Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

Similar Messages

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• Cisco ASA 5505 doesn't forware incoming connection to LAN

  Hello everybody.
  I just got a Cisco asa 5505 with the next OS and ASDM info
  ASA 5505 OS 8.4(3) ASDM 6.47
  I configured and enter all rules to allow incoming traffic to LAN but it's not working also, I have one host inside that is configured in a second IP and create the rule to allow traffic to it but it doesn't work too.
  Problem 1
  I have VNC running in port 5900 tcp and I want to connect from Internet using port 6001 and this has to forware the connection to the real VNC port. In the configuration I have a few host with the same configuration but I use different outside port to get it.
  Problem 2.
  I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.
  Facts:
  SMTP.
  Every time that I do telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection goes through and the LOGGING screen doesn't how that connection.
  PORT 6001 (outside)
  this port is configured to work with the IP in the outside internface and it was to send the incoming connection to a host inside to the real port 5900.
  Can any one check my configuration if I'm missing anything? for sure I'm but I didn't find it. Bellow is the configuration, I masked the Public IPs just left the last number in the IP, also I left the LAN network to see better the configuration.
  I will appreciate any help.
  Thanks a lot..
  CONFIGURATION.
  : Saved
  ASA Version 8.4(3)
  hostname saturn1
  domain-name mydominio.com
  enable password SOMEPASS encrypted
  passwd SOMEPASS encrypted
  names
  name 192.168.250.11 CAPITOLA-LAN
  name 192.168.250.15 OBIi110-LAN
  name 192.168.250.21 DRP1260-LAN
  name 192.168.250.22 HPOJ8500-LAN
  name 192.168.250.30 AP-W77-NG-LAN
  name 192.168.250.97 AJ-DTOP-PC-LAN
  name 192.168.250.96 SWEETHEART-PC-LAN
  name 192.168.250.94 KIDS-PC-LAN
  name XX.YY.ZZ.250 EXTERNALIP
  name XX.YY.ZZ.251 EXTERNALIP2
  name XX.YY.ZZ.1 GTWAY
  dns-guard
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.250.2 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address EXTERNALIP 255.255.255.0
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name mydominio.com
  object network CAPITOLA-LAN
  host 192.168.250.11
  object network EXTERNALIP
  host XX.YY.ZZ.250
  description Created during name migration
  object network CAPITOLA-PUBLIC
  host XX.YY.ZZ.251
  object network capitola-int
  host 192.168.250.11
  object network capitola-int-vnc
  host 192.168.250.11
  object network aj-dtop-int-vnc
  host 192.168.250.97
  object network sweetheart-int-vnc
  host 192.168.250.96
  object network kids-int-vnc
  host 192.168.250.94
  object network VPNNetwork
  subnet 10.10.20.0 255.255.255.0
  object network InsideNetwork
  subnet 192.168.250.0 255.255.255.0
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network capitola-int-smtp
  host 192.168.250.11
  object-group service capitola-int-smtp-service tcp
  port-object eq smtp
  object-group service capitola-int-services tcp
  port-object eq smtp
  port-object eq https
  port-object eq www
  port-object eq 444
  object-group service capitola-int-vnc-service tcp
  port-object eq 6001
  object-group service aj-dtop-int-vnc-service tcp
  port-object eq 6002
  object-group service sweetheart-int-vnc-service tcp
  port-object eq 6003
  object-group service kids-int-vnc-service tcp
  port-object eq 6004
  access-list incoming extended permit icmp any any
  access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
  access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
  access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
  access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
  access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
  access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
  access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any object VPNNetwork
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
  object network capitola-int
  nat (any,any) static XX.YY.ZZ.251
  object network capitola-int-vnc
  nat (inside,outside) static interface service tcp 5900 6001
  object network aj-dtop-int-vnc
  nat (inside,outside) static interface service tcp 5900 6002
  object network sweetheart-int-vnc
  nat (inside,outside) static interface service tcp 5900 6003
  object network kids-int-vnc
  nat (inside,outside) static interface service tcp 5900 6004
  object network obj_any
  nat (inside,outside) dynamic interface
  object network capitola-int-smtp
  nat (any,outside) static interface service tcp smtp smtp
  access-group incoming in interface outside
  route outside 0.0.0.0 0.0.0.0 GTWAY 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http server idle-timeout 2
  http server session-timeout 1
  http 192.168.1.0 255.255.255.0 inside
  http CAPITOLA-LAN 255.255.255.255 inside
  http AJ-DTOP-PC-LAN 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh CAPITOLA-LAN 255.255.255.255 inside
  ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
  ssh timeout 15
  console timeout 0
  vpn-addr-assign local reuse-delay 2
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username admin password SOMEPASS encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect pptp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
  : end
  asdm image disk0:/asdm-647.bin
  no asdm history enable

  Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
  access list rule:
  access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
  nat rule:
  nat (inside,outside) source static server interface service voip-range voip-range
  - 'server' is a network object *
  - 'voip-range' is a service group range
  I'd assume you can do something similar here in combination with my earlier comment:
  access-list incoming extended permit tcp any any eq 5900
  Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

• Cisco ASA 5505 SSL VPN

  Hi Everyone,
  In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
  I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if  I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
  I need help to solve this mystery. Please find attached the ASA config: #show run
  I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
  Best regards,
  BEN

  If you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
  I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA.

• Cisco ASA 5505 as VPN client

  Hello all thanks for looking,
  I need to know how to setup my cisco asa 5505 as a vpn client to services like HMA or privateinternet and other paid VPN services. If someone else has already written a guide to this then that would be great. What I want to do is route all my secure traffice through the asa and have it go across the internet as encrypted VPN stuff and have my other stuff that does not need to be encrypted just go through to my other router. 
  Thanks in advance,

  If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• CISCO ASA 5505 bandwidth Controll and split

  Dear All,
  Below am giving the infrastructure which i like to do please help me.
  I Am Using Cisco ASA 5505 VPN Firewall and 6Mbps 1:1 dedicated internet connection.
  in Lan Side we have 3 networks one for Internet Users one For VPN Users One for CCTV
  i would like to split the 6Mbps bandwidth for these network 3 networks 3x2 each
  each network use 2Mbps bandwidth. The VPN and CCTV Users use up to 6:00 pm after that the bandwidth will be free
  after the 6:00 pm we need to use the the VPN and CCTV line bandwidth to the internet Users.
  Cisco Adaptive Security Appliance Software Version 7.2(4)
  Device Manager Version 5.2(4)
  Compiled on Sun 06-Apr-08 13:39 by builders
  System image file is "disk0:/asa724-k8.bin"
  so please help me with suitable configuration for my purpose./please tell me which device will support for this/what is have to do for this.  
  Thanks 
  Lalu R.S

  There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
  You can do some crude controls with QoS - the configuration guide chapter on doing that is here.

• Cisco ASA 5505 IPSEC, one endpoint behind NAT device

  We have two Cisco ASA 5505 devices.
  Both are identical, however, one of them is behind a NAT device.
  We are attempting to create an IPSEC network.
  Site fg:
  <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
  ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
  Site be:
  <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
  ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
  USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
  USG1: UDP port 500/4500 forwarded to 192.168.4.50
  It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
  Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
  Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
  Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
  We verified / attempted the following:
  - NAT excemption on both sides for IPSEC subnets
  - Mirror image crypto maps
  - Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
  - Toggled between static to dynamic crypto maps on ASA1
  Most search results turned up results referring to the incorrect settings of the crypto map or the lack of NAT excemption.
  Does anyone have any idea?
  195.txt contains show running-config of ASA3
  212.txt contains show running-config of ASA1
  log.txt contains somewhat entire log snipper of ASA1

  Hi,
  on 212 is see
  tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
  tunnel-group 195.xxx.xxx.xxx ipsec-attributes
  pre-shared-key
  When you define the peer with static tunnel-group entry ASA is looking for peer configuration in static crypto map. If the peer is behind static NAT configure a proper static crypto map with matching acl and proposals.
  If the peer is behind dynamic nat refer this example :http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
  Regards,
  Abaji.

• Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

  I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
  Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
  I suspect it may be an issue with my firewall, but I am not really sure where to begin.
  Here is a copy of my config, any pointers or tips are aprpeciated:
  hostname mcfw
  enable password Pt8fQ27yMZplioYq encrypted
  passwd 2qaO2Gd6IBRkrRFm encrypted
  names
  interface Ethernet0/0
  switchport access vlan 400
  interface Ethernet0/1
  switchport access vlan 400
  interface Ethernet0/2
  switchport access vlan 420
  interface Ethernet0/3
  switchport access vlan 420
  interface Ethernet0/4
  switchport access vlan 450
  interface Ethernet0/5
  switchport access vlan 450
  interface Ethernet0/6
  switchport access vlan 500
  interface Ethernet0/7
  switchport access vlan 500
  interface Vlan400
  nameif outside
  security-level 0
  ip address 58.13.254.10 255.255.255.248
  interface Vlan420
  nameif public
  security-level 20
  ip address 192.168.20.1 255.255.255.0
  interface Vlan450
  nameif dmz
  security-level 50
  ip address 192.168.10.1 255.255.255.0
  interface Vlan500
  nameif inside
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  ftp mode passive
  clock timezone JST 9
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network DM_INLINE_NETWORK_1
  network-object host 58.13.254.11
  network-object host 58.13.254.13
  object-group service ssh_2220 tcp
  port-object eq 2220
  object-group service ssh_2251 tcp
  port-object eq 2251
  object-group service ssh_2229 tcp
  port-object eq 2229
  object-group service ssh_2210 tcp
  port-object eq 2210
  object-group service DM_INLINE_TCP_1 tcp
  group-object ssh_2210
  group-object ssh_2220
  object-group service zabbix tcp
  port-object range 10050 10051
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq www
  group-object zabbix
  port-object eq 9000
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service http_8029 tcp
  port-object eq 8029
  object-group network DM_INLINE_NETWORK_2
  network-object host 192.168.20.10
  network-object host 192.168.20.30
  network-object host 192.168.20.60
  object-group service imaps_993 tcp
  description Secure IMAP
  port-object eq 993
  object-group service public_wifi_group
  description Service allowed on the Public Wifi Group. Allows Web and Email.
  service-object tcp-udp eq domain
  service-object tcp-udp eq www
  service-object tcp eq https
  service-object tcp-udp eq 993
  service-object tcp eq imap4
  service-object tcp eq 587
  service-object tcp eq pop3
  service-object tcp eq smtp
  access-list outside_access_in remark http traffic from outside
  access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
  access-list outside_access_in remark ssh from outside to web1
  access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
  access-list outside_access_in remark ssh from outside to penguin
  access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
  access-list outside_access_in remark http from outside to penguin
  access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
  access-list outside_access_in remark ssh from outside to hub & studio
  access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
  access-list outside_access_in remark dns service to hub
  access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
  access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
  access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
  access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
  access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
  access-list public_access_in remark General web access. (HTTP, DNS & ICMP and  Email)
  access-list public_access_in extended permit object-group public_wifi_group any any
  access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
  pager lines 24
  logging enable
  logging timestamp
  logging buffered notifications
  logging trap notifications
  logging asdm debugging
  logging from-address [email protected]
  logging recipient-address [email protected] level warnings
  logging host dmz 192.168.10.90 format emblem
  logging permit-hostdown
  mtu outside 1500
  mtu public 1500
  mtu dmz 1500
  mtu inside 1500
  ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
  ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 60
  global (outside) 1 interface
  global (dmz) 2 interface
  nat (public) 1 0.0.0.0 0.0.0.0
  nat (dmz) 1 0.0.0.0 0.0.0.0
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
  static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
  static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
  static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
  static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
  static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
  static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
  static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
  access-group outside_access_in in interface outside
  access-group public_access_in in interface public
  access-group dmz_access_in in interface dmz
  route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  http 59.159.40.188 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt noproxyarp dmz
  sysopt noproxyarp inside
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map public_map interface public
  crypto isakmp enable outside
  crypto isakmp enable public
  crypto isakmp enable inside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 59.159.40.188 255.255.255.255 outside
  ssh 192.168.0.0 255.255.255.0 inside
  ssh timeout 20
  console timeout 0
  dhcpd dns 61.122.112.97 61.122.112.1
  dhcpd auto_config outside
  dhcpd address 192.168.20.200-192.168.20.254 public
  dhcpd enable public
  dhcpd address 192.168.10.190-192.168.10.195 dmz
  dhcpd enable dmz
  dhcpd address 192.168.0.200-192.168.0.254 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics host number-of-rate 2
  no threat-detection statistics tcp-intercept
  ntp server 130.54.208.201 source public
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 61.122.112.97 61.122.112.1
  vpn-tunnel-protocol l2tp-ipsec
  group-policy CiscoASA internal
  group-policy CiscoASA attributes
  dns-server value 61.122.112.97 61.122.112.1
  vpn-tunnel-protocol IPSec
  username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPN_Pool
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
  tunnel-group ocmc type remote-access
  tunnel-group ocmc general-attributes
  address-pool OfficePool
  tunnel-group ocmc ipsec-attributes
  pre-shared-key *****
  tunnel-group CiscoASA type remote-access
  tunnel-group CiscoASA general-attributes
  address-pool VPN_Pool
  default-group-policy CiscoASA
  tunnel-group CiscoASA ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  smtp-server 192.168.10.10
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
  : end
  asdm location 192.168.10.10 255.255.255.255 inside
  asdm location 192.168.0.29 255.255.255.255 inside
  asdm location 58.13.254.10 255.255.255.255 inside
  no asdm history enable

