.  I get a dhcp  assigned address in the network I am trying to reach but can't access  that network on Vlan5.  Please help.
  I attached the config.

  I think final questions, can you have two nat statements that point to the same acl ie.
  access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
  access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
  nat (inside) 0 access-list no_nat
  nat (inside) 1 192.168.9.0 255.255.255.0
  nat (fw-civic) 0 access-list no_nat
  nat (fw-civic) 1 192.168.5.0 255.255.255.0
  Or do I need to create a new acl for the fw-civic interface?
  Thanks

• ASA 5505 VPN Connection Issue

  Good morning everyone,
  At my last position I was IT Director whose area of expertise was database and application development. All of the company's networking planning and maintainence I entrusted to my sysadmin, Salvadore. Back in 2004 we began implementing major changes in the network. Salvadore recommended SonicWALL firewalls. He did a fantastic job of securing our valuable server assets. Among the many improvements Salvadore established VPN access to the datacenter assets for mobile employees. What I remember especially well was the ease-of-use: start the VPN Client then RDP to a server or connect with SQL Server, in addition to connecting to all devices on my home network. It was absolutely beautiful!
  Fast forward to today. I have since retired. I do a little bit of daytrading on the side for entertainment. I leased a dedicated server to run an application that runs continuously 24 hours a day, 5 days a week. I contacted Salvadore to do a security audit on the server. As expected the server was under constant assault by bots trying to hack the RDP port. Salvadore recommended a firewall. The datacenter host offered us two choices of Cisco firewalls, one of which we chose: ASA 5505.
  Today I have a secure server which pleases me. The one thing that bothers me however is that I lose access to my home network devices while the VPN Client is connected. Here are the symptoms:
  I cannot send an email with Outlook as I normally do by relaying off of my Internet provider's SMTP server.
  I cannot connect to the TradeStation servers with my TradeStation application using login credentials that are authorized for my home network only.
  I cannot access my Seagate network storage drive.
  This is what I discovered:
  My wireless adapter (which I use from this laptop) identifies itself as "Wireless LAN adapter Wireless Network Connection" in IPCONFIG. IPv4 address is 192.168.0.5. Default Gateway: 192.168.0.1.
  After I connect the VPN Client, IPCONFIG reports a new adapter: "Ethernet adapter Local Area Connection 2". IPv4 address is 10.0.10.4. Default Gateway: 10.0.10.1.
  When I launch Windows Task Manager and click on the Networking tab, I see those two adapters.
  When launch IE and go to bandwidthplace.com to run a test, I see all of the network traffic going over "Ethernet adapter Local Area Connection 2".
  When I disconnect VPN and then rerun the bandwidth test, I see that all of the network traffic now goes over "Wireless LAN adapter Wireless Network Connection".
  This explains all of the symptoms:
  My Internet Provider will only allow me to relay off of their email servers if I am connected to their network.
  TradeStation refuses connection to their network because my credentials do not match my network address.
  There is no Seagate network storage device on the remote server network.
  My questions to the Cisco Support Community are:
  Is this the best I can hope for?
  Must all traffic be routed through the VPN connection?
  Is there any way to route traffic destined for 10.0.*.* through VPN and everything else through the default connection?
  Thank you everyone for your help. I would be happy to provide additional detailed information.

  Hi Brian,
  you can route traffic destined to 10.0.*.* over the VPN and keep normal internet traffic unencrypted over the default connection - this setup is known as VPN Split Tunnelling.
  This doc shows how to setup the access control list and apply this to the tunnel policy.
  Hope this helps
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

