Cannot access internal LAN after VPN connect

Similar Messages

• Cannot access internal network after Tiger upgrade

  I've just upgraded an eMac (1.25GHz, 768MB) from 10.3.9 to 10.4.6. Although I can get online, access Mail and all applications, I cannot access the internal network at all.
  I've updated to 10.4.9, but still no luck. I've restarted, logged in as a different user, logged out and in again, removed the 'com.apple.networkconfig.plist' file from the 'Library/Preferences' folder, but still doesn't work.
  I can see all the aliases to the other machines on the network in the sidebar, but clicking on them brings up a message "The alias xxxx could not be opened, because the original alias could not be found.".
  Other machines can see this on on the network. File Sharing is turned on.
  Any thoughts, I'm tearing my hair out a bit!
  Powerbook G4   Mac OS X (10.4.8)  

  no good, is an afpmounter error, i solved it with an
  Archive and Install
  http://docs.info.apple.com/article.html?artnum=107120-en
  maybe someone have a solution..
  i think is an error during the update (i had the same from panther to tiger)
  with A&I and half-hour, your machine work perfectly.

• After upgrading to Mountain Lion I am not able to access "security and privacy" button under "system preferences". I like to activate "find my mac" but cannot access privacy setting after upgrade. Kindly advice.

  After upgrading to Mountain Lion I am not able to access "security and privacy" button under "system preferences". I like to activate "find my mac" but cannot access privacy setting after upgrade. Kindly advice.

• Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows 7 64 Bit

  Users cannot access removable devices after you enable and then disable a Group Policy setting on Windows 7 64 bit machines.
  on the 32 bit machines I was able to apply this hotfix
  http://support2.microsoft.com/kb/2738898
  But it will not install on 64 bit machines. 
  Is there a hotfix for 64 bit?  If not, what is the work around?
  Thanks!
  Robert

  Select "Show hotfixes for all platforms and languages", then download x64 hotfix:
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• I cannot access my pictures when i connect my storm to my pc.

  I cannot access my pictures when i connect my storm to my pc.
  It just stoped showing me them all of a sudden. Anyone know why or how to fix it?

  Hi there!
  Since you say this started "all of a sudden" -- Anytime random strange behavior or sluggishness creeps in, the first thing to do is a battery pop reboot. With power ON, remove the back cover and pull out the battery. Wait about a minute then replace the battery and cover. Power up and wait patiently through the long reboot -- ~5 minutes. See if things have returned to good operation. Like all computing devices, BB's suffer from memory leaks and such...with a hard reboot being the best cure.
  Best!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• Cannot access my Ipad after downloading latest download.  It wont accept my password.

  I cannot access my Ipad after downloading latest download.  The Ipad wont accept my password.  What can I do?

  Try the following:
  1. Restore:
  http://support.apple.com/kb/HT1414
  2. Recovery:
  http://support.apple.com/kb/HT1808

• Cisco ASA 5505 L2TP VPN cannot access internal network

  Hi,
  I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
  Can you jhelp me to find out the issue?
  I have Cisco ASA:
  inside network - 192.168.1.0
  VPN network - 192.168.168.0
  I have router 192.168.1.2 and I cannot ping or get access to this router.
  Here is my config:
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 198.X.X.A 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network net-all
  subnet 0.0.0.0 0.0.0.0
  object network vpn_local
  subnet 192.168.168.0 255.255.255.0
  object network inside_nw
  subnet 192.168.1.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool sales_addresses 192.168.168.1-192.168.168.254
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic net-all interface
  nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
  nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
  object network vpn_local
  nat (outside,outside) dynamic interface
  object network inside_nw
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.5-192.168.1.132 inside
  dhcpd dns 75.75.75.75 76.76.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy sales_policy internal
  group-policy sales_policy attributes
  dns-server value 75.75.75.75 76.76.76.76
  vpn-tunnel-protocol l2tp-ipsec
  username ----------
  username ----------
  tunnel-group DefaultRAGroup general-attributes
  address-pool sales_addresses
  default-group-policy sales_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
  : end
  Thanks for your help.

  You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
  policy-map global_policy
    class inspection_default
      inspect icmp
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Vpn client can access internet but cannot access internal network

  I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....

  enable password ********** encrypted
  passwd ********** encrypted
  hostname Firewall
  domain-name aqswdefrgt.com.sg
  access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
  access-list nat permit tcp any host 65.165.123.142 eq smtp
  access-list nat permit tcp any host 65.165.123.142 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq smtp
  access-list nat permit tcp any host 65.165.123.143 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq www
  access-list nat permit tcp any host 65.165.123.152 eq smtp
  access-list nat permit tcp any host 65.165.123.152 eq pop3
  access-list nat permit tcp any host 65.165.123.152 eq www
  access-list nat permit tcp any host 65.165.123.143 eq https
  access-list nat permit icmp any any
  ip address outside 65.165.123.4 255.255.255.240
  ip address inside 192.168.1.2 255.255.255.0
  ip verify reverse-path interface outside
  ip local pool clientpool 192.168.50.1-192.168.50.50
  global (outside) 1 interface
  nat (inside) 0 access-list 100
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
  .255 0 0
  static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
  5.255 0 0
  static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
  .255.255 0 0
  access-group nat in interface outside
  route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa-server plexus protocol radius
  aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set myset esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map cisco 1 set transform-set myset
  crypto map dyn-map 20 ipsec-isakmp dynamic cisco
  crypto map dyn-map client authentication plexus
  crypto map dyn-map interface outside
  isakmp enable outside
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 40 authentication pre-share
  isakmp policy 40 encryption 3des
  isakmp policy 40 hash md5
  isakmp policy 40 group 2
  isakmp policy 40 lifetime 86400
  vpngroup vpn3000 address-pool clientpool
  vpngroup vpn3000 dns-server 192.168.1.55
  vpngroup vpn3000 wins-server 192.168.1.55
  vpngroup vpn3000 default-domain aqswdefrgt.com.sg
  vpngroup vpn3000 idle-time 1800
  vpngroup vpn3000 password ********
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80

• VPN clients cannot access inside LAN

  I have a vpn setup.  I can vpn in from either the outside (internet) or from inside my network.  Once I do that I can no longer ping or remote into the server I have setup on the 192.168.1.0/24 subnet.  I can ping from the 192.168.1.0 subnet to any other subnet but I cannot ping from the vpn subnet to any other subnet.  I know that I have some permits on Outside-IN and Inside-IN, this is only to make it easier to troubleshoot.  Thank you in advance.
  The VPN subnet is 192.168.2.0
  The Server subnet is 192.168.1.0
  the Internal client subnet is 10.0.0.0 /24
  Here is the config and the packet-tracer output
  RUNNING-CONFIG
  =====================
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network Axon
  network-object host 192.168.1.6
  object-group network VPN-Clients
  network-object 192.168.2.0 255.255.255.0
  object-group service HTTP-HTTPS tcp
  port-object eq www
  port-object eq https
  object-group service RDP tcp
  port-object eq 3389
  access-list Outside-IN extended permit ip any any
  access-list Inside-IN extended permit ip any any
  access-list Axon-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNPool 192.168.2.2-192.168.2.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
  access-group Inside-IN in interface inside
  access-group Outside-IN in interface outside
  route outside 192.168.2.0 255.255.255.0 192.168.1.0 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  no sysopt connection permit-vpn
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.1.5-192.168.1.36 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  svc enable
  group-policy VPNPolicy internal
  group-policy VPNPolicy attributes
  vpn-tunnel-protocol svc webvpn
  address-pools value VPNPool
  webvpn
    url-list none
    svc ask enable
  username test2 password sLyNkwX4lP/BSsCW encrypted privilege 0
  username test2 attributes
  vpn-group-policy VPNPolicy
  username fwaarmac password 5rABwjFzDBYcp0nJ encrypted privilege 15
  username fwaarmac attributes
  vpn-group-policy VPNPolicy
  username test1 password sLyNkwX4lP/BSsCW encrypted privilege 0
  username test1 attributes
  vpn-group-policy VPNPolicy
  username dan password vFpifCksRBgKm.0Q encrypted privilege 15
  username dan attributes
  vpn-group-policy VPNPolicy
  tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy VPNPolicy
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  address-pool VPNPool
  default-group-policy VPNPolicy
  tunnel-group VPN webvpn-attributes
  group-alias vpn enable
  group-url https://10.0.0.10/vpn enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:b8d7144e7d51265fa9a5f38e29f40269
  : end
  NAT / PACKET-TRACER
  ========================
  packet-tracer input outside tcp 192.168.2.1 3389 192.168.1.6 3389 detailed
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.1.0     255.255.255.0   inside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group Outside-IN in interface outside
  access-list Outside-IN extended permit ip any any
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc95ea0e0, priority=12, domain=permit, deny=false
          hits=5247, user_data=0xc793c350, cs_id=0x0, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Phase: 3
  Type: IP-OPTIONS
  Subtype:     
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc95e6d48, priority=0, domain=inspect-ip-options, deny=true
          hits=10050, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Phase: 4
  Type: HOST-LIMIT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xc959fab8, priority=0, domain=host-limit, deny=false
          hits=5248, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Phase: 5
  Type: NAT
  Subtype: rpf-check
  Result: DROP
  Config:
  nat (inside) 1 0.0.0.0 0.0.0.0
    match ip inside any outside any
      dynamic translation to pool 1 (10.0.0.10 [Interface PAT])
      translate_hits = 88, untranslate_hits = 7
  Additional Information:
  Forward Flow based lookup yields rule:
  out id=0xc962a5f8, priority=1, domain=nat-reverse, deny=false
          hits=415, user_data=0xc962a388, cs_id=0x0, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

  You would need to configure NAT exemption for the VPN client to access internal host:
  access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
  nat (inside) 0 access-list nonat
  route inside 10.0.0.0 255.255.255.0 192.168.1.x
  access-list splitacl permit 192.168.1.0 255.255.255.0
  access-list splitacl permit 10.0.0.0 255.255.255.0
  group-policy VPNPolicy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value splitacl

• Unable to access vpn box internal address after vpn

  Hi all. My office network is protected by asa5510 firewall with vpn configured. When i vpn into my office network i could not access the firewall via the firewall's internal address using telnet etc even though i have already enable telnet. The firewall is my office network gateway. Below is my config. Pls advise. Thks in advance. Access to my office network is fine using vpn.
  hostname firewall
  domain-name default.domain.invalid
  enable password xxx
  names
  dns-guard
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 192.168.1x.x 255.255.255.0
  interface Ethernet0/1
  nameif DMZ
  security-level 50
  ip address 192.168.2x.x 255.255.255.0
  interface Ethernet0/2
  nameif outside
  security-level 0
  ip address 8x.x.x.x 255.255.255.240
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  passwd xxx
  ftp mode passive
  same-security-traffic permit inter-interface
  access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended deny ip any any
  access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
  access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
  access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm-buffer-size 500
  logging asdm informational
  mtu inside 1500
  mtu DMZ 1500
  mtu outside 1500
  mtu management 1500
  ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
  no failover
  monitor-interface inside
  monitor-interface DMZ
  monitor-interface outside
  monitor-interface management
  asdm image disk0:/asdm-507.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 100 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 100 192.168.1x.0 255.255.255.0
  access-group inside_access_in in interface inside
  access-group DMZ_access_in in interface DMZ
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 8x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
  timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  group-policy vpn internal
  group-policy vpn attributes
  dns-server value 192.168.1x.x 192.168.1x.x
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  webvpn
  username ciscoadm password xxx encrypted privilege 15
  username ciscoadm attributes
  vpn-group-policy vpn
  webvpn
  http server enable
  http 192.168.1x.x 255.255.255.255 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection tcpmss 13800
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool addpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  telnet 192.168.1x.x 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0

  Hi all. Below is my configuration. After i enable "management-access inside" i could access my firewall internal ip via ping after establishing vpn connection but not others like telnet even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Pls advise.
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 192.168.1x.254 255.255.255.0
  interface Ethernet0/1
  nameif DMZ
  security-level 50
  ip address 192.168.2x.254 255.255.255.0
  interface Ethernet0/2
  nameif outside
  security-level 0
  ip address 8x.xx.xx.xx 255.255.255.240
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  passwd xxx
  ftp mode passive
  same-security-traffic permit inter-interface
  access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
  access-list inside_access_in extended permit esp any any
  access-list inside_access_in extended permit gre any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended deny ip any any
  access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
  access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
  access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
  access-list prod standard permit host 192.168.1x.x
  access-list prod standard deny any
  pager lines 24
  logging enable
  logging asdm-buffer-size 500
  logging asdm informational
  mtu inside 1500
  mtu DMZ 1500
  mtu outside 1500
  mtu management 1500
  ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
  no failover
  monitor-interface inside
  monitor-interface DMZ
  monitor-interface outside
  monitor-interface management
  asdm image disk0:/asdm-507.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 100 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 100 192.168.1x.0 255.255.255.0
  access-group inside_access_in in interface inside
  access-group DMZ_access_in in interface DMZ
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
  timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  group-policy vpnuser internal
  group-policy vpnuser attributes
  dns-server value 192.168.1x.x 192.168.1x.x
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value prod
  default-domain value mm.com
  webvpn
  username user password xxx encrypted privilege 15
  username user attributes
  vpn-group-policy vpnuser
  webvpn
  http server enable
  http 192.168.1x.x 255.255.255.255 inside
  http 0.0.0.0 0.0.0.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection tcpmss 13800
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  tunnel-group vpnuser type ipsec-ra
  tunnel-group vpnuser general-attributes
  address-pool pool
  default-group-policy vpnuser
  tunnel-group vpnuser ipsec-attributes
  pre-shared-key *
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd dns 8x.x.1x.x 8x.x.x.x
  dhcpd lease 3600
  dhcpd ping_timeout 50
  dhcpd enable management

• VM cannot access Internet when host is connected to VPN

  Hello everyone,
  I have a little problem with my Hyper-V network. I use internal switch (external seems to have problems when I want to access the host via RDP and host has Wifi only).
  Now attached is my configuration as a wonderful picture. ;) My problem is this: I have a internal switch in Hyper-V which is used by the VMs. They can access the Internet because the host WiFi Adapter has Internet Sharing enabled. However, when I connect
  the host to the VPN, the VMs cannot access the internet anymore. I know it is not possible to share the VPN-Connection itself, but without any Internet I cannot connect the VMs to the VPN at all. So is there any way to connect the host to VPN and also the
  VMs?
  Thanks! :)
  Best,
  Chris

  Hi CBuntrock,
  Please try the following setps :
  Open network connection --> right click the vpn connection --> properties --> click tab Networking --> click the proper internet protocol version --> properties --> advanced --> tab ipsettings --> uncheck  "use defult gateway
  on remote network " --> ok
  Please try to access internet again from your VMs .
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Cannot access internal web server from same lan

  i cant resolve one problem in may 1921 ISR router, i have a web server in my internal lan , i set up static nat for accessing that web server from outside and it works fine but i cannot view that site from internal workstations can you suggest me what to do. i need packets to go out the outgoing interface of router and then come back and enter the static nat wich will direct to the web server is it possible?
  static nat is
  ip nat inside source static tcp  <local web server adress> 80 <global address> 80
  also i have set up dinamic nat for outgoing trafic
  ip nat inside source list <access-list> interface <outgoing interface>   
  and it is working fine too.
  on external interface i have nat outside
  on internal interface i have nat inside

  This is not working because your router has a direct to your web server that is not through the outside interface which is needed for nat to occur, for this to work you need to setup a loopback interface as nat outside and policy route traffic to there for your server traffic
  Bu if your server is internal why do you need nat at all? Can you not use bind with views that might be simpler
  M
  Sent from Cisco Technical Support iPad App

• Unable to Access Company LAN via VPN

  Hello,
  I have a ASA 5505 that I have been using to test run the IPSec VPN connection after studying the different configs and running through the ASDM I keep getting the same issue that I can't receive any traffic.
  The company LAN is on a 10.8.0.0 255.255.0.0 network, I have placed the VPN clients in 192.168.10.0 255.255.255.0 network, the 192 clients can't talk to the 10.8 network.
  On the Cisco VPN client I can see lots of sent packets but none received.
  I think it could be to do with the NAT but from the examples I have seen I believe it should work.
  I have attached the complete running-config, as I could well have missed something.
  Many Thanks for any help on this...
  FWBKH(config)# show running-config           
  : Saved
  ASA Version 8.2(2)
  hostname FWBKH
  domain-name test.local
  enable password XXXXXXXXXXXXXXX encrypted
  passwd XXXXXXXXXXXXXXXX encrypted
  names
  name 9.9.9.9 zscaler-uk-network
  name 10.8.50.0 inside-network-it
  name 10.8.112.0 inside-servers
  name 17.7.9.10 fwbkh-out
  name 10.8.127.200 fwbkh-in
  name 192.168.10.0 bkh-vpn-pool
  interface Vlan1
  nameif inside
  security-level 100
  ip address fwbkh-in 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address fwbkh-out 255.255.255.248
  interface Vlan3
  nameif vpn
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Ethernet0/0
  interface Ethernet0/1
  switchport access vlan 2
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown    
  interface Ethernet0/7
  shutdown
  banner login Trespassers will be Shot, Survivors will be Prosecuted!!!!
  banner motd Trespassers will be Shot, Survivors will be Prosecuted!!!!
  banner asdm Trespassers will be Shot, Survivors will be Prosecuted!!!!
  boot system disk0:/asa822-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name test.local
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_UDP_1 udp
  port-object eq 4500
  port-object eq isakmp
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 log warnings inactive
  access-list inside_access_in extended permit ip inside-network-it 255.255.255.0 any inactive
  access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www
  access-list inside_access_in extended permit ip inside-servers 255.255.255.0 any log warnings
  access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq www
  access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq https
  access-list outside_nat0_outbound extended permit ip bkh-vpn-pool 255.255.255.0 10.8.0.0 255.255.0.0
  access-list outside_access_in extended permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 log errors inactive
  access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any
  access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
  access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
  access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu vpn 1500
  ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-631.bin
  no asdm history enable
  arp timeout 14400
  nat-control  
  global (inside) 1 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 10.8.0.0 255.255.0.0 dns
  nat (outside) 0 access-list outside_nat0_outbound outside
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 17.7.9.10 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 10.8.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint BKHFW
  enrollment self
  subject-name CN=FWBKH
  crl configure
  crypto ca certificate chain BKHFW
  certificate fc968750
      308201dd 30820146 a0030201 020204fc 96875030 0d06092a 864886f7 0d010105
      05003033 310e300c 06035504 03130546 57424b48 3121301f 06092a86 4886f70d 
      ccc6f3cb 977029d5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb
      7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c53 f2
    quit
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 10.8.0.0 255.255.0.0 inside
  ssh timeout 30
  ssh version 2
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy UK-VPN-USERS internal
  group-policy UK-VPN-USERS attributes
  dns-server value 10.8.112.1 10.8.112.2
  vpn-tunnel-protocol IPSec svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value UK-VPN-USERS_splitTunnel
  default-domain value test.local
  address-pools value UK-VPN-POOL
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol webvpn
  username admin password XXXXXXXXXXXXXXXXX encrypted privilege 15
  username karl password XXXXXXXXXXXXXXX encrypted privilege 15
  tunnel-group UK-VPN-USERS type remote-access
  tunnel-group UK-VPN-USERS general-attributes
  address-pool UK-VPN-POOL
  default-group-policy UK-VPN-USERS
  tunnel-group UK-VPN-USERS ipsec-attributes
  pre-shared-key *****
  tunnel-group IT-VPN type remote-access
  tunnel-group IT-VPN general-attributes
  address-pool UK-VPN-POOL
  default-group-policy UK-VPN-USERS
  tunnel-group IT-VPN ipsec-attributes
  pre-shared-key *****
  class-map ALLOW-USER-CLASS
  match access-list USER-ACL
  class-map type inspect http match-all ALLOW-URL-CLASS
  match not request header from regex ALLOW-ZSGATEWAY
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map type inspect http ALLOW-URL-POLICY
  parameters
  class ALLOW-URL-CLASS
    drop-connection
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect ip-options
  policy-map ALLOW-USER-URL-POLICY
  class ALLOW-USER-CLASS
    inspect http
  service-policy global_policy global
  service-policy ALLOW-USER-URL-POLICY interface inside
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:00725d3158adc23e6a2664addb24fce1
  : end

  Hi Karl,
  Please make the following changes:
  ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254
  access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 192.168.254.0 255.255.255.0
  no nat (outside) 0 access-list outside_nat0_outbound outside
  access-list UK-VPN-USERS_SPLIT permit 10.8.0.0 255.255.0.0
  group-policy UK-VPN-USERS attributes
  split-tunnel-network-list value UK-VPN-USERS_SPLIT
  no access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
  no access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
  access-list inside_access_in extended permit ip 10.8.0.0 255.255.255.0 192.168.254.0 255.255.255.0
  management-access inside
  As you can see, I did create a new pool, since you already have an interface in the 192.168.10.0/24 network, which does affect the VPN clients.
  Once you are done, connect the client and try:
  ping 10.8.127.200
  Does it work?
  Try to ping other internal IPs as well.
  Let me know how it goes.
  Portu.
  Please rate any helpful posts
  Message was edited by: Javier Portuguez

• Window 8.1 system unable to access network shares via VPN connection

  Is there something inherent to Windows 8.1 that prevents it from accessing shares on a domain?
  I know that it cannot join a domain, but does that also mean that it cannot access shares which are on a domain?
  My problem is that I have several user that are running windows 8.1 that are connecting to our network via a VPN.
  The users have domain accounts but their computers as windows 8.1 cannot joined to the domain.
  So to access network shares they have to use their domain credentials to create a VPN connection.
  Once connected the user can RDP to systems on the domain using their domain accounts, so I know that their user names/passwords and permissions are correct. They can access these systems using the computer name, so I don't feel that I have a DNS issue.
  They can see the shares on our file server, but when they try to access their departments shared file, they receive an access denied message. There are a few shares that are completely wide open, shared to all users and all departments but they cannot access
  those shares either.
  You can ping the file server, from the the client when they are connected to the VPN but you just cannot access any of the shares.
  So...
  I am thinking that it has something to do with windows 8.1 and not being able to join a domain, but I cannot find anything to explicitly support this thought.
  Other users running a variety different OS (windows 7, OSX, Linux) can all access the shares without any problems via the VPN, so I am a little stumped.

  I have done some more testing and oddly enough I can map a drive if I use the IPaddress, but not the computer name, when checking the check box "connect using different credentials"and providing they users domain credentials.
  This seems to point to a DNS issue, one would think, but I can hit the file share server by name \\fileserver.dev.lan
  I can see all the shares, so dns seems to be fine right?
  So I don't understand why I can map a drive using do the IPaddress and not the machine name, but yet I can see and ping the server by name?
  When I try to create a mapped drive by machine name I receive the following message:
  Windows cannot access \\fileserver.dev.lan\all
  You do not have permissions to access \\fileserver.dev.lan. contact your network administrator  to request access.
  But if I use the \\x.x.x.x\all using the very same user and password I get connected with no problem.
  This only seems to happen on windows 8.1, which leads me to think that has something to do with OS. 
  I am thinking about upgrading to windows 8.1 pro, but I don't want to go though the hassle and expanse is the OS is not the problem.

• Can't access internal network from VPN using PIX 506E

  Hello,
  I seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. My running configuration is as follows:
  Building configuration...
  : Saved
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password N/JZnmeC2l5j3YTN encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname SwantonFw2
  domain-name *****.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list outside_access_in permit icmp any any
  access-list allow_ping permit icmp any any echo-reply
  access-list allow_ping permit icmp any any unreachable
  access-list allow_ping permit icmp any any time-exceeded
  access-list INSIDE-IN permit tcp interface inside interface outside
  access-list INSIDE-IN permit udp any any eq domain
  access-list INSIDE-IN permit tcp any any eq www
  access-list INSIDE-IN permit tcp any any eq ftp
  access-list INSIDE-IN permit icmp any any echo
  access-list INSIDE-IN permit tcp any any eq https
  access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  access-list swanton_splitTunnelAcl permit ip any any
  access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  no pager
  mtu outside 1500
  mtu inside 1500
  ip address outside 192.168.1.150 255.255.255.0
  ip address inside 192.168.0.35 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool VPN_Pool 192.168.240.1-192.168.240.254
  pdm location 0.0.0.0 255.255.255.0 outside
  pdm location 192.168.1.26 255.255.255.255 outside
  pdm location 192.168.240.0 255.255.255.0 outside
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 192.168.0.0 255.255.255.0 0 0
  access-group outside_access_in in interface outside
  access-group INSIDE-IN in interface inside
  route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication LOCAL
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp identity address
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup swanton address-pool VPN_Pool
  vpngroup swanton dns-server 192.168.1.1
  vpngroup swanton split-tunnel swanton_splitTunnelAcl
  vpngroup swanton idle-time 1800
  vpngroup swanton password ********
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.0.36-192.168.0.254 inside
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside
  username scott password hwDnqhIenLiwIr9B encrypted privilege 15
  username norm password ET3skotcnISwb3MV encrypted privilege 2
  username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
  username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
  username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
  username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
  username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
  username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
  username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
  username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
  username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
  terminal width 80
  Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
  : end
  [OK]
  Any help will be greatly appreciated

  Bj,
  Are you trying to access network resources behind the inside interface?
  ip address inside 192.168.0.35 255.255.255.0
  If so, please make the following changes:
  1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
          vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
  3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  4- isakmp nat-traversal 30
  Let me know how it goes.
  Portu.
  Please rate any helpful posts