  Hi Conor,
  What is your local net ? I see only one default route for outside network. Dont you need a route inside for your local network.
  Regards,
  Umair

• ASA 5505 IPSEC VPN connected but can't access to LAN

  ASA : 8.2.5
  ASDM: 6.4.5
  LAN: 10.1.0.0/22
  VPN Pool: 172.16.10.0/24
  Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
  I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
  Below is my configure, do I mis-configure anything?
  ASA Version 8.2(5)
  hostname asatest
  domain-name XXX.com
  enable password 8Fw1QFqthX2n4uD3 encrypted
  passwd g9NiG6oUPjkYrHNt encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.1.253 255.255.252.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.XXX 255.255.255.240
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name vff.com
  access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
  access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
  pager lines 24
  logging enable
  logging timestamp
  logging trap warnings
  logging asdm informational
  logging device-id hostname
  logging host inside 10.1.1.230
  mtu inside 1500
  mtu outside 1500
  ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server AD protocol nt
  aaa-server AD (inside) host 10.1.1.108
  nt-auth-domain-controller 10.1.1.108
  http server enable
  http 10.1.0.0 255.255.252.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 10.1.0.0 255.255.252.0 inside
  ssh timeout 20
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy vpntest internal
  group-policy vpntest attributes
  wins-server value 10.1.1.108
  dns-server value 10.1.1.108
  vpn-tunnel-protocol IPSec l2tp-ipsec
  password-storage disable
  ip-comp disable
  re-xauth disable
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpntest_splitTunnelAcl
  default-domain value XXX.com
  split-tunnel-all-dns disable
  backup-servers keep-client-config
  address-pools value vpnpool
  username admin password WeiepwREwT66BhE9 encrypted privilege 15
  username user5 password yIWniWfceAUz1sUb encrypted privilege 5
  username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
  tunnel-group vpntest type remote-access
  tunnel-group vpntest general-attributes
  address-pool vpnpool
  authentication-server-group AD
  authentication-server-group (inside) AD
  default-group-policy vpntest
  strip-realm
  tunnel-group vpntest ipsec-attributes
  pre-shared-key BEKey123456
  peer-id-validate nocheck
  privilege cmd level 3 mode exec command perfmon
  privilege cmd level 3 mode exec command ping
  privilege cmd level 3 mode exec command who
  privilege cmd level 3 mode exec command logging
  privilege cmd level 3 mode exec command failover
  privilege cmd level 3 mode exec command packet-tracer
  privilege show level 5 mode exec command import
  privilege show level 5 mode exec command running-config
  privilege show level 3 mode exec command reload
  privilege show level 3 mode exec command mode
  privilege show level 3 mode exec command firewall
  privilege show level 3 mode exec command asp
  privilege show level 3 mode exec command cpu
  privilege show level 3 mode exec command interface
  privilege show level 3 mode exec command clock
  privilege show level 3 mode exec command dns-hosts
  privilege show level 3 mode exec command access-list
  privilege show level 3 mode exec command logging
  privilege show level 3 mode exec command vlan
  privilege show level 3 mode exec command ip
  privilege show level 3 mode exec command ipv6
  privilege show level 3 mode exec command failover
  privilege show level 3 mode exec command asdm
  privilege show level 3 mode exec command arp
  privilege show level 3 mode exec command route
  privilege show level 3 mode exec command ospf
  privilege show level 3 mode exec command aaa-server
  privilege show level 3 mode exec command aaa
  privilege show level 3 mode exec command eigrp
  privilege show level 3 mode exec command crypto
  privilege show level 3 mode exec command vpn-sessiondb
  privilege show level 3 mode exec command ssh
  privilege show level 3 mode exec command dhcpd
  privilege show level 3 mode exec command vpnclient