• Asa 5505 vpn

  Hello, i have asa 5505. Users can connect to inside network (192.168.1.0) throught L2TP VPN and can ping inside network. Need to allow vpn users (192.168.2.0) to ping each other.
  interface Vlan1 
  nameif inside 
  security-level 100 
  ip address 192.168.1.1 255.255.255.0 
  interface Vlan2 
  nameif outside 
  security-level 0 
  ip address dhcp setroute 
  same-security-traffic permit inter-interface 
  access-list Local_LAN_Access remark VPN Client Local LAN Access 
  access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0 
  access-list Inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0 
  access-list Inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0 
  access-list Inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0 
  access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
  access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 
  access-list Local_LAN_Access_l2tp remark l2tp Client Local LAN Access 
  access-list Local_LAN_Access_l2tp standard permit 192.168.1.0 255.255.255.0 
  access-list Local_LAN_Access_l2tp standard permit 192.168.2.0 255.255.255.0 
  access-list vpn_l2tp extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
  access-list split-tunnel standard permit 192.168.1.0 255.255.255.0 
  access-list split-tunnel remark match Anyconn client to tunnel traffic 
  ip local pool l2tp-ipsec_address 192.168.2.100-192.168.2.114 mask 255.255.255.0 
  nat-control 
  global (inside) 2 192.168.1.101 
  global (inside) 3 192.168.1.102 
  global (outside) 1 interface 
  nat (inside) 0 access-list Inside_nat0_outbound 
  nat (inside) 1 192.168.1.0 255.255.255.0 
  nat (outside) 2 access-list vpn 
  nat (outside) 3 access-list vpn_l2tp 
  crypto ipsec transform-set trans esp-3des esp-sha-hmac 
  crypto ipsec transform-set trans mode transport 
  crypto dynamic-map dyno 10 set transform-set trans 
  crypto map vpn 65535 ipsec-isakmp dynamic dyno 
  crypto map vpn interface outside 
  crypto isakmp enable outside 
  crypto isakmp policy 1 
  authentication pre-share 
  encryption 3des 
  hash sha 
  group 2 
  lifetime 43200 
  crypto isakmp policy 10 
  authentication rsa-sig 
  encryption 3des 
  hash sha 
  group 2 
  lifetime 86400 
  crypto isakmp nat-traversal 30 
  vpn-addr-assign local reuse-delay 5 
  group-policy l2tp-ipsec_policy internal 
  group-policy l2tp-ipsec_policy attributes 
  dns-server value 192.168.1.10 
  vpn-tunnel-protocol l2tp-ipsec 
  split-tunnel-policy tunnelspecified 
  split-tunnel-network-list value Local_LAN_Access_l2tp

  Hello,
  You will have to configure hair pinning / u turning to get this working. Make sure the vpn pool is allowed in the split access-list for L2TP clients.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
  Hope this helps.
  Regards,
  Dinesh Moudgil
  P.S. Please rate helpful posts.

• ASA 5505 VPN configuration question

  I have a asa 5505 v7.2(3) asdm 5.2(3) th I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My asa now has a non routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have natted my servers, but I cannot get my vpn clients connected. I am not sure how to get one of my statics assigned to the asa to use for the VPN tunnel. Used to be I just tunneled to the static "outside" address with my Cisco VPN clients (remote pc's). I tried assigning one of my statics to the outside, but then I had no connectivity at all since there is a router now before me, where it was just a modem before. I am used to working on larger pix's with my own IP address range, and not used to dealing with DHCP assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated, this is for a small charity animal shelter, that has been down since the cable company made their "transparent change" when the bought another one out.
  The ISP router has an interface with one of my static on the outside facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP hinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. also the ethernet interfaces cannot have address assigned, only vlans, which there can only be two, and both are used (inside, outside) so I am out of ideas.
  Thanks for any help
  Thanks much

  Hi Kevin
  Your current design causes administrative overhead. You either need one-to-one mapping with outside int or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause troubles in GRE)
  Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead 10.x.x.x
  Regards

