Hosts on corporate network unable to connect to VPN client

I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.
This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.
Can anyone explain what's wrong or where I should look?

Thanks for the feedback.
The client is a Mac running OS-X. Firewalling is turned off; there's no trouble connecting to the client when it is plugged directly into the corporate network.
The "no-nat" rules on the 5505 look like this:
access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Here 10.170.30.0/24 is the IP pool dedicated to the VPN. There are no other NAT-related lines in the 5505's configuration.

Similar Messages

Unable to connect to vpn

Hi, I'm unable to connect to VPN. The error I'm getting is - "The VPN server did not respond. Verify the server address and try reconnecting." I'm sure I am using the correct server address because I tried it on my non-mac laptop and worked fine. By the way, I'm using cisco as vpn client. Hope someone can help me. Thank you.

Where are you getting this error?
When are you getting this error?
Does the network block requests from your area?
You're connecting FROM India, but where are you connecting to?
Do you manage the network? If not, do you have support available?
Do you collect syslog events that you can look at?
Is it an authentication failure or another failure?
Is there Posture Assessments being done? If so, what are they?
Do the logs from monitoring / collection nodes (MNT, CAM/CAS, ETC) show a reason for failure?
Typically this would be something that starts at a Tier I support level and works its way up the chain from there. There are just so many possibilities from the data that you gave us, and so much being left out it's impossible to begin to ascertain what could be amiss.

Airport Card on MacBook Pro unable to connect to VPN networks

For the last year or so (apart from two glorious months at the start of this year) when using an Airport connection, I'm unable to access any VPN networks. I always get an error saying that the VPN server is not responding.
However, if I use an ethernet connection, a USB Wifi modem or an iPhone tethering I can connect without any issues.
The VPN connections started working in January to my utter surprise. I think it may have been connected to the 10.6.6 update, but stopped working again when I did my last update on March 13th. I installed Java 10.6 update 4, iTunes 10.2.1 and Safari 5.0.4.
I'm about to install Mac OS X 10.6.7 to see if it has any effects but I wanted to know if this is a known issue and whether or not there are any solutions to the problem?
Message was edited by: Tinna
Seems like the 10.6.7 update solved the problem.

Hello Oliver,
I would start with removing your Wi-Fi network from your Preferred Network list. To do that, navigate to the Symptom: After restarting or waking from sleep, my computer might not connect to the Internet section in the first article and it will walk you through that. Another thing you can try is creating a new Network Location to see if there is an issue with your current configuration and the steps for that are in the second article.
Wi-Fi: How to troubleshoot Wi-Fi connectivity
http://support.apple.com/en-us/HT202222
Using network locations (Mac OS X v10.6 and later)
http://support.apple.com/en-us/HT202480
Regards,
-Norm G.

Unable to connect to cellular 3g network, unable to connect to cellular 3g network

I am all the sudden unable to connect to 3G on my iphone 4, also my email is not responding. any thoughts?

Dear all greetings from Abu Dhabi,
I am also having this problem which is frustrating to say the least. At every upgrade, this happened, but I previously solved it thanks to the macrumors online forum:
http://forums.macrumors.com/showthread.php?p=19031505#post19031505
At thie latest upgrade (which I regret) I did all the steps again but it is not working. Apple could you please help?
Thanks!

Unable to connect to SMC Client system from SMC Server System

hi,
i have installed SMC 3.6.1. on Solaris 10 OS . The SMC agents are installed are all system but SMC Server is unable to communicate with Client systems. SMC Server System can Ping and Telnet all the SMC Client systems , but unable to connect from SMC .
Please guide how can resolve this problem
best regards,
Adeel Mehmood

