Configuración VPN

Similar Messages

• VPN use with iPad 4

  Estoy buscando información sobre la configuración del iPad, iMac, iPhone; mediante server con el VPN a fin de compartir archivos

  yes you can setup ipad vpn like this
  A virtual private network (VPN) extends a private network across public networks like the Internet. It enables a host computer to send and receive data across shared or public networks as if they were an integral part of the private network with all the functionality, security and management policies of the private network.[1] This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. vpn error 800

• VPN de sitio a sitio

  Hola tengo un problema que me gustaría solucionar:
  Tengo instalado un router EPC3825 y quiero crear una VPN entre este y otro rv110w, el problema es que entre uno y otro hay un router de telefónica necesario para la configuración de red.
  Mi pregunta es que debería hacer con el router intermedio, como deberia configurarlo etc.
  Muchas gracias.

  Hi
  I'm working on the same problem.
  I have Routers with a L2L VPN for management and clients behind the router establishing VPN to central site.
  Sometimes the management VPN gets lost and if I take a look to "sh ip nat trans" I can see that there are two nat translations:
  (roIP=router outside IP, cLIP=client LAN IP, csVPNg=central site VPN gateway)
  Pro Inside global Inside local Outside local Outside global
  udp roIP:500 cLIP:500 csVPNg:500 csVPNg:500
  udp roIP:4500 cLIP:4500 csVPNg:4500 csVPNg:4500
  This naturally collides with the routers management VPN connection from roIP:500 to csVPNg:500.
  Astonishing is that it works for a certain time.
  Until now I didn't find a solution.
  The only thing I have in mind is to change the routers VPN to another UDP-Port or TCP.
  But maybe there's an easier solution?
  Stephan

• Jabber call to voice mail fails with fast busy over VPN

  I have an issue that I ran into with CIPC phones over a VPN.  If a CIPC phone called over a VPN and started ringing a phone the call would fail with fast busy at the time the call would be forwarded to voicemail.  I found the issue was when remote the CIPC phone would negotiate the g.729 codec, when forwarded to a voicemail pilot over a SIP trunk set to g.711 the call would fail due to codec missmatch when no transcoders are present.
  So now I am running into what I believe to be the same issue with Jabber, when on premise the calls to voice mail work just fine, but when remote they fail.  I can directly call the voicemail pilot without error, but if calling a phone the call gets fast busy at the point we are forwarded to voicemail.  Even though all my regions are set to talk to all other regions on G.711 and the voicemail SIP trunk is set to G.711, I believe with the new features in CUCM9 that a lower speed codec has been negotiated since the we are going over the VPN, or Jabber has done this as it knows it's over VPN (not sure).  WIth CIPC I could go into the settings and turn off the Optimize for Bandwidth check box and the call would negotiate G.711.  With Jabber I can't find anything that would tell my Jabber client to stay on G.711 and I can only imagine this is a codec missmatch as the following are true.
  1. CIPC and Jabber share the same line
  2. VPN established and CIPC optimised for low bandwidth un-checked
  3. Over the same VPN the CIPC phone can leave a voicemail
  4. Over the same VPN the Jabber client gets fast busy once forwarded to voicemail
  5. Voicemail environment is Exchange-UM over SIP trunk
  6. SIP trunk is assigned a Device Pool, that is assigned to a region that all other regions communicate G.711 to
  7. On CIPC if optimised for low bandwidth is checked I get the exact same issue as I get with the Jabber client (fast busy when forwarded to voicemail)
  Would anyone know what I can do in CUCM 9 to fix this issue, as said no issue when all devices are on premise.  Wondering if there is a service parameter or a way to change the codec selection so the Jabber client attempts to always negotiate G.711.  The correct answer would be to get some PVDM DSP resources and kick up a transcoder in my resource group, and that may be what I talk them into doing if I have no other options.                  