• ASA 5505 VPN One Way Traffic

  I am currently having an issue with two ASA 5505s.  One would be representing a Central office for a small business operating a L2L IPsec VPN using a dynamic map for a remote site that does not have a static IP address.
  I stripped the configuration down to the minimal possible for testing to get this working but ran into an issue where although I have my ISAKMP SA and my IPsec SA the tunnel is only passing traffic from my remote site with the dynamic address to the Central site with a static IP address.  The Central site with the static IP address will not pass traffic to the remote site.
  During my troubleshooting I came across two different issues.  I could at some points get traffic coming from the Central site to hit my ACL as interesting traffic to the remote site, but it would then not hit the ACL for no NAT.  I just could not figure out why the no NAT ACL wasn't working.  My configuration matched a few configurations I found online, but no joy on getting it to actually bypass NAT to the remote site. 
  I have had the same type of set-up working on ISRs with no issue, but I do not have the same amount of experience with ASAs so any help would be appriciated.  The Configurations I am using for the basic testing are below with the Hub being the Static IP site and the Spoke being a dynamic IP address site.
  ASA Version 8.0(2)
  hostname ASAHUB
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 12.15.44.176 255.255.255.192
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  shutdown
  interface Ethernet0/2
  shutdown    
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  passwd 2KFQnbNIdI.2KYOU encrypted
  ftp mode passive
  access-list NONAT_INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-713.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT_INSIDE
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 12.15.44.129 1
  route outside 192.168.20.0 255.255.255.0 12.15.44.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TEST esp-3des esp-md5-hmac
  crypto dynamic-map TEST 20 match address VPN
  crypto dynamic-map TEST 20 set transform-set TEST
  crypto map TEST 30 ipsec-isakmp dynamic TEST
  crypto map TEST interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal 10
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key *
  ASA Version 8.2(1)
  hostname ASASPOKE
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  shutdown
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  ftp mode passive
  access-list NONAT_INSIDE extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT_INSIDE
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TEST esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPN 10 match address VPN
  crypto map VPN 10 set peer 12.15.44.176
  crypto map VPN 10 set transform-set TEST
  crypto map VPN interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group 12.xx.xx.xx type ipsec-l2l
  tunnel-group 12.xx.xx.xx ipsec-attributes
  pre-shared-key *

  Well I had pretty much given up on this, but today had a few extra minutes so I grabbed some ASAs that I had wiped for a different project, copied my configs back on them and actually ended up with a functional VPN passing traffic in both directions.  The only change that was made from the above configurations was with NAT traversal. 
  On the Configurations above the NAT traversal was configured only on the HUB ASA.  When I got the configuration to work correctly it was with the NAT traversal configured only on the Spoke/Remote ASA.  Does anyone know why that made the difference? 
  The final configs for both of the devices I used for testing are below. 
  ASA Version 8.0(2)
  hostname HUB
  enable password 8Ry2YjIyt7RRXU24 encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 12.xx.xxx.xx 255.255.255.192
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  shutdown
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  passwd 2KFQnbNIdI.2KYOU encrypted
  ftp mode passive
  access-list NONAT_INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-713.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT_INSIDE
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 12.15.44.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TEST esp-3des esp-md5-hmac
  crypto dynamic-map TEST 20 match address VPN
  crypto dynamic-map TEST 20 set transform-set TEST
  crypto map TEST 30 ipsec-isakmp dynamic TEST
  crypto map TEST interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters  
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key cisco
  prompt hostname context
  Cryptochecksum:ac4003df5144c618b70555bf31b56e03
  : end        
  ASA Version 8.2(1)
  hostname ASASPOKE
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  shutdown    
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  ftp mode passive
  access-list NONAT_INSIDE extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT_INSIDE
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TEST esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPN 10 match address VPN
  crypto map VPN 10 set peer 12.xx.xxx.xx
  crypto map VPN 10 set transform-set TEST
  crypto map VPN interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal 10
  track 10 rtr 10 reachability
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  tunnel-group 12.xx.xxx.xx type ipsec-l2l
  tunnel-group 12.xx.xxx.xx ipsec-attributes
  pre-shared-key cisco
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:50a9d87c794db95b0f4cac127ee3c0fe
  : end

• ASA 5505 VPN Issue

  We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to setup an ASA 5505 as a rmote firewall as a future replacement for the PIX 506's. I am able to get the site to site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote Ipsec rules prtect the outside interface to headend LAN just like I do on the 506's. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.

