Cannot ping outside private network
I can currently ping my internal network, but cannot ping anything beyond
that. This is causing problems too because payroll need to connect via
dns name or ip address.
If someone can help.
Mike
That worked! Thank you!
Mike
> Mike,
>
> > When I go into inetcfg, the bindings for both cards are set to
dynamic.
> > Nothing has changed from when it was working until now.
>
> Make sure that in you've enabled Network address translation for the
> PUBLIC iP address only (10.x.x.x). This is in inetcfg/bindings/select
> the public IP address/go to expert bind options/network address
> translation and have it configured to Dynamic only.
> Also, in inetcfg/protocol/tcpip make sure that packet forwarding is
enabled.
> Try again with IPFLT unloaded and let me know.
>
>
> --
> Cat
> NSC Volunteer Sysop
Similar Messages
-
ASA 5505 - Cannot ping outside natted interface
Hello,
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network
Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
Thank you in advance
the config are:
: Saved
ASA Version 8.2(1)
hostname ciscoasa
domain-name domain
enable password ********** encrypted
passwd ************ encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.88.188.122 255.255.255.248
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name domain
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
access-list outside_in extended permit tcp any host 172.88.188.123 eq www
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.88.188.128
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:865943aa325eb75812628fec3b1e7249
: endYou are looking for this. 2 options, dns doctoring, or hairpinning (2nd part of document.) Post back if you need help setting it up.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Hairpinning would look like this in your scenario.
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255 -
I can SSH from the outside but cannot ping ISP gateway from 2911
Hello all,
I came across a rather strange issue. I am able to SSH to the device from my home but while I am consoled in, I cannot ping the ISP gateway or any other IP's. As expected, all trace-routes fail without hitting the gateway as the first hop. I have been reading about the NVI0 interface and I decided to use it. Most of the sample cofigs on here use the "old" ip nat inside / outside on the appropriate interfaces. What do you guys suggest?
Here is the running config. It is rather simple since i did not add all the access-lists except the ones I thought necessary to test the circuit. Please point out any mistakes or errors. Thanks in advance!
Current configuration : 1679 bytes
! Last configuration change at 04:05:17 UTC Fri Sep 12 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname StandbyGZ-2911
boot-start-marker
boot-end-marker
enable secret 5 $1$BRaM$igChPMXLeHjgYR7EGk/Nb/
no aaa new-model
no ipv6 cef
no ip source-route
ip cef
no ip domain lookup
ip domain name StandbyGZ.local
ip name-server 211.136.20.203
ip name-server 211.139.136.68
multilink bundle-name authenticated
license udi pid CISCO2911/K9 sn FGL174410H9
username StandbyGZ secret 5 $1$CXWC$m6kqTGbf0HDLCvkfU7.RA/
ip ssh version 2
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0/1
description UPLINK TO CHINA MOBILE
ip address 183.x.x.x 255.255.255.128
ip access-group REMOTE-ADMIN-ACL in
no ip redirects
ip nat enable
duplex auto
speed auto
interface GigabitEthernet0/2
description CONNECTION TO LAN SWITCH 3650-CORE
ip address 10.10.1.254 255.255.254.0
no ip redirects
ip nat enable
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 183.x.x.x
ip access-list standard LAN-NAT-ACL
permit 10.10.0.0 0.0.1.255
ip access-list extended REMOTE-ADMIN-ACL
permit tcp host 68.107.195.213 any eq 22 log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input ssh
transport output ssh
scheduler allocate 20000 1000
end
StandbyGZ-2911# sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/1 183.x.x.x YES NVRAM up up
GigabitEthernet0/2 10.10.1.254 YES NVRAM up up
NVI0 183.x.x.x YES unset up up
StandbyGZ-2911#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 183.233.184.129 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 183.233.184.129
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.0.0/23 is directly connected, GigabitEthernet0/2
L 10.10.1.254/32 is directly connected, GigabitEthernet0/2
183.233.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 183.x.x.x/25 is directly connected, GigabitEthernet0/1
L 183.x.x.x/32 is directly connected, GigabitEthernet0/1Hi Chris,
That is what how I am used to configure the NAT, but IOS 12.3 and on introduced interface NVI0, which according to cisco documentation should make applying the NAT statements "easier". IP nat enable has to be enabled on all interfaces and then NVI0 makes the "inside" and "outside" decisions. I was hoping that someone could clarify the real use of that NVI0 interface and if it causes problems. Apparently it cannot be removed from the config. -
Cannot ping windows 2008 r2 while it is possible for another machine in the same network
Hi,
Recently I have set up a new server with windows 2008 r2 enterprise OS which is a domain member server.
At network layer I have two networks one with 192.168.1.0/22 and another with 10.0.0.0/24 network IDs.
My problem is that I cannot ping the newly installed server from a specific machine. Server's IP address is 192.168.1.56 and the specific machine's IP address is 10.0.0.12 and it is a windows XP machine. Of course I have to say that this problem belongs
only to this WinXP machine and all the layer 3 issues are tested and correct. This issue happens while at the same time I can ping domain controller which also is a windows 2008 r2 enterprise box and its IP address is 192.168.1.53. It turns more complicated
when I learned I can ping the winxp machine and connect to it from new server through remote desktop. Firewall also is not the obstacle because I turned it off completely.
Can anybody help me fix the problem?
TIA
BijanHi,
Check the path ping from xp machine to server its timing out after reaching 192.168.1.254 , What kind of a device is 192.168.1.254 IP belongs to.
Tracing
route to sp45newfs.ph45.local [192.168.1.56]
over
a maximum of 30 hops:
0 B15-333.PH45.LOCAL [10.0.0.12]
1 192.168.1.254
2 * * *
Computing
statistics for 50 seconds...
Source to Here This Node/Link
Hop
RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 B15-333.PH45.LOCAL [10.0.0.12]
0/ 100 = 0% |
1 0ms 0/ 100 = 0% 0/ 100 = 0% (192.168.1.254)----------(Which device has this IP)
100/ 100 =100% |
2 --- (100/ 100 =100% )---(100% loss) 0/ 100 = 0% B15-333.PH45.LOCAL [0.0.0.0]
Trace
complete.
Regards,
Srivishnu.K -
Solaris 10 network status shows 'disconnected' & cannot ping out
Hi,
In my solaris 10 sparc t4-1 server, the network status shows 'disconnected'
I cannot ping to any servers in the lan.
Please help
thanksSounds like it's either infrastructure or faulty hardware. Are you sure the port is turned on that you are plugging into?
