IPSEC VPN clients can't reach internal nor external resources

Hi!
At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
Im pretty sure it's not ACL's, although I might be wrong.
The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
# Issue 1.
IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
   translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 31, untranslate_hits = 32
Most NAT, some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
    translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
    translate_hits = 5402387, untranslate_hits = 1519419
##  Issue 2, vpn user cannot access anything on internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
object network vpn_nat
nat (outside,outside) dynamic interface
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****

Hi,
I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
asa# show capture capo
12 packets captured
   1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
  10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
  11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
  12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
asa# show capture capi
8 packets captured
   1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
Packet-capture.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.32.1     255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7     
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN    
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Similar Messages

  • Intermittent Internet Connection and VPN clients can't ping internal LAN but connected after installating cisco ASA5512x

    Hi!
    I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
    ISP ->  Firewall -> Core switch -> Internal LAN
    after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
    here's my configuration from my firewall.
    ASA Version 8.6(1)2
    hostname ciscofirewall
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 203.x.x.x 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.152.11.15 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 4.2.2.2 -------> public DNS
    name-server 8.8.8.8 -------> public
    name-server 203.x.x.x   ----> Clients DNS
    name-server 203.x.x.x  -----> Clients DNS
    same-security-traffic permit intra-interface
    object network net_access
    subnet 10.0.0.0 255.0.0.0
    object network citrix_server
    host 10.152.11.21
    object network NETWORK_OBJ_10.10.10.0_28
    subnet 10.10.10.0 255.255.255.240
    object network NETWORK_OBJ_10.0.0.0_8
    subnet 10.0.0.0 255.0.0.0
    object network InterconHotel
    subnet 10.152.11.0 255.255.255.0
    access-list net_surf extended permit ip any any
    access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
    access-list outside_access extended permit tcp any object citrix_server eq www
    access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
    access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
    access-list LAN_Users remark LAN_clients
    access-list LAN_Users standard permit any
    access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
    object network net_access
    nat (inside,outside) dynamic interface
    object network citrix_server
    nat (inside,outside) static 203.177.18.234 service tcp www www
    object network NETWORK_OBJ_10.10.10.0_28
    nat (any,outside) dynamic interface
    object network InterconHotel
    nat (inside,outside) dynamic interface dns
    access-group outside_access in interface outside
    access-group net_surf out interface outside
    route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
    route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.100 255.255.255.255 inside
    http 10.10.10.0 255.255.255.240 outside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 10.152.11.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    enable outside
    anyconnect-essentials
    group-policy outsidevpn internal
    group-policy outsidevpn attributes
    dns-server value 203.x.x.x 203.x.x.x
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
    split-tunnel-policy tunnelall
    split-tunnel-network-list value outsidevpn_splitTunnelAcl
    default-domain value interconti.com
    address-pools value vpnpool
    username test1 password i1lji/GiOWB67bAs encrypted privilege 5
    username test1 attributes
    vpn-group-policy outsidevpn
    username mnlha password WlzjmENGEEZmT9LA encrypted
    username mnlha attributes
    vpn-group-policy outsidevpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    tunnel-group outsidevpn type remote-access
    tunnel-group outsidevpn general-attributes
    address-pool (inside) vpnpool
    address-pool vpnpool
    authentication-server-group (outside) LOCAL
    default-group-policy outsidevpn
    tunnel-group outsidevpn ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect http
      inspect ipsec-pass-thru
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
    : end
    thanks. please help.

    I think you should change your nat-exemption rule to smth more general, like
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
    'cause your inside networks are not the same as your vpn-pool subnet.
    Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA.

  • VPN Clients can't access internal LAN

    Hello - I have seen a few other threads on this issue, but can't seem to fix mine. I have a PIX 506e. My VPN clients can connect, they get a DHCP address from our internal server no problem. But the clients can not ping me or anything else on the LAN. The clients are connecting ipsec. I know I must be missing something simple here. Here is my config. Any help would be great

    Change the VPN Pool address to something else for example 192.168.10.0/24 etc. Then try and let me know. There could be ip overlap here.

  • VPN Client can't reach router or hosts, but can reach other connected sites.