  We have been getting the exact same thing for almost a year now... since switching to FiOS Digital Voice in May of last year!  Every time I call in to report it they 'escalate' the issue but it never gets resolved.  The problem seems to be in the initial connection.  Most of the time it works fine but, several times a month, after I call to get messages and it starts to play the new message it goes dead and I get the busy signal.  I get the same message when I call back:  “I’m sorry – that account is in use at this time.  Please try again later!”  I have even called in with my cell phone and get the same message!  I HAVE EVEN used the Internet to see if I could get my messages and, when I hit Play, I get a pop-up saying: “Your Voice Mail box is currently in being accessed; please try again later.  If the problem continues, please contact our Customer Support Center at 1-888-553-1555. We apologize for any inconvenience.”  This is obviously a software bug that Verizon has no clue on how to troubleshoot OR fix!!!  I wonder how many people have the problem and just don’t bother reporting it because of the hassle?  When it first started happening they destroyed my entire mailbox and I had to re-enter the complete mailbox setup again – 3 times!!!  NEVER let them talk you into that!!!  It’s their problem and they need to fix it!!!!!!!  I wish I could go back to the ‘normal’ voicemail we originally had… they want hundred$ to switch back because I’d be breaking my #$@%^&* contract!  Good luck if you have Verizon………

• Phone Service disconnected over VPN

  Hello,
  I'm using Version 9.2.1 (147214) of Jabber for OS X and I'm using a VPN to connect to my work network with AnyConnect Secure Mobility Client.
  My issue is that Phone Services are disconnected while the Voicemail and Meeting Accounts are functioning as expected.
  My server settings are configured automatically, and I'm using the same saved credentials that work when I'm at the office.
  Any ideas?
  - Ken

  This issue is fixed.
  Once I changed the automatic configuration of the CCMCIP from an IP address to the hostname that my CUCM uses, my phone service registered across the VPN.

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• Remote Access VPN Clients Cannot Access inside LAN

  I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with.  I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  Thay can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
  : Saved
  ASA Version 8.2(1)
  hostname ASA5505
  domain-name default.domain.invalid
  enable password eelnBRz68aYSzHyz encrypted
  passwd eelnBRz68aYSzHyz encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group dataDSL
  ip address 76.244.75.57 255.255.255.255 pppoe
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.9.1 255.255.255.0
  interface Vlan10
  nameif outside_cable
  security-level 0
  ip address 50.84.96.178 255.255.255.240
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 10
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit intra-interface
  object-group service Netbios udp
  port-object eq 139
  port-object eq 445
  port-object eq netbios-ns
  object-group service Netbios_TCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  object-group network DM_INLINE_NETWORK_1
  network-object host 192.168.100.177
  network-object host 192.168.100.249
  object-group service Web_Services tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_10
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_11
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_2
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_3
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_4
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_5
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_6
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_7
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_8
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_9
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network VPN
  network-object 192.168.255.0 255.255.255.0
  access-list outside_access_in extended permit icmp any host 76.244.75.61
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
  access-list dmz_access_in remark Quickbooks
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
  access-list dmz_access_in remark Quickbooks range
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
  access-list dmz_access_in remark QB
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
  access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
  access-list dmz_access_in remark Printer
  access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
  access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
  access-list dmz_access_in remark QB probably does not need any udp
  access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark QB included in other rule range
  access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark May be required for Quickbooks
  access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
  access-list Local_LAN_Access standard permit host 0.0.0.0
  access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
  access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered informational
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500 
  mtu outside_cable 1500
  ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
  ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 10 interface
  global (outside_cable) 10 interface
  nat (inside) 0 access-list nonat-in
  nat (inside) 10 0.0.0.0 0.0.0.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  nat (dmz) 10 0.0.0.0 0.0.0.0
  static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
  static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
  static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
  access-group outside_access_in in interface outside
  access-group dmz_access_in in interface dmz
  access-group outside_cable_access_in in interface outside_cable
  route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.100.0 255.255.255.0 inside
  http 204.107.173.0 255.255.255.0 outside
  http 204.107.173.0 255.255.255.0 outside_cable
  http 0.0.0.0 0.0.0.0 outside_cable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_cable_map interface outside_cable
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp enable outside_cable
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 192.168.100.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.100.0 255.255.255.0 inside
  ssh 204.107.173.0 255.255.255.0 outside
  ssh 204.107.173.0 255.255.255.0 outside_cable
  ssh 0.0.0.0 0.0.0.0 outside_cable
  ssh timeout 15
  console timeout 0
  vpdn group dataDSL request dialout pppoe
  vpdn group dataDSL localname [email protected]
  vpdn group dataDSL ppp authentication pap
  vpdn username [email protected] password *********
  dhcpd address 192.168.100.30-192.168.100.99 inside
  dhcpd dns 192.168.100.5 68.94.156.1 interface inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec l2tp-ipsec
  group-policy cad_supplies_RAVPN internal
  group-policy cad_supplies_RAVPN attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
  group-policy VPNPHONE internal
  group-policy VPNPHONE attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec
  split-tunnel-policy excludespecified
  split-tunnel-network-list value Local_LAN_Access
  client-firewall none
  client-access-rule none
  username swinc password BlhBNWfh7XoeHcQC encrypted
  username swinc attributes
  vpn-group-policy cad_supplies_RAVPN
  username meredithp password L3lRjzwb7TnwOyZ1 encrypted
  username meredithp attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone1 attributes
  vpn-group-policy VPNPHONE
  username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone2 attributes
  vpn-group-policy VPNPHONE
  username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone3 attributes
  vpn-group-policy VPNPHONE
  username oethera password WKJxJq7L6wmktFNt encrypted
  username oethera attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
  username markh attributes
  vpn-group-policy cad_supplies_RAVPN
  tunnel-group DefaultRAGroup general-attributes
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cad_supplies_RAVPN type remote-access
  tunnel-group cad_supplies_RAVPN general-attributes
  address-pool VPN_IP_range
  default-group-policy cad_supplies_RAVPN
  tunnel-group cad_supplies_RAVPN ipsec-attributes
  pre-shared-key *
  tunnel-group VPNPHONE type remote-access
  tunnel-group VPNPHONE general-attributes
  address-pool VPN_Phone
  default-group-policy VPNPHONE
  tunnel-group VPNPHONE ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 1500
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
  : end