-
Certificate error when connecting to RemoteApp outside of private network
I have a server running Windows Server 2012 R2. It is configured as an all-in-one RDS server - all roles are installed on it. We've configured it primarily to use an application as a RemoteApp - the application is hosted at a different site, and this RDS
server is at that site. We have a site to site VPN set up, so that it is all a part of our domain. The issue I'm having seems related to the fact that our internal network is .local, but the certificate only has a single .com name, so that we can access it
from the Internet.
Everything works, though what I'm trying to clear up is a certificate error. When connecting to the RemoteApp from outside of our private network, we get the error "The server name on the certificate is incorrect." This occurs after entering
credentials. The public name of the server (rds.contoso.com) is different from the private name (server.contoso.local). We can proceed through the error and connect (though we'd like to fix it).
I implemented a fix that I found elsewhere to try to fix this. This was to add a custom RDP setting like so:
Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1`nalternate full address:s:rds.contoso.com"
That seemed to make some progress, then we got another error. I made a change to the RD RAP in RD Gateway Manager - by default, it allowed access to Domain Computers (which rds.contoso.com did not exist as a domain computer). I modified it to allow
access to the rds.contoso.com name.
I now receive a different error message and that's where I'm stuck. The heading on the message is RemoteApp Disconnected. The text of the error is 'Remote Desktop can't find the computer "rds.contoso.com". This might mean that
"rds.contoso.com" does not belong to the specified network. Verify the computer name and domain that you are trying to connect to.'
Any thoughts on what I can do next? When I roll back the changes I've made, I'm again able to connect fine, I just have the certificate error again.Hi,
1. For changing the published FQDN I recommend you use Set-RDPublishedName cmdlet instead setting a custom rdp property on the collection:
Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
2. As you mentioned before you need to edit the RD RAP so that the FQDN that you are using is permitted, or set it to Allow users to connect to any network resource.
3. On your internal network (internal to the RDG), you need to create a DNS A record for the published FQDN (rds.contoso.com) that points to your server's private ip address.
I'm not sure how you have things configured right now in terms of network and DNS so it is tough to give you instructions on how to fix. Let me explain a bit. Normally with a VPN you would not need RD Gateway, although it is okay
if you want to use it. If you have things configured properly an external client will normally connect to the RDG using the FQDN specified for RDG, then the RDG will connect to the published FQDN for the RDS deployment.
In your case these two FQDNs would be the same, only when the client does a DNS lookup it should get the ip address that you want users to connect to for the RDG whereas when the RDG does a DNS lookup it should get the private ip address of the server.
Exactly how you need to configure your DNS entries will depend on your VPN and networking configuration.
Please give it a try using the information provided above and reply back here with your results and any further questions you may have.
Thanks.
-TP -
Cannot ping and scan ports of network printer
Hello,
I installed an Archlinux to my work place computer, and I configure everything, network is working I can ping Dns and other local hosts, but I cannot ping and scan ports of network printer HP Laserjet 1320n which is connected on same network in which all computers ip's are 10.0.2.X like and the priter IP is 169.254.154.167.
Cups is configured and working, I also install and configure according to wiki's avahi, nss-mdns, I try with dnsmasq, but nothing helps. The hp-setup and system-configure-printer is detecting printer, I add it and configure it, but I cannot print. Cannot connect and communicate with printers Jetdirect port.
Along with the Arch I have Ubuntu and WindowsXP installed, with them everything is working, I also install Manjaro but there was the same problem like in Arch.
Please help me! Thank you in advance.^ These addresses are known as autoconfiguration addresses
Addresses in the range 169.254.0.0 to 169.254.255.255 are used automatically by most network devices when they are configured to use IP, do not have a static IP Address assigned and are unable to obtain an IP address using DHCP.
http://www.iana.org/go/rfc5735 You shouldn't consider this problem fixed
Last edited by Spider.007 (2014-01-17 18:12:29) -
Cannot Ping IP available to PC on same network
I cannot ping/access an IP address that I can ping/access on a PC using the same WiFi connection.
Any idea on what may be causing this?GuRoo wrote:
I do not have a firewall turned on at all.
Hi Pete, welcome to the club! I'm no IT expert, but if your Windows PC and Macs are both using the same LAN, I can't see this having anything to do with a firewall. I have a similar issue on my home LAN, though I recently made a change in my router settings which may resolve it if I work on it again. (I have an HP Laserjet plugged into the same router as my Mac Mini G4... I couldn't get my wife's Wintel notebook to find it when I tried before, while it had been only too simple via the Mac, so my LAN issue is really just the opposite of yours).
GuRoo wrote:
This is the first thing ever to make me question my switch to Mac and it's one that has me about to throw it out the window and go back to buggy (but fixable) Windows.
LOL ... If you give us your address, I'm sure there'll be someone there to catch it! Seriously, though, I'm sure you'll have a solution shortly if your start your own thread on this issue. From my interpretation of the original poster's issue, I think this thread has to do with accessing a particular remote IP, a problem I'm also trying to resolve.
best of luck,
Lowell -
AnyConnect to ASA 5505 ver 8.4 unable to ping/access Inside network
My AnyConnect VPN connect to the ASA, however I cannot access my inside network hosts (tried Split Tunnel and it didn't work either). I plan to use a Split Tunnel configuration but I thought I would get this working before I implemented that configuration. My inside hosts are on a 10.0.1.0/24 network and 10.1.0.0/16 networks. My AnyConnect hosts are using 192.168.60.0/24 addresses.
I have seen other people that appeared to have similar posts but none of those solutions have worked for me. I have also tried several NAT and ACL configurations to allow traffic form my Inside network to the ANYConnect hosts and back, but apparently I did it incorrectly. I undestand that this ver 8.4 is supposed to be easier to perform NAT and such, but I now in the router IOS it was much simpler.
My configuration is included below.
Thank you in advance for your assistance.
Jerry
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password (removed)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic Generic_All_Network interface
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
: endHi,
Yes, I have saved the config and did a write erase and reloaded the config, no difference. I rebuilt it once a couple of weeks ago, but that was before I had gotten this far with your assistance. I'll include my ASA and switches configs after this. Here is a little background (took it form the Firewall section issue just because it gives a little insight for the network). I have 2 3560s, one as a L3 switch the other L2 with an etherchannel between them (one of the cables was bad so I am waiting on the replacement to have 2 - Gigabit channels between the switches).
I think our issue with the VPN not getting to the Inside is posibly related to my DMZ issue not getting to the internet.
I am using 2 VLANs on my switch for Guests - one is wired and the other is wireless. I am trying to keep them separate because the wireless are any guest that might be at our restaurant that is getting on WiFi. The wired is for our Private Dining Rooms that vendors may need access and I don't want the wireless being able to see the wired network in that situation.