    We have a VPN client configuration on a 2901 router. The client passes authentication and connects fine. When connected, cannot reach the 2901 or any devices directly behind it, BUT can reach routers and hosts that are connected to the same 2901 through site to site connections.
    Few notes:
    I have added some lines excluding NAT in a few different ways, but does not resolve.
    I have switched the RAP rool from 10.96.20.x to 172.21.20.x and can then connect to the local host. Appears to be a routing issue to the 10.x network, but I can't seem to find the solution.
    Any help would be greatly appreciated. Here is the config:
    boot-start-marker
    boot system flash
    boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
    no ip domain lookup
    ip inspect log drop-pkt
    ip inspect name FIREWALL tcp
    ip inspect name FIREWALL udp
    ip inspect name FIREWALL ftp
    ip inspect name FIREWALL fragment maximum 256 timeout 1
    ip inspect name FIREWALL ntp
    ip inspect name FIREWALL pptp
    ip inspect name FIREWALL dns
    ip inspect name FIREWALL l2tp
    ip inspect name FIREWALL pop3
    ip inspect name FIREWALL icmp router-traffic
    no ipv6 cef
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    crypto isakmp policy 5
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp policy 95
    authentication pre-share
    group 2
    crypto isakmp policy 99
    hash md5
    authentication pre-share
    group 2
    crypto isakmp policy 110
    hash md5
    authentication pre-share
    crypto isakmp client configuration group VPN-RAS
    key *********
    dns 10.96.17.2 10.1.200.50
    wins 10.96.17.2 10.1.200.50
    domain mine.com
    pool RAPOOL
    acl SPLIT
    save-password
    split-dns mind.com
    netmask 255.255.255.0
    crypto isakmp profile USERS
       match identity group VPN-RAS
       client authentication list DOMAIN
       isakmp authorization list VPN-RAS
       client configuration address respond
       keepalive 300 retry 5
    crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set DES esp-des esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set DES-SHA esp-des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    mode tunnel
    crypto dynamic-map dynmap 1
    set transform-set AES128
    set isakmp-profile USERS
    crypto map COMPANY_VPN 10 ipsec-isakmp
    set peer *******
    set transform-set 3DES-MD5
    match address PA-VPN
    qos pre-classify
    crypto map COMPANY_VPN 50 ipsec-isakmp
    set peer ******
    set transform-set AES128
    match address VPN
    qos pre-classify
    crypto map COMPANY_VPN 999 ipsec-isakmp dynamic dynmap
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 37.222.111.224 255.255.255.248
    ip access-group INBOUND in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip verify unicast reverse-path
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect FIREWALL out
    ip virtual-reassembly in
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    crypto map COMPANY_VPN
    interface GigabitEthernet0/1
    no ip address
    ip flow ingress
    duplex auto
    speed auto
    interface GigabitEthernet0/1.17
    description LAN
    encapsulation dot1Q 17
    ip address 10.96.17.253 255.255.255.0
    ip access-group OUTBOUND in
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    standby 0 ip 10.96.17.254
    standby 0 priority 110
    standby 0 preempt
    standby 0 track 1 decrement 20
    interface GigabitEthernet0/1.27
    description VOICE
    encapsulation dot1Q 27
    ip address 192.168.17.254 255.255.255.0
    ip access-group OUTBOUND in
    ip helper-address 10.96.17.2
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    h323-gateway voip bind srcaddr 192.168.17.254
    ip local pool RAPOOL 10.96.20.50 10.96.20.150
    ip forward-protocol nd
    ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 37.222.111.223
    ip route 10.96.16.0 255.255.255.0 10.96.17.250
    ip route 172.22.1.0 255.255.255.0 10.96.17.250
    ip route 172.22.2.0 255.255.255.0 10.96.17.250
    ip route 172.22.3.0 255.255.255.0 10.96.17.250
    ip route 192.168.16.0 255.255.255.0 10.96.17.250
    ip access-list extended DMZ
    deny   ip any 10.0.0.0 0.255.255.255
    deny   ip any 192.168.0.0 0.0.255.255
    permit ip any any
    ip access-list extended GUEST
    deny   ip any 10.0.0.0 0.255.255.255
    deny   ip any 192.168.0.0 0.0.255.255
    permit ip any any
    ip access-list extended INBOUND
    deny   ip 80.25.124.0 0.0.0.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    permit udp host 173.239.147.114 any eq isakmp
    permit esp host 173.239.147.114 any
    deny   ip 192.168.0.0 0.0.255.255 any
    permit udp any host 37.222.111.224 eq isakmp
    permit udp any host 37.222.111.224 eq non500-isakmp
    permit esp any host 37.222.111.224
    ip access-list extended NAT
    deny   ip 10.96.20.0 0.0.0.255 any
    deny   ip any 10.96.20.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 any
    permit ip 10.0.0.0 0.255.255.255 any
    ip access-list extended NONAT
    permit ip any 192.168.0.0 0.0.255.255
    permit ip any 10.0.0.0 0.255.255.255
    ip access-list extended OUTBOUND
    deny   udp any host 22.55.77.106 eq isakmp
    deny   udp any host 22.55.77.106 eq non500-isakmp
    deny   esp any host 22.55.77.106
    permit ip any any
    ip access-list extended PA-VPN
    permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
    permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
    ip access-list extended SPLIT
    permit ip 10.0.0.0 0.255.255.255 any
    permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended VPN
    permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    route-map NAT-POOL deny 5
    match ip address NONAT
    route-map NAT-POOL permit 10
    match ip address NAT