  Hi,
  You have your "group-policy" set so that you have excluding some networks from being tunneled.
  In this access-list named Local_LAN_Access you specify "0.0.0.0"
  Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
  This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
  - Jouni

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• ASA VPN QUESTION

  Hi All
  The question is pretty simple. I can successfully connect  to my ASA 5505  firewall via cisco vpn client 64 bit , i can ping any ip  address on the LAN behind ASA but none of the LAN computers can see or  ping the IP Address which is assigned to my vpn client from the ASA VPN  Pool.
  The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
  I would appreciate some help pls
  Here is the config:
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password J7NxNd4NtVydfOsB encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.0.11 EXCHANGE
  name x.x.x.x WAN
  name 192.168.30.0 VPN_POOL2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address WAN 255.255.255.252
  interface Ethernet0/0
  switchport access vlan 2
  <--- More --->
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  boot system disk0:/asa724-k8.bin
  ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list nk-acl extended permit tcp any interface outside eq smtp
  access-list nk-acl extended permit tcp any interface outside eq https
  access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (inside) 10 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (outside) 10 access-list VPN_NAT outside
  static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
  static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
  access-group inside_access_in in interface inside
  access-group nk-acl in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication enable console LOCAL
  aaa authentication http console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authorization command LOCAL
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  snmp-server host inside 192.168.0.16 community public
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  telnet 192.168.0.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcp-client client-id interface outside
  dhcpd dns 217.27.32.196
  dhcpd address 192.168.0.100-192.168.0.200 inside
  dhcpd dns 192.168.0.10 interface inside
  dhcpd enable inside
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server none
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy customerVPN internal
  group-policy customerVPN attributes
  dns-server value 192.168.0.10
  vpn-tunnel-protocol IPSec
  password-storage enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value customerVPN_splitTunnelAcl
  default-domain value customer.local
  username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
  username xxx attributes
  vpn-group-policy TUNNEL1
  username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
  username xxx attributes
  vpn-group-policy PAPAGROUP
  username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
  username xxx attributes
  vpn-group-policy customerVPN
  username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
  tunnel-group customerVPN type ipsec-ra
  tunnel-group customerVPN general-attributes
  address-pool VPN_POOL2
  default-group-policy customerVPN
  tunnel-group customerVPN ipsec-attributes
  pre-shared-key *
  tunnel-group-map default-group DefaultL2LGroup
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
  : end
  ciscoasa#                           

  Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
  Site-site VPN in multiple context mode was added in 9.0(1) and I have customers have been asking for the remote access features as well.
  I will remember to ask about that at Cisco Live next month.