I have ports on my 3560s that are assigned to VLAN 20 (Guest Wired) and VLAN 22 (Guest Wireless). I am not routing those addresses within the 3560s (one 3560 is setup as a L3 switch). Those VLANs are being L2 switched to the ASA via the trunk to save ports (I tried separating them and used 2 ports on the ASA and it still didn't work). The ASA is providing DCHP for those VLANs and the routing for the DMZ VLANs. I can ping each of the gateways (which are the VLANs on the ASA from devices on the 3560s - 172.26.20.1 and 172.26.22.1. I have those in my DMZ off the ASA so it can control and route the data.
The 3560 is routing for my Corp VLANs. So far I have tested the Wired VLAN 10 (10.1.10.0/24) and it is working and gets to the Internet. I have a default route (0.0.0.0 0.0.0.0) from the L3 switch to e0/1 on the ASA and e0/1 is an Inside interface.
E0/0 on the ASA is my Outside interface and gets it IP from the upstream router (will be an AT&T router/modem when I move it to the building).
So for a simple diagram:
PC (172.26.20.21/24) -----3560 (L2) ------Trunk----(VLAN 20 - DMZ/ VLAN 22 - DMZ2)---- ASA -----Outside ------- Internet (via router/modem)
I will be back at this tomorrow morning - I've been up since 4pm yesterday and it is almost 3pm.
Thank you for all of your assistance.
Jerry
Current ASA Config:
ASA Version 8.4(4)
hostname mxfw
domain-name moxiefl.com
enable password $$$$$$$$$$$$$$$ encrypted
passwd $$$$$$$$$$$$$$$$ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
switchport access vlan 20
interface Ethernet0/5
switchport trunk allowed vlan 20,22
switchport mode trunk
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif dmz
security-level 50
ip address 172.26.20.1 255.255.255.0
interface Vlan22
nameif dmz2
security-level 50
ip address 172.26.22.1 255.255.255.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name moxiefl.com
same-security-traffic permit inter-interface
object network Generic_All_Network
subnet 0.0.0.0 0.0.0.0
object network INSIDE_Hosts
subnet 10.1.0.0 255.255.0.0
object network AnyConnect_Hosts
subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_26
subnet 192.168.60.0 255.255.255.192
object network DMZ_Network
subnet 172.26.20.0 255.255.255.0
object network DMZ2_Network
subnet 172.26.22.0 255.255.255.0
object network INSIDE
subnet 10.0.1.0 255.255.255.0
access-list capdmz extended permit icmp host 172.26.20.22 host 208.67.222.222
access-list capdmz extended permit icmp host 208.67.222.222 host 172.26.20.22
access-list capout extended permit icmp host 192.168.1.231 host 208.67.222.222
access-list capout extended permit icmp host 208.67.222.222 host 192.168.1.231
access-list capvpn extended permit icmp host 192.168.60.20 host 10.1.10.23
access-list capvpn extended permit icmp host 10.1.10.23 host 192.168.60.20
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list SPLIT-TUNNEL standard permit 10.0.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list capins extended permit icmp host 10.1.10.23 host 10.0.1.1
access-list capins extended permit icmp host 10.0.1.1 host 10.1.10.23
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu dmz2 1500
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup
nat (dmz,outside) source dynamic Generic_All_Network interface
nat (dmz2,outside) source dynamic Generic_All_Network interface
nat (inside,outside) after-auto source dynamic Generic_All_Network interface
route inside 10.1.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn anyconnect.moxiefl.com
subject-name CN=AnyConnect.moxiefl.com
keypair AnyConnect
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 439a4452
3082026c 308201d5 a0030201 02020443 9a445230 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131641 6e79436f 6e6e6563 742e6d6f 78696566
6c2e636f 6d312530 2306092a 864886f7 0d010902 1616616e 79636f6e 6e656374
2e6d6f78 6965666c 2e636f6d 301e170d 31333039 32373037 32353331 5a170d32
33303932 35303732 3533315a 3048311f 301d0603 55040313 16416e79 436f6e6e
6563742e 6d6f7869 65666c2e 636f6d31 25302306 092a8648 86f70d01 09021616
616e7963 6f6e6e65 63742e6d 6f786965 666c2e63 6f6d3081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181009a d9f320ff e93d4fdd cb707a4c
b4664c47 6d2cc639 4dc45fed bfbc2150 7109fd81 5d6a5252 3d40dc43 696360d5
fbf92bcc 477d19b8 5301085c daf40de5 87d7e4aa f81b8d7f 8d364dfa 0a6f07d7
6a7c3e9b 56e69152 aa5492d8 e35537bd 567ccf29 7afbeae8 13da9936 9f890d76
1d56d11d da3d039a 0e714849 e6841ff2 5483b102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 80142f27 7096c4c5 e396e691 e07ef737 af61b71f 64f1301d
0603551d 0e041604 142f2770 96c4c5e3 96e691e0 7ef737af 61b71f64 f1300d06
092a8648 86f70d01 01050500 03818100 8f777196 bbe6a5e4 8af9eb9a 514a8348
5e62d6cd 47257243 e430a758 2b367543 065d4ceb 582bf666 08ff7be1 f89287a2
ac527824 b11c2048 7fd2b50d 35ca3902 6aa00675 e4df7859 f3590596 b1d52426
1e97a52c 4e77f4b0 226dec09 713f7ba9 80bdf7bb b52a7da2 4a68b91b 455cabba
0cc4c6f3 f244f7d9 0a6e32fb 31ce7e35
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd address 10.0.1.20-10.0.1.40 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
dhcpd address 172.26.20.21-172.26.20.60 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd enable dmz
dhcpd address 172.26.22.21-172.26.22.200 dmz2
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
dhcpd enable dmz2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value moxiefl.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
username user1 password $$$$$$$$$$$$$ encrypted privilege 15
username user2 password $$$$$$$$$$$ encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f6d9bbacca2a5c8b5af946a8ddc12550
: end
L3 3560 connects to ASA via port f0/3 routed port 10.0.1.0/24 network
Connects to second 3560 via G0/3 & G0/4
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560a
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
ip dhcp excluded-address 10.1.10.1 10.1.10.20
ip dhcp excluded-address 10.1.12.1 10.1.12.20
ip dhcp excluded-address 10.1.14.1 10.1.14.20
ip dhcp excluded-address 10.1.16.1 10.1.16.20
ip dhcp excluded-address 10.1.30.1 10.1.30.20
ip dhcp excluded-address 10.1.35.1 10.1.35.20
ip dhcp excluded-address 10.1.50.1 10.1.50.20
ip dhcp excluded-address 10.1.80.1 10.1.80.20
ip dhcp excluded-address 10.1.90.1 10.1.90.20
ip dhcp excluded-address 10.1.100.1 10.1.100.20
ip dhcp excluded-address 10.1.101.1 10.1.101.20
ip dhcp pool VLAN10
