Connected dynamic VPN wan address change

I have a hub and spoke VPN. The spoke is dynamic.
If once the tunnel is established the WAN address changes the router doesn't know to start a new session and the VPN TAKES ages to come up as it still thinks it has an active tunnel.
Any idea how I can reduce the time for the tunnel to re-establish?

Hello Martin,
You got to change the security-association lifetime:
set security-association lifetime #
Give it a try and let us know.
Regards,
Julio

Similar Messages

EEM Script to Automate DHCP/NAT changes on WAN address

Hi all,
I'm new to eem scrpting.
I need to know if it's possible to write a simple script on a DHCP cilent used for a backup in a Call center.
If power is lost or a connection it lost to the WAN interface the address will change from time to time. It does happen.
I have a bunch of static nat and port forwarding statements that don't work after the address change.
Is there a way to tell the router "consider all of the subnet possible addresses in a /192 subnet situation" ?
Then translate all nat statements to the new WAN address?
Thanks
I'm not sure if I'm asking the right question yet but that is close.
Back up router is a DHCP client and changes addresses from time to time. The router is a 3825 running 12.3 adventerprise image.
It''s not going to be updated past that.
Thanks again
evan

Thanks Joseph,
I guess I can't do it in any case because of the IOS ver. it's actually 12.3 (11).
We have a lot of static port forwarding going on. I not sure how it's going to work when the WAN address changes.
I was looking for a way to keep all of the one to one static nat statements working to the inside servers. Eventually they have to get a static ip address for the backup.
Thanks again.
evan
p.s. how would one do it if we get the updated ios ver. I see problems coming if I don't take some proactive measure.
Someway to monitor the WAN address change and keep the port fowarding exactly the same and maybe notify someone that it did change as it's a DHCP client?

Problems accessing 1 remote desktop when connected with VPN

Hi everyone,
I have an ASA 5505 and have a problem where when I connect through VPN I can RDP into a server using its internal address but I cannot RDP to another server using its internal address.
The one I can connect to has an IP of 192.168.2.10 and the one I cannot connect to has an IP of 192.168.2.11 on port 3390.
Both rules are configured exactly the same except for the IP addresses and I cannot see why I cannot connect to this one server.
I am also able to connect to my camera system with an IP 192.168.2.25 on port 37777 and able to ping any other device on the internal network.
I've also tried pinging it and telneting to port 3390 with no success.
Here is the config.
ASA Version 8.4(4)1
interface Ethernet0/0
switchport access vlan 3
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan3
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CTSG-LAN-OUT
range 10.1.1.10 10.1.1.49
object network CTSG-LAN-IN
subnet 192.168.2.0 255.255.255.0
object service RDP3389
service tcp destination eq 3389
description To DC
object network SERVER-IN
host 192.168.2.10
object network SERVER-OUT
host 10.1.1.50
object network CAMERA-IN-TCP
host 192.168.2.25
object network CAMERA-OUT
host 10.1.1.51
object service CAMERA-TCP
service tcp destination eq 37777
object network SERVER-Virt-IN
host 192.168.2.11
object network SERVER-Virt-OUT
host 10.1.1.52
object service RDP3390
service tcp destination eq 3390
description To VS for Master
object network CAMERA-IN-UDP
host 192.168.2.25
object service CAMERA-UDP
service udp destination eq 37778
object network CTSG-LAN-OUT-VPN
subnet 10.1.1.128 255.255.255.128
object network SERVER-Virt-IN-VPN
host 192.168.2.11
object network SERVER-IN-VPN
host 192.168.2.10
object network CAMERA-IN-VPN
host 192.168.2.25
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside1_access_in extended permit ip any any
access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10
access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11
access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25
access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25
pager lines 24
logging enable
logging buffer-size 10240
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
object network CTSG-LAN-IN
nat (inside,outside) dynamic interface
object network SERVER-IN
nat (inside,outside) static SERVER-OUT service tcp 3389 3389
object network CAMERA-IN-TCP
nat (inside,outside) static CAMERA-OUT service tcp 37777 37777
object network SERVER-Virt-IN
nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390
access-group inside1_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP
-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SACTSGRO
crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcpd auto_config inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxx encrypted privilege 15
username admin attributes
vpn-group-policy DfltGrpPolicy
tunnel-group CTSGRA type remote-access
tunnel-group CTSGRA general-attributes
address-pool RAVPN
tunnel-group CTSGRA ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0140431e7642742a856e91246356e6a2
: end
Thanks for your help