  privilege show level 3 mode exec command vpn
  privilege show level 3 mode exec command blocks
  privilege show level 3 mode exec command wccp
  privilege show level 3 mode exec command dynamic-filter
  privilege show level 3 mode exec command webvpn
  privilege show level 3 mode exec command module
  privilege show level 3 mode exec command uauth
  privilege show level 3 mode exec command compression
  privilege show level 3 mode configure command interface
  privilege show level 3 mode configure command clock
  privilege show level 3 mode configure command access-list
  privilege show level 3 mode configure command logging
  privilege show level 3 mode configure command ip
  privilege show level 3 mode configure command failover
  privilege show level 5 mode configure command asdm
  privilege show level 3 mode configure command arp
  privilege show level 3 mode configure command route
  privilege show level 3 mode configure command aaa-server
  privilege show level 3 mode configure command aaa
  privilege show level 3 mode configure command crypto
  privilege show level 3 mode configure command ssh
  privilege show level 3 mode configure command dhcpd
  privilege show level 5 mode configure command privilege
  privilege clear level 3 mode exec command dns-hosts
  privilege clear level 3 mode exec command logging
  privilege clear level 3 mode exec command arp
  privilege clear level 3 mode exec command aaa-server
  privilege clear level 3 mode exec command crypto
  privilege clear level 3 mode exec command dynamic-filter
  privilege cmd level 3 mode configure command failover
  privilege clear level 3 mode configure command logging
  privilege clear level 3 mode configure command arp
  privilege clear level 3 mode configure command crypto
  privilege clear level 3 mode configure command aaa-server
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
  : end

  I change  a Machine's gateway to this ASA and capture again, now we can see some reply.
  All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
  what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
  add two gateways to all PCs and swtichwes?
  1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
    10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
    19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
    20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
    21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
    22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
    23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request

• Cisco ASA 5505 L2TP VPN cannot access internal network

  Hi,
  I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
  Can you jhelp me to find out the issue?
  I have Cisco ASA:
  inside network - 192.168.1.0
  VPN network - 192.168.168.0
  I have router 192.168.1.2 and I cannot ping or get access to this router.
  Here is my config:
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 198.X.X.A 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network net-all
  subnet 0.0.0.0 0.0.0.0
  object network vpn_local
  subnet 192.168.168.0 255.255.255.0
  object network inside_nw
  subnet 192.168.1.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool sales_addresses 192.168.168.1-192.168.168.254
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic net-all interface
  nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
  nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
  object network vpn_local
  nat (outside,outside) dynamic interface
  object network inside_nw
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.5-192.168.1.132 inside
  dhcpd dns 75.75.75.75 76.76.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy sales_policy internal
  group-policy sales_policy attributes
  dns-server value 75.75.75.75 76.76.76.76
  vpn-tunnel-protocol l2tp-ipsec
  username ----------
  username ----------
  tunnel-group DefaultRAGroup general-attributes
  address-pool sales_addresses
  default-group-policy sales_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
  : end
  Thanks for your help.