  Thanks for your reply. This is already set allong with the following.
  icmp permit any inside
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
  When I do an inspect on the ping packets from the remote LAN I get an interesting result.
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (ipsec-spoof) IPSEC Spoof detected

• ASA 5505 VPN with dhcp at endpoint

  I have a new customer that I installed an ASA 5505 to replace a Linksys VPN router.  They have a main office with a static IP address, 3 branch offices with static IP addresses and 2 branches that are doing DHCP from the ISP for their router address.  I have no problem getting the static VPNs up and running.  My problem is with the VPN connections that are doing DHCP.  I can go in and determine what IP they are currently using and setup a connection and it works fine.  The problem is of course when their IP address from the ISP changes, which seems to happen at least daily.  What is the proper way to setup a connection that is using DHCP?  Also, can you setup multiple connections this way?  Currently the 2 locations have different passwords setup in their routers.
  I need help ASAP as this customer is getting frustrated quickly.  I do not want to lose a customer that I just got over this.
  Thanks in advance,
  Steve

  Go to this link and scroll down to  Site to Site VPN (L2L) with IOS  and Site to Site VPN (L2L) with ASA, you can use the links example depicting your scenario requirements, where one end is dynamic and other static for Ipsec L2L  IOS-to-ASA or ASA-to-IOS.
  The best solution obiosly is having  static IP addressing, make that clear with your client  , but  these exmaples are very good solution for your problem.
  Keep in mind that the DHCP dynamic side will  always be the initiator to  bring up the tunnel , not the static side.
  http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
  Regards

• CISCO ASA 5505 VPN problem in Windows 7

  I am using CISCO ASA 5505. Client PC with Windows XP can use IE to make the VPN connection normally.
  However, client PC with Windows 7 cannot use IE to make the VPN connection.
  It just show the error of "Internet Explorer cannot display the webpage"
  Would you please help?
  Thank you very much!

  Hi Timothy,
  Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying connection from a restricted machine.
  Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
  Let me know if this helps.
  Thanks,
  Vishnu Sharma

• ASA 5505 vpn/OWA issue

  I have a client that is running Win2003 Server R2 with Exchange Server 2003. OWA was setup and clients could connect to their exchange mailbox from the internet with no problems.
  We recently configured vpn on the ASA 5505 and now no-one can connect to OWA since that time.
  Any thoughts?

  Have you been using the ASDM to configure the VPN? In that case, you may have removed the required portforwarding or modified the access-list that allows traffic from the outside.
  regards,
  Leo