Hi Adeel,
i have installed SMC 3.6.1. on Solaris 10 OS . The
SMC agents are installed are all system but SMC
Server is unable to communicate with Client systems.
SMC Server System can Ping and Telnet all the SMC
Client systems , but unable to connect from SMC .
Please guide how can resolve this problemSo, you can login to SunMC, but you're unable to make an icon for any of your Agents? Or you have icons you made bofre but when you click on them now you get errors?
If these are new Agents, do they have more than one netowrk interface? If so, they may have security information for the "other" network (the one the SunMC Server's not on). You can try manully specifying the correct network for one Agent and see if it helps:
http://forums.halcyoninc.com/showthread.php?t=2
Regards,
[email protected]
http://www.HalcyonInc.com
!! New !! : http://forums.HalcyonInc.com

Unable to connect the crm client with the IPC server

Hi,
I am unable to connect with one CRM client with the IPC server.
my Dispatcher and all the IPC servers are working all.
Plz helpme out.
With thanks and Regards,
Yusuf.

Hi Muhammed,
Check in the file dispatcher.properties if the RFC names are correctly maintained.
Regards,
Patricia
PS Your post was in the wrong forum. I moved it to the correct one where the chance of an answer is much higher.
Hope you understand and good luck.
Regards,
Patricia
SDN Moderator

Unable to connect to Steam Client using FIOS

Since upgrading to FIOS internet a year ago, I have been unable to connect to the Steam Client. I have been in contact with Steam support and after months of trying all thier suggestions, I am still unable to connect. I keep getting the message that "Steam is having trouble connecting to the Stream servers". I am currently using the Actiontec router, but I have also tried the Westell and it also failed.
I have used a program called PFConfig to set the correct port forwarding in the router (I verifed that it is correct). At Steams request, I disabled all non Microsoft services and uninstalled Norton Internet Security and was still unable to connect. I have tried using 3 different PC's. One with the Vista OS and two with Win 7. I am in the southern California area.
I am at wits end. If I cannot correct this issue, I will not be able to install any game which uses Steam as the DRM.
Anyone have a suggestion?
Art

Delete the port forwarding. Pick a PC, determine the IP address it presently has been assigned and place that address in the DMZ on the router and try it. If that works, then you have the port forwarding wrong ... if it doesn't, then there's something goofy with your PC firewall configuration most likely.

Unable to connect to VPN intermittenly with error 412

Lately one of my user is having trouble logging on to VPN. It is always getting '412 :The remote peer is no longer responding' error when it cannot connects . I attached the Cisco VPN client log. Anyone got any experience in troubleshooting this kind of problem, pls advice. Thanks for your help appreciate it.

We are experiencing the same thing across some clients. The strange thing is it only occurs from some internet accesses. Others it works just fine with no tweaking. But it is consistently not working at the same locations. I hate to start saying its the broadband router b/c that gets messy with users and it varies too much.
Any input would be appreciated from someone who has either an explanation or solution.
52 06:08:07.135 01/24/07 Sev=Warning/3 IKE/0xA300005E
Unexpected message (Exchange type 6) while negotiating IKE. Message discarded. SA=I_Cookie=7EAD9866581E8CD9 R_Cookie=CB31BEC2C7B9871F

Unable to connect to ARD client

I'm running the Admin from an Xserve running 10.5.6, and the client is on a MacBook Pro 17", also running 10.5.6. I used to be able to connect to the client without any issues, but the last time I did so, I initiated a reboot of the client while screen sharing via ARD from the server. When the client came back online, I was no longer able to use screen sharing from the server, whether by ARD or the screen sharing that's built in to Leopard. The client and the server are in separate VLANs, and I'm still able to use screen sharing via ARD from the server to a Mac Pro within the same VLAN as the MBP, and can even use screen sharing from the Mac Pro to the MBP. I've tried trashing the prefs on the client, to no avail. Anyone have an idea how to resolve this short of rebuilding the MBP? Both server and clients are running ARD 3.2.2.