  You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
  policy-map global_policy
    class inspection_default
      inspect icmp
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Cisco ASA 5505 - IPsec Tunnel issue

  Issue with IPsec Child SA
  Hi,
  I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
  hostname GARPR-COM1-WF01
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   description Failover Link
   switchport access vlan 950
  interface Ethernet0/1
   description Outside FW Link
   switchport access vlan 999
  interface Ethernet0/2
   description Inside FW Link
   switchport access vlan 998
  interface Ethernet0/3
   description Management Link
   switchport access vlan 6
  interface Ethernet0/4
   shutdown
  interface Ethernet0/5
   shutdown
  interface Ethernet0/6
   shutdown
  interface Ethernet0/7
   shutdown
  interface Vlan1
   no nameif
   no security-level
   no ip address
  interface Vlan6
   nameif management
   security-level 100
   ip address 10.65.1.20 255.255.255.240
  interface Vlan950
   description LAN Failover Interface
  interface Vlan998
   nameif inside
   security-level 100
   ip address 10.65.1.5 255.255.255.252
  interface Vlan999
   nameif outside
   security-level 0
   ip address ************* 255.255.255.248
  boot system disk0:/asa922-4-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
   domain-name ***************
  object network North_American_LAN
   subnet 10.73.0.0 255.255.0.0
   description North American LAN
  object network Queretaro_LAN
   subnet 10.74.0.0 255.255.0.0
   description Queretaro_LAN
  object network Tor_LAN
   subnet 10.75.0.0 255.255.0.0
   description Tor LAN
  object network Mor_LAN
   subnet 10.76.0.0 255.255.0.0
   description Mor LAN
  object network Tus_LAN
   subnet 10.79.128.0 255.255.128.0
   description North American LAN
  object network Mtl_LAN
   subnet 10.88.0.0 255.255.0.0
   description Mtl LAN
  object network Wic_LAN
   subnet 10.90.0.0 255.254.0.0
   description Wic LAN
  object network Wic_LAN_172
   subnet 172.18.0.0 255.255.0.0
   description Wic Servers/Legacy Client LAN
  object network Mtl_LAN_172
   subnet 172.19.0.0 255.255.0.0
   description Mtl Servers/Legacy Client LAN
  object network Tor_LAN_172
   subnet 172.20.0.0 255.255.0.0
   description Tor Servers/Legacy Client LAN
  object network Bridge_LAN_172
   subnet 172.23.0.0 255.255.0.0
   description Bridge Servers/Legacy Client LAN
  object network Mtl_WLAN
   subnet 10.114.0.0 255.255.0.0
   description Mtl Wireless LAN
  object network Bel_WLAN
   subnet 10.115.0.0 255.255.0.0
   description Bel Wireless LAN
  object network Wic_WLAN
   subnet 10.116.0.0 255.255.0.0
   description Wic Wireless LAN
  object network Mtl_Infrastructure_10
   subnet 10.96.0.0 255.255.0.0
   description Mtl Infrastructre LAN
  object network BA_Small_Site_Blocks
   subnet 10.68.0.0 255.255.0.0
   description BA Small Sites Blocks
  object network Bel_LAN
   subnet 10.92.0.0 255.255.0.0
   description Bel LAN 10 Network
  object network LAN_172
   subnet 172.25.0.0 255.255.0.0
   description  LAN 172 Network
  object network Gar_LAN
   subnet 10.65.1.0 255.255.255.0
   description Gar LAN
  object network garpr-com1-wf01.net.aero.bombardier.net
   host **************
   description Garching Firewall
  object-group network BA_Sites
   description Internal Networks
   network-object object BA_Small_Site_Blocks
   network-object object Bel_LAN
   network-object object Bel_LAN_172
   network-object object Bel_WLAN
   network-object object Bridge_LAN_172
   network-object object Mtl_Infrastructure_10
   network-object object Mtl_LAN
   network-object object Mtl_LAN_172
   network-object object Mtl_WLAN
