Cisco VPN and Microsoft VPN

I am currently using the Cisco VPN client. After connecting, I want to reconnect another VPN to Microsoft; while connecting it displays error 800. After getting these details it shows that your Cisco router firmware is old (older than 2000). I am using a Cisco 1811, IOS 12.3.9.
Other detail of the VPN 800 error: "tcp window size is 0"
Any help regarding this? Thanks in advance.

Hi,
We require more info in order to understand clearly what's going on. Could you please paste the screenshot of the error message?
Regards,
wilson samuel

Similar Messages

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am a student of MSc Network Security and as for my project, which is "Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing", I have heard a lot of buzz about VPLS becoming NGN. I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3. The MPLS L3 VPN lab setup is not a problem, but I am stuck at the VPLS part: how to set that up? I have searched but am unable to find any cost-effective means; it is not even possible in the university lab as we don't have the 7600 series.
    I would appreciate any support, guidance, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address two different needs, L3 VPN as opposed to L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of an F1 racing car with a rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE imposes 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo

  • Cisco VPN and Microsoft Virtual PC (xp mode under Windows 7)

    I've installed XP under my user's Windows 7 64 bit Enterprise. Unfortunately I set up networking for DHCP so that the host and guest (too much vmware :) ) get two different IPs.
    So with Cisco AnyConnect, I can't get the guest (i.e. the Win XP VM) to connect correctly. I want to change networking back to bridged and try that, but for the life of me I can't find where the settings are. I'm thinking that bridged (where I don't have to try the Cisco client in the VM) might work better.
    But I'm in the US
    My user's in Australia
    and right now I can't get remote tools to work on the host and talking this guy through it on the phone is not pleasant.
    Are there instructions somewhere, and where is the full downloadable documentation for this product. I can find online, can't find a full downloadable copy

    On Thu, 2 Sep 2010 14:34:57 +0000, Jim_St wrote:
    I've installed XP under my users Windows 7 64 bit Enterprise. Unfortunately I set up networking for DHCP so that the host and guest (too much vmware :) ) get two different IP's.
    So with Cisco anyconnect, I can't get the guest (i.e. the Win xp vm) to connect correctly. I want to change networking back to bridged and try that, but for the life of me I can't find where the settings are. I'm thinking that bridged (where I don't have to try the Cisco client in the vm might work better)
    But I'm in the US
    My users in Australia
    and right now I can't get remote tools to work on the host and talking this guy through it on the phone is not pleasant.
    Are there instructions somewhere, and where is the full downloadable documentation for this product. I can find online, can't find a full downloadable copy

    Bridged networking is what VMWare calls it and it works basically the
    same as the way you don't like here. The guest will interact with the
    NIC on the host and from the outside it will present a second channel
    with a different MAC address. This channel will acquire an IP address
    of its own from the DHCP server.
    But no matter what you do, the host and guest will NEVER EVER get the
    same IP address!
    Additionally, Cisco VPN by design will shut down ALL other network
    interfaces when it connects the tunnel so the computer running Cisco
    VPN will be effectively disconnected from the local network and
    INSTEAD connected to the remote network. You cannot share this VPN
    tunnel to another local computer and this includes the host.
    Bo Berglund

  • Netctl, systemd and 'external' vpn command

    I am trying to use netctl to connect to a vpn (a microsoft vpn). The `pon` command works, but I would like to use netctl to set up routing, dns, et cetera. I am confused about how netctl and systemd should work together, and I have not found any documentation where this is explained in a way that I can follow.
    What I did gather, is that netctl delegates vpn connections to systemd. This is the contents of /etc/systemd/system/myvpn.service:
    [Unit]
    Description=myvpn connection
    [Service]
    Type=forking
    ExecStart=/usr/bin/pon
    PIDFile=/var/run/ppp0.pid
    Unclear to me is how I should set up an additional netctl file, and how that one should make use of, or be used by, the systemd file.
    Pointers are very much appreciated!

    Could very well be possible that I've been on the wrong track.
    But I cannot make the pppoe-configuration work.
    * Where would I put the `pon`-command? I have grepped the files of netctl, but the pon-command is not built in...
    * Why would I need to put in username and password? That is already handled by my chaps-secret file, that is pointed to via the OptionsFile...
    * And what should I choose for the Interface? If I give it the name ppp0 (what is being used by pon), netctl complains as follows:
    Interface 'ppp0' does not exist
    Anyway, here is my current config:
    $ grep -vE '^(#|$)' /etc/netctl/myvpn
    Description='Example PPPoE connection'
    Interface=ppp0
    Connection=pppoe
    User='myuser'
    Password='mypassword'
    PPUnit=0
    OptionsFile=/etc/ppp/peers/myvpn
    IP=dhcp
    ConnectionMode='persist'
    DefaultRoute=false
    UsePeerDNS=false
    $ cat /etc/ppp/peers/myvpn
    pty "pptp <ip-address> --nolaunchpppd"
    name myvpn
    remotename FW-ROADWAR
    require-mppe-128
    require-mschap
    file /etc/ppp/myvpn.options
    ipparam myvpn
    $ cat /etc/ppp/myvpn.options
    lock
    # debug
    name vpn
    noauth
    user myusername
    # mppe required,no40,no56
    refuse-eap
    lcp-echo-failure 30
    lcp-echo-interval 20
    idle 0
    defaultroute
    maxfail 1

  • ASA 5505 Site to Site and Web VPN

    Hello all, I need to add a site to site tunnel from an ASA 5505 (ver 8.05) to a SonicWall appliance. The problem is, the ASA already has remote access VPN and AnyConnect VPN configured. I'm not sure if it's possible to add another secured tunnel to the device. I've already got one NAT 0 statement.
    Thanks for your expert opinions!

    Hi,
    There should be no problem adding a Site to Site VPN on the ASA even if it has Client VPN configured.
    If you for example have an "inside" interface which has NAT0 configuration like
    nat (inside) 0 access-list NAT0
    You just add the needed ACL lines to that existing ACL for the L2L VPN.
    On the basis of the information you provided I don't see any problem configuring the L2L VPN on the ASA.
    - Jouni

  • L3 vpn and VPLS on same SVI.

    Hi,
    Can anyone help me with this query?
    I am trying to connect a CE router with two redundant links to two separate PEs. I need spanning tree to be run between the PEs for the resilience and failover so was thinking VPLS, but also need the CE to connect to a L3 vpn.
    Does anyone know if it is possible to have a vlan (SVI) in a VPLS instance and a L3 MPLS vpn?
    Thanks
    Wai-Lun

    Hello Wai,
    I may be wrong but I don't think you can at the same time over a single SVI to offer L3 VPN and L2 VPN services.
    However, I would suggest to divide your links/requirements: the two CE-PE1 and CE-PE2 links will be VRF access links from the PE point of view and you can use a dynamic protocol.
    Routing protocols can provide all the failover and redundancy you are looking for.
    The PE Routers will be interconnected via MPLS backbone links.
    If you miss your own backbone infrastructure you can use CSC (Carrier Supporting Carrier) or lease simple EoMPLS /VPLS links from a provider (this may need some thoughts about MTU)
    hope to help
    best regards
    Giuseppe

  • Can I connect to my microsoft network via VPN and download network files?

    Can I connect to my microsoft network via VPN and download network files to my iPad2?  If so, what app is required?

    There are several apps available from App Store but the one I use is iTeleport.
    Oops the Windows specific version is called Jaadu Remote Desktop for Windows
    Message was edited by: Joe Bailey to add Windows version

  • VPN: iPAD IPSEC AND MICROSOFT TMG

    I have a problem with connecting to my IPsec VPN on Microsoft TMG.
    When I try to connect (on IPsec with certificate) from Windows XP and Win7 to this VPN I don't have any problems.
    On my iPad I can only connect on L2TP with preshared key, but on IPsec with certificate still nothing.
    I tried connecting with two certificates: the same one that I have on the PC, and a new one only for the iPad. In the iPhone Configuration Tool I installed all certificates (CA root, CA sub, VPN on TMG, client cert with client authentication). In my cert I have an external CRL. I also tried a certificate with additional SANs (VPN server FQDN and IP address).
    When I try connect on ipad to tmg ipsec vpn I found that error on logs:
    EventId: 4653
    An IPsec main mode negotiation failed.
    Local Endpoint:
         Local Principal Name:    -
         Network Address:    x.x.x.x
         Keying Module Port:    500
    Remote Endpoint:
         Principal Name:        -
         Network Address:    x.x.x.x
         Keying Module Port:    500
    Additional Information:
         Keying Module Name:    IKEv1
         Authentication Method:    Unknown authentication
    So maybe anyone can help me? What do I do wrong?
    Thanks a lot.

    Hi
    The application in iTunes is indeed free; however, in order to use it you will need to have a special AnyConnect mobile licence loaded onto the Cisco ASA. The licence can be ordered through a Cisco registered partner with part code L-ASA-AC-M-55XX= (XX=05,10,20,40,50,80 depending on the model).
    Alex

  • VPN and Exchange server blocks internet access

    I had some difficulty configuring Entourage to connect to an Exchange server after establishing a VPN. When the VPN was up, but Entourage was not working, I could use Safari or any other web access without problems. After getting the Entourage account running, it was populating the folders for what seemed like hours, so I wanted to do other things while waiting. Safari and AOL would not connect. Apparently Microsoft has figured out another way to mess with you on a Mac. Anyone had this problem?

    It turns out that it's the VPN that is blocking web access. The first time I configured it a couple of months ago, it connected, and I could do whatever I wanted. When I tried to use the VPN the other day, all my settings had been erased for some reason and I had to reconfigure. It connected, I got into Entourage, used it, but when I tried to go to a web site Safari wouldn't connect. I closed Entourage, no dice. Today I connected without going into Entourage and Safari wouldn't connect. Without the VPN, Safari behaves itself. I have a PC upstairs with the same VPN and it allows use of your browser.
    I connected to a different VPN host and still no browser on the Mac. Can not figure out what has happened.

  • VPN and Certificates fun

    I've been trying to get the iPhone VPN to work with a self-signed cert to no avail. I generated the cert using Windows 2008r2 certificate services, exported the server and root and put them into the ICU and my Cisco VPN (using IPsec of course).
    In the ICU VPN section, under Identity Certificate, it doesn't seem to recognize that I have the certs loaded. Please see http://imgur.com/KypuN. The server name and certs match where they should, and I know I'm missing something obvious here, but just can't find the problem.
    Any help would be appreciated.

    I was able to find the issue. I have tested the scenario with a Surface RT 8.1. I enrolled the device to SCCM/Intune and got a certificate with NDES. Then I added a VPN connection and tried to connect. Windows asked for a smart card, but the certificate isn't a smart card. So I added a second VPN connection to a Microsoft VPN and tried to connect with the same certificate. No question about a smart card, and the connection was established fine. Then I remembered the options of the certificate profiles (TPM or Software Key Storage). I had selected TPM in my initial configuration. I changed it to Software Key Storage and re-enrolled to Intune to force certificate deployment. After receiving the new certificate I tried again on my Surface and the Juniper VPN connection was established. I re-enrolled my Windows Phone to Intune and after I received the new certificate I was able to connect my Windows Phone to the Juniper VPN too.
    So I think the problem is that the Juniper 3rd party API is not allowed to access the TPM or it is done the wrong way.
    I hope this helps.
    Kind regards
    Denis  
     

  • How do i use an active directory group for vpn and not all user

    Hi all,
    I have an ASA 5515-X...
    How do I use a particular group in Active Directory to have VPN/AnyConnect access? Right now I believe it's for all users on my current config,
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    !integrate with active directory
    aaa-server LDAPSERVERS protocol ldap
    aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
    ldap-base-dn dc=company,dc=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password 12345678
    ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com
    server-type auto-detect
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Say I want this "vpn-group" object group in AD and my VPN is only AnyConnect and no other VPN types.
    thanks for any comment you may add.

    The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.
    DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that.

  • IpSec VPN and NAT don't work togheter on HP MSR 20 20

    Hi People,
    I'm getting several issues, let me explain:
    I have an HP MSR router with 2 Ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a site to site VPN through the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach the network through the IPsec VPN. The issue is that the network 192.168.100.0 /24 needs to reach the internet with the same public address, so I have set a basic NAT configuration. When I put the NAT configuration on Eth 0/0, all of network 192.168.100.0 can go to the internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the internet.
    I'm missing something but I don't know what it is! See below the configuration.
    Can anyone help me with that? I need to send the traffic with target 10.10.10.0 through the VPN, and all other traffic to the internet. Basically I need NAT and VPN to work fine at the same time.
    Note: I have only one public IP address.
    version 5.20, Release 2207P41, Standard
    sysname HP
    nat address-group 1 186.177.159.93 186.177.159.93
    domain default enable system
    dns proxy enable
    telnet server enable
    dar p2p signature-file cfa0:/p2p_default.mtd
    port-security enable
    acl number 2001
    rule 0 permit source 192.168.100.0 0.0.0.255
    rule 5 deny
    acl number 3000
    rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
    vlan 1
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    ike proposal 1
    encryption-algorithm 3des-cbc
    dh group2
    ike proposal 10
    encryption-algorithm 3des-cbc
    dh group2
    ike peer vpn-test
    proposal 1
    pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
    remote-address <Public Ip from VPN Peer>
    local-address 186.177.159.93
    nat traversal
    ipsec proposal vpn-test
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    ipsec policy vpntest 30 isakmp
    connection-name vpntest.30
    security acl 3000
    pfs dh-group2
    ike-peer vpn-test
    proposal vpn-test
    dhcp server ip-pool vlan1 extended
    network mask 255.255.255.0
    user-group system
    group-attribute allow-guest
    local-user admin
    password cipher .]@USE=B,53Q=^Q`MAF4<1!!
    authorization-attribute level 3
    service-type telnet
    service-type web
    cwmp
    undo cwmp enable
    interface Aux0
    async mode flow
    link-protocol ppp
    interface Cellular0/0
    async mode protocol
    link-protocol ppp
    interface Ethernet0/0
    port link-mode route
    nat outbound 2001 address-group 1
    nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
    ip address dhcp-alloc
    ipsec policy vpntest
    interface Ethernet0/1
    port link-mode route
    ip address 192.168.100.1 255.255.255.0
    interface NULL0
    interface Vlan-interface1
    undo dhcp select server global-pool
    dhcp server apply ip-pool vlan1

    ewaller wrote:
    What is under the switches tab?
    Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay.  I'll let it slide.  Watch the bumping as well.
    If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original)  back here, and you are golden.
    I had a bear of a time getting the microphone working on my HP DV4, but it does work.  I'll look at the set up when I get home tonight [USA-PDT].
    Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
    So here is what it is under the switches tab

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses.
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination let's say 10.23.1.5, not 192.168.1.5 (notice the last octet should be the same, in this case .5)
    The same translation for the rest of the communication (Host N2 pings host N3 with destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same)
    It sounds a bit confusing to me but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up)
    Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated addresses as mentioned above, 10.23.1.0/24 instead of (real) 192.168.1.0/24; the last octet should be the same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so we're going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni
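
The relationship between the policy NAT and the crypto ACLs in the answer above, as an added example that is not part of the original thread: a Python sketch that models the static policy NAT (host bits preserved, applied only toward 10.1.0.0/16) and checks that both crypto ACLs reference the translated network. The config lines are copied from the answer; the function names are hypothetical, and the parser handles only the `permit ip NET MASK NET MASK` form used there.

```python
import ipaddress

# Lines copied from the answer above (the "ASA1:" / "ASA2:" labels are dropped).
POLICY_ACL = "access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0"
STATIC_NAT = "static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT"
ASA1_CRYPTO = "access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0"
ASA2_CRYPTO = "access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0"
# Constructed mistake: ASA1 crypto ACL written with the real (pre-NAT) network.
ASA1_CRYPTO_WRONG = "access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0"


def parse_acl(line):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' into (name, src, dst)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
    dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
    return tok[1], src, dst


def parse_static(line, acls):
    """Parse 'static (real,mapped) MAPPED_BASE access-list NAME' into a rule tuple.

    The mapped network takes its prefix length from the ACL's source network,
    so 192.168.1.0/24 maps one-to-one onto 10.23.1.0/24.
    """
    tok = line.split()
    if len(tok) != 5 or tok[0] != "static" or tok[3] != "access-list":
        raise ValueError(f"unsupported static line: {line!r}")
    real, dest = acls[tok[4]]
    mapped = ipaddress.ip_network(f"{tok[2]}/{real.prefixlen}")
    return real, mapped, dest


def translate(src, dst, rule):
    """Return the source address as seen on the outside for a src -> dst flow."""
    real, mapped, dest = rule
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in real and d in dest:
        # Policy NAT matches: keep the host offset, swap the network part.
        offset = int(s) - int(real.network_address)
        return str(mapped.network_address + offset)
    # No match: this rule leaves the packet alone (regular PAT would apply).
    return str(s)


def check_crypto(asa1_line, asa2_line, rule):
    """List inconsistencies between the crypto ACLs and the policy NAT rule."""
    real, mapped, dest = rule
    _, a1_src, a1_dst = parse_acl(asa1_line)
    _, a2_src, a2_dst = parse_acl(asa2_line)
    problems = []
    if a1_src != mapped:
        problems.append(f"ASA1 crypto ACL source {a1_src} is not the translated network {mapped}")
    if a1_dst != dest:
        problems.append(f"ASA1 crypto ACL destination {a1_dst} differs from NAT policy destination {dest}")
    if (a2_src, a2_dst) != (a1_dst, a1_src):
        problems.append("ASA2 crypto ACL is not the mirror image of ASA1's")
    return problems


_name, _src, _dst = parse_acl(POLICY_ACL)
RULE = parse_static(STATIC_NAT, {_name: (_src, _dst)})

if __name__ == "__main__":
    print(translate("192.168.1.5", "10.1.0.1", RULE))
    print(check_crypto(ASA1_CRYPTO, ASA2_CRYPTO, RULE))
    print(check_crypto(ASA1_CRYPTO_WRONG, ASA2_CRYPTO, RULE))
```
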

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
    Last question:
    This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On site A configures: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
    Message was edited by: Jennifer Halim

  • Split Tunnel VPN and routing public ip traffic

    Hi Everyone,
        I have my split tunnel vpn working well but I need to make an adjustment. We have a few systems in the "cloud" and we only allow access from our corporate WAN IP to those servers. I need to be able to access those servers via VPN connection to the office. I added that public IP subnet to my interesting traffic and the vpn client is sending the traffic across the VPN as expected. The issue is that it somehow drops out inside the firewall it seems. Almost like it doesn't know how to route that request back out to the internet using its own default gateway. Any thoughts as to what I may be missing? Here is some of the relevant code
    same-security-traffic permit intra-interface
    ----Interesting Traffic------
    access-list vpnpool standard permit 10.1.1.0 255.255.255.0
    access-list vpnpool standard permit 10.31.26.0 255.255.255.0
    access-list vpnpool standard permit 10.31.61.0 255.255.255.0
    access-list vpnpool standard permit 10.31.3.128 255.255.255.192
    access-list vpnpool standard permit 10.31.40.128 255.255.255.240
    access-list vpnpool standard permit 10.31.40.64 255.255.255.192
    access-list vpnpool standard permit 50.57.0.0 255.255.0.0  -- Network of cloud servers
    ---Natting----------
    global (outside) 1 71.174.57.78
    global (dmz) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 10.1.1.0 255.255.255.0
    nat (qa) 1 200.200.200.0 255.255.255.0
    nat (dmz) 1 10.1.11.0 255.255.255.0
    nat (dmz2) 1 192.168.1.0 255.255.255.0
    ---Rules and Gateway-------
    access-group inbound in interface outside
    access-group dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 71.174.57.1 1
    ---VPN-----
    group-policy xxx-remote internal
    group-policy xxx-remote attributes
    wins-server value 10.1.1.5
    dns-server value 10.1.1.5 10.1.1.6
    vpn-idle-timeout 60
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnpool
    default-domain value xxx.local
    split-dns value xxxx.local
    service-type remote-access
    tunnel-group xxx-vpn type remote-access
    tunnel-group xxx-vpn general-attributes
    address-pool vpnpool
    authentication-server-group (outside) RADIUS
    authentication-server-group (dmz) RADIUS
    default-group-policy xxx-remote
    tunnel-group xxx-vpn ipsec-attributes
    pre-shared-key xxxxx

    That was my mistake, I am mixing up code here. The fun of switching between new and old ASA code as well as routers
    Let's do it this way, this should fix the problem. Put the NAT command the way it was as follows:
    nat (Outside) 1 10.1.10.0 255.255.255.0
    Now we add a NAT0 for the Outside interface. You can reuse the ACL we made if you want or make a new one, your call since you have to administrate it.
    no access-list VPN-NAT
    access-list VPN-NAT0 permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.0.0.0
    nat (Outside) 0 access-list VPN-NAT0
    Now, this should properly NAT the traffic going to the Internet while excluding the traffic destined for your 10.0.0.0/8 subnet using the Nat 0.
    Sorry for the roundabout fix, but that should take care of it.