network 10.1.10.0 255.255.255.0
default-router 10.1.10.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN12
network 10.1.12.0 255.255.255.0
default-router 10.1.12.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN14
network 10.1.14.0 255.255.255.0
default-router 10.1.14.1
option 150 ip 10.1.13.1
ip dhcp pool VLAN16
network 10.1.16.0 255.255.255.0
default-router 10.1.16.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN30
network 10.1.30.0 255.255.255.0
default-router 10.1.30.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN35
network 10.1.35.0 255.255.255.0
default-router 10.1.35.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN50
network 10.1.50.0 255.255.255.0
default-router 10.1.50.1
option 43 hex f104.0a01.6564
ip dhcp pool VLAN80
network 10.1.80.0 255.255.255.0
default-router 10.1.80.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN90
network 10.1.90.0 255.255.255.0
default-router 10.1.90.1
dns-server 208.67.222.222 208.67.220.220
ip dhcp pool VLAN100
network 10.1.100.0 255.255.255.0
default-router 10.1.100.1
ip dhcp pool VLAN101
network 10.1.101.0 255.255.255.0
default-router 10.1.101.1
ip dhcp pool VLAN40
dns-server 208.67.222.222 208.67.220.220
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 1 downstream
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
power inline never
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/3
description Interface to MXFW E0/1
no switchport
ip address 10.0.1.2 255.255.255.0
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
switchport mode access
shutdown
power inline never
interface FastEthernet0/6
switchport mode access
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
power inline never
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
switchport mode access
shutdown
power inline never
interface FastEthernet0/10
switchport mode access
shutdown
power inline never
interface FastEthernet0/11
switchport mode access
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 50
switchport mode access
interface FastEthernet0/18
switchport mode access
shutdown
power inline never
interface FastEthernet0/19
switchport mode access
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
switchport mode access
shutdown
power inline never
interface FastEthernet0/22
switchport mode access
shutdown
power inline never
interface FastEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/24
switchport access vlan 35
switchport mode access
power inline never
interface FastEthernet0/25
switchport mode access
shutdown
power inline never
interface FastEthernet0/26
switchport mode access
shutdown
power inline never
interface FastEthernet0/27
switchport mode access
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 50
switchport mode access
interface FastEthernet0/34
switchport mode access
shutdown
power inline never
interface FastEthernet0/35
switchport mode access
shutdown
power inline never
interface FastEthernet0/36
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
switchport mode access
shutdown
power inline never
interface FastEthernet0/38
switchport mode access
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
switchport mode access
shutdown
power inline never
interface FastEthernet0/42
switchport mode access
shutdown
power inline never
interface FastEthernet0/43
switchport mode access
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport mode access
shutdown
power inline never
interface GigabitEthernet0/1
description Interface to MXC2911 Port G0/0
no switchport
ip address 10.1.13.2 255.255.255.0
interface GigabitEthernet0/2
shutdown
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 10.1.10.1 255.255.255.0
interface Vlan12
ip address 10.1.12.1 255.255.255.0
interface Vlan14
ip address 10.1.14.1 255.255.255.0
interface Vlan16
ip address 10.1.16.1 255.255.255.0
interface Vlan20
ip address 172.26.20.1 255.255.255.0
interface Vlan22
ip address 172.26.22.1 255.255.255.0
interface Vlan30
ip address 10.1.30.1 255.255.255.0
interface Vlan35
ip address 10.1.35.1 255.255.255.0
interface Vlan40
ip address 10.1.40.1 255.255.255.0
interface Vlan50
ip address 10.1.50.1 255.255.255.0
interface Vlan80
ip address 172.16.80.1 255.255.255.0
interface Vlan86
no ip address
shutdown
interface Vlan90
ip address 10.1.90.1 255.255.255.0
interface Vlan100
ip address 10.1.100.1 255.255.255.0
interface Vlan101
ip address 10.1.101.1 255.255.255.0
router eigrp 1
network 10.0.0.0
network 10.1.13.0 0.0.0.255
network 10.1.14.0 0.0.0.255
passive-interface default
no passive-interface GigabitEthernet0/1
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/3 10.0.1.1
ip route 192.168.60.0 255.255.255.0 FastEthernet0/3 10.0.1.1 2
ip http server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end
L3 3560 Route Table (I added 192.168.60.0/24 instead of just using the default route just in case it wasn't routing for some reason - no change)
mx3560a#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.1.1 to network 0.0.0.0
S 192.168.60.0/24 [2/0] via 10.0.1.1, FastEthernet0/3
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.80.0 is directly connected, Vlan80
172.26.0.0/24 is subnetted, 2 subnets
C 172.26.22.0 is directly connected, Vlan22
C 172.26.20.0 is directly connected, Vlan20
10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C 10.1.10.0/24 is directly connected, Vlan10
D 10.1.13.5/32 [90/3072] via 10.1.13.1, 4d02h, GigabitEthernet0/1
C 10.1.14.0/24 is directly connected, Vlan14
C 10.1.13.0/24 is directly connected, GigabitEthernet0/1
C 10.1.12.0/24 is directly connected, Vlan12
C 10.0.1.0/24 is directly connected, FastEthernet0/3
C 10.1.30.0/24 is directly connected, Vlan30
C 10.1.16.0/24 is directly connected, Vlan16
C 10.1.40.0/24 is directly connected, Vlan40
C 10.1.35.0/24 is directly connected, Vlan35
C 10.1.50.0/24 is directly connected, Vlan50
C 10.1.90.0/24 is directly connected, Vlan90
C 10.1.101.0/24 is directly connected, Vlan101
C 10.1.100.0/24 is directly connected, Vlan100
S* 0.0.0.0/0 [1/0] via 10.0.1.1, FastEthernet0/3
I have a C2911 for CME on G0/1 - using it only for that purpose at this time.
L2 3560 Config it connects to the ASA as a trunk on e0/5 of the ASA and port f0/3 of the switch - I am using L2 switching for the DMZ networks from the switches to the ASA and allowing the ASA to provide the DHCP and routing out of the network. DMZ networks: 172.26.20.0/24 and 172.26.22.0/24.