   network-object object Mor_LAN
   network-object object North_American_LAN
   network-object object Queretaro_LAN
   network-object object Tor_LAN
   network-object object Tor_LAN_172
   network-object object Tus_LAN
   network-object object Wic_LAN
   network-object object Wic_LAN_172
   network-object object Wic_WLAN
  access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
  access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
  pager lines 24
  logging enable
  logging timestamp
  logging buffered warnings
  logging trap informational
  logging asdm informational
  logging host outside 172.25.5.102
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  failover
  failover lan unit primary
  failover lan interface Failover_Link Vlan950
  failover polltime interface msec 500 holdtime 5
  failover key *****
  failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
  route outside 0.0.0.0 0.0.0.0 ************* 1
  route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
  route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
  route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 10.65.1.0 255.255.255.0 inside
  http 172.25.5.0 255.255.255.0 inside
  http 10.65.1.21 255.255.255.255 management
  snmp-server host inside 172.25.49.0 community ***** udp-port 161
  snmp-server host outside 172.25.49.0 community *****
  snmp-server host inside 172.25.5.101 community ***** udp-port 161
  snmp-server host outside 172.25.5.101 community *****
  snmp-server host inside 172.25.81.88 poll community *****
  snmp-server host outside 172.25.81.88 poll community *****
  snmp-server location:
  snmp-server contact
  snmp-server community *****
  snmp-server enable traps syslog
  crypto ipsec ikev2 ipsec-proposal aes256
   protocol esp encryption aes-256
   protocol esp integrity sha-1
  crypto ipsec security-association lifetime seconds 3600
  crypto ipsec security-association pmtu-aging infinite
  crypto map GARCH 10 match address 101
  crypto map GARCH 10 set pfs group19
  crypto map GARCH 10 set peer *******************
  crypto map GARCH 10 set ikev2 ipsec-proposal aes256
  crypto map GARCH 10 set security-association lifetime seconds 3600
  crypto map GARCH interface outside
  crypto ca trustpool policy
  no crypto isakmp nat-traversal
  crypto ikev2 policy 10
   encryption aes-256
   integrity sha256
   group 19
   prf sha256
   lifetime seconds 86400
  crypto ikev2 enable outside
  telnet 10.65.1.6 255.255.255.255 inside
  telnet timeout 5
  ssh stricthostkeycheck
  ssh 172.25.5.0 255.255.255.0 inside
  ssh 172.19.9.49 255.255.255.255 inside
  ssh 172.25.5.0 255.255.255.0 outside
  ssh 172.19.9.49 255.255.255.255 outside
  ssh timeout 30
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 30
  management-access inside
  dhcprelay server 172.25.81.1 outside
  dhcprelay server 172.25.49.1 outside
  dhcprelay enable inside
  dhcprelay timeout 60
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 172.19.109.41
  ntp server 172.19.109.42
  ntp server 172.19.9.49 source outside
  tunnel-group ********* type ipsec-l2l
  tunnel-group ********* ipsec-attributes
   ikev2 remote-authentication pre-shared-key *****
   ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
  : end
  I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
  GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
            remote selector 172.19.0.0/0 - 172.19.255.255/65535
  where for destination network 10.92.0.0/16 there is only one child sa:
  GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
            remote selector 10.92.0.0/0 - 10.92.255.255/6553
  Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
  Thanks
  Jonathan

