ASA and Cisco VPN question

I am having an issue on a new ASA. I am able to connect to the customer?s network using the Cisco VPN client, but I am not able to PING or access anything on the customers network. What needs to be done to fix this???
There is a route on the customer?s router pointing back to the firewall for the IP range you get when you VPN in?
Thanks,
Chris

Thanks, please rate.
No, it is needed for pix as well. ASA 7.2, the command is "crypto isakmp nat-traversal".
It is necessary if vpn client is connecting behind nat. Allows ipsec to be encapsulated in udp port 4500. The transport tab I mentioned is in the connection entry properties, if you click modify. You will see enable transparent tunneling over udp.

Similar Messages

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    i try to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Any one can help me ?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with Certificats
    - integrity sha2
    I try a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I didn't use that client since a couple of years any more, but it's quite flexible and also has a config for a better DH-group.
    For option 1) and 2) there is an extra license needed, but thats not very expensive.

  • Since I upgraded to Lion, my RSA securid token and Cisco VPN client doesn't work any longer. Anyone have suggestions on how to fix that?

    Since upgrading to Lion, I can no longer use VPN because my RSA securid token and CIsco VPN Client won't load. Any suggestioins out there?

    .

  • Ubuntu 9.10 and Cisco VPN

    I was wondering if anyone has gotten VPN to work properly under the new Ubuntu release, 9.10?
    In case you have, which version of VPN are you running and how did you patch the vpnclient source code to handle the 2.6.31 kernel?
    Erik

    The issues related to the Cisco VPN client have to do with the kernel version, which will affect both RH and Debian based systems -
    http://ilapstech.blogspot.com/2009/09/cisco-vpn-client-on-karmic-koala.html
    http://www.net-security.org/advisory.php?id=10892
    The first link has to do with Ubuntu 9.10 (Debian based). The second link is a Mandriva (RH based) site. The issues stem from kernels post 2.6.31rc3 and the architecture that was introduced. See both articles for more information.
    As far as this particular issue, good question. I'm still trying to figure this one out myself, but figured I would share what I've found thus far.

  • Mac Lion and Cisco VPN client problems

    I just installed Lion 10.7 on my iMac and can no longer use the downloaded Cisco VPN client to connect to Microsoft Remote Desktop and access the PC in my company's office. When I try to launch the VPN client I get Error 51. I used to be able to enter a command in the Terminal as a workaround to use the VPN client when that happened, but that no longer works. I have tried booting into 32-bit mode; doesn't work. I tried to use the Cisco client built into Lion using settings provided by my company. When I try to connect I get the following message: "The negotiation with the VPN server failed. Verify the server address and try reconnecting."
    I have searched the web looking for a solution. My company's tech department is stumped; the Apple Geniuses haven't been able to help. Does anyone have any ideas how I can use either the downloaded Cisco VPN client or the client built into Lion?
    Sent from Cisco Technical Support iPad App

    Here is the link which you can use to configure the inbuilt VPN client in MAC Lion.
    http://glazenbakje.wordpress.com/2011/07/28/how-to-create-a-cisco-vpn-connection-in-apple-mac-os-x-lion/
    Make sure you configure the attributes correctly.
    Secondly the inbuilt VPN client code of Lion is made in collaboration with Cisco so there will not be any issues of compatibility.
    Cheers,
    Rohan

  • Back To My Mac and Cisco VPN client

    I've used back to my mac for a while and love it. Recently I've had to start using the Cisco VPN client and every time I use it it says "Because Back to My Mac is turned on, your VPN connection cannot be established with the server. Would you like to turn off Back to My Mac?". Is there any way to run them both without having to keep starting and stopping back to my mac?

    I too have this issue.
    Every time I have to connect via VPN, I have to disable my Back to My Mac.
    Kinda *****.
    Any solution?

  • F3507g mobile broadband driver - Windows 7 - and Cisco Vpn issue

    Hi All,
    After 3 days trying to install / update latest drivers on my X200/ Windows 7 / 32b, it seems now that my F3507g is now installed correctly…
    I can go the a connection over internet and ping some servers BUT when I initiate my Cisco Vpn, ( working perfectly with my Ethernet connection and my Wifi 5300 AGN ) the connection is ok but no incoming or outgoing traffic !!!
    Any idea on how to solve that issue ?

    Yes, this is a problem with the IPSEC VPN NDIS driver binding your Mobile Broadband driver. You need to read this article and it is explains why and how to work around this issue:
    http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7
    Good luck 

  • 10.4.8 and Cisco/VPN problem solved

    Hi,
    This and related issues have arisen in threads on the past month, regarding the Cisco VPN v 4.9005 (and perhaps other VPN software) not working the same after the 10.4.8 upgrade. The problems relate to either not making a VPN connection, or data transfer after the successful connection is made, once the upgrade happened.
    The workaround was to run the Network Setup Assistant every time to do the connection properly before launching the VPN. But this is a pain.
    The eventual solution was simple, although effecting it was not straightforward. It was necessary to do a clean install of the VPN client. This is something that I could not accomplish manually, despite suggestions from the discussion group as to which files to remove, because it was difficult to find all the files that the install put it. But, at least on my machines, it could be done by command line in Terminal - cd to /usr/local/bin, ls vpn_uninstall to see if it is there, and if so, sudo ./vpn_uninstall.
    I don't know if other machines can do this or if this was part of our local IT install, but IT WORKED. I AM FREE!
    Wayne

    that's odd....
    I'm running cisco client 4.6.04 on OS X 10.4.8 and VNC without any problems...
    the only difference is my radius server is an NT box, but I can AFP and VNC to my Mac on that network.

  • New 2.4 Macbook and Cisco VPN problems?

    Is anyone else using the new MacBook Pro's with Cisco VPN? I cannot get the software to work, I get an error 51 "unable to connect to VPN subsystem" at every launch. I've ininstalled and reinstalled the cisco software, I'm using the latest VPN 4.9. I've got a 2.3 macbook pro sitting right next to it, and it runs the cisco software fine. Something with the Santa Rosa set? Any help would be greatly appreciated. I have no other network issues. All the software is up to date, system, cisco, etc. Thanks...

    Fixed my own problem, appears it's Parallels related, after I reinstalled the new parallels 3.0, cisco started working fine. Whew....;-) Hope this helps others.

  • IPhone OS 3.0 - internet tethering and Cisco VPN Client

    Hello,
    The latest OS for the iPhone allows users to tether their iPhone to a Mac/PC so that the user can browse the internet through the carriers mobile 3G network.
    I can confirm that internet tethering works on my Macbook Pro, but the following error is displayed when i load the CiscoVPN Client (version 4.9.01 (0100))
    "Error 51: Unable to communicate with the VPN subsystem.
    Please make sure that you have at least one network interface that is cuurently active and has an ip address and start this application again."
    Does this mean that the Cisco VPN client cannot see the internet connection supplied by the iPhone even though i can browse the internet while this error is being displayed??
    Regards,
    Eddie S

    Same problem here and I'm wondering the same. I also noticed that the same error comes also when my ethernet connection and iPhone tethering are active at the same time. Then there really should be a connection.
    Despite that, I have the same problem and using bluetooth tethering doesn't solve this. Still the same error even though Internet connection works otherwise fine.
    Any suggestions? Have Cisco tested this?
    I'm using MacBook Pro 13" OS X 10.5.8, iPhone 3GS 3.0.1 with official finnish carrier Sonera, Cisco Systems VPN Client 4.9.01 (0100)

  • So what is ActiveSync and Cisco VPN

    Sorry if I sound like an idiot here, but I'm not really up on all the technology. What I am wondering is what is this Microsoft ActiveSync and Cisco IPsec VPN that was talked about in today's press conferance?
    Also, I am kind of fuzzy about what the difference between this "push email" and what us iPhone owners have?
    Finially, I am more than likely younger than most of the posters here, and I was hoping for an MMS and AIM app. How are those looking?
    Thank you for your help, and I apologize for my ignorance

    ActiveSync is the Microsoft protocal which allows Over the Air (OTA) syncing with an exchange server. Its a vital program for getting businesses on board with the iPhone
    Cisco VPN is a very popular Virtual Private Network protocol. Again, vital for getting the iPhone in the hands of business professionals.
    Push email is an email system that sends the email to the device the moment it is received, rather than waiting for the device to poll the server to check for new messages.
    Aim is looking very good, since they demoed it at the Roadmap event. MMS is still on the fence since we won't know if the developers will have the ability to tap into that part of the OS until they get the change to really play around with the SDK.

  • AFP Freeze and Cisco VPN Client w/ new Macbook Pro

    I have an Intel Core Duo Macbook Pro with all software updates installed and running Cisco VPN client v4.9.01 (0030). If I try to connect to one of my clients via VPN and then connect to one of the server shares, afp basically freezes. I have added a snip of the log below. BUT - I take the same laptop onsite and try to connect to the same server, it works like a champ. I have tried the VPN connection from multiple source points (ie, different ISPs and routers/firewalls) and wired and wireless and all result in the same. I am frustrated and running out of options. Note that the same problem occurred with the previous Cisco VPN client and I thought the newer version would fix it - id didn't. Any help would be much appreciated.
    tia,
    Bill
    Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: doing reconnect on /Volumes/ADVSERV
    Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: connect to the server /Volumes/ADVSERV
    Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Opening session /Volumes/ADVSERV
    Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Logging in with uam 10 /Volumes/ADVSERV
    Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Restoring session /Volumes/ADVSERV
    Oct 27 16:05:01 my-computer KernelEventAgent[59]: tid 00000000 received VQ_NOTRESP event (1)
    Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: doing reconnect on /Volumes/ADVSERV
    Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: connect to the server /Volumes/ADVSERV
    Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Opening session /Volumes/ADVSERV
    Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Logging in with uam 10 /Volumes/ADVSERV
    Oct 27 16:06:03 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Restoring session /Volumes/ADVSERV
    Oct 27 16:06:03 my-computer KernelEventAgent[59]: tid 00000000 received VQ_NOTRESP event (1)

    Hi Bill,
    Do you have any comparison data on services that DO work? I don't connect remotely to any Apple services so can't vouch for AFP always working, but have no issues with RDP services for Windows servers. Running 4.9.00 (0050). I have however just quickly VPN'd to a client and successfully opened an AFP share and browsed around over VPN - didn't even hesitate in establishing the connection.
    When you mention taking the machine onsite i am assuming that you directly access the AFP shares and not via VPN, hence confirming that the VPN software is potentially the issue?
    Are you running IPSEC over UDP or TCP? My transport is over UDP.
    Good luck,
    Justin

  • Cisco ASA 5505, Cisco VPN Client and Novell Netware

    Hi,
    Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
    I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
    When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
    The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.

    If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

  • Not able to telnet or ssh to outside interface of ASA and Cisco Router

    Dear All
    Please help me with following question, I have set up testing lab, but still not work.
    it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
    Hub -- Juniper SRX
    Spoke One - Cisco ASA with version 9.1(5)
    spoke two - Cisco router with version 12.3
    site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
    Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
    Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
    When I tested it, of cause site to site vpn still up and running.
    Thanks
    YK

    Hello YK,
    On this case on the ASA, you should have the following:
    CConfiguring Management Access Over a VPN Tunnel
    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
    To specify an interface as a mangement-only interface, enter the following command:
    hostname(config)# management access management_interface
    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
    You can define only one management-access interface
    Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
      SSH
    - ssh 0 0 outside
    - aaa authentication ssh console LOCAL
    - Make sure you have a default RSA key, or create a new one either ways, with this command:
        *crypto key generate rsa modulus 2048
    Telnet
    - telnet 0 0 outside
    - aaa authentication telnet console LOCAL
    Afterwards, if this works you can define the subnets that should be permitted.
    On the router:
    !--- Step 1: Configure the hostname if you have not previously done so.
    hostname Router
    !--- aaa new-model causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.
    aaa new-model
    username cisco password 0 cisco
    !--- Step 2: Configure the router's DNS domain.
    ip domain-name yourdomain.com
    !--- Step 3: Generate an SSH key to be used with SSH.
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !--- Step 4: By default the vtys' transport is Telnet. In this case, 
    !--- Telnet and SSH is supported with transport input all
    line vty 0 4
    transport input All
    *!--- Instead of aaa new-model, the login local command may be used.
    no aaa new-model
    line vty 0 4
      login local
    Let me know how it works out!
    Please don't forget to Rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • ASA 5510 Anyconnect VPN question-"Hairpin" vpn connection on same external interface

    I have a Cisco ASA 5510, I want to allow a VPN connection to be established by a client on one of the inside interfaces(10.20.x.x) to be able to go out the single External interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.X.X) and access resources on that subnet.
    Basically want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources,
    Is this possible?
    Thanks,
    Tommy

    When we connect any VPN on a device then it is always a TO THE DEVICE connection and I am afraid we can connect only to the local / nearest interface where user is connected in a network with respect to ASA.
    I have seen this scenario working though earlier with one of my clients wherein he has configured his DNS server accordingly so that depending upon the source of the DNS request an appropriate IP address was provided for same DNS name. For example if user from IP address range 192.168.0.0 range connects to abc.com then it will get IP address 192.168.1.1 and if a user from range IP address10.0.0.0 connects then it will get 10.1.1.1.
    If we configure the same scenario as well then your requirement will be fulfiled with same name however VPN has to be enabled on wireless interface again. If not, then as you have described configuring a new domain name for VPN connection only for wireless users should do the deal.
    Regards,
    Anuj

Maybe you are looking for

  • Error in Posting of Vendore Excise Inv.

    Hi, I have been facing one error while posing of Vendor Excise Inv. against incoming materials using T.Code: J1IEX. When I try to post Excise Inv. against 'Vendor Excise Inv. / Internal Excise Inv.' I am getting Error msg "All Part I entries have bee

  • Lion tabs to a different app on wakeup from sleep

    I'm seeing this issue on both my MBP and Air which are shut and opened with some regularity. Both machines are on 10.7.2. I can have any number of applications open but say I've just got two open, Terminal and TextEdit (although it happens with any t

  • Text edges are ridged and not smooth

    I have FCE and I used livetype to add some annimated text to my video project. But when I add the text to my FCE project on playback the text edges are ridged and not smooth. How can I correct this. F.Y.I. my video projects are in HD, not sure if tha

  • Client copy using Client Export... Failed .. Need ur advice

    Hi guiys how ru all doin... I hope some one can help me oout in this issue.iam working on sap 4.6c, windows 2003 server, oracle9.2.0. we need to take client copy from production client 300 to dev server using client export method so I have performed

  • Two WRT54GL off HughesSatellite Modem: sudden problems!

    Greetings, I have been running - very successfully - a dual router setup off a HughesNet satellite system (standard plan, no static address) to operate distinct wireless networks in my business. All thanks to the generous, patient, and irreplaceable