    We have a VPN client configuration on a 2901 router. The client passes authentication and connects fine. When connected, cannot reach the 2901 or any devices directly behind it, BUT can reach routers and hosts that are connected to the same 2901 through site to site connections.
    Few notes:
    I have added some lines excluding NAT in a few different ways, but does not resolve.
    I have switched the RAP rool from 10.96.20.x to 172.21.20.x and can then connect to the local host. Appears to be a routing issue to the 10.x network, but I can't seem to find the solution.
    Any help would be greatly appreciated. Here is the config:
    boot-start-marker
    boot system flash
    boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
    no ip domain lookup
    ip inspect log drop-pkt
    ip inspect name FIREWALL tcp
    ip inspect name FIREWALL udp
    ip inspect name FIREWALL ftp
    ip inspect name FIREWALL fragment maximum 256 timeout 1
    ip inspect name FIREWALL ntp
    ip inspect name FIREWALL pptp
    ip inspect name FIREWALL dns
    ip inspect name FIREWALL l2tp
    ip inspect name FIREWALL pop3
    ip inspect name FIREWALL icmp router-traffic
    no ipv6 cef
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    crypto isakmp policy 5
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp policy 95
    authentication pre-share
    group 2
    crypto isakmp policy 99
    hash md5
    authentication pre-share
    group 2
    crypto isakmp policy 110
    hash md5
    authentication pre-share
    crypto isakmp client configuration group VPN-RAS
    key *********
    dns 10.96.17.2 10.1.200.50
    wins 10.96.17.2 10.1.200.50
    domain mine.com
    pool RAPOOL
    acl SPLIT
    save-password
    split-dns mind.com
    netmask 255.255.255.0
    crypto isakmp profile USERS
       match identity group VPN-RAS
       client authentication list DOMAIN
       isakmp authorization list VPN-RAS
       client configuration address respond
       keepalive 300 retry 5
    crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set DES esp-des esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set DES-SHA esp-des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    mode tunnel
    crypto dynamic-map dynmap 1
    set transform-set AES128
    set isakmp-profile USERS
    crypto map COMPANY_VPN 10 ipsec-isakmp
    set peer *******
    set transform-set 3DES-MD5
    match address PA-VPN
    qos pre-classify
    crypto map COMPANY_VPN 50 ipsec-isakmp
    set peer ******
    set transform-set AES128
    match address VPN
    qos pre-classify
    crypto map COMPANY_VPN 999 ipsec-isakmp dynamic dynmap
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 37.222.111.224 255.255.255.248
    ip access-group INBOUND in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip verify unicast reverse-path
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect FIREWALL out
    ip virtual-reassembly in
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    crypto map COMPANY_VPN
    interface GigabitEthernet0/1
    no ip address
    ip flow ingress
    duplex auto
    speed auto
    interface GigabitEthernet0/1.17
    description LAN
    encapsulation dot1Q 17
    ip address 10.96.17.253 255.255.255.0
    ip access-group OUTBOUND in
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    standby 0 ip 10.96.17.254
    standby 0 priority 110
    standby 0 preempt
    standby 0 track 1 decrement 20
    interface GigabitEthernet0/1.27
    description VOICE
    encapsulation dot1Q 27
    ip address 192.168.17.254 255.255.255.0
    ip access-group OUTBOUND in
    ip helper-address 10.96.17.2
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    h323-gateway voip bind srcaddr 192.168.17.254
    ip local pool RAPOOL 10.96.20.50 10.96.20.150
    ip forward-protocol nd
    ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 37.222.111.223
    ip route 10.96.16.0 255.255.255.0 10.96.17.250
    ip route 172.22.1.0 255.255.255.0 10.96.17.250
    ip route 172.22.2.0 255.255.255.0 10.96.17.250
    ip route 172.22.3.0 255.255.255.0 10.96.17.250
    ip route 192.168.16.0 255.255.255.0 10.96.17.250
    ip access-list extended DMZ
    deny   ip any 10.0.0.0 0.255.255.255
    deny   ip any 192.168.0.0 0.0.255.255
    permit ip any any
    ip access-list extended GUEST
    deny   ip any 10.0.0.0 0.255.255.255
    deny   ip any 192.168.0.0 0.0.255.255
    permit ip any any
    ip access-list extended INBOUND
    deny   ip 80.25.124.0 0.0.0.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    permit udp host 173.239.147.114 any eq isakmp
    permit esp host 173.239.147.114 any
    deny   ip 192.168.0.0 0.0.255.255 any
    permit udp any host 37.222.111.224 eq isakmp
    permit udp any host 37.222.111.224 eq non500-isakmp
    permit esp any host 37.222.111.224
    ip access-list extended NAT
    deny   ip 10.96.20.0 0.0.0.255 any
    deny   ip any 10.96.20.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 any
    permit ip 10.0.0.0 0.255.255.255 any
    ip access-list extended NONAT
    permit ip any 192.168.0.0 0.0.255.255
    permit ip any 10.0.0.0 0.255.255.255
    ip access-list extended OUTBOUND
    deny   udp any host 22.55.77.106 eq isakmp
    deny   udp any host 22.55.77.106 eq non500-isakmp
    deny   esp any host 22.55.77.106
    permit ip any any
    ip access-list extended PA-VPN
    permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
    permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
    ip access-list extended SPLIT
    permit ip 10.0.0.0 0.255.255.255 any
    permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended VPN
    permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    route-map NAT-POOL deny 5
    match ip address NONAT
    route-map NAT-POOL permit 10
    match ip address NAT