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
hostname mx3560b
boot-start-marker
boot-end-marker
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
no aaa new-model
system mtu routing 1500
crypto pki trustpoint TP-self-signed-3877365632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3877365632
revocation-check none
rsakeypair TP-self-signed-3877365632
crypto pki certificate chain TP-self-signed-3877365632
certificate self-signed 01
30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383737 33363536 3332301E 170D3933 30333031 30303031
30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38373733
36353633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DF81 DA515E0B 7FC760CF 2CC98400 42DCA007 215E4DDE D0C3FBF2 D974CE85
C46A8700 6AE44C2C 79D9BD2A A9297FA0 2D9C2BE4 B3941A2F 435AC4EA 17E89DFE
34EC8E93 63BD4CDF 784E91D7 2EE0093F 06CC97FD 83CB818B 1ED624E6 F0F5DA51
1DE4B8A7 169EED2B 40575B81 BADDE052 85BA9D19 4C206DCB 00878FF3 89E74028
B3F30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
551D1104 0C300A82 086D7833 35363062 2E301F06 03551D23 04183016 80147125
78CE8540 DB95D852 3C0BD975 5D9C6EB7 58FC301D 0603551D 0E041604 14712578
CE8540DB 95D8523C 0BD9755D 9C6EB758 FC300D06 092A8648 86F70D01 01040500
03818100 94B98410 2D9CD602 4BD16181 BCB7C515 77C8F947 7C4AF5B8 281E3131
59298655 B12FAB1D A6AAA958 8473483C E993D896 5251770B 557803C0 531DEB62
A349C057 CB473F86 DCEBF8B8 7DDE5728 048A49D0 AB18CE8C 8257C00A C2E06A63
B91F872C 5F169FF9 77DC523B AB1E3965 C6B67FCC 84AE11E9 02DD10F0 C45EAFEA 41D7FA6C
quit
port-channel load-balance src-dst-mac
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/1
switchport access vlan 50
switchport mode access
interface FastEthernet0/2
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,22
switchport mode trunk
power inline never
interface FastEthernet0/4
switchport mode access
shutdown
power inline never
interface FastEthernet0/5
shutdown
power inline never
interface FastEthernet0/6
shutdown
power inline never
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/8
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/9
shutdown
power inline never
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/11
shutdown
power inline never
interface FastEthernet0/12
switchport access vlan 40
switchport mode access
interface FastEthernet0/13
switchport access vlan 40
switchport mode access
interface FastEthernet0/14
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/15
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/16
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/17
switchport access vlan 10
switchport mode access
power inline never
interface FastEthernet0/18
shutdown
power inline never
interface FastEthernet0/19
shutdown
power inline never
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/21
shutdown
power inline never
interface FastEthernet0/22
shutdown
power inline never
interface FastEthernet0/23
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/24
shutdown
power inline never
interface FastEthernet0/25
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/26
shutdown
power inline never
interface FastEthernet0/27
shutdown
power inline never
interface FastEthernet0/28
switchport access vlan 40
switchport mode access
interface FastEthernet0/29
switchport access vlan 40
switchport mode access
interface FastEthernet0/30
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/31
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/32
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/33
switchport access vlan 20
switchport mode access
power inline never
interface FastEthernet0/34
shutdown
power inline never
interface FastEthernet0/35
shutdown
power inline never
interface FastEthernet0/36
switchport mode access
switchport voice vlan 14
spanning-tree portfast
interface FastEthernet0/37
shutdown
power inline never
interface FastEthernet0/38
shutdown
power inline never
interface FastEthernet0/39
switchport access vlan 30
switchport mode access
power inline never
interface FastEthernet0/40
switchport access vlan 90
switchport mode access
power inline never
interface FastEthernet0/41
shutdown
power inline never
interface FastEthernet0/42
shutdown
power inline never
interface FastEthernet0/43
shutdown
power inline never
interface FastEthernet0/44
switchport access vlan 40
switchport mode access
interface FastEthernet0/45
switchport access vlan 40
switchport mode access
interface FastEthernet0/46
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/47
switchport access vlan 40
switchport mode access
shutdown
interface FastEthernet0/48
switchport access vlan 40
switchport mode access
shutdown
interface GigabitEthernet0/1
shutdown
interface GigabitEthernet0/2
switchport access vlan 40
switchport mode access
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
interface Vlan1
no ip address
ip classless
ip http server
ip http secure-server
ip sla enable reaction-alerts
line con 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end -
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.Hi,
First,please delete NAT.If we configured the NAT in the RRAS,the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second,please enable the LAN routing in RRAS server.To enable LAN routing,please follow the steps below,
1.In the RRAS server,Open Routing and Remote Access.
2.Right-click the server name,then click
properties.
3.On the General tab,select
IPv4 Router check box,and then click Local area network(LAN) routing only.
Then,announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below,
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina -
FlexVPN Cannot Ping From Spoke LAN only
Topology:
Hub:
(hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP
Spoke:
(hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP
I have full reachability from both routers.
Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0
Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1
Partial reachability from lan hosts
Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)
Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24
Any help would be appreciatedWe've been working with these confs for a while, so they aren't as clean as they could be, but here they are
---HUB---
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname HUB
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
server-private 10.0.1.15 key xxxxx
aaa authentication login default local
aaa authentication login xxxxxVPN_VPN_XAUTH local
aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
aaa authorization exec default local
aaa authorization network default local
aaa authorization network xxxxxVPN_VPN_GROUP local
aaa authorization network FLEXVPN_AUTH-Z_LIST local
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
ip cef
no ip bootp server
ip domain name xxxxx.net
ip name-server 166.102.165.13
ip name-server 166.102.165.11
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group VPN_GROUP
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
crypto pki trustpoint FLEXVPN_RA_TP
enrollment terminal
serial-number none
fqdn vpn.xxxxx.net
ip-address none
subject-name cn=vpn.xxxxx.net
revocation-check crl
eckeypair FLEXVPN_RA_TP-Key
crypto pki certificate chain FLEXVPN_RA_TP
certificate 460000.. nvram:xxxxx#2.cer
certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
license udi pid CISCO1921/K9 sn xxxxx
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
redundancy
crypto ikev2 authorization policy default
pool FLEX_SPOKES_POOL
route set interface
crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
pool FLEXVPN_RA_POOL
dns 10.0.1.15
netmask 255.255.255.0
def-domain xxxxx.net
route set access-list FLEXVPN_RA_ACL
crypto ikev2 proposal SHA1-only
encryption aes-cbc-256
integrity sha1
group 5
crypto ikev2 policy SHA1-only
match fvrf any
proposal SHA1-only
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
match identity remote key-id xxxxx.net
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint FLEXVPN_RA_TP
dpd 60 2 on-demand
aaa authentication eap FLEXVPN_AUTH-C_LIST
aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
virtual-template 10
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto logging session
crypto isakmp client configuration group xxxxxVPN
key xxxxx
pool xxxxxVPN_POOL
acl xxxxxVPN_ACL
netmask 255.255.255.0
crypto isakmp profile xxxxxVPN_IKE_PROFILE
match identity group xxxxxVPN
client authentication list xxxxxVPN_VPN_XAUTH
isakmp authorization list xxxxxVPN_VPN_GROUP
client configuration address respond
virtual-template 100
crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
set transform-set xxxxxVPN_SET
set isakmp-profile xxxxxVPN_IKE_PROFILE
crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback100
ip address 172.31.100.1 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface Virtual-Template10 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
interface Dialer0
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password xxxxx
ppp pap sent-username [email protected] password xxxxx
no cdp enable
router eigrp 1
distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
network 10.0.1.0 0.0.0.255
network 172.30.200.0 0.0.0.255
network 172.31.100.1 0.0.0.0
passive-interface GigabitEthernet0/0
ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.30.200.0 255.255.255.0 Null0
ip access-list standard FLEXVPN_RA_ACL
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 10.0.4.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.200.0 0.0.0.255
permit 172.31.254.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
ip access-list extended xxxxxVPN_ACL
permit ip 172.30.255.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any
permit ip 172.31.254.0 0.0.0.255 any
ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
access-list 1 permit 10.0.1.0 0.0.0.255
route-map EIGRP_SUMMARY_RMAP permit 10
match ip address prefix-list EIGRP_SUMMARY_PFLIST
control-plane
banner motd Cxxxxx
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
line vty 5 15
transport input all
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org prefer
end
---SPOKE---
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SPOKE
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
no ip bootp server
ip domain name xxxxx.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
license udi pid CISCO881-SEC-K9 sn FTX1740854N
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
crypto ikev2 authorization policy default
route set interface
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback101
ip address 172.31.101.3 255.255.255.255
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address dhcp
no ip unreachables
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
interface Vlan1
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.1.15
no ip unreachables
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip access-list standard INTERNET_BOUND_ACL
permit 10.0.3.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.255.0 0.0.0.255
permit 172.31.100.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 172.30.200.0 0.0.0.255
access-list 99 permit 10.0.3.0
control-plane
banner motd xxxxx
line con 0
no modem enable
line aux 0
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
ntp update-calendar
ntp server 0.pool.ntp.org prefer
ntp server 1.pool.ntp.org
end -
ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's
Hello All,
I'm an ASA Newb.
I feel like I have tried everything posted and still no success.
PROBLEM: When connected to the SSL VPN I cannot ping any internal host's. I cannot ping anything on this inside?
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname MCASA01
domain-name mydomain.org
enable password xxbtzv6P4Hqevn4N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 VLAN
name 192.168.5.0 VPNPOOL
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname MC_DNS
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 11.11.11.202 255.255.255.252
interface Vlan3
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mydomain.org
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
keypair digicert.key
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 00b63edadf5efa057ea49da56b179132e8
3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 66.180.96.12 64.238.96.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 4000 interface inside
dhcpd domain mydomain.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 64.147.116.229 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNGP internal
group-policy VPNGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
username GaryC attributes
vpn-group-policy VPNGP
tunnel-group MCVPN type remote-access
tunnel-group MCVPN general-attributes
address-pool VPNPOOL
default-group-policy VPNGP
tunnel-group MCVPN webvpn-attributes
group-alias MCVPN enable
group-url https://11.11.11.202/MCVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
: end
My goal is to allow Remote Users to RDP(3389) through VPN.
Thank you,
Gary
Message was edited by: Gary CulwellHello Jon,
Thank you so much for your response. Clients will not be connect to a specific RDP server. I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access. So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
Would you say this would work:
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
Do you have examples?
Thank you,
Gary -
Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host
Hi:
Need your great help for my new ASA 5505 (8.4)
I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
89
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
w
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
tps
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
01
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
WW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: endHello Wayne,
Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
Regards,
Julio
Security Trainer -
Anyconnect VPN peers cannot ping, RDP each other
I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem that the VPN peers cannot ping (RDP, ectc..) each other. Pinging one VPN peer from another reveals the following error in the ASA Log.
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure.
Below is my ASA running-config:
ASA Version 8.3(1)
hostname ciscoasa
domain-name dental.local
enable password 9ddwXcOYB3k84G8Q encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.128
domain-name dental.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network RAVPN
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN client local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VpnPeers remark allow vpn peers to ping each other
access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level informational
logging rate-limit 1 600 level 6
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static RAVPN RAVPN
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
object network obj_any
nat (inside,outside) dynamic interface
object network RAVPN
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair billvpnkey
proxy-ldc-issuer
crl configure
crypto ca server
cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
issuer-name CN=ciscoasa
smtp from-address admin@ciscoasa
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
**hidden**
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 10bdec50
**hidden**
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
svc enable
tunnel-group-list enable
internal-password enable
smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value dental.local
webvpn
svc modules value vpngina
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
default-domain value dental.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.128
vpn-simultaneous-logins 4
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value RAVPN
split-tunnel-network-list value Local_LAN_Access
default-domain value dental.local
webvpn
url-list value DentalMarks
svc modules value vpngina
svc profiles value dellstudio type user
svc ask enable default webvpn
smart-tunnel enable SmartTunnelList
username wketchel1 password 5c5OoeNtCiX6lGih encrypted
username wketchel1 attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
username wketchel attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc modules none
svc profiles value DellStudioClientProfile type user
username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
username jenniferk attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
tunnel-group RAVPN ipsec-attributes
pre-shared-key *****
tunnel-group RAVPN ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group WebSSLVPN type remote-access
tunnel-group WebSSLVPN webvpn-attributes
group-alias WebSSLVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
smtp-server 173.194.64.108
prompt hostname context
hpm topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: endHi,
Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
I would suggest the following changes
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object-group network PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
The above should enable
Dynamic PAT for LAN and VPN users
NAT0 for the traffic between LAN and VPN
NAT0 for traffic between VPN users
You could then remove the previous NAT configurations. Naturally please do backup the configuration before doing the change if you wish to move back to the original configuration.
no nat (inside,any) source static any any destination static RAVPN RAVPN
no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no object network obj_any
no object network RAVPN
In the event that you dont want to change the configurations that much you might be fine just by adding this
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
But the other above configurations changes would make the current NAT configurations simpler and clearer to see each "nat" configurations purpose.
- Jouni -
Cisco 1941 Router-on-a-Stick w/ 11VLANs trunked to a Cisco 2960: From the Switch I can Ping a device in another VLAN, that device cannot ping back. Some devices can ping devices in other VLANs and the device in the other VLAN can successfully return the Ping. Have a look at the attached diagram.
Router Config:
show run
Building configuration...
Current configuration : 7224 bytes
! Last configuration change at 09:05:48 EDT Wed Aug 6 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ROUTER
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone EDT -8 0
ip cef
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO1941/K9
object-group network Net_Obj_Group1
description This network group allows all 10.0.0.0 and Email Forwarder server through to the Plt PCs
205.191.0.0 255.255.0.0
10.0.0.0 255.0.0.0
object-group network Net_Obj_Group2
description This Network Group includes the Host IPs allowed through the Plant Router
host 10.194.28.23
host 10.194.28.25
host 10.194.28.26
host 10.194.28.27
host 10.194.28.28
host 10.194.28.29
host 10.194.28.37
host 10.194.28.39
host 10.194.28.40
host 10.194.28.70
host 10.194.28.130
host 10.194.28.131
host 10.194.28.132
host 10.194.28.133
host 10.194.28.134
host 10.194.28.135
host 10.194.28.136
host 10.194.28.137
host 10.194.28.138
host 10.194.28.139
host 10.194.28.140
host 10.194.28.141
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Port Ge0/0 to IT Enterprise network Switch GE1/0/38
ip address 10.194.28.111 255.255.255.0
ip access-group 105 in
ip access-group 106 out
ip nat outside
ip virtual-reassembly in
shutdown
duplex full
speed auto
no mop enabled
interface GigabitEthernet0/1
description Port to Plant PCN-K/L24 Sw1 Port 0/24
no ip address
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1.102
description Port to VLAN 102
encapsulation dot1Q 102
ip address 192.168.102.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.104
description Port to VLAN 104
encapsulation dot1Q 104
ip address 192.168.104.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.105
description Port to VLAN 105
encapsulation dot1Q 105
ip address 192.168.105.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.106
description Port to VLAN 106
encapsulation dot1Q 106
ip address 192.168.106.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.107
description Port to VLAN 107
encapsulation dot1Q 107
ip address 192.168.107.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.111
description Port to VLAN 111
encapsulation dot1Q 111
ip address 192.168.111.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.117
description Port to VLAN 117
encapsulation dot1Q 117
ip address 192.168.117.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.121
description Port to VLAN 121
encapsulation dot1Q 121
ip address 192.168.121.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.125
description Port to VLAN 125
encapsulation dot1Q 125
ip address 192.168.125.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.150
description Port to to VLAN 150
encapsulation dot1Q 150
ip address 192.168.150.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.999
description Port to VLAN 999
encapsulation dot1Q 999
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
no ip http secure-server
ip nat inside source static 192.168.102.201 10.194.28.23
ip nat inside source static 192.168.121.201 10.194.28.25
ip nat inside source static 192.168.106.251 10.194.28.26
ip nat inside source static 192.168.107.245 10.194.28.27
ip nat inside source static 192.168.102.251 10.194.28.28
ip nat inside source static 192.168.150.201 10.194.28.29
ip nat inside source static 192.168.107.179 10.194.28.37
ip nat inside source static 192.168.111.201 10.194.28.39
ip nat inside source static 192.168.105.201 10.194.28.40
ip nat inside source static 192.168.106.21 10.194.28.70
ip nat inside source static 192.168.107.146 10.194.28.130
ip nat inside source static 192.168.107.156 10.194.28.131
ip nat inside source static 192.168.107.161 10.194.28.132
ip nat inside source static 192.168.107.181 10.194.28.133
ip nat inside source static 192.168.107.191 10.194.28.134
ip nat inside source static 192.168.106.202 10.194.28.135
ip nat inside source static 192.168.106.212 10.194.28.136
ip nat inside source static 192.168.117.190 10.194.28.137
ip nat inside source static 192.168.117.100 10.194.28.138
ip nat inside source static 192.168.106.242 10.194.28.139
ip nat inside source static 192.168.125.100 10.194.28.140
ip nat inside source static 192.168.125.99 10.194.28.141
ip nat outside source static 10.194.28.23 10.194.28.23
ip nat outside source static 10.194.28.25 10.194.28.25
ip nat outside source static 10.194.28.26 10.194.28.26
ip nat outside source static 10.194.28.27 10.194.28.27
ip nat outside source static 10.194.28.28 10.194.28.28
ip nat outside source static 10.194.28.29 10.194.28.29
ip nat outside source static 10.194.28.37 10.194.28.37
ip nat outside source static 10.194.28.39 10.194.28.39
ip nat outside source static 10.194.28.40 10.194.28.40
ip nat outside source static 10.194.28.70 10.194.28.70
ip nat outside source static 10.194.28.130 10.194.28.130
ip nat outside source static 10.194.28.131 10.194.28.131
ip nat outside source static 10.194.28.132 10.194.28.132
ip nat outside source static 10.194.28.133 10.194.28.133
ip nat outside source static 10.194.28.134 10.194.28.134
ip nat outside source static 10.194.28.135 10.194.28.135
ip nat outside source static 10.194.28.136 10.194.28.136
ip nat outside source static 10.194.28.137 10.194.28.137
ip nat outside source static 10.194.28.138 10.194.28.138
ip nat outside source static 10.194.28.139 10.194.28.139
ip nat outside source static 10.194.28.140 10.194.28.140
ip nat outside source static 10.194.28.141 10.194.28.141
ip route 0.0.0.0 0.0.0.0 10.194.28.1
access-list 105 permit ip object-group Net_Obj_Group1 object-group Net_Obj_Group2
access-list 106 permit ip object-group Net_Obj_Group2 object-group Net_Obj_Group1
dialer-list 1 protocol ip permit
control-plane
banner login ^CC
Login banner for Plant Router #01^C
banner motd ^CC
MOTD Banner for Plant Router^C
line con 0
password XXXXXXXXX
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXXXXXXX
logging synchronous
login
transport input all
scheduler allocate 20000 1000
ntp server 10.199.100.92
end
Switch Config:
sh ru
Building configuration...
