I can connect my cisco mobile vpn but can't ping & access internal IP
Hi somebody,
i've configured mobile vpn configuration in cisco 7200 with GNS3. i can connect VPN to my cisco router with cisco vpn client software from outside. but i can't ping to internal ip and can't access internal resources.
My Internal IP is 192.168.1.x . And IP for mobile VPN client from outside is 172.60.1.x.
Your advise will be appreciate.
here is my configuration with cisco 7200 in GNS 3,
OfficeVPN_Router#sh run
Building configuration...
Current configuration : 2186 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip any any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
OfficeVPN_Router#sh ver
Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 18:50 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
OfficeVPN_Router uptime is 30 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
3 FastEthernet interfaces
125K bytes of NVRAM.
65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
OfficeVPN_Router#
Dear Javier ,
Thanks for your info. i already tested as you say. but still i can't use & ping to my internal IP which is behind cisco VPN router. i posted my config file.
OfficeVPN_Router(config)#ip access-list resequence 111 10 10
OfficeVPN_Router(config)#do sh run
Building configuration...
Current configuration : 2201 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
Similar Messages
-
VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN
Hi
my scenario is as follows
SERVER1 on lan (192.168.1.4)
|
|
CISCO-887 (192.168.1.254)
|
|
INTERNET
|
|
VPN Cisco client on windows 7 machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Perhaps ACL problem?
Building configuration...
Current configuration : 4921 bytes
! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TestLab
boot-start-marker
boot-end-marker
enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3013130599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3013130599
revocation-check none
rsakeypair TP-self-signed-3013130599
crypto pki certificate chain TP-self-signed-3013130599
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
CBB28E7A E91A090D 53DAD1A0 3F66A3
quit
no ip domain lookup
ip cef
no ipv6 cef
license udi pid CISCO887VA-K9 sn ***********
username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key NetasTest
dns 8.8.4.4
pool VPN-Pool
acl 120
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip address 192.168.2.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ****
ppp chap password 0 *********
ppp pap sent-username ****** password 0 *******
no cdp enable
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 remark
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 remark
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
line con 0
exec-timeout 5 30
password ******
no modem enable
line aux 0
line vty 0 4
password ******
transport input all
end
Best Regards,I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
router#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.100
Desc: (none)
IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active
Capabilities:(none) connid:2001 lifetime:07:19:22
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
Active SAs: 4, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162 -
VPN client connect to CISCO 887 VPN Server bat they stop at router!!
Hi
my scenario is as follows
SERVER1 on lan (192.168.5.2/24)
|
|
CISCO-887 (192.168.5.4) with VPN server
|
|
INTERNET
|
|
VPN Cisco client on xp machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
They can ping only router!!!
They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Peraps ACL problem?
Building configuration...
Current configuration : 5019 bytes
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gate
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
quit
ip name-server 212.216.112.222
ip cef
no ipv6 cef
password encryption aes
license udi pid CISCO887VA-K9 sn ********
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 10.10.10.10 255.255.255.0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
line con 0
line aux 0
line vty 0 4
transport input all
endHello,
Your pool of VPN addresses is overlapping with the interface vlan1.
Since proxy-arp is disabled on that interface, it will never work
2 solutions
1- Pool uses a different network than 192.168.5
2- Enable ip proxy-arp on interface vlan1
Cheers,
Olivier -
i just finished upgrading ios 7.0.2 at my iphone 4s. and then when i connect it to itunes, a command box appers says :
FYI, while this command box appear. i still able to browse my itunes store and download some apps and music
thx. -
Cisco asa- vpn established but cant ping
I am using 2 cisco asa 5505 routers, i have established vpn between them but i cant ping client internal or outside interface, client can ping my outside interface. Only configuration on client is basic easy vpn settings and interfaces, here is server part configuration on my side:
ASA Version 9.1(1)
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside
subnet 10.1.2.0 255.255.255.0
object network outside
subnet 10.1.3.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list 101 extended permit object-group DM_INLINE_PROTOCOL_1 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit object-group DM_INLINE_PROTOCOL_2 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.1.3.0 255.255.255.0 echo-reply inside
icmp permit any inside
icmp permit any outside
icmp permit 10.1.3.0 255.255.255.0 echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static outside outside destination static inside inside no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group global_access global
route inside 0.0.0.0 0.0.0.0 10.1.3.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname *********
vpdn group iskon ppp authentication pap
vpdn username ***** password *****
dhcpd auto_config outside
dhcpd address 10.1.2.5-10.1.2.132 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN internal
group-policy VPN attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
vpn-session-timeout none
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f2923b78a04ee8cfe9324e3e2733d78SOLVED!!! i just needed to configure nat here is configuration for any1 with same problem
: Saved
ASA Version 9.1(1)
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ladimirevci
subnet 10.1.2.0 255.255.255.0
object network lekenik
subnet 10.1.3.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 101 extended permit ip object lekenik object ladimirevci
access-list 101 extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object lekenik object ladimirevci
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object ladimirevci object lekenik
access-list inside_access_in extended permit ip object lekenik object ladimirevci
access-list inside_access_in extended permit ip any any
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip object lekenik object ladimirevci
access-list global_access extended permit ip object ladimirevci object lekenik
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static ladimirevci ladimirevci destination static lekenik lekenik
object network obj_any
nat (inside,outside) dynamic interface dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set pfs
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto dynamic-map DYN-MAP 5 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname vivaindo@iskon-dsl
vpdn group iskon ppp authentication pap
vpdn username vivaindo@iskon-dsl password *****
dhcpd auto_config outside
dhcpd address 10.1.2.5-10.1.2.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-clientless
group-policy VPN internal
group-policy VPN attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-lock value VPN-TUNNEL
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ddac35422ebbf57095be7a1d33b0b67d
: end
asdm image disk0:/asdm-712.bin
no asdm history enable -
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thank in advance for any help!Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason -
Can't Connect to Pix 501 VPN on Network
Hi All,
I have a software VPN client that connects just fine to the PIX 501 VPN, but I cannot ping or telnet to any services on the LAN. Below is my config and results of show cry ipsec sa. I would appreciate any suggestions to fix this.
It's been a while since I have done this. When I check the DHCP address received from the VPN, the default gateway is missing. IIRC, that is normal. What is strange is that when I ping, Windows does not show any sent packets.
Thanks,
--Drichards38
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bgVy005CZTsaMOwR encrypted
passwd bgVy005CZTsaMOwR encrypted
hostname cisco
domain-name xxxxxx.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 1024-2048
fixup protocol ftp 49152-65534
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-out permit tcp any interface outside eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq telnet
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 60990
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq echo
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any interface inside eq www
access-list acl_out permit tcp any interface inside eq ftp
access-list acl_out permit tcp any interface inside eq 3389
access-list acl_out permit tcp any interface inside eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq 902
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list acl_out permit tcp any host aa.bb.cc.dd eq www
access-list acl_out permit tcp any host aa.bb.cc.dd eq https
access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.0.0.0
access-list split_tunnel_acl permit ip 10.0.0.0 255.0.0.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside aa.bb.cc.dd 255.255.255.240
ip address inside 192.168.93.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool low_vpn_pool 10.0.1.205-10.0.1.210
pdm location 172.16.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.93.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.67 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.68 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.69 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.70 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.71 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.72 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.73 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.74 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.75 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.76 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.77 netmask 255.255.255.255 0 0
static (inside,outside) aa.bb.cc.dd 192.168.93.78 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 aa.bb.cc.dd 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MY_VPN address-pool low_vpn_pool
vpngroup MY_VPN dns-server 4.2.2.1
vpngroup MY_VPN default-domain xxxxx.biz
vpngroup MY_VPN split-tunnel split_tunnel_acl
vpngroup MY_VPN idle-time 1800
vpngroup MY_VPN password ********
telnet 0.0.0.0 255.255.255.255 outside
telnet 192.168.93.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.93.230-192.168.93.240 inside
dhcpd dns ff.gg.hh.ii ff.gg.hh.ii
dhcpd lease 65536
dhcpd ping_timeout 750
dhcpd domain xxxxxx.biz
dhcpd auto_config outside
dhcpd enable inside
username xxxx password xxxxxxx encrypted privilege 15
cisco(config)# show cry ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. aa.bb.cc.dd
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.205/255.255.255.255/0/0)
current_peer: jj.kk.ll.mm:1265
dynamic allocated peer ip: 10.0.1.205
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 38, #pkts verify 38
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: aa.bb.cc.dd, remote crypto endpt.: 97.93.95.133
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: 3a898e67
inbound esp sas:
spi: 0xeeb64931(4004923697)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 1, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607993/28610)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3a898e67(982093415)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/28574)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:I just set the logging to high on all areas of the Cisco VPN client. Below is the resulting log. Everything looks ok from here:
Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
29 09:57:02.887 09/03/12 Sev=Info/4 CM/0x63100002
Begin connection process
30 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100004
Establish secure connection
31 09:57:02.897 09/03/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "a.b.c.d"
32 09:57:02.907 09/03/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with a.b.c.d.
33 09:57:02.917 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to a.b.c.d
34 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
35 09:57:03.228 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
36 09:57:03.228 09/03/12 Sev=Info/6 IPSEC/0x6370002C
Sent 47 packets, 0 were fragmented.
37 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
38 09:57:03.979 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from a.b.c.d
39 09:57:04.039 09/03/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
40 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
41 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
42 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
43 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
44 09:57:03.979 09/03/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
45 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
46 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to a.b.c.d
47 09:57:03.999 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 09:57:03.999 09/03/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0421, Remote Port = 0x1194
49 09:57:03.999 09/03/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
50 09:57:03.999 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
51 09:57:04.029 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
52 09:57:04.029 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) from a.b.c.d
53 09:57:04.029 09/03/12 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:886)
54 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
55 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
56 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
57 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
58 09:57:04.039 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
59 09:57:04.039 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
60 09:57:04.039 09/03/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
61 09:57:09.327 09/03/12 Sev=Info/4 CM/0x63100017
xAuth application returned
62 09:57:09.327 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
63 09:57:09.367 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
64 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
65 09:57:09.367 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
66 09:57:09.367 09/03/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
67 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
68 09:57:09.387 09/03/12 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
69 09:57:09.387 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
70 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
71 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
72 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.205
73 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 4.2.2.1
74 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxx.biz
75 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
76 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.0.0.0
mask = 255.0.0.0
protocol = 0
src port = 0
dest port=0
77 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
78 09:57:09.427 09/03/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
79 09:57:09.427 09/03/12 Sev=Info/4 CM/0x63100019
Mode Config data received
80 09:57:09.427 09/03/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.0.1.205, GW IP = a.b.c.d, Remote IP = 0.0.0.0
81 09:57:09.437 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to a.b.c.d
82 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
83 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
84 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
85 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb
86 09:57:09.477 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to a.b.c.d
87 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D70550E6 OUTBOUND SPI = 0xB335C6DA INBOUND SPI = 0xE99E1A59)
88 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xB335C6DA
89 09:57:09.477 09/03/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE99E1A59
90 09:57:09.527 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 172.16.0.11 0.0.0.0 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
91 09:57:10.448 09/03/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.0.1.205/255.0.0.0
DNS=4.2.2.1,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=xxxx.biz
Split DNS Names=
92 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 25
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
93 09:57:10.458 09/03/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
94 09:57:10.458 09/03/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.11 25
10.0.0.0 255.0.0.0 10.0.1.205 10.0.1.205 1
10.0.1.205 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 25
a.b.c.d 255.255.255.255 172.16.0.1 172.16.0.11 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.0.11 172.16.0.11 25
172.16.0.1 255.255.255.255 172.16.0.11 172.16.0.11 1
172.16.0.11 255.255.255.255 127.0.0.1 127.0.0.1 25
172.16.255.255 255.255.255.255 172.16.0.11 172.16.0.11 25
224.0.0.0 240.0.0.0 10.0.1.205 10.0.1.205 25
224.0.0.0 240.0.0.0 172.16.0.11 172.16.0.11 25
255.255.255.255 255.255.255.255 10.0.1.205 0.0.0.0 1
255.255.255.255 255.255.255.255 10.0.1.205 10.0.1.205 1
255.255.255.255 255.255.255.255 172.16.0.11 172.16.0.11 1
95 09:57:10.458 09/03/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
96 09:57:10.508 09/03/12 Sev=Info/4 CM/0x6310001A
One secure connection established
97 09:57:10.618 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 172.16.0.11. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
98 09:57:10.638 09/03/12 Sev=Info/4 CM/0x6310003B
Address watch added for 10.0.1.205. Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
99 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
100 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
101 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xdac635b3 into key list
102 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
103 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x591a9ee9 into key list
104 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.0.1.205
105 09:57:10.638 09/03/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 172.16.0.11. SG: a.b.c.d
106 09:57:10.638 09/03/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
107 09:57:19.741 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
108 09:57:19.741 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445672
109 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
110 09:57:19.772 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
111 09:57:19.772 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445672, seq# expected = 3951445672
112 09:57:30.257 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
113 09:57:30.257 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445673
114 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
115 09:57:30.297 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
116 09:57:30.297 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445673, seq# expected = 3951445673
117 09:57:40.772 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
118 09:57:40.772 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445674
119 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
120 09:57:40.802 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
121 09:57:40.802 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445674, seq# expected = 3951445674
122 09:57:54.291 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
123 09:58:04.306 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
124 09:58:14.320 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
125 09:58:24.334 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
126 09:58:34.349 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
127 09:58:41.359 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
128 09:58:41.359 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445675
129 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
130 09:58:41.389 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
131 09:58:41.389 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445675, seq# expected = 3951445675
132 09:58:54.378 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
133 09:59:04.392 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
134 09:59:14.406 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
135 09:59:24.421 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
136 09:59:34.435 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
137 09:59:41.946 09/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
138 09:59:41.946 09/03/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to a.b.c.d, our seq# = 3951445676
139 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = a.b.c.d
140 09:59:41.976 09/03/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
141 09:59:41.976 09/03/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from a.b.c.d, seq# received = 3951445676, seq# expected = 3951445676
142 09:59:54.464 09/03/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA -
Wifi turns off when connected to mobile card, but wont turn back on
I have a Sprint wireless internet card. When I connect to the mobile card, the Wifi radio turns off. I'm fine with it turning off while I'm connected to the mobile card, but the problem is that it wont turn back on when I disconnect the mobile card. If I try to use the button or other basic on/off switches in windows to turn it on, they wont respond. The only way I can get it back on is to run a troubleshoot, which shows that the radio is disabled and asks if I want to apply the fix that will turn it back on.
I'm on a Toshiba Satellite A665-S5170, Windows 7 (64), in the U.S.
Thank you.Hi
So does this also happen if you dont connect the notebook to external monitor? So you can determine what is causing this problem.
If the notebook doesnt shut down without external monitor you should try to update the BIOS and display driver. Both updates you can find on the Toshiba website:
http://eu.computers.toshiba-europe.com => Support & Downloads => Download Drivers
Do you close the lid if you have connected the external monitor?
What OS are you using?
Furthermore it would be interesting to know how you cleaned the notebook. Therefore I use compressed air spray that can blow out the dust from the cooling ventilators and you must not disassemble the notebook.
Bye -
Can I connect to F-Secure Freedome while being connected to my work VPN?
QuestionCan I connect to F-Secure Freedome while being connected to my work VPN?
AnswerIf you are working remotely and you are required to be connected to your company VPN to access your company’s internal services, it is recommended that you turn off the FreedomeVPN.
While it is still possible to switch on FreedomeVPN when connected to your work VPN, this may however hinder access to your company’s internal services.Install an application such as MacDrive onto Windows.
(35077) -
Cisco ASA 5505 VPN help for local lan access.
Hi all,
I am very new to Cisco systems. Recently I was tasked to enable local lan access for one of my server. The problem is this. I have this server with 2 interfaces. One interface to my FTP server(192.168.2.3) and the other to the Cisco ASA(192.168.1.1). Whenever I connect the server to Cisco Anyconnect VPN, I am unable to access the FTP server anymore.
I googled and found out that the problem is because the metric level is 1 for Ciscoanyconnect network interface which causes all traffic to go through the Cisco VPN Interface. Another problem is I can't change the metric of the Cisco VPN Interface as whenever I reconnect to the VPN, the metric resets back to 1 again. I tried to follow some guides to configure split tunnel but my traffic is still going through the VPN connection.
Anyone can tell me what I am missing here? Sorry I am very new to Cisco systems. Spent about 5 days troubleshooting and I feel I am getting it soon. Anyone can guide me what else I am supposed to do?
What I did> Configuration>> Remote access VPN>> Network Client Access>> Group Policies>> Advanced>> Split Tunneling>> Uncheck Inherit and select "Exclude Network List below.>> Uncheck Network List and select Manage, Add 192.168.2.0/24 to permit.
Really appreciate if anyone can tell me what else I can do to ensure my server has access the my FTP Server after connecting to the VPN.
Thanks all!
Wen QiHi,
Try adding the following configuration
policy-map global_policy
class inspection_default
inspect pptp
And then try again.
I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
- Jouni -
Cisco Systems VPN Client Version 5.0.03.0560 Errors
Hello I am getting the following errors on my
VPN Connection Attempts
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 19:59:14.375 09/26/10 Sev=Warning/3 CVPND/0xA340000D
The virtual adapter was not recognized by the operating system.
2 19:59:14.375 09/26/10 Sev=Warning/2 CM/0xE310000A
The virtual adapter failed to enable
3 19:59:14.531 09/26/10 Sev=Warning/2 IKE/0xE300009B
Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)
4 19:59:14.531 09/26/10 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2238)Please kindly check the following readme for VPN Client version 5.0.3.560:
http://www.cisco.com/web/software/282364316/22941/vpnclient-windows-5.0.03.0560.txt
Advisory:
The new client requires a kernel patch, KB952876, from Microsoft before installing first before installing the actual client.
REF: http://support.microsoft.com/kb/952876/en-us
Pls kindly check if you have kernel patch KB952876 -
Can't ping other server and more.
This is a weird one. I have a few problems going on. I have 2 netware 6.5 servers. My BM3.9 sp1 server is on Netware 6.5sp7 and my other server is Groupwise 7.03 on Netware 6.5sp6. My Groupwise server is strictly used for Groupwise. My BM3.9 server runs everything else for my enviornment; it is our main server for all of our data. I can vpn into and login to my BM server with no problems; however I can't ping or connect to the Groupwise server. Also I can't ping any internal workstations through the vpn. And what is even weirder is that I can't ping the private IP address of the BM3.9 server and yet I can log into it. I have the default address set up on the Groupwise to point to the private address of the BM server. I have the default address setup on the BM server to point to the ISP router that we have in our office. Also I can't browse the internet when I'm connected to the vpn and I do have as my last traffic rule to not encrypt (bypass). I have noticed that when I'm connected to the vpn that my dns settings on my laptop change to the office dns and yet I have not configured dns to be pushed through the vpn. One more thing, I have set up the hosts file on my laptop to point to internal computers. Any help is greatly appreciated.
Thanks in advance.Originally Posted by Mysterious
Sksgl wrote:
> This is a weird one. I have a few problems going on. I have 2 netware
> 6.5 servers. My BM3.9 sp1 server is on Netware 6.5sp7 and my other
> server is Groupwise 7.03 on Netware 6.5sp6. My Groupwise server is
> strictly used for Groupwise. My BM3.9 server runs everything else for
> my enviornment; it is our main server for all of our data. I can vpn
> into and login to my BM server with no problems; however I can't ping or
> connect to the Groupwise server. Also I can't ping any internal
> workstations through the vpn. And what is even weirder is that I can't
> ping the private IP address of the BM3.9 server and yet I can log into
> it. I have the default address set up on the Groupwise to point to the
> private address of the BM server. I have the default address setup on
> the BM server to point to the ISP router that we have in our office.