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
      If I am an IPSec VPN user…
       I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
    Thanks again.

  • Vpn client can access internet but cannot access internal network

    I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....

    enable password ********** encrypted
    passwd ********** encrypted
    hostname Firewall
    domain-name aqswdefrgt.com.sg
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list nat permit tcp any host 65.165.123.142 eq smtp
    access-list nat permit tcp any host 65.165.123.142 eq pop3
    access-list nat permit tcp any host 65.165.123.143 eq smtp
    access-list nat permit tcp any host 65.165.123.143 eq pop3
    access-list nat permit tcp any host 65.165.123.143 eq www
    access-list nat permit tcp any host 65.165.123.152 eq smtp
    access-list nat permit tcp any host 65.165.123.152 eq pop3
    access-list nat permit tcp any host 65.165.123.152 eq www
    access-list nat permit tcp any host 65.165.123.143 eq https
    access-list nat permit icmp any any
    ip address outside 65.165.123.4 255.255.255.240
    ip address inside 192.168.1.2 255.255.255.0
    ip verify reverse-path interface outside
    ip local pool clientpool 192.168.50.1-192.168.50.50
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
    55.255 0 0
    static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
    55.255 0 0
    static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
    55.255 0 0
    static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
    55.255 0 0
    static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
    .255 0 0
    static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
    255.255 0 0
    static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
    255.255 0 0
    static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
    5.255 0 0
    static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
    .255.255 0 0
    access-group nat in interface outside
    route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server plexus protocol radius
    aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set myset
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map client authentication plexus
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    vpngroup vpn3000 address-pool clientpool
    vpngroup vpn3000 dns-server 192.168.1.55
    vpngroup vpn3000 wins-server 192.168.1.55
    vpngroup vpn3000 default-domain aqswdefrgt.com.sg
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80

  • Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

    This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • Support IPSec VPN Client in ASA Multiple Context Mode

    I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
    "IPsec sessions—5 sessions. (The maximum per context.) ".  Does it mean in ASA Multiple Contest Mode support IPSec VPN Client? I just want to confirm it because I can't seem find any doc that clearly spell it out.  I'll appreciate anyone who can clarify it.
    Thank Jason.
    ( Please direct me to the right group if I'm not for the first time I post it in the Cisco support forum)

    This is from the v9.3 config-guide:
    Unsupported Features
    Multiple context mode does not support the following features:
    Remote access VPN. (Site-to-site VPN is supported.)

  • Server 2003 VPN clients can't verify username and password

    Hi,
    Hoping someone can help or point me in the right direction. I have a Windows Server 2003 R2 standard SP2 running RRAS. It has Dual NIC's and is configured for PPTP VPN. I am using a BT Business Hub 5 for internet access and using the BT Static IP service.
    The BT Hub assigns the static IP address chosen to the Server using DHCP. The firewall is configured to port forward PPTP traffic to the 2003 server. This all works correctly.
    The 2003 server is on a domain where the DC is a 2008 R2 server. The DC also acts as the DNS and DHCP for the network.
    The default gateway for the domain is pointed towards our WinGate proxy server which also acts as a DNS server.
    The 2003 server LAN NIC is configured manually, usually I would not configure a deafult gateway on the LAN NIC as the WAN NIC needs the default gateway for the BT Hub.
    The problem I am having is if a default gateway is configured on the LAN NIC, I can connect to the VPN and it will logon to the network. Once connected everything works ok. If the connection drops, when trying to reconnect the client can no longer verify
    the user name and password against the domain and the connection is refused.
    If I do not have a default gateway configured in the LAN NIC the VPN clients can not verify the username and password for the domain at all and I get RPC failure errors in the event viewer with the source dnsapi.
    Once this error occurs the only way I can get the clients to reconnect is to disable the WAN NIC, restart the RRAS service and enable the WAN NIC again.
    Any insight will be much appreciated.

    Hello,
    for Networking configuration questions better ask in
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home#forum=winserverNIS&filter=alltypes&sort=lastpostdesc&content=Search
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    Twitter:  

  • VPN clients can't see network resources unless Firewall is disabled.

    If the firewall is turned off, connected VPN clients can access other PCs over the VPN. But I would like to enable a rule that allows them to access computers even with the firewall turned on. I just don't know what the rule should be.

    Hi,
    Any update? If you could update us at your convenience that would be wonderful.
    Regards
    Yolanda Zhu
    TechNet Community Support

  • Configurate cisco ipsec vpn client at asa 5505 version 8.4

    Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
    please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
    thank you.

    are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
    what version of vpn client ?

  • ASA 5505 VPN clients can't ping router or other clients on network

    I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
    : end
    Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
    Thanks.

    I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
    here is the runnign config again:
    Result of the command: "show startup-config"
    : Saved
    : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    asdm location Server 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:78864f4099f215f4ebdd710051bdb493

  • Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

    Hi:
    Need your great help for my new ASA 5505 (8.4)
    I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.29.8.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 177.164.222.140 255.255.255.248
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
    domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 172.29.8.0 255.255.255.0
    object service RDP
    service tcp source eq 3389
    object network orange
    host 172.29.8.151
    object network WAN_173_164_222_138
    host 177.164.222.138
    object service SMTP
    service tcp source eq smtp
    object service PPTP
    service tcp source eq pptp
    object service JT_WWW
    service tcp source eq www
    object service JT_HTTPS
    service tcp source eq https
    object network obj_lex
    subnet 172.29.88.0 255.255.255.0
    description Lexington office network
    object network obj_HQ
    subnet 172.29.8.0 255.255.255.0
    object network guava
    host 172.29.8.3
    object service L2TP
    service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
    89
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
    tp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
    tp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
    w
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
    tps
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
    01
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
    .88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
    lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
    WW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
    _HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Guava protocol nt
    aaa-server Guava (inside) host 172.29.8.3
    timeout 15
    nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
    ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
    P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
    dns-server value 172.29.8.3
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Tunnel_User
    default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username who password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
    address-pool ABC_HQVPN_DHCP
    authentication-server-group Guava
    default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,
    Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
    I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
    Regards,
    Julio
    Security Trainer