• ASA 5505 VPN client LAN access problem

  Hello,
  I'm not expert in ASA and routing so I ask some support the following case.
  There is a Cisco VPN client (running on Windows 7) and an ASA5505.
  The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.
  The Skype works well but I cannot access devices in the interface inside via VPN connection.
  Can you please check my following config and give me advice to correct NAT or VPN settings?
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password wDnglsHo3Tm87.tM encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
  access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
  access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 1 10.0.0.0 255.255.255.0
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (outside) 1 10.0.0.0 255.255.255.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.33 inside
  dhcpd dns xx.xx.xx.xx interface inside
  dhcpd enable inside
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server value 84.2.44.1
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem enable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy XXXXXX internal
  group-policy XXXXXX attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
  username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
  username XXXXXX attributes
  vpn-group-policy XXXXXX
  username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
  tunnel-group XXXXXX type ipsec-ra
  tunnel-group XXXXXX general-attributes
  address-pool VPNPOOL
  default-group-policy XXXXXX
  tunnel-group XXXXXX ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
  : end
  ciscoasa#
  Thanks in advance!
  fbela

  config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
  Need to add - config#same-security-traffic permit intra-interface
                                   #access-list extended nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
                                   #nat (inside) 0 access-list nonat
  Please add and test it.
  Thanks
  Ajay

• SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

  Hi,
  Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
  some relevant config
  webvpn
  enable wan
  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  svc enable
  group-policy vpnpolicy1 internal
  group-policy vpnpolicy1 attributes
  vpn-tunnel-protocol svc
  tunnel-group admins type remote-access
  tunnel-group admins general-attributes
  address-pool sslpool2
  default-group-policy vpnpolicy1
  username myuser password 1234567890 encrypted privilege 15
  username myuser  attributes
  vpn-group-policy vpnpolicy1
  Debug:
  asa01# debug webvpn 255
  INFO: debug webvpn  enabled at level 255.
  asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_login_resolve_tunnel_group: tgCookie = NULL
  webvpn_login_resolve_tunnel_group: tunnel group name from default
  webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  webvpn_auth.c:http_webvpn_pre_authentication[2321]
  WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
  webvpn_add_auth_handle: auth_handle = 17
  WebVPN: started user authentication...
  webvpn_auth.c:webvpn_aaa_callback[5138]
  WebVPN: AAA status = (ACCEPT)
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_resuming[3093]
  webvpn_auth.c:http_webvpn_post_authentication[1485]
  WebVPN: user: (myuser) authenticated.
  webvpn_auth.c:http_webvpn_auth_accept[2938]
  webvpn_session.c:http_webvpn_create_session[184]
  WebVPN: error creating WebVPN session!
  webvpn_remove_auth_handle: auth_handle = 17
  webvpn_free_auth_struct: net_handle = CD5734D0
  webvpn_allocate_auth_struct: net_handle = CD5734D0
  webvpn_free_auth_struct: net_handle = CD5734D0

  AnyConnect says:
  "The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
  The following message was received from the secure gateway: Host or network is 0"
  Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
  ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
  asa01# debug webvpn 255
  INFO: debug webvpn  enabled at level 255.
  asa01# debug http 255
  debug http enabled at level 255.
  asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_login_resolve_tunnel_group: tgCookie = NULL
  webvpn_login_resolve_tunnel_group: tunnel group name from default
  webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  webvpn_auth.c:http_webvpn_pre_authentication[2321]
  WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
  webvpn_add_auth_handle: auth_handle = 22
  WebVPN: started user authentication...
  webvpn_auth.c:webvpn_aaa_callback[5138]
  WebVPN: AAA status = (ACCEPT)
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_resuming[3093]
  webvpn_auth.c:http_webvpn_post_authentication[1485]
  WebVPN: user: (myuser) authenticated.
  webvpn_auth.c:http_webvpn_auth_accept[2938]
  HTTP: net_handle->standalone_client [0]
  webvpn_session.c:http_webvpn_create_session[184]
  webvpn_session.c:http_webvpn_find_session[159]
  WebVPN session created!
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_remove_auth_handle: auth_handle = 22
  webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CC894AA8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  Close 1043041832
  webvpn_free_auth_struct: net_handle = CC894AA8

• ASA5510 VPN not working after upgrade from 8.2 to 8.3

  Hi,
  I have recently upgraded a customer ASA5510 to version 8.3.
  After upgrade web access etc is working fine however VPN is down.
  The config looks very different after the upgrade plus what looks to be duplicate entries.
  I suspect its an access list issue but I'm not sure.
  If anyone has any ideas based on the config below it would be greatly appreciated as I'm at a loss....?!
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password NvZgxFP5WhDo0hQl encrypted
  passwd FNeDAwBbhVaOtVAu encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif Outside
  security-level 0
  ip address 217.75.8.203 255.255.255.248
  interface Ethernet0/1
  nameif Inside
  security-level 100
  ip address 192.168.1.254 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  management-only
  boot system disk0:/asa832-k8.bin
  ftp mode passive
  clock timezone GMT/IST 0
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup Inside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object network obj-192.168.1.2-04
  host 192.168.1.2
  object network obj-192.168.1.7-04
  host 192.168.1.7
  object network obj-192.168.1.0-02
  subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.2.0-02
  subnet 192.168.2.0 255.255.255.0
  object network obj-10.1.2.0-02
  subnet 10.1.2.0 255.255.255.0
  object network obj-192.168.1.224-02
  subnet 192.168.1.224 255.255.255.240
  object network obj-192.168.1.9-02
  host 192.168.1.9
  object network obj-192.168.1.2-05
  host 192.168.1.2
  object network obj-192.168.1.103-02
  host 192.168.1.103
  object network obj-192.168.1.7-05
  host 192.168.1.7
  object network NETWORK_OBJ_10.1.2.0_24
  subnet 10.1.2.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group network obj-192.168.1.2-02
  object-group network obj-192.168.1.7-02
  object-group network obj-192.168.1.0-01
  object-group network obj-192.168.2.0-01
  object-group network obj-10.1.2.0-01
  object-group network obj-192.168.1.224-01
  object-group network obj-192.168.1.9-01
  object-group network obj-192.168.1.2-03
  object-group network obj-192.168.1.103-01
  object-group network obj-192.168.1.7-03
  object-group network obj-192.168.1.2
  object-group network obj-192.168.1.7
  object-group network obj-192.168.1.0
  object-group network obj-192.168.2.0
  object-group network obj-10.1.2.0
  object-group network obj-192.168.1.224
  object-group network obj-192.168.1.9
  object-group network obj-192.168.1.2-01
  object-group network obj-192.168.1.103
  object-group network obj-192.168.1.7-01
  object-group network obj_any
  object-group network obj-0.0.0.0
  object-group network obj_any-01
  object-group service MonitcomUDP udp
  port-object range 3924 3924
  access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
  access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
  access-list Outside_access_in extended permit icmp any any
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
  access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
  access-list Outside_access_in extended permit udp any any eq 4500 inactive
  access-list Outside_access_in extended permit udp any any eq isakmp inactive
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Inside_access_in extended permit ip any any
  access-list Inside_access_in extended permit icmp any any
  access-list RemoteVPN_splitTunnelAcl standard permit any
  access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
  pager lines 24
  logging enable
  logging asdm warnings
  mtu Outside 1500
  mtu Inside 1500
  mtu management 1500
  ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
  ip verify reverse-path interface Outside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any Outside
  icmp permit any Inside
  asdm location 192.168.1.208 255.255.255.252 Inside
  asdm location 192.168.1.103 255.255.255.255 Inside
  asdm location 192.168.1.6 255.255.255.255 Inside
  asdm location 192.168.1.7 255.255.255.255 Inside
  asdm location 192.168.1.9 255.255.255.255 Inside
  no asdm history enable
  arp timeout 14400
  nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02 unidirectional
  nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional
  nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
  nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
  object network obj-192.168.1.2-04
  nat (Outside,Inside) static 217.75.8.204
  object network obj-192.168.1.7-04
  nat (Outside,Inside) static 217.75.8.206
  object network obj-192.168.1.0-02
  nat (Inside,Outside) dynamic interface
  object network obj-192.168.1.9-02
  nat (Inside,Outside) static 217.75.8.201
  object network obj-192.168.1.2-05
  nat (Inside,Outside) static 217.75.8.204
  object network obj-192.168.1.103-02
  nat (Inside,Outside) static 217.75.8.205
  object network obj-192.168.1.7-05
  nat (Inside,Outside) static 217.75.8.206
  access-group Outside_access_in in interface Outside
  access-group Inside_access_in in interface Inside
  route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server DellServerAAA protocol radius
  aaa-server DellServerAAA (Inside) host 192.168.1.4
  key test
  http server enable
  http 62.17.29.2 255.255.255.255 Outside
  http 82.141.224.155 255.255.255.255 Outside
  http 63.218.54.8 255.255.255.252 Outside
  http 213.79.44.213 255.255.255.255 Outside
  http 192.168.1.0 255.255.255.0 Inside
  http 10.1.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection timewait
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ipsec df-bit clear-df Outside
  crypto ipsec df-bit clear-df Inside
  crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
  crypto map Outside_map 1 match address Outside_1_cryptomap
  crypto map Outside_map 1 set peer 89.127.172.29
  crypto map Outside_map 1 set transform-set ESP-3DES-SHA
  crypto map Outside_map 60 match address Outside_cryptomap_60
  crypto map Outside_map 60 set peer 89.105.114.98
  crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
  crypto map Outside_map interface Outside
  crypto isakmp identity key-id nattingreallymatters
  crypto isakmp enable Outside
  crypto isakmp enable Inside
  crypto isakmp policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  no vpn-addr-assign aaa
  no vpn-addr-assign dhcp
  telnet 192.168.1.0 255.255.255.0 Inside
  telnet timeout 5
  ssh 82.141.224.155 255.255.255.255 Outside
  ssh 62.17.29.2 255.255.255.255 Outside
  ssh 213.79.44.213 255.255.255.255 Outside
  ssh 192.168.1.0 255.255.255.0 Inside
  ssh timeout 5
  console timeout 0
  management-access Inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RemoteVPN internal
  group-policy RemoteVPN attributes
  wins-server value 192.168.1.31
  dns-server value 192.168.1.31
  default-domain value freefoam.ie
  username freefoam password JLYaVf7FqRM2LH0e encrypted
  username cork password qbK2Hqt1H5ttJzPD encrypted
  tunnel-group 193.114.70.130 type ipsec-l2l
  tunnel-group 193.114.70.130 ipsec-attributes
  pre-shared-key ******
  tunnel-group 89.127.172.29 type ipsec-l2l
  tunnel-group 89.127.172.29 ipsec-attributes
  pre-shared-key ******
  tunnel-group 89.105.114.98 type ipsec-l2l
  tunnel-group 89.105.114.98 ipsec-attributes
  pre-shared-key *****
  tunnel-group RemoteVPN type remote-access
  tunnel-group RemoteVPN general-attributes
  address-pool VPNPool
  authentication-server-group DellServerAAA
  default-group-policy RemoteVPN
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:0dc16fe893bd4bba6fdf6b7eed93e553