• ASA 5505 VPN Ping Problems

  Hello everyone,
  First off, I apologize if this is something that I can google. My knowledge of network administration is all self-taught so if there is a guide to follow that I've missed please point me in the right direction, its often hard to Google terms for troubleshooting when your jargon isn't up to snuff.
  The chief issue is that when pinging internal devices while connected to the results are very inconsistent.
  Pinging 192.168.15.102 with 32 bytes of data:
  Reply from 192.168.15.102: bytes=32 time=112ms TTL=128
  Request timed out.
  Request timed out.
  Request timed out.
  We've set up a IPSec VPN connection to a remote Cisco ASA 5505. There are no issues connecting, connection seems constant, packets good etc. At this point I can only assume I have configuration issues but I've been looking at this for so long, and coupled with my inexperience configuring these settings I have no clue where to start. My initial thoughts are that the LAN devices I am pinging are not sending their response back or the ASA doesn't know how to route packets back?
  Here's a dump of the configuration:
  Result of the command: "show config"
  : Saved
  : Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013
  ASA Version 8.2(5)
  hostname VPN_Test
  enable password D37rIydCZ/bnf1uj encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.15.0 internal-network
  ddns update method DDNS_Update
  ddns both
  interval maximum 0 4 0 0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  description VLAN to inside hosts
  nameif inside
  security-level 100
  ddns update hostname 0.0.0.0
  ddns update DDNS_Update
  dhcp client update dns server both
  ip address 192.168.15.1 255.255.255.0
  interface Vlan2
  description External VLAN to internet
  nameif outside
  security-level 0
  ip address xx.xx.xx.xx 255.255.255.248
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns server-group DefaultDNS
  name-server 216.221.96.37
  name-server 8.8.8.8
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended deny icmp interface outside interface inside
  access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
  access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0
  access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192
  access-list inside_access_in remark Block Internet Traffic
  access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
  access-list inside_access_in remark Block Internet Traffic
  access-list inside_access_in extended permit ip interface inside interface inside
  access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192
  access-list inside_access_in remark Block Internet Traffic
  access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
  ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any echo-reply outside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 0 access-list inside_nat0_outbound_1 outside
  nat (inside) 1 192.168.15.192 255.255.255.192
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group inside_access_ipv6_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http internal-network 255.255.255.0 inside
  http yy.yy.yy.yy 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection timewait
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd auto_config outside
  dhcpd address 192.168.15.200-192.168.15.250 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 192.168.15.101 source inside
  ntp server 192.168.15.100 source inside prefer
  webvpn
  group-policy Remote internal
  group-policy Remote attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Remote_splitTunnelAcl
  username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0
  username StockUser attributes
  vpn-group-policy Remote
  tunnel-group Remote type remote-access
  tunnel-group Remote general-attributes
  address-pool VPN_IP_Pool
  default-group-policy Remote
  tunnel-group Remote ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

  Hi Graham,
  My first question is do you have a site to site VPN or Remote access client VPN.
  After checking your configuration i see that you do not have any Site to SIte VPN configuration so i am assuming that you ara facing issue with the VPN client.
  And if i understood correctly you are able to connect the VPN client but you not able to access the internal resources properly.
  I would recommend you to tey and make teh following changes.
  Remove the following configuration first:
  nat (inside) 0 access-list inside_nat0_outbound_1 outside
  nat (inside) 1 192.168.15.192 255.255.255.192
  You do not need the 1st one and i do not understand the reason of the second one
  Second one is your pool IP subnet (192.168.15.200-192.168.15.250) and i am not sure why you have added this NAT.
  If possible change your Pool subnet all together because we do not recommend to use th POOL ip which is simlar to your local LAN.
  Try the above changes and let me know in case if you have any issue.
  Thanks
  Jeet Kumar

• ASA 5505 VPN can't access inside host

  I have setup remote VPN access on a ASA 5505 but cannot access the host or ASA when I login using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct Ip address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can login but not go anywhere I feel certian I missed something.
  part of config below
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map inside_dyn_map 20 set pfs
  crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  service-policy global_policy global
  group-policy xxxxxxx internal
  group-policy xxxxxxx attributes
  banner value xxxxx Disaster Recovery Site
  wins-server none
  dns-server value 24.xxx.xxx.xx
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
  default-domain none
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout none
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools value xxxxxx
  smartcard-removal-disconnect enable
  client-firewall none
  webvpn
  functions url-entry
  vpn-nac-exempt none
  no vpn-addr-assign aaa
  no vpn-addr-assign dhcp
  tunnel-group xxxx type ipsec-ra
  tunnel-group xxxx general-attributes
  address-pool xxxx
  default-group-policy xxxx
  tunnel-group blountdr ipsec-attributes
  pre-shared-key *

  I get the banner and IP adress info...
  This is what the client log provides...
  1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
  AddRoute failed to add a route: code 87
  Destination 172.20.255.255
  Netmask 255.255.255.255
  Gateway 10.1.2.1
  Interface 10.1.2.5
  2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
  Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.