  • Subnet mask 255.255.255.255 assigned to VPN client - can't ping LAN

    Hi,
    I configured PIX 501 with PPTP VPN to connect to the small office (PIX FW, Win 2000 Server, several Win clients, LAN IP 10.0.0.X/24):
    ip local pool mypool 10.0.0.101-10.0.0.105
    vpdn group mygroup accept dialin pptp
    vpdn group mygroup ppp authentication mschap
    vpdn group mygroup ppp encryption mppe 128 required
    vpdn group mygroup client configuration address local mypool
    vpdn group mygroup client configuration dns 10.0.0.15
    vpdn group mygroup pptp echo 60
    vpdn group mygroup client authentication local
    vpdn username xxxx password *********
    vpdn enable outside
    I can connect to the office using Win VPN client, but I can't ping any hosts in the office network. I suspect that the reason for that is subnet mask assigned to the VPN client: 255.255.255.255. ipconfig of the VPN client:
    PPP adapter Office:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 10.0.0.101
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    Default GW is missing too, but I think this is not the main problem.
    Any way, what is wrong with my config? How to fix subnet mask assigned to clients? Or may be my assumption is wrong and this mask is ok? What is wrong then?
    Any input will be greatly appreciated!
    George

    Thanks for the prompt reply.
    Here it does:
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    hostname OSTBERG-PIX
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list inbound permit icmp any any
    access-list inbound permit tcp any any eq pptp
    access-list inbound permit gre any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.189.xxx.xxx 255.255.252.0
    ip address inside 10.0.0.23 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mypool 10.0.0.101-10.0.0.105
    pdm location 10.0.0.0 255.255.255.0 inside
    pdm location 10.0.0.15 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 66.189.yyy.yyy 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    telnet 10.0.0.23 255.255.255.255 inside
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group mygroup accept dialin pptp
    vpdn group mygroup ppp authentication mschap
    vpdn group mygroup ppp encryption mppe 128 required
    vpdn group mygroup client configuration address local mypool
    vpdn group mygroup client configuration dns 10.0.0.15
    vpdn group mygroup pptp echo 60
    vpdn group mygroup client authentication local
    vpdn username ********* password *********
    vpdn enable outside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:xxx
    : end
    There are remnants of old config, I just recently took over this network, some lines look odd to me, but I did not touch what works. VPN config is all mine.
    PIX internal 10.0.0.23 - is a gateway for the network. DNS server in LAN - 10.0.0.15.
    I've been reading about the problem and came across several posts that this subnet mask is normal, but it puzzles me - how can this host communicate with anyone else if there is no room for other hosts in this network (according to the mask)?!
    Thanks again!
    George

Maybe you are looking for

  • IPod Touch 3rd Generation not Recognized by iTunes but recognized by Windows as "Apple iPod"

    Exactly what the title says. My iTunes will not recognize my iPod touch, but my Windows Vista will recognize it with autoplay. I updated iTunes about 10 minutes ago, tried two different apple wires, and 3 different USB ports that work. Can anyone hel

  • Web service with parammeter

    I am using BI Publisher as a web service so I need to get information about parameters of reports those information helping me to create forms like name data type, default values I can get only the parameters names by using getReportDefinision I need

  • XML Error on 7960

    Hi, I have an 7960 and an 7970. I have installed the sample applications on IIS 6. The 7970 parses the output fine. The 7960 doesn't. It gives: <CiscoIPPhoneImage> <Depth>2</Depth> <Width>132</Width> <Height>64</Height> <LocationX>-1</LocationX> <Loc

  • Double movies created in IDVD???

    Hi, I just tried the one step IDVD and created a number of DVDs via camcorder. Each completed DVD has two copies of the movie on it. I don't know why or how this happened. Any ideas? TIA Jerry (a MAC newbie)

  • Backgrounds don't show in pages from template

    I made a template with backgrounds being controled by an external CSS file; but when I make a page from the template, the bgs don't show; anyone have an idea why? the panel on the right sidebar is supposed to have a drop shadow gif repeating on the y