Ok,
So you basically have configured the router so that you can connect directly to the ASA using the Cisco VPN Client. And also the objective was to in the end only allow traffic to the LAN through the VPN Client connection ONLY.
It would seem to me to achieve that, you would only need the following NAT configurations
VPN Client NAT0 / NAT Exempt / Identity NAT
object network LAN
subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
subnet 10.1.1.128 255.255.255.128
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
The purpose of the above NAT configuration is simply to tell the ASA that dont do any kind of NAT when there is traffic between the LAN network of 192.168.2.0/24 and the VPN Pool of 10.1.1.128/25. This way if you have any additional hosts on the LAN that need to be connected to, you wont have to make any form of changes to the NAT configurations for the VPN client users. You just allow the connections in the ACL (explained later below)
Default PAT
object-group network DEFAULT-PAT-SOURCE
network-object 192.168.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
This configurations purpose is just to replace the earlier Dynamic PAT rule on the ASA. I guess your router will be doing the translation from the ASA "outside" interface IP address to the routers public IP address and this configuration should therefore allow normal Internet usage from the LAN.
I would suggest removing all the other NAT configuration before adding these.
Controlling VPN clients access to internal resources
Also I assume that your current VPN client is configured as Full Tunnel. In other words it will tunnel all traffic to the the VPN connection while its active?
To control the traffic coming from the VPN Client users I would suggest that you do the following
Configure "no sysopt connection permit-vpn" This will change the ASA operation so that connections coming through a VPN connections ARE NOT allowed by default to bypass the "outside" interface ACL. Therefore after this change you can allow the connections you need in the "outside" interface ACL.
Configure any rules you need regarding the VPN client connections to the "outside" interface ACL. Though I guess they already exist since you are connecting there without the VPN also
I cant guarantee this with 100% certainty but it would seem to me that the above things should get you to the point where you can access the internal resources ONLY after when you have connected to the ASA through the VPN client connection. Naturally take precautions like configuration backups if you are going to do major configuration changes. Also if you are remotely managing the ASA then you also have the option to configure a timer on the ASA after which it will automatically reload. This could help in situations where a missconfiguration breaks you management connection and you have no other way to connect remotely. Then the ASA would simply reboot after the timer ran out and also reboot with the original configuration (provided you hadnt saved anything in between)
Why are you using a different port for the other devices RDP connection? I can understand it if its used through the Internet but if the RDP connection would be used through the VPN Client only then I dont think there is no need to manipulate the default port of 3389 on the server or on the ASA.
Also naturally if there is something on the actual server side preventing these connections then these configuration changes might not help at all.
Let me know if I have understood something wrong
- Jouni

How to deal with dynamic IP address changes

I have installed Fodero C3 and Oracle 10g successfully. Oracle 10g use web OEM console to manage database. However, my internet provider only provided me a dynamic IP address. When I installed Fedora C3, Linux server automatically picked a Hostname like " ip12-345-678-90.dc.dc.cox.net". After I created database, all database files also used this hostname. Then Oracle web OEM console worked fine. Due to the dynamic IP address assigned by ISP, their DHCP server changed the first part of IP address(ip12-345-678-90)frequently to another one. After IP address changed, I couldn't start up web OEM console and listener because they couldn't find correct hostname (IP address). I have talked to my ISP. It seems that it can not be solved. Anyone knows how to deal with this problem through 10g and OEM console themseleves. I also think about to configure Linux server to solve the problem. I really need your help. Thanks in advance

Thank all of you so much to respond my questions. I think I have solved the problem. Since the key point was that Oracle 10g OEM console could not work with the frequent changes of IP address made by my ISP. I just bought a 54G wireless router. Then connecting router to cable modem. The cable modem still gets the dynamic IP from ISP, but the router automatically assigned a static IP address to my Linux system with the range from 192.168.0.0 - 192.168.255.255. This IP was control by my router. It is nothing to do with ISP. So I re-created Oracle database with this new static IP. Then OEM console and listener can startup and connect to database without problem. I do think other guru's methods also will work. I just have no time to try them one by one. Thanks again. Your inputs make me learn many things.