Thanks Dave. Yes, I completely removed all the elements listed there before reinstalling. The only thing I didn't do was reboot the machine in-between. I checked logs and found no crash log for ARD. Presuming I looked in the right place: /private/var/log/crashreporter.log and /Library/Logs/CrashReporter
There was one entry from December 8th in the crashreporter.log but no subsequent file in the second location where it was supposedly written.
I can hook up a monitor and access directly, it is just that I have to make an appointment with our IT guy to let me in the data center where it resides. I was hoping to avoid that. I'm reluctant to reinstall via ssh after removal. If something did happen that crashed the machine, I would rather be at the data center so I can fix it directly. I suppose that will be my next step: to go there and do a removal/reinstall directly.
Thanks for you help. Let me know if you think of anything else.
I suppose that is the next thing to try:

Intermittent Internet Connection and VPN clients can't ping internal LAN but connected after installating cisco ASA5512x

Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.

I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA.

Cannot connect using VPN client

Hi, I have a problem configuring my CISCO ASA 5515-x for VPN client. I succesfully configure AnyConnect and SSL VPN but when client using VPN Client software, they cannot establish the VPN connection. This is my configuration and attached is the error occured when connecting to the firewall. Can anyone help me solve this problem?
: Saved
ASA Version 9.1(1)
hostname ciscoasa
domain-name g
ip local pool vpn_client 192.168.2.200-192.168.2.254 mask 255.255.255.0
ip local pool vpn_250 192.168.3.1-192.168.3.254 mask 255.255.255.0
interface GigabitEthernet0/0
nameif DIGI
security-level 0
ip address 210.48.*.* 255.255.255.0
interface GigabitEthernet0/1
nameif LAN
security-level 0
ip address 192.168.2.5 255.255.255.0
interface GigabitEthernet0/2
nameif Pone
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone MYT 8
dns domain-lookup DIGI
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name g
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_113.20.*.*_24
subnet 113.20.*.* 255.255.255.0
object network NETWORK_OBJ_210.48.*.*_24
subnet 210.48.*.* 255.255.255.0
object network CsHiew
host 192.168.2.9
object network ERPServer
host 192.168.2.2
object network Giap
host 192.168.2.126
object network Jennifer
host 192.168.2.31
object network KCTan
host 192.168.2.130
object network KCTan-NB
host 192.168.2.77
object network MailServer
host 192.168.2.6
object network YHKhoo
host 192.168.2.172
object network Aslina
host 192.168.2.59
object network Law
host 192.168.2.38
object network Nurul
host 192.168.2.127
object network Laylee
host 192.168.2.17
object network Ms_Pan
host 192.168.2.188
object network Peck_Ling
host 192.168.2.248
object network Pok_Leng
host 192.168.2.36
object network UBS
host 192.168.2.21
object network Ainie
host 192.168.2.11
object network Angie
host 192.168.2.116
object network Carol
host 192.168.2.106
object network ChunKit
host 192.168.2.72
object network KKPoong
host 192.168.2.121
object network Ben
host 192.168.2.147
object network Eva
host 192.168.2.37
object network Jacklyn
host 192.168.2.135
object network Siew_Peng
host 192.168.2.149
object network Suki
host 192.168.2.61
object network Yeow
host 192.168.2.50
object network Danny
host 192.168.2.40
object network Frankie
host 192.168.2.101
object network Jamal
host 192.168.2.114
object network OcLim
host 192.168.2.177
object network Charles
host 192.168.2.210
object network Ho
host 192.168.2.81
object network YLChow
host 192.168.2.68
object network Low
host 192.168.2.58
object network Sfgan
host 192.168.2.15
object network Joey
host 192.168.2.75
object network Rizal
host 192.168.2.79
object network 190
host 192.168.2.190
object network 191
host 192.168.2.191
object network 192
host 192.168.2.192
object network 193
host 192.168.2.193
object network 194
host 192.168.2.194
object network 199
host 192.168.2.199
object network 201
host 192.168.2.201
object network 203
host 192.168.2.203
object network 204
host 192.168.2.204
object network 205
host 192.168.2.205
object network CNC214
host 192.168.2.214
object network Liyana
host 192.168.2.16
object network Aipin
host 192.168.2.22
object network Annie
host 192.168.2.140
object network Ikah
host 192.168.2.54
object network Sue
host 192.168.2.113
object network Zaidah
host 192.168.2.32
object network CKWong
host 192.168.2.33
object network KhooSC
host 192.168.2.47
object network Neexon-PC
host 192.168.2.179
object network Neexon_NB
host 192.168.2.102
object network kc
host 192.168.2.130
object network P1
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.192_26
subnet 192.168.2.192 255.255.255.192
object network NETWORK_OBJ_192.168.10.192_26
subnet 192.168.10.192 255.255.255.192
object network VPN
subnet 192.68.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object-group network HPTM_DIGI
network-object object CsHiew
network-object object ERPServer
network-object object Giap
network-object object Jennifer
network-object object KCTan
network-object object KCTan-NB
network-object object MailServer
network-object object YHKhoo
object-group network Inventory
network-object object Aslina
network-object object Law
network-object object Nurul
object-group network Account
network-object object Laylee
network-object object Ms_Pan
network-object object Peck_Ling
network-object object Pok_Leng
network-object object UBS
object-group network HR
network-object object Ainie
network-object object Angie
object-group network Heeroz
network-object object Carol
network-object object ChunKit
network-object object KKPoong
object-group network Sales
network-object object Ben
network-object object Eva
network-object object Jacklyn
network-object object Siew_Peng
network-object object Suki
network-object object Yeow
object-group network Production
network-object object Danny
network-object object Frankie
network-object object Jamal
network-object object OcLim
object-group network Engineering
network-object object Charles
network-object object Ho
network-object object YLChow
network-object object Joey
network-object object Rizal
object-group network Purchasing
network-object object Low
network-object object Sfgan
object-group network Wireless
network-object object 190
network-object object 191
network-object object 192
network-object object 193
network-object object 194
network-object object 199
network-object object 201
network-object object 203
network-object object 204
network-object object 205
object-group network IT
network-object object CNC214
network-object object Liyana
object-group network Skype
network-object object Aipin
network-object object Annie
network-object object Ikah
network-object object Sue
network-object object Zaidah
object-group network HPTM-P1
network-object object CKWong
network-object object KhooSC
network-object object Neexon-PC
network-object object Neexon_NB
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq www
service-object tcp destination eq https
access-list DIGI_access_in extended permit ip any any
access-list DIGI_access_in extended permit icmp any any echo
access-list LAN_access_in extended deny object-group DM_INLINE_SERVICE_2 object-group Skype any
access-list LAN_access_in extended deny object-group DM_INLINE_SERVICE_1 object 205 any
access-list LAN_access_in extended permit ip any any
access-list DIGI_cryptomap extended permit ip object VPN 113.20.*.* 255.255.255.0
access-list Pq_access_in extended permit ip any any
access-list splittun-vpngroup1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging recipient-address aaa@***.com level errors
mtu DIGI 1500
mtu LAN 1500
mtu Pone 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711(1).bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DIGI,LAN) source static any interface
nat (Pone,LAN) source static any interface
nat (DIGI,DIGI) source static NETWORK_OBJ_210.48.*.*_24 NETWORK_OBJ_210.48.*.*_24 destination static NETWORK_OBJ_113.20.*.*_24 NETWORK_OBJ_113.20.*.*_24 no-proxy-arp route-lookup
nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.2.192_26 NETWORK_OBJ_192.168.2.192_26 no-proxy-arp route-lookup
nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.10.192_26 NETWORK_OBJ_192.168.10.192_26 no-proxy-arp route-lookup
nat (LAN,any) source static any any destination static VPN VPN
nat (LAN,DIGI) source static any any destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup
nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup
object network VPN
nat (any,DIGI) dynamic interface