> Also I can't browse the internet when I'm connected to the vpn and I do
> have as my last traffic rule to not encrypt (bypass). I have noticed
> that when I'm connected to the vpn that my dns settings on my laptop
> change to the office dns and yet I have not configured dns to be pushed
> through the vpn. One more thing, I have set up the hosts file on my
> laptop to point to internal computers. Any help is greatly
> appreciated.
>
> Thanks in advance.
>
>
Wrong traffic rules?
I have gone over and over the traffic rules that are listed in Craig's book and have followed them exactly. My first rule in an admin to all rule that applys to me and the destination is to the network.
Thanks. -
Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!
Hi,
I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
Config
ciscoasa# sh run
: Saved
ASA Version 8.0(3)
hostname ciscoasa
enable password 5QB4svsHoIHxXpF/ encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx WebServer
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
interface Ethernet0/0
nameif outside
security-level 0
ip address IncomingIP 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.253 255.255.255.0
management-only
passwd 123
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq ftp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq 3200
port-object eq 3300
port-object eq 3600
port-object eq 3299
port-object eq 3390
port-object eq 50000
port-object eq 3396
port-object eq 3397
port-object eq 3398
port-object eq imap4
port-object eq 587
port-object eq 993
port-object eq 8000
port-object eq 8443
port-object eq telnet
port-object eq 3901
group-object TCP_8081
port-object eq 1433
port-object eq 3391
port-object eq 3399
port-object eq 8080
port-object eq 3128
port-object eq 3900
port-object eq 3902
port-object eq 7777
port-object eq 3392
port-object eq 3393
port-object eq 3394
port-object eq 3395
port-object eq 92
port-object eq 91
port-object eq 3206
port-object eq 8001
port-object eq 8181
port-object eq 7778
port-object eq 8180
port-object eq 22222
port-object eq 11001
port-object eq 11002
port-object eq 1555
port-object eq 2223
port-object eq 2224
object-group service RDP tcp
port-object eq 3389
object-group service 3901 tcp
description 3901
port-object eq 3901
object-group service 50000 tcp
description 50000
port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
port-object eq 4500
access-list inside_access_in remark connection to SAP
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark VPN Outgoing - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark VPN Outgoing - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark VPN Outgoing - IKE Client
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Outoing Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123 /
group-policy mypolicy internal
group-policy mypolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
vpn-group-policy mypolicy
service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
address-pool POOL
default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.Here is the output:
ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 139
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 140
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA. -
Connect to VPN but can't ping past inside interface
Hello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: endHello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: end
Maybe you are looking for
-
Double aggregation in a single query block doesn't make any sence.
How can I argue with something that apparently has been cast in stone by ANSI SQL committee? Well the answer is famous: "Search any park in any city: you'll find no statue of committee". OK, why select count(1) from ( select deptno from emp group by
-
Excise in case of concessional duty
Dear All, We are using TAxinn tax procedure.I have maintain the the conditon as JExp for BED and the access seq used is Conunty/Plant/Control code. The condition record maintain for this combition. To some customers we sales goods are at concessional
-
Clearing old emails addresses on iPhone
Is there any method to clear old or incorrect email addresses to prevent them from popping up in auto fill?
-
Webi and Deski report engine ports
We're having problems connecting to the webi or deski report engines through a firewall with BO XI R2 Java SDK. We've followed this document extensively : https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/0047e5f4-3140-2b10-1bae-de1
-
Youtube videos doesn't play until fully loaded
Youtube videos doesn't play until they are fully loaded. It doesn't work for ANY streamed video, not just Youtube. It happens on both Firefox and IE. I tried to uninstall Flash and re-install it, but it didn't help. The only thing that solves it is r