  Hi there,
  I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
  I don't know, the device is too old to stay alive.
  thanks

• ASA 5505 IPSec VPN Question

  I have a number of ASA 5505 boxes which I need to reconfigure to work with a Watchguard XTM 850 over IPsec.  The 5505s were previously configured to connect back to a 5510 Firewall using EasyVPN.  With EasyVPN still enabled, the remote boxes attempt to make a connection back, but there are a few settings such as Identity and Encryption types I need to modify to connect to the Watchguard firewalls.  It appears that these settings cannot be changed with EasyVPN enabled.  If I disable it, and change the identity and authentication settings, the boxes do not attempt to make a connection back.  I'm not sure if what I am trying to do is even possible at this point, and I am in dire need of some direction.  

  It is not clear from this description what is the problem and it sounds like either some part of your config changes is not correct or that there is some mismatch between your config and the config of the remote device. A starting place would be to post your config (masking off sensitive information such as public addresses and passwords.
  HTH
  Rick

• Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

  I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
  Any assistance would be appreciated.
  ASA Version 8.2(1)
  hostname KRPS-FW
  domain-name lottonline.org
  enable password uniQue
  passwd uniQue
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.20.30.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address xxx.xxx.xxx.xxx 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  description Inside Network on VLAN1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  description Inside Network on VLAN1
  ftp mode passive
  dns server-group DefaultDNS
  domain-name lottonline.org
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDE_ACCESS_IN in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.20.30.0 255.255.255.0 inside
  http 10.20.20.0 255.255.255.0 inside
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
  crypto map VPNMAP 1 match address KWPS-BITP
  crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
  crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
  crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
  crypto map VPNMAP interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  ssh timeout 5
  console timeout 0
  management-access inside
  tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
  tunnel-group xxx.xxx.xxx.001 ipsec-attributes
  pre-shared-key somekey

  Hi there,
  I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
  I don't know, the device is too old to stay alive.
  thanks

• Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across

  This is my first Cisco configuration ever so go easy on me.  A lot of the commands that I used here I don't really understand.  I got them from Googling configs.  I have the need for more than one VPN on this thing, and I've been fighting with this thing for hours today without any luck.
  The first VPN I setup, labeled vpn1 here works perfectly.  I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
  I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet w/ the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0).  I successfully make connection to this VPN, but I cannot get traffic to traverse the VPN.  I'm using the address 10.4.0.1 to test pings.  The ASA itself can ping 10.4.0.1 as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
  Here is my config (edited for names and passwords)
  ciscoasa# show run
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password ********** encrypted
  passwd ********** encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ISP_DSL
  ip address pppoe setroute
  interface Vlan3
  no forward interface Vlan1
  nameif private
  security-level 100
  ip address 10.4.13.10 255.255.240.0
  ftp mode passive
  access-list 100 extended permit icmp any any
  access-list nonat remark ACL for Nat Bypass
  access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
  access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
  access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
  access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1492
  mtu private 1500
  ip local pool vpn1pool 192.168.2.100-192.168.2.110
  ip local pool vpn2pool 192.168.3.100-192.168.3.110
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (private) 0 access-list nonat
  access-group 100 in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 30 set transform-set strong-des
  crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
  crypto map vpn1 interface outside
  crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 11
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  vpdn group ISP_DSL request dialout pppoe
  vpdn group ISP_DSL localname [email protected]
  vpdn group ISP_DSL ppp authentication chap
  vpdn username [email protected] password **********
  dhcp-client update dns
  dhcpd auto_config outside
  dhcpd address 192.168.1.100-192.168.1.200 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy vpn2 internal
  group-policy vpn2 attributes
  vpn-idle-timeout 120
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_SplitTunnel
  group-policy vpn1 internal
  group-policy vpn1 attributes
  vpn-idle-timeout 120
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_SplitTunnel
  username cssadmin password ********** encrypted
  username vpn2user password ********** encrypted
  username vpn1user password ********** encrypted
  tunnel-group vpn1-VPN type remote-access
  tunnel-group vpn1-VPN general-attributes
  address-pool vpn1pool
  default-group-policy vpn1
  tunnel-group vpn1-VPN ipsec-attributes
  pre-shared-key **********
  tunnel-group vpn2-VPN type remote-access
  tunnel-group vpn2-VPN general-attributes
  address-pool vpn2pool
  default-group-policy vpn2
  tunnel-group vpn2-VPN ipsec-attributes
  pre-shared-key *****
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
  : end
  Theories:  after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24.  I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router of default gateway on the network to even configure.
  So, what do I do?  Maybe NAT the VPN traffic?  If that is the correct answer, what lines would I put/change in the config to NAT that traffic.
  I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
  Thanks in advance for any insight you can provide.

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio