Easy VPN and remote access VPN

Hi all,
I have a pix running version 7.2, with two VPN connection:
1- normal remote access vpn with cisco vpn client.
2- easy vpn with another pix running version 6.3
both are working fine and i can access everything in HQ netweok.
questions is i need to enable communication between cisco vpn clinet to that remote side which has pix easy vpn . ??
please adivce what kind of configuration we need !!!!
regards,
hasan

Take a look at this link for easy VPN configuration.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

Similar Messages

Exchange Server 2013 and Remote Access VPN on a single server running Windows Server 2012?

Just by way of background, I have been installing and administering network servers, e-mail systems, VPN servers, and the like for many years. However, my involvement with Exchange and Windows Server has been mostly on the forensics and data recovery
level, or as a (sophisticated) user. I have never tried to deploy either from scratch before. My deployment experiences have been mostly with Linux in recent years, and with small private or personal "servers" running such cutting edge
software as Windows XP back when it was new. And even NetWare once.
When a client asked me if I could set up a server for his business, running Exchange Server (since they really want Outlook with all of its bells and whistles to work, particularly calendars) and providing VPN access for a shared file store, I figured it
could not be too difficult given that its a small business, with only a few users, and nothing sophisticated in the way of requirements. For reasons that don't bear explaining here, he was not willing to use a vendor hosting Exchange services or cloud
storage. There is no internal network behind the server; it is intended to be a stand-alone server, hanging off a static IP address on the Internet, providing the entirely mobile work-force of about 10 people with Exchange-hosted e-mail for their computers
and phones, a secure file store, and not much else. If Exchange didn't need it, I would not need to install Active Directory, for example. We have no direct need for its services.
So I did the research and it appears, more by implication than outright assertion, that I should be able to run Windows Server 2012 with Exchange Server 2013 on a server that also hosts Remote Access (VPN only) and does nothing else. And it appears
I ought to be able to do it without virtualizing any of it. However, I have spent the last three or four days fighting one mysterious issue after another. I had Remote Access VPN working and fairly stable very quickly (although it takes a very
long time to become available after the server boots), and it has mostly remained reliable throughout although at times while installing Exchange it seems to have dropped out on me. But I've always been able to get it back after scrounging through the
logs to find out what is bothering it. I have occasionally, for a few minutes at a time, had Exchange Server willing to do everything it should do (although not always everything at the same time). At one point I even received a number of e-mails
on my BlackBerry that had been sent to my test account on the Exchange Server, and was able to send an e-mail from my BlackBerry to an outside account.
But then Exchange Server just stopped. There are messages stuck in the queues, among other issues, but the Exchange Administration Center refuses now to display anything (after I enter my Administrator password, I just get a blank screen, whether on
the server or remotely).
So, I am trying to avoid bothering all of you any more than I have to, but let me just begin with the basic question posed in the title: Can I run Exchange Server (and therefore Active Directory and all of its components) and Remote Access (VPN only) on
a single Windows Server 2012 server? And if so, do I have to run virtual machines (which will require adding more memory to the server, since I did not plan for it when I purchased it)? If it can be done, can anyone provide any pointers on what
the pitfalls are that may be causing my problems? I am happy to provide whatever additional information anyone might like to help figure it out.
Thanks!

An old thread but I ran into this issue and thought I share my solution since I ran into the same issue. Configuring VPN removes the HTTPS 443 binding on the Default Site in IIS for some strange reason; just go and editing the bindings, add HTTPS and things
should be back to normal.

Site to Site and Remote Access VPN

Hi All,
Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
Regards
Abhishek
This topic first appeared in the Spiceworks Community

A document exists where PIX/ASA maintains LAN-ti-LAN IPsec tunnel at two end points and there is overlapping networks at ther inside interface of both the asa. Probably, the basic configuration for both asa and IOS routers are nat config. So, this particular document might be useful for your requirement
PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Routing and Remote Access VPN DHCP error

I have a strange problem.
I have a client that is using Server 2012 Standard.
On this server they have Routing and Remote Access configured for VPN client access. Their users that are working outside the office connect to the VPN to access the internal network.
The VPN works fine for the most part. Recently however, it has started having issues.
Periodically (about once every 8 days) I will hear from them that they cannot connect and that they get error 720. I will check the server and the server will have the following errors in the event log:
Warning: No IP address is available to hand out to the dial-in client.
If you check DHCP the server is running fine and will hand out local addresses but it will not hand out addresses to VPN clients. Also the addresses that it HAS previously handed out to VPN clients will not show in the address leases.
The solution strangly enough is to disconnect and reconnect a the VPN client connection that the server has connecting it to a offsite server that it does a SQL sync with.
Any ideas as to what might be causing this? If need be I can post more detailed logs but I am not sure what logs even to post or what data to collect.
Any help is greatly appreciated.

I am experiencing the same issue on a Windows 2008R2 SP1 RAS server. The above statement About increasing the lease time on DHCP does not resolve the problem.
I am also Searching for a Solutions to this issue.
Up to now I have done the Following :
1. Increased the scope/ cleared IP's in DHCP.
2. Ensure that the DHCP server is accessable.
3. Created a Manual Scope on RRAS configurations settings (then clients can connect but cannot access resources on the network). Changing Back to DHCP, you recieve the same 720 Error.
4. Stop and started the DHCP services on the DHCP Server.
5. Stop and Started RRAS Services on RRAS server.
The Only Indication is, that DHCP for some reason does not lease out Addresses to the RRAS server..

ACS 5.0 and remote access VPN

I have problem for authenticar a remote access VPN with ACS 5.0, not work.
When I try with ACS 4.1, the authentication work fine.
I hope someone can help me.
Regards.

I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as tacacs and radius server. I have no problem with accessing devices via tacacs (except that changing pass with first login doesn't work). The problem is with VPN authentication. I tested radius with Radlogin and PAP is working fine, CHAP goes in timeout, but as I know ACS 5.0 doesn't suport CHAP.
Here are some logs from ASA:
the end of debug crypto isakmp:
Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844
debug radius:
Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8) , : TM_DONE, EV_ERROR-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG
Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310) , : AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Regards

Vpn site to site and remote access , access lists

Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

Can i use same address pool for different remote access VPN tunnel groups and policy

Hi all,
i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
thanks in advance
Shnail

Thanks Karsten..
but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below, this will achive waht i need right??
access-list 15 extended permit tcp any host 192.168.205.134 eq 80
username test password password test
username test attributes
vpn-group-policy TEST
vpn-filter value 15
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.200.16
vpn-filter value 15
vpn-tunnel-protocol IPSec
address-pools value existing-pool
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool existing-pool
default-group-policy TEST
tunnel-group Payroll ipsec-attributes
pre-shared-key xxx

Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface. The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ. Without the client connected, they access the web servers via the external public IP. Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address.
Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.
I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface.
Share the configuration if you want help with the NAT exemption part.

Remote access VPN to server from outside and server reach internet on the same time

Dear,
I have problem in my ASA 5515-X , when i make Remote access VPN to servers in inside zone the internet connection disconnected in the servers, or when i have internet in servers, the remote access cant reach servers.
the configuration for server as static NAT for each server, and the connection of VPN is to another public IP but in the same subnet of NAT ip.
server1 : 10.10.10.2 nat to 5.6.7.8
server2: 10.10.10.3 nat to 5.6.7.9
server3: 10.10.10.4 nat to 5.6.7.10
VPN connection to 5.6.7.12
is there any solution for this senario, remote vpn to servers and the same time the servers have internet readability for download updates .. etc

Hi,
So it seems that the problem is with lacking a NAT0 configuration
You could modify the below configuration to match your networks/IP addresses used. In the below configuration I presume that you have interfaces "inside" and "outside".
object network SERVER-NETWORK
subnet <server network address> <network mask>
object network VPN-POOL
subnet <vpn pool network address> <network mask>
nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL
Just insert the correct address related information and change the "object" and interface names if required.
This configuration will tell the ASA that no NAT will be performed for traffic between the VPN-POOL and SERVER-NETWORK. The NAT configuration is bidirectional. With this configuration the Static NAT configurations will continue to work for the servers Internet traffic and this NAT0 configuration will be applied only to the VPN Client traffic.
Hope this helps :)
- Jouni

Remote Access VPN and NAT inside interface

Hi everyone,
I have configured Remote VPN access.
Inside interface and vpn pool is 10.0.0.0 subnet.
ASA inside interface has NAT exempt as per config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Also i have ASA inside interface connected to R1 as below
R1 ---10.0.0.2------------inside int IP 10.0.0.1--------ASA
R1 has loopback int 192.168.50.1 and ASA has static route to it.
When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
This ping works fine.
Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
Need to understand how this ping works without exempting 192.168.50.0 from natiing
or
how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
Regards
Mahesh

Hi Jouni,
IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
Leting you know that i have removed the NAT below config from inside to outside interface
ASA inside interface has NAT exempt as per config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Still ping works fine from VPN client PC to IP 192.168.50.1
Packet tracer output
ASA1# packet-tracer input outside icmp 10.0.0.52 8 0 192.168.50.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.50.1    255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any host 192.168.50.1 log
access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can ping from PC command prompt to IP 192.168.50.1 fine.
Here is second packet tracer
ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 18033, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
So question is how ping from outside is working without nat exempt from inside to outside?
So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
Regards
Mahesh
Message was edited by: mahesh parmar

Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

Hii frnds,
here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
Below is the out put from the router
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1   172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C        10.2.2.2/32 is directly connected, Loopback0
C        10.10.7.0/24 is directly connected, FastEthernet0/1
L        10.10.7.1/32 is directly connected, FastEthernet0/1
C        10.10.8.0/22 is directly connected, FastEthernet0/1
L        10.10.10.1/32 is directly connected, FastEthernet0/1
      117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/22 is directly connected, FastEthernet0/1
L        172.16.0.1/32 is directly connected, FastEthernet0/1
      172.18.0.0/32 is subnetted, 1 subnets
S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, FastEthernet0/1
L        192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1 #sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: giet-vpn, local addr 117.239.xx.xx
   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
   current_peer 49.206.59.86 port 50083
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x550E70F9(1427009785)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x5668C75(90606709)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550169/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x550E70F9(1427009785)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550170/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

hi Maximilian Schojohann..
First i would like to Thank you for showing interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF " Router cpu processer goes to 99% and hangs...
In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
so plz give me an alternate solution ....thanks in advance....

Server 2003 routing and remote access not passing VPN traffic

I've inherited a network that has two IP scopes that are routed through a Windows 2003 server with Routing and Remote Access. I can ping both sides (we'll call them HQ and Plant) internally. My firewall has an IP from the HQ IP scope and when
I connect via VPN, I can see all the devices on the HQ network including the network card that is in the routing server for that "side". However, if I'm connected via VPN, I cannot get to any of the IPs on the Plant side, not even the card
in the routing server. The buck stops on the server.
I should mention, that the firewall assigns IP addresses that are on the HQ scope, so all VPN connections will have an address from that side.
I'm lost on how to get this set up so my VPN traffic coming in from the HQ side can be routed to the Plant devices.

Hi,
To be honest, your statement confused me a bit.
VPN is used for external client get access to internal resource. When we setup VPN server, we usually have two NICs. We need choose a NIC that will be used when client initiate
a connection request. I prefer to call it external NIC card. The internal one will work as DHCP relay agent. So this is a single way connection. You cannot dial from internal to external.
If I misunderstood you, please elaborate what you are trying to do.
Hope this helps.

Remote Access VPN authentication through RADIUS

Hi,
I have configured remote access VPN (IPsec) in my Cisco ASA . Before there was only single username & password to for VPN client. Now I am planning to give access through RADIUS server. I have configured RADIUS server in WIN 2003 server.
Server configuration:
1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with ip address of CISCO ASA (inside interface).
2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
3) check Grant Remote Access Permissions is selected.Click Edit Profile and check these settings:On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP,and MS-CHAP-v2.ï On the Encryption tab, ensure that the option for No Encryption is selected.Click OK when you are finished.
4.Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account.Add a user and check this profile information:On the General tab, ensure that the option for Password Never Expired is selected instead ofthe option for User Must Change Password.
On the Dial-in tab, select the option for Allow access
ASA configuration:
aaa-server vpn protocol radius
aaa-server vpn host 10.155.20.25 (RADIUS server IP )
key cisco321
tunnel-group vpnacc type ipsec-ra
tunnel-group vpnacc general-attributes
authentication-server-group vpn
but it is not working. Please guide to resolve this issue.
Regards,
som

Also, take a look at your logs on the windows server, and try debugging the asa. Try running wireshark or network monitor on the windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the asa and/or checking the logs on the server. Make sure the service is running on the windows box. Make sure that something stupid like windows firewall isnt blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword"
Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning, running debugs on a production firewall should be done at your own risk, it is very easy to overwhelm a device to the point it stops responding by running debugs.

Remote Access VPN (ipsec) can ping LAN interface of firewall but not clients on the company network.