VPN Router to Router with 192.168.1.1 WAN address

I have two WRVS4400N routers I'd like to create a VPN tunnel for.
One gets a WAN IPAddress totally external: 75.32.167.xxx from the DSL modem.
The other one is connected to an ADRAN 676 modem.
This modem has an external IP address (67.155.29.202), but assigns address 192.168.1.1 to the connection to the router.
I have the router configured to assign addresses 192.168.0.xxx to all computers on the LAN.
The VPN setup requires to define the WAN address as the external address, but my router only sees address 192.168.1.1 as the external address (coming from the ADRAN modem)
I hope this is not too convoluted and someone can help me. Following is an attempt at illustrating my setup:
10.10.10.1-->Router1--->75.32.167.147 ---->INTERNET--->
INTERNET-->67.155.29.202--->ADRAN modem--->192.168.1.1-->ROUTER2--->192.168.0.1
Thanks in advance
Rodolfo

You adran modem also operates as NAT router. You have to reconfigure the adran modem for bridge mode. In bridge mode the modem operates like any other simple modem. You then have to configure the router for your internet connection, e.g. use PPPoE with the username and password supplied by your ISP. With that your router will have the public IP address.
Otherwise, you would have to configure port forwarding and IPSec or GRE forwarding on the adran to pass the VPN traffic to the router. However, this may not work at all if the router is not able to handle VPN traffic through your NAT adran modem/router (my guess is it won't do it but I have not tested this).

Cannot connect to Web Service to change IP address

Already said, I have a LaserJet Professional P1606dn printer, had it for a while now. Someone sent a print job to it, nothing out of the ordinary, and all of a sudden, it printed that print job over and over. I checked in the print queue, nothing was there (not even on the server where the printer is stored). We save the printer settings and the driver on the print server and install it on machines through the server. We turned it off and waited a few minutes, then plugged it back in. It was okay until someone else sent a different print job. Started spitting out the print job from before (then one printing over and over). I did a factory reset on the printer. Needless to say, it changed the IP address (but did not change it to 192.168.x.x). It kept our domain's IP but the last number in the IP address changed. I figured the IP address would change and I was okay with that. Here's the problem: I printed a Configuration page with no issue and it gave me the IP address. However, when I try to log on to the printer via the Web Service (putting the IP address in a web browser), the page times out and says it can't be displayed. All I need to do is go in and change the IP address to a static IP address (back to the original IP address). Under "Network Information," the status says "An unknown error has occurr" but the rest of the sentence/error is cut off. I'm not sure if it gives an error code or just stops with "occurred" or what. And unfortunately, the printer does not have a display screen so the only way I can change it is through the Web Services via a web browser. I've tried Google Chrome (my default browser) and Internet Explorer. Both browsers timed out and said that the page couldn't be displayed.

Could be your network. What I would do is connect the printer directly to a computer using a crossover cable. I would recheck the ip address on the printer and make sure the computer has an address with the first 3 sets of number the same and the last digit on the computer 1 off from the one on the printer. Then use the web browser on the computer to see if you can attach to the printer. If you can you can then change the ip address to what you want. Keep in mind most times when you have the issue you are having the issue is the driver and the computer sending the print job. In other words the q may be empty but the printjob file in the windows subdirectory has not cleared. Sometimes you have to go in and physically delete the printer. It could be on the server, but sometimes it is on the local machine.

Logging dynamic vpn connections

How can I log dynamic vpn connections on a 2621 and pix 501? I have syslog syslog already setup and working.

You can use the Cisco Secure Access Control Server (ACS) for this. This is RADIUS/TACACS+ software that you can install on various versions of Windows Server 200x.
You can perform Authentication, Authorization and most import for you; Accounting. The server keeps track of who logged in, when he/she did that, how much traffic passed by, how long he/she stayed connected, etc etc.
More information on the Cisco Secure ACS can be found here: http://www.cisco.com/go/acs
Please rate if the post helps!
Regards,
Michael

How to change the Data base connection Dynamically

Hi
Hi create a crystal reports using crystal report 12.0 in this i use the standard wizard and local data base connection and create a dotnet programme for this .Now i want to change the database because because i want to instal it in client they use a different connection so i need to change the connection .How is it possible . PLzzzzz tell me it is urgen t
Addvance thnks

Hi
To change the database you can use DataSource Option that is present in the Menu Bar.
Go to Database
->Set Datasource Location
->Replace the current Data Source with the new Datasource.
Hope this helps
Shraddha

Connect to VPN but can't ping past inside interface

Hello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
    308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
    0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
    092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
    67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
    5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
    2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
    acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
    fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
    140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
    61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
    0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
    acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
    288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
    92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
    1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: end

Hello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
    308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
    0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
    092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
    67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
    5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
    2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
    acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
    fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
    140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
    61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
    0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
    acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
    288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
    92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
    1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: end

VPN client connected to VPN but can't ping or access to server

HI ,
i need help urgently, had been troubleshooting for a day, but have no ideal what wrong with the config.
Basically there is 2 set of VPN configured, one is site to site IPSEC VPN and another one is connect via VPN client software coexist in same router.
This recently we having problem on client can't access or ping to internal server which is 192.168.6.3 from VPN client software.
VPN client will connect to VPN ip pool as10.20.1.0 to 10.20.1.100
Software itself shown connected but request time out when ping.
Below is the config. Some of the command might be extra as when i did some test, but end up didn't work.
aaa new-model
aaa authentication login userauthen local
aaa authorization network adminmap group VPNClient
aaa authorization network groupauthor local
aaa authorization network map-singapore local
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key emptyspace address 203.142.83.218 no-xauth
crypto isakmp keepalive 15 periodic
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group map-singapore
key cisco123
dns 192.168.6.3
domain cisco.com
pool ippool
acl 102
crypto isakmp profile VPNclient
   match identity address 27.54.43.210 255.255.255.255
   match identity group vpnclient
   client authentication list userauthen
   client configuration address respond
crypto ipsec security-association idle-time 86400
crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set DYNSET
set isakmp-profile VPNclient
reverse-route
crypto map VPNMAP client authentication list userauthen
crypto map VPNMAP isakmp authorization list map-singapore
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
crypto map VPNMAP 11 ipsec-isakmp
description VPN to ASA5520
set peer 203.142.83.218
set security-association lifetime kilobytes 14608000
set security-association lifetime seconds 86400
set transform-set REMSET
match address 100
interface GigabitEthernet0/0
ip address 27.54.43.210 255.255.255.240
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
crypto map VPNMAP
interface GigabitEthernet0/1
ip address 192.168.6.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex full
speed 100
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
ip local pool ippool 10.20.1.0 10.20.1.100
ip forward-protocol nd
ip pim bidir-enable
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.6.3 27.54.43.212
ip route 0.0.0.0 0.0.0.0 27.54.43.209
ip route 192.168.1.0 255.255.255.0 27.54.43.209
ip route 192.168.151.0 255.255.255.0 192.168.6.151
ip route 192.168.208.0 255.255.255.0 27.54.43.209
ip access-list extended RA_SING
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny   ip any any log
access-list 1 remark Local Network
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.151.0 0.0.0.255
access-list 2 remark VPNClient-range
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 10 permit 192.168.102.0 0.0.0.255
access-list 10 permit 192.168.151.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
access-list 101 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 120 deny   ip any any log
access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 120
control-plane
alias isakmp-profile sh crypto isakmp sa
alias exec ipsec sh crypto ipsec sa
banner motd ^CC^C

I did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.

10.9.2 Update Issue (VPN) - Eclipse Perl debugger issues while connected to VPN

This post was initially added to this discussion: 10.9.2 Mavericks update issues
I have yet another issue related to 10.9.2 update - Eclipse Perl debugger issues while connected to VPN...
One of the big changes introduced by 10.9.2 update - are VPN changes (security fixes). Unfortunately, whatever these changes are - they "broke" Eclipse (OpenSource IDE) debugger. I am not sure if *all* programming languages (Eclipse plugins) are affected by this, but I know for sure that 'Epic' (Perl plugin) debugger *stopped working* while system is connected through VPN.
Here is the error that gets “popped-up” in the Eclipse:
Timed out while waiting for Perl debugger connection
… and here is exact exception stack that gets printed:
Unable to connect to remote host: 130.10.210.74:5000
Compilation failed in require.
at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
main::BEGIN() called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
eval {...} called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
BEGIN failed--compilation aborted.
at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
Can't use an undefined value as a symbol reference at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 7596.
END failed--call queue aborted.
at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
(of course IP address changes dynamically for each VPN connection session)…
I was able to prove that this issue is related to 10.9.2 update:
Issue *does not* exist under 10.9.1 (I had to revert back to 10.9.1 to get it working again)
No updates were performed around the same time 10.9.2 update occurred (I verified that using Software Update log)
No configuration changes were introduced around the same time
Reverting back to 10.9.1 using Time Machine (thanks god I had backup !!!) fixed the issue
Steps to reproduce this issue:
In Eclipse, try to use 'Epic' (Perl plugin) to debug any perl script while *not* connected through VPNEpic debugger works
Connect to VPN
Start Epic debugger to debug same script
Debugger *does not* start, and "Timed out while waiting for Perl debugger connection" error pop-up comes up after some time. At the same time, exception stack (listed above) is printed in Eclipse's console
I am programmer/software developer, I work remotely (telecommute) and thus have to rely on use of VPN to connect to company's intranet. Perl - is primary language used by my team, and we use Eclipse IDE with Epic plugin - heavily. Use of Epic's debugger - is a *very large* aspect of my work, I cannot work without it. So in essense, 10.9.2 has *entirely* disrupted my ability to work! It took me almost a week to get back to normal work environment, and I cannot afford to let it happen again... I need Apple's development team resolve this VPN related issue, as soon as possible! Because of this issue, I am *stuck* with 10.9.1 and can not upgrade my laptop to any other versions. In fact, I had to disable system updates - just so I do not run into this issue again... I contacted Apple's Tech Support on 02/28 with this issue (Ref: 582428110), asking to raise trouble ticket. Since then, I tried to follow-up on that issue, but do not get any information. Please advise on the status:
is there a trouble ticket to track this issue?
is there any progress?
what's the ETA for an update that fixes this problem?
- Val
Message was edited by: vpogrebi

Am I the only one experiencing this issue ???

My Foscam IP Camera "times out" after one day - the IP address changes

Hey All,
I'm trying to set up my Foscam 8918 camera. I'm not so much concerened about being able to view it remotely as i can't even get the local (home) setup to work successfully for more than a day.
As far as I undertand it my IP address is dynamic and changes every day and I have to manually go into the foscam app and change the Local Camera Address 10.0.1.XX
Is there a way I can give the camera a static IP address? I've tried the port forwarding as instructed on this forum and I can't get it to connect.
Everything works until the IP address changes and then the camera times out.
Thanks for any insight.
I'm using the brand new apple router (the tower)
I'm using FoscamPro app on iphone 4S and ipad 2

In case you do want to be able to access your Foscam IP camera from the Internet. Note: I don't have this exact camera model, but the following worked for mine.
Camera Setup Part 1
Plug the camera into your router with your ethernet cable
Log onto the camera using the IP address given by the IP camera tool (IPCT) using the default login given on the bottom of the camera.
Choose Device Management, and then, Wireless LAN Settings.
Find your wireless network and input the login info.
The camera should now reset
802.11n AirPort Extreme (AEBSn) Setup (Note: I am assuming that you will be using version 6.x of the AirPort Utility from the iPad.)
Start the AirPort Utility > Select the (AEBSn) > Edit > Advanced > DHCP and NAT
Verify that the Router Mode = DHCP and NAT
From the DHCP and NAT window > Reservations > New Reservation...
Enter anything you like for the Description field.
Reserve address by: MAC Address
MAC Address: Enter the wireless MAC address of the IP camera
IPv4 Address: Enter the desired IP address you want reserved as a "Static IP" address for the camera. This address must be within the DHCP range of your AirPort. By default, this range is: 10.0.1.2 - 10.0.1.200.
Click Done
Go to the Advanced window > Port Settings > New Entry...
Entry Type: IPv4
Description: Leave blank or enter a desired description.
Public UDP Port(s): 8888
Public TCP Port(s): 8888
Private IP Address: Enter the Static IP address you created above.
Private UDP Port(s): 8888
Private TCP Port(s): 8888
Click Done
Allow the AEBSn to reset.
Camera Setup Part 2
Use the IPCT utility to obtain the network configuration settings.
Right (or Option)-click the IP address given in IPCT and choose Network Configuration.
Note these values. You may want to write them down.
Log onto the camera via a web browser, like Safari.
Go to Device Management > Basic Network Settings
Uncheck the box.
Input the settings from IPCT.
Verify that the port numbers used are the same as what you entered in the AirPort Utility's Port Mapping option.
Allow the camera to reset.
Optional, but recommended
Setup a Dynamic DNS account. This would take care of the issue of having a Dynamic WAN IP address that your ISP provides you. I would recommend DynDNS.
Go to https://www.dyndns.com/account/services/hosts/add.html
You will want to just set up a basic account.ollow the directions for setting up a basic account.
Once the account is set up, you will want to choose a web address to map directly to your camera. The Dynamic DNS service will assign a web address that will link to your Dynamic WAN IP address. The web address will stay the same even if the IP address changes.
When accessing the camera from a remote location, just tag on the port number to the web address. As as example, if the web address DynDNS assigns you is: www.myaddress.com, you would enter: www.myaddress.com:8888 into the web browser's address bar to access your camera.
Your camera should now be ready for both wireless access on your local network and from the Internet.

User cannot connect through VPN (Windows 2008 R2)

Hello,
TechNet has been a major help for some resent server and network problems our office has been having.
There is one ongoing issue that no matter how much I try to fix, it wants to be stubborn and refuse to work properly.
We have a user who has the necessary permissions to VPN using our router's IP address. Just recently, she found that she was unable to VPN. This was the beginning of our technical issues as after rebooting the router, our main server, and our QuickBooks
server, we lost internet and access to the main server. Those issues have been resolved. However, the user is still unable to VPN.
I have looked up every error code that has been presented when trying to connect to VPN (807 and 800 are the most frequent), and unfortunately, none of the solutions suggested worked. These errors occur when connecting through the WAN Miniport. I am trying
to find out if I am overlooking something.
What has been tried:
Router rebooted
Created new user in Active Directory
Deleting VPN Users group and readding to user
Changing tunneling protocol to L2TP instead of PPTP. Then, created a rule in Windows Advanced Firewall to allow UDP 1701.
Creating new VPN connection.
Confirmed with ISP that there are no issues with router
I am not extremely familiar with Windows 2008 R2 and every fix I see online is extremely in depth with not much walkthrough information.
I greatly appreciate any support anyone might be able to provide.
Thank you!

Hi ,
According to your description, my understanding is that the client can’t access the VPN with error code 800 and 807.
I have noticed that it failed to ping the VPN server form the client. The VPN server should be connected from the client without VPN connection established. I suggest you to turn off firewall temporarily on both sides of client and VPN server, then
try to ping the IP address of the VPN server’s interface which is connected to extranet network.
If ping failed, there might be network connectivity problem. If ping successfully, check to see if the port is open for turning traffic. Detailed troubleshooting steps you may reference the link below:
I received error 800, which says the VPN server is unreachable:
http://technet.microsoft.com/en-us/library/cc772616(WS.10).aspx#BKMK_1
Troubleshooting commom VPN related errors:
http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
If this problem still exits, does other user successfully access the VPN? Or just specified device can’t access? Would you simply describe the deployment of the VPN, such TCP/IP settings, VPN type.
Best Regards,
Eve Wang

WAN Address Unidentifiable

My Mac [Mac Mini] is connected to a Windows network. The network cable that goes from my computer goes down to a Linksys router. My DSL modem is also directly connectly to the router. The problem is that everytime I use a WAN [Wide Area Network] identifier (MyIP, Network Stat, etc.), it gives me the WAN address for the router, not the computer. If my computer is connected to the router, and so is the dsl modem, shouldn't I be able to get my own internet IP address, if I can, how can I find out what it is? If I can't get my own with this setup, how can do a setup where I can accquire my independent WAN address? Please help me, I'm trying to use this article so I can access my files when I am away from home.
Any help is greatly appreciated!!!!!!!!!!!! :-D
- Craig

Here's how registering a domain name to a dynamic IP address works: You go to a URL like dyndns.org and sign up for a free domain name. It will be something like {insertYourDomainNameHere}.dyndns.org or {insertYourDomainNameHere}.home.net. See http://www.dyndns.com/services/dns/dyndns for more info. You also need to install a piece of software on your computer that, when it senses that your ISP has changed your dynamically assigned WAN IP, it tells dyndns.org to what it has been changed, and they update their DNS database with the new IP address as belonging to your domain name. Such a piece of software can be found at http://www.dyndns.com/support/clients. There are other outfits that do a similar thing, I think noip.com is one of them. But I am not familiar with them. I use dyndns so I know a little bit more about them.
Anyways, now, from work or on-the-road, you can access your home computer by
ssh {insertYourDomainNameHere}.dyndns.org
or
http://{insertYourDomainNameHere}.dyndns.org
(the latter assumes you have a website up and running on your Mac). Of course, you need to have port forwarding enabled on your DSL modem so that inbound traffic arriving on certain specified ports (e.g., 22 for ssh, 80 for http) is routed to the appropriate computer hosting these services. I would steer clear of dmz and use port forwarding instead, with NAT.
Now, what I do, is that I have a free dyndns.org domain, am running DynDNS Updater (that's the software client that tells dyndns when my WAN IP has been changed by my ISP) as a start-up item, and I have port 22 forwarded on my DSL modem to 192.68.0.2 (that's the IP address of my computer inside my residential home network). I had to set up my modem and computer to assign static 192.168.0.x addresses, in order for port forwarding to work. You may or may not have to, it depends on whether your modem ties port forwarding to MAC addresses or LAN 192.168.x.x IP addresses or not. Also, you need to have the right ports open in System Preferences -> Sharing -> Services. You need Remote Login checked for ssh and scp, and you need Personal File Sharing checked for afp, and you need Personal Web Sharing checked if you've got your own web server running.
At work or on the road, then if I need to copy a file from home, in Terminal.app, I type:
scp {mydomain}.dyndns.org:{path to file} {local computer path to file}.
To copy to home, I type:
scp {local computer path to file} {mydomain}.dyndns.org:{path to file}.
Or I can use afp services and mount my home computer on the desktop of my on-the-road computer. To do that, in Terminal.app, you type:
ssh -l {yourHomeComputerShortLoginName} -L 5548:localhost:548 {yourDomain}.dyndns.org
this sets up an encrypted tunnel for afp traffic so you can now mount your home computer on your desktop of your on-the-road computer, and all your traffic between them is encrypted. Any traffic on your on-the-road machine on port 5548 is delivered to port 548 at home, and vice-versa. Now that the tunnel is in place, click on the Finder, do an apple-k and tell it to connect to localhost:5548. Voila! Your home computer shows up as an icon on your desktop, and you can drag and drop files either direction, or open, edit, save, and close on your home computer directly (working on remotely located fles may be a little slow -- I think drag-and drop, work on it, and drag and drop back is a better practice to follow) using afp.
2001 Quicksilver G4 Mac OS X (10.4.6)

Internet disconnects when trying to connect a vpn on a different user account on the same computer

Im trying to have one user account with my real ip address and another user account on windows 8 with a vpn connection. Everytime i switch (i dont logout i just lock the user) then try to connect a vpn on the other user account the internet disconnects
on the other user account. It's like it wants to change my entire internet connection to use the vpn instead of having a seperate connection on each user account. is there a way around this or am i stuck having to use two laptops? I also unchecked
Use default gateway on remote network on the vpn.

Hi,
Try to temporary disable firewall to see if the same issue occurs.
Leo Huang
TechNet Community Support
This is definitely not the answer. Why is it marked as the answer?

Connected dynamic VPN wan address change

Similar Messages

Maybe you are looking for