nat (LAN,Pone) after-auto source dynamic any interface dns
nat (LAN,DIGI) after-auto source dynamic any interface dns
access-group DIGI_access_in in interface DIGI
access-group LAN_access_in in interface LAN
access-group Pq_access_in in interface Pone
route Pone 0.0.0.0 0.0.0.0 10.1.*.* 2
route DIGI 0.0.0.0 0.0.0.0 210.48..*.* 3
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 LAN
http 0.0.0.0 0.0.0.0 DIGI
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map DIGI_access_in 20 set ikev1 transform-set ESP-3DES-SHA
crypto map DIGI_map 65535 ipsec-isakmp dynamic DIGI_access_in
crypto map DIGI_map interface DIGI
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.cisco.com
subject-name CN=sslvpn.cisco.com
keypair hpmtkeypair
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate ed15c051
    308201ef 30820158 a0030201 020204ed 15c05130 0d06092a 864886f7 0d010105
    0500303c 31193017 06035504 03131073 736c7670 6e2e6369 73636f2e 636f6d31
    1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e63 6973636f 2e636f6d
    301e170d 31333036 32313038 30343438 5a170d32 33303631 39303830 3434385a
    303c3119 30170603 55040313 1073736c 76706e2e 63697363 6f2e636f 6d311f30
    1d06092a 864886f7 0d010902 16107373 6c76706e 2e636973 636f2e63 6f6d3081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100a9 7715ca9e
    4d63204e 66e6517b 9a560be8 188603cc 90bb39a7 c61ef0d8 cd74bf19 8ec33146
    5176547f f43615a2 b8917a03 3a5a9dd6 e087a78a 74bf3a8e 6d7cfad2 0678253d
    b03a677a 52e9ebc0 8e044353 e9fe2055 3cafafa3 3ec74ef9 45eaf8d6 8e554879
    db9bf2fb ebcdb5c3 011bf61f 8c139ed1 a00d300a 8fe4784f 173c7702 03010001
    300d0609 2a864886 f70d0101 05050003 81810046 d32b20a6 a1efb0b5 29c7ed00
    11c0ce87 c58228c9 aae96197 eb275f9a f9da57a1 fc895faf 09a24c0c af43772b
    2818ec29 0a56eb33 c0e56696 dd1fa3bb 151ee0e4 18d27366 92177a31 b2f7842b
    4f5145b9 942fbc49 c785f925 3a909c17 2593efcc 2e410b5c d3026fe1 f48d93c1
    744333e2 c377e5d3 62eebb63 abca4109 d57bb0
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable DIGI client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable DIGI
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 DIGI
ssh timeout 5
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
vpn load-balancing
interface lbpublic DIGI
interface lbprivate DIGI
dhcp-client client-id interface Pone
dhcpd address 192.168.2.10-192.168.2.150 LAN
dhcpd dns 210.48.*.* 210.48.*.* interface LAN
dhcpd enable LAN
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 DIGI
webvpn
enable DIGI
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles anyhpmt_client_profile disk0:/anyhpmt_client_profile.xml
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
group-policy sslpolicy internal
group-policy sslpolicy attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list none
group-policy GroupPolicy_anyhpmt internal
group-policy GroupPolicy_anyhpmt attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value g
webvpn
anyconnect profiles value anyhpmt_client_profile type user
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun-vpngroup1
default-domain value g
address-pools value vpn_250
group-policy newvpn internal
group-policy newvpn attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value g
username cshiew password KK1oQOhoxfwWvya4 encrypted
username cshiew attributes
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
username newuser password GJrqM3H2KqQZv/MI encrypted privilege 1
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool vpn_250
default-group-policy vpngroup1
tunnel-group vpngroup1 webvpn-attributes
group-alias vpngroup1 enable
tunnel-group vpngroup1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group sslhpmt type remote-access
tunnel-group sslhpmt general-attributes
default-group-policy sslpolicy
tunnel-group sslhpmt webvpn-attributes
group-alias sslhpmt enable
tunnel-group anyhpmt type remote-access
tunnel-group anyhpmt general-attributes
address-pool vpn_client
default-group-policy GroupPolicy_anyhpmt
tunnel-group anyhpmt webvpn-attributes
group-alias anyhpmt enable
tunnel-group-map default-group vpngroup1
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class global-class
cxsc fail-open
class class-default
user-statistics accounting
policy-map global-policy
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:7a5ee8ff016e63420802423269da864b
: end