The VPN will connect.
I can ping and connect to the ASA 5510 on it's LAN interface.
My problem is that I cannot ping or access anything on the LAN past the firewall. What am I doing wrong?
Here is my config.
Result of the command: "show config"
: Saved
: Written by enable_15 at 22:55:02.299 UTC Tue Jan 10 2012
ASA Version 8.2(5)
hostname ********
enable password UbBnTPKwu27ohfYB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network BC
network-object 10.0.3.0 255.255.255.0
network-object 10.0.4.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq 50000
access-list outside_access_in extended permit tcp any any eq 3390
access-list outside_access_in extended permit tcp any any eq 8066
access-list outside_access_in extended permit tcp any any eq 22225
access-list outside_access_in extended permit tcp any any eq 1600
access-list outside_access_in extended permit tcp any any eq 37260
access-list outside_access_in extended permit tcp any any eq 37261
access-list outside_access_in extended permit tcp any any eq 37262
access-list outside_access_in extended permit tcp any any eq 37263
access-list outside_access_in extended permit tcp any any eq 37264
access-list outside_access_in extended permit tcp any any eq 1435
access-list outside_access_in extended permit tcp any any eq 250
access-list outside_access_in extended permit tcp any any eq citrix-ica
access-list outside_access_in extended permit tcp any any eq 8080
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq 85
access-list outside_access_in extended permit tcp any any eq 8069
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 23032
access-list outside_access_in extended permit tcp any any eq 32023
access-list outside_access_in extended permit tcp any any eq 3399
access-list outside_access_in extended permit udp any any eq 250
access-list outside_access_in extended permit udp any any eq 5008
access-list outside_access_in extended permit icmp any any
access-list splittunn-ppso extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list splittunn-ppso extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 50000 10.0.4.58 50000 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.0.4.7 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.0.3.249 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 8066 10.0.3.249 8066 netmask 255.255.255.255
static (inside,outside) tcp interface 22225 10.0.4.58 22225 netmask 255.255.255.255
static (inside,outside) tcp interface 1600 10.0.4.58 1600 netmask 255.255.255.255
static (inside,outside) tcp interface 37260 10.0.4.58 37260 netmask 255.255.255.255
static (inside,outside) tcp interface 37261 10.0.4.58 37261 netmask 255.255.255.255
static (inside,outside) tcp interface 37262 10.0.4.58 37262 netmask 255.255.255.255
static (inside,outside) tcp interface 37263 10.0.4.58 37263 netmask 255.255.255.255
static (inside,outside) tcp interface 37264 10.0.4.58 37264 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 10.0.4.240 1433 netmask 255.255.255.255
static (inside,outside) udp interface 5008 10.0.4.240 5008 netmask 255.255.255.255
static (inside,outside) udp interface 249 10.0.4.240 249 netmask 255.255.255.255
static (inside,outside) tcp interface 250 10.0.4.240 250 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.4.15 www netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 10.0.4.15 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.0.4.15 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 85 10.0.4.15 85 netmask 255.255.255.255
static (inside,outside) tcp interface 8069 10.0.4.236 8069 netmask 255.255.255.255
static (inside,outside) tcp interface 3399 10.0.4.236 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 23032 10.0.4.244 23032 netmask 255.255.255.255
static (inside,outside) tcp interface 32023 10.0.4.244 32023 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.3.0 255.255.255.0 10.0.4.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http x.x.x.x x.x.x.x outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
    30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
    74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
    68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
    3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
    63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
    0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
    63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
    db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
    ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
    45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
    2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
    1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
    03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
    69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
    02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
    6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
    1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
    551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
    1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
    2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
    b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
    6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet x.x.x.x 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ppso internal
group-policy ppso attributes
dns-server value 10.0.4.241 10.0.4.14
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunn-ppso
default-domain value ppso.local
split-dns value ppso.local
address-pools value vpn-pool
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool vpn-pool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:88a9b69fc3d718c3badfa99db2c7ce4f

Yeah, I figured out where my problem was.
My IP Local Pool range was the problem.
I was using 10.10.10.0 which conflicted with a point-to-point connection where the serial interfaces were numbered and using 10.10.10.1 and 10.10.10.2.
Traffic would leave the firewall, hit the intended host, go back through my core router, then off to the other network.
I changed my ip local pool to a different range (192.168.100.0) and my problem was solved.

Remote Access VPN - Unable to Access LAN / Inside Network

Hi,
I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.
I have attached running configuration for your reference. Please let me know I miss any configuartion.
FW : ASA5510
Version : 8.0
Note : Site to Site VPN is working without any issues
Thanks
Jamal

Hi,
Very nice network diagram
Are you saying that originally the VPN Client user is behind the Jeddah ASA?
If this is true wouldnt it be wiser to just use the already existing L2L VPN between these sites?
In real situation I think the VPN Client would only be needed when you are outside either Head Quarter or Jeddah Network. And since you tested it infront of the ASA and it worked there shouldnt be any problem.
Now to the reason why the VPN Client isnt working from behind the Jeddah ASA.
Can you check that the following configuration is found on the Jeddah ASA (Depending on the software level of the ASA the format of the command might change. I'm not 100% sure)
isakmp nat-traversal To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
isakmp nat-traversal natkeepalive
no isakmp nat-traversal natkeepalive
Syntax Description
natkeepalive
Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
Defaults
By default, NAT traversal (isakmp nat-traversal) is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System
Global configuration
Command History
Release
Modification
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp nat-traversal command replaces it.
Usage Guidelines Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The security appliance supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
Examples
The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:
hostname(config)# isakmp enable
hostname(config)# isakmp nat-traversal 30
- Jouni

Easy VPN and remote access VPN

Similar Messages

Maybe you are looking for