  Hi,
  Many thanks for your reply.
  Finally got access to implement your suggestions.
  Initially none of the VPN's were up.
  After making the change the two VPN's came up.
  However only data via the first VPN is possible.
  Accessing resources on the 10.1.2.0 network is still not possible.
  Attached is the latest config, any input is greatly appreciated;
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password NvZgxFP5WhDo0hQl encrypted
  passwd FNeDAwBbhVaOtVAu encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif Outside
  security-level 0
  ip address 217.75.8.203 255.255.255.248
  interface Ethernet0/1
  nameif Inside
  security-level 100
  ip address 192.168.1.254 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  management-only
  boot system disk0:/asa832-k8.bin
  ftp mode passive
  clock timezone GMT/IST 0
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup Inside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object network obj-192.168.1.2-04
  host 192.168.1.2
  object network obj-192.168.1.7-04
  host 192.168.1.7
  object network obj-192.168.1.0-02
  subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.2.0-02
  subnet 192.168.2.0 255.255.255.0
  object network obj-10.1.2.0-02
  subnet 10.1.2.0 255.255.255.0
  object network obj-192.168.1.224-02
  subnet 192.168.1.224 255.255.255.240
  object network obj-192.168.1.9-02
  host 192.168.1.9
  object network obj-192.168.1.2-05
  host 192.168.1.2
  object network obj-192.168.1.103-02
  host 192.168.1.103
  object network obj-192.168.1.7-05
  host 192.168.1.7
  object network NETWORK_OBJ_10.1.2.0_24
  subnet 10.1.2.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group network obj-192.168.1.2-02
  object-group network obj-192.168.1.7-02
  object-group network obj-192.168.1.0-01
  object-group network obj-192.168.2.0-01
  object-group network obj-10.1.2.0-01
  object-group network obj-192.168.1.224-01
  object-group network obj-192.168.1.9-01
  object-group network obj-192.168.1.2-03
  object-group network obj-192.168.1.103-01
  object-group network obj-192.168.1.7-03
  object-group network obj-192.168.1.2
  object-group network obj-192.168.1.7
  object-group network obj-192.168.1.0
  object-group network obj-192.168.2.0
  object-group network obj-10.1.2.0
  object-group network obj-192.168.1.224
  object-group network obj-192.168.1.9
  object-group network obj-192.168.1.2-01
  object-group network obj-192.168.1.103
  object-group network obj-192.168.1.7-01
  object-group network obj_any
  object-group network obj-0.0.0.0
  object-group network obj_any-01
  object-group service MonitcomUDP udp
  port-object range 3924 3924
  access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
  access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
  access-list Outside_access_in extended permit icmp any any
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
  access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
  access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
  access-list Outside_access_in extended permit udp any any eq 4500 inactive
  access-list Outside_access_in extended permit udp any any eq isakmp inactive
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Outside_access_in remark Allow webmail access
  access-list Outside_access_in remark Allow Hansa Live access
  access-list Outside_access_in remark Monitcom
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark ESS Access
  access-list Outside_access_in remark Allow TMS Web Access
  access-list Inside_access_in extended permit ip any any
  access-list Inside_access_in extended permit icmp any any
  access-list RemoteVPN_splitTunnelAcl standard permit any
  access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
  access-list global_access extended permit ip any any
  access-list Outside_cryptomap_80_3 extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list Split-tunnel standard permit 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm warnings
  mtu Outside 1500
  mtu Inside 1500
  mtu management 1500
  ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
  ip verify reverse-path interface Outside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any Outside
  icmp permit any Inside
  asdm image disk0:/asdm-647.bin
  asdm location 192.168.1.208 255.255.255.252 Inside
  asdm location 192.168.1.103 255.255.255.255 Inside
  asdm location 192.168.1.6 255.255.255.255 Inside
  asdm location 192.168.1.7 255.255.255.255 Inside
  asdm location 192.168.1.9 255.255.255.255 Inside
  no asdm history enable
  arp timeout 14400
  nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02
  nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02
  nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
  nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
  object network obj-192.168.1.2-04
  nat (Outside,Inside) static 217.75.8.204
  object network obj-192.168.1.7-04
  nat (Outside,Inside) static 217.75.8.206
  object network obj-192.168.1.0-02
  nat (Inside,Outside) dynamic interface
  object network obj-192.168.1.9-02
  nat (Inside,Outside) static 217.75.8.201
  object network obj-192.168.1.2-05
  nat (Inside,Outside) static 217.75.8.204
  object network obj-192.168.1.103-02
  nat (Inside,Outside) static 217.75.8.205
  object network obj-192.168.1.7-05
  nat (Inside,Outside) static 217.75.8.206
  nat (Inside,Outside) after-auto source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
  access-group Outside_access_in in interface Outside
  access-group Inside_access_in in interface Inside
  access-group global_access global
  route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server DellServerAAA protocol radius
  aaa-server DellServerAAA (Inside) host 192.168.1.4
  key test
  http server enable
  http 62.17.29.2 255.255.255.255 Outside
  http 82.141.224.155 255.255.255.255 Outside
  http 63.218.54.8 255.255.255.252 Outside
  http 213.79.44.213 255.255.255.255 Outside
  http 192.168.1.0 255.255.255.0 Inside
  http 10.1.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection timewait
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ipsec df-bit clear-df Outside
  crypto ipsec df-bit clear-df Inside
  crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
  crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map Outside_map 1 match address Outside_1_cryptomap
  crypto map Outside_map 1 set peer 89.127.172.29
  crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-MD5
  crypto map Outside_map 60 match address Outside_cryptomap_60
  crypto map Outside_map 60 set peer 89.105.114.98
  crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
  crypto map Outside_map interface Outside
  crypto isakmp identity key-id nattingreallymatters
  crypto isakmp enable Outside
  crypto isakmp enable Inside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash md5
  group 5
  lifetime 86400
  crypto isakmp policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 50
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  no vpn-addr-assign aaa
  no vpn-addr-assign dhcp
  telnet 192.168.1.0 255.255.255.0 Inside
  telnet timeout 5
  ssh 82.141.224.155 255.255.255.255 Outside
  ssh 62.17.29.2 255.255.255.255 Outside
  ssh 213.79.44.213 255.255.255.255 Outside
  ssh 192.168.1.0 255.255.255.0 Inside
  ssh timeout 5
  console timeout 0
  management-access Inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable Outside
  anyconnect-essentials
  svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
  svc image disk0:/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 2
  svc enable
  tunnel-group-list enable
  group-policy RemoteVPN internal
  group-policy RemoteVPN attributes
  wins-server value 192.168.1.31
  dns-server value 192.168.1.31
  vpn-tunnel-protocol IPSec svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split-tunnel
  default-domain value freefoam.ie
  username freefoam password JLYaVf7FqRM2LH0e encrypted
  username cisco password DfO7NBd5PZ1b0kZ1 encrypted privilege 15
  username cork password qbK2Hqt1H5ttJzPD encrypted
  tunnel-group 193.114.70.130 type ipsec-l2l
  tunnel-group 193.114.70.130 ipsec-attributes
  pre-shared-key ************
  tunnel-group 89.127.172.29 type ipsec-l2l
  tunnel-group 89.127.172.29 ipsec-attributes
  pre-shared-key ************
  tunnel-group 89.105.114.98 type ipsec-l2l
  tunnel-group 89.105.114.98 ipsec-attributes
  pre-shared-key ************
  tunnel-group RemoteVPN type remote-access
  tunnel-group RemoteVPN general-attributes
  address-pool VPNPool
  authentication-server-group DellServerAAA
  default-group-policy RemoteVPN
  tunnel-group RemoteVPN webvpn-attributes
  group-alias Anyconnect enable
  tunnel-group RemoteVPN ipsec-attributes
  pre-shared-key c0nnect10nParameter$
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:fae6b7bc25fcf39daffbcdc6b91c9d8e

• VPN client and radius or CAR

  Hello:
  I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.
  the vpn client user needs to be authenticated by group id and password, and user id and password.
  How should I setup CAR, could someone provides me an example?
  I saw this sample, but there is no relationship between user and group.
  Any suggestions?
  thx
  [ //localhost/RADIUS/UserLists/Default/joe-coke ]
  Name = joe-coke
  Description =
  Password = <encrypted>
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ =
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  [ //localhost/RADIUS/UserLists/Default/group1 ]
  Name = group1
  Description =
  Password = <encrypted> (would be "cisco")
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ = group1profile
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco
  AV-pairs:
  [ //localhost/RADIUS/Profiles/group1profile/Attributes ]
  cisco-avpair = ipsec:key-exchange=ike
  cisco-avpair = ipsec:tunnel-password=cisco123
  cisco-avpair = ipsec:addr-pool=pool1
  Service-Type = Outbound

  you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.
  The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

• ASA 5505 VPN clients can't ping router or other clients on network

  I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
  Result of the command: "show running-config"
  : Saved
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
  : end
  Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
  Thanks.

  I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
  here is the runnign config again:
  Result of the command: "show startup-config"
  : Saved
  : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  asdm location Server 255.255.255.255 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:78864f4099f215f4ebdd710051bdb493

• Hi there, I am trying to connect to my server at work from home using a vpn connection. It connects fine and the time ticks along, but when i click go - connect to server, it comes up with connection failed. Please help!

  Hi there, I am trying to connect to my server at work from home using a vpn connection. It connects fine and the time ticks along, but when i click go - connect to server, it comes up with connection failed. Please help!

  ... when i click go - connect to server, it comes up with connection failed.
  If you're trying to connect to a Bonjour server on the remote network, that won't work over a layer 3 VPN. Use something like Hamachi or one of the SSH-tunnelling Bonjour proxy apps for that.