Hi,
Safwan Hashan napisano:i dont know which output you referring but this is output from the VPN client.
We need more information.
I expect debug output from the ASA.
To enable debugging and syslog messages, perform the following CLI steps:
1.
ASA#configure terminal
ASA(config)# debug crypto ikev1 127
ASA(config)# debug crypto ipsec 127
Enable debuging messages for IKEv1 and IPSec.
2.
ASA(config)# logging monitor debug
Sets syslog messages to be sent to Telnet or SSH sessions.
Note: You can alternately use the logging buffer debug command to send log messages to a buffer, and then view them later using the show logging command.
3.
ASA(config)# terminal monitor
Sends the syslog messages to a Telnet or SSH session.
4.
ASA(config)# logging on
Enables syslog message generation.
NOTE: This you have enabled.
Cleanup CLI
ASA(config)# no debug crypto ikev1
ASA(config)# no debug crypto ipsec
ASA(config)# no logging monitor debug
ASA(config)# no terminal monitor
More information: Sensible Debugging and Logging
I have one suggestion. Change and try.
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
no vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
vpn-tunnel-protocol ikev1
Best regards,
MB
Please rate all helpful posts. Thx

Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

Environment:
2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
Both ASAs are at version 8.4(5)6
IPSec VPN Client version: 5.0.07.440 (64-bit)
Jabber for Windows v9.7.0 build 18474
Issue:
If I am an IPSec VPN user…
I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

Portu,
Thanks for your quick reply.
Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above. I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
I can, though, do whatever you want on the Linux router. Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this. (But I might need a bit of handholding if I need to set up a wireshark andor tcpdump.)
Thanks again.

Access Site to Site Networks behind Cisco ASA thru VPN Client

I have configured remote access thru asa for vpn clients to our main network. I can ping the required networks from vpn client. Internally I can ping remote network thru our sonicwall site to site vpn. I however cannot ping the remote network from the vpn client. I've added the network in the configuration on the ASA that I am trying to connect to. Any ideas what I can do so I can connect to Site B thru my vpn client connecting to Site A?
Thanks,
Matt

Hello, matt0000111111.
Did you add a VPN clients network to the sit-to-site VPN settings and to the NAT list (if nat exist at the interfaces at site-to-site vpn)?

Unable to install Cisco VPN Client on Windows 7

Hello,
After a successfull uninstallation of Cisco VPN version 4. I try to install Cisco VPN Client version 5.0.07.0290.
But after launching vpnclient_setup.msi, the wizard is starting. When I click on Next button, I have the following message: "installation ended prematurely because of an error".
In attachment, I add the details of the error find in the windows logs (logError.txt) and the logs generated from MSI installer in verbose mode (log2.txt).
My computer is a lenovo W500 with Windows 7 64 bits and 4 GB of memory (compliant with the Cisco VPN Client requirements).
I have administrator privileges on this computer.
Please help me !
I need to use it to connect to my company network.
Thanks in advance.
BR
Jerome

You should be able to install the 64 bit version of the Cisco VPN software
Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
Using Shrew VPN is a workaround more than a solution / answer to this issue.
You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
MicrosoftFixit50842.msi

Connect thru VPN Client Need Help

Hi,
I have a ECC6.0 Ides in my computer.
I have another ECC6.0 as development and production in my office.
I can log to my office SAP Systems thru a IPSEC VPN.
Is it possible for my office can connect to my ECC6.0
let me know.
Regards,
Saravanan.

Hello, matt0000111111.
Did you add a VPN clients network to the sit-to-site VPN settings and to the NAT list (if nat exist at the interfaces at site-to-site vpn)?

Hosts on corporate network unable to connect to VPN client

Similar Messages

Maybe you are looking for