Current configuration : 6513 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname K24Sw01
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone EDT -5
clock summer-time EDT recurring
udld aggressive
crypto pki trustpoint TP-self-signed-593746944
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-593746944
revocation-check none
rsakeypair TP-self-signed-593746944
4B58BCE9 44
quit
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0
no ip address
interface GigabitEthernet0/1
description Trunk port for vlans 105, 111, 125 and 999 from K24Sw01 port Ge0/1 to P22Sw01 port Ge0/24
switchport trunk allowed vlan 105,111,125,999
switchport mode trunk
interface GigabitEthernet0/2
description Trunk port for vlans 150 and 999 from K24Sw01 port Ge0/2 to N25Sw01 port Ge0/26
switchport trunk allowed vlan 150,999
switchport mode trunk
interface GigabitEthernet0/3
description Trunk port for vlans 102, 104, 106, 107, 117 and 999 from K24Sw01 port Ge0/3 to K28Sw01 port Ge0/26
switchport trunk allowed vlan 102,104,106,107,117,999
switchport mode trunk
interface GigabitEthernet0/4
description Trunk port for vlans 102, 106, 107 and 999 from K24Sw01 port Ge0/4 to H23Sw01 port Ge0/26
switchport trunk allowed vlan 102,106,107,999
switchport mode trunk
interface GigabitEthernet0/5
description Trunk port for vlans 121, 125 and 999 from K24Sw01 port Ge0/5 to M21Sw01 port Ge0/24
switchport trunk allowed vlan 121,125,999
switchport mode trunk
interface GigabitEthernet0/6
description OPEN
spanning-tree portfast
interface GigabitEthernet0/7
description OPEN
spanning-tree portfast
interface GigabitEthernet0/8
description OPEN
spanning-tree portfast
interface GigabitEthernet0/9
description OPEN
spanning-tree portfast
interface GigabitEthernet0/10
description VLan 102 access port
switchport access vlan 102
spanning-tree portfast
interface GigabitEthernet0/11
description - VLan 104 access port
switchport access vlan 104
spanning-tree portfast
interface GigabitEthernet0/12
description - VLan 105 access port
switchport access vlan 105
spanning-tree portfast
interface GigabitEthernet0/13
description - VLan 106 access port
switchport access vlan 106
spanning-tree portfast
interface GigabitEthernet0/14
description - VLan 107 access port
switchport access vlan 107
spanning-tree portfast
interface GigabitEthernet0/15
description - VLan 111 access port
switchport access vlan 111
spanning-tree portfast
interface GigabitEthernet0/16
description - VLan 117 access port
switchport access vlan 117
spanning-tree portfast
interface GigabitEthernet0/17
description - VLan 121 access port
switchport access vlan 121
spanning-tree portfast
interface GigabitEthernet0/18
description - VLan 125 access port
switchport access vlan 125
spanning-tree portfast
interface GigabitEthernet0/19
description - VLan 150 access port
switchport access vlan 150
spanning-tree portfast
interface GigabitEthernet0/20
description - VLan 999 access port
switchport access vlan 999
spanning-tree portfast
interface GigabitEthernet0/21
description OPEN
spanning-tree portfast
interface GigabitEthernet0/22
description OPEN
spanning-tree portfast
interface GigabitEthernet0/23
description OPEN
spanning-tree portfast
interface GigabitEthernet0/24
description From ROUTER Gw ge0/1
switchport trunk allowed vlan 102,104-107,111,117,121,125,150,999
switchport mode trunk
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan102
ip address 192.168.102.253 255.255.255.0
interface Vlan104
no ip address
no ip route-cache
interface Vlan105
no ip address
no ip route-cache
interface Vlan106
no ip address
no ip route-cache
interface Vlan107
no ip address
no ip route-cache
interface Vlan111
no ip address
no ip route-cache
interface Vlan117
no ip address
no ip route-cache
interface Vlan121
no ip address
no ip route-cache
interface Vlan125
no ip address
no ip route-cache
interface Vlan150
no ip address
no ip route-cache
interface Vlan999
no ip address
no ip route-cache
ip default-gateway 192.168.102.1
ip http server
ip http secure-server
snmp-server engineID local 00000009020000019634C2C0
snmp-server community public RO
snmp-server location
snmp-server contact
banner motd ^CCC ADMIN USE ONLY! ^C
line con 0
session-timeout 10
password xxxxxx
logging synchronous
login
stopbits 1
line vty 0 4
session-timeout 10
password xxxxxxx
login
line vty 5 15
session-timeout 10
password xxxxxxxx
login
ntp server 10.199.100.92
end
K24Sw01#HI Mark,
Here is the my config:
Create sub-interfaces, set 802.1Q trunking protocol and ip address on each sub-interface
Router(config)#interface f0/0
Router(config-if)#no shutdown
(Note: The main interface f0/0 doesn’t need an IP address but it must be turned on)
Router(config)#interface f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config-subif)#interface f0/0.20
Router(config-subif)#encapsulation dot11 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
(Note: In the “encapsulation dot1q 10″ command, 10 is the VLAN ID this interface operates in)
Configure VLAN
Switch(config)#vlan 10
Switch(config-vlan)#name SALES
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name TECH
Set ports to access mode & assign ports to VLAN
Switch(config)#interface range fa0/1
Switch(config-if)#no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 15
Switch(config-if)#interface range fa0/3
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)#interface range fa0/5
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode trunk
1. Please check all your port are up.
2. Check the config once again.
3. Make sure the swicth and router connection port configured as trunk and it should be up.
This config is working for me,
Regards
Dont forget to rate helpful posts.
Maybe you are looking for
-
Help needed in SYNCBO Creation
Hi I have created a syncbo following the steps mentioned in MDK document. When i execute the SyncBO with the emulator i am not finding any data.The steps i followed for creating the SyncBO are Defining the SyncBO for downloading with the BAPI wrappe
-
Error 'sysfail' in outbound que of SRM :Initial download - DNL_CUST_BASIS3
Dear Consultants, We are trying to replicate the product categories and material master from ECC system to SRM system for the first time. Performed all the middleware settings as per note 720819. When running the initia
-
Error With the Weblogic 10.3.6
[org.apache.axis2.deployment.RepositoryListener] - <Error occurred while loading modules from classpath> java.lang.NullPointerException at org.apache.axis2.deployment.RepositoryListener.loadClassPathModules(RepositoryListener.java:138) at org.apache.
-
Hi, I am working on a project where we extend an application built by a third party vendor. I've spent hours trying to determine the cause of some exceptions. The vendor transforms exceptions thrown by the application server or Oracle into their own
-
Userexit_field_modification in MV45AFZZ
Hi ABAP-gurus, I´ve used the above mentioned userexit to make a field editable. The field is VBAP-KTGRM. How I can store the entered content of this field? I thought that I can use userexit_move_field_to_vbap in the same include but it seems that the