IPSEC VPN Default Gateway
How do I configure 10.7 to either disable adding a default gateway for my VPN connecton or adjust the route metric so that my local gateway is preferred? I'd like to only use the VPN for traffic to specific networks.
I agree to Andrew's explanation. You can't change the vpn client gw to ASA ip not just because you want to change it as you said above.
Logically, what you are saying is not even making sense. The traffic is initiated from your VPN adapter which is a non-routable address on the internet. Moreover, to go encrypted, it has to be encapsulated to your client's public ip address which will then reach the local ISP gw, then to ISP and then taking other hops it would reach your ASA. By asking for your ASA's IP address as the gw for vpn client, you are somewhat asking to have some IP address on the internet to be your local VPN machine's IP address. Hence, this makes no sense.
bdw, by your statement,"already assigned to another device" are you saying that the 192.168.0.1 is already assigned to some other vpn device? if that's so that it does not matter, because the gw address that you see on vpn client machine is specific to that machine only.
Hope the other side of the explanation makes sense to you and clarifies your doubt.
Similar Messages
-
Default Gateway when connected to VPN
Thanks for reading!
This is probably a dump question so bear with me...
I have set up a VPN connection with a Cisco ASA 5505 fronting internet, with the customers environment behind it (on the same subnet), When connected ot the VPN I can reach the inside Router fronting me and one switch behind the Router (every switch is connected to the router), but nothing else.
My beet is that the Router is messing with my connection, but,, nevermind that!, the setup ain't complete anyway... my question is more related to the Gateway I'm missing when I'm, from the outside, is connected to the VPN on the ASA, could this mess it up? Shouldn't I have a Standard-Gateway in the ipconfig settings in windows?
This is who it looks like now:
Anslutningsspecifika DNS-suffix . : VPNOFFICE
IP-adress . . . . . . . . . . . . : 10.10.10.1
Nätmask . . . . . . . . . . . . . : 255.255.255.0
Standard-gateway . . . . . . . . :
The internal network is :
172.16.12.0 255.255.255.0
Below is my config for the ASA, thanks a lot!!!!!!!
!FlASH PÅ ROUTERN FRÅN BÖRJAN
!asa841-k8.bin
hostname DRAKENSBERG
domain-name default.domain.invalid
enable password XXXXXXX
names
interface Vlan1
nameif inside
security-level 100
ip address 172.16.12.4 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 97.XX.XX.20 255.255.255.248
interface Ethernet0/0
switchport access vlan 10
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nonat extended permit ip 172.16.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list MSS_EXCEEDED_ACL extended permit tcp any any
access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL
access-list VPN-SPLIT-TUNNEL standard permit 172.16.12.0 255.255.255.0
tcp-map MSS-MAP
exceed-mss allow
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging console notifications
logging buffered notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.10.10.1-10.10.10.40 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.12.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 97.XX.XX.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.16.12.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy VPNOFFICE internal
group-policy VPNOFFICE attributes
dns-server value 215.122.145.18
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
default-domain value VPNOFFICE
split-dns value 215.122.145.18
msie-proxy method no-proxy
username admin password XXXXXX privilege 15
username Daniel password XXXXX privilege 0
username Daniel attributes
vpn-group-policy VPNOFFICE
tunnel-group VPNOFFICE type remote-access
tunnel-group VPNOFFICE general-attributes
address-pool VPN
default-group-policy VPNOFFICE
tunnel-group VPNOFFICE ipsec-attributes
pre-shared-key XXXXXXXXXX
class-map MSS_EXCEEDED_MAP
match access-list MSS_EXCEEDED_ACL
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp error
inspect pptp
inspect ipsec-pass-thru
inspect icmp
class MSS_EXCEEDED_MAP
set connection advanced-options MSS-MAP
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:aaa1f198bf3fbf223719e7920273dc2e
: endI didn't realise I had that crypto settings on, thanks my bad!!!
But... the 172.16.12.0 network is directly connected, the Router (that to be honest is a firewall) / switches is all on the same subnet (172.16.12.X/24), so sorry I didn't explain thoroughly, was more wondering about the GW and didn't want to overcomplicate things..
The Firewall/Router dosen't do any routing, so it should work right (I you count out the firewalling in the firewall and so forth, there shouldn't be any problems accomplishing this with the ASA)? The Firewall is more a DHCP for the clients/Firwall for the clients.. this will change in the future.. it will be removed,
the vpn network is staticly routed back to my ASA in that firewall...
I don't like this solution.. but this is who it looks.. for now..
(VPN network is 10.10.10.X/24)
But... shouldn't I see a default gateway under ipconfig when I'm connected to the VPN from internet, on the vpn client that's vpned in, is this correct?
THANKS for all the help! -
Hello!
I want to create bat script to create several VPN connection.
There is powershell command to create vpn connection:
add-vpnconnection -name "Test VPN" -serveraddress "vpn.example.com" -splittunneling -tunneltype "pptp"
And I need to create VPN connection without the option "Use default gateway on remote network" option on VPN connection"
Or modify this option on existent VPN connection with command.
Please help me to find command option or other command to disable "Use default gateway on remote network" option on VPN connection" feature.http://technet.microsoft.com/nl-nl/library/ee431701%28v=ws.10%29.aspx RouteIPv4TrafficOverRAS True – Add a default gateway on the VPN connection False – Do not add default gateway on the VPN connection
-
VPN Clients getting different default gateways
Hello,
We have a new Cisco ASA 5520 and are trying to setup the VPN with split tunneling. We mostly have clients running XP and the problem is that some of the clients connect (using Cisco Anyconnect 2.5) and the split tunneling works as expected --these clients keep their default gateway-- and then some clients connect and get a default gateway of 192.168.119.1 (our VPN addresses subnet) and of course these users cannot connect to the internet while connected to the VPN.
Here is our config:
ASA Version 9.1(1)
hostname xxxxxx
names
name 178.239.80.0 Deny178.239.80.0 description 178.239.80.0
name 74.82.64.0 Deny74.82.64.0 description 74.82.64.0
name 173.247.32.0 Deny173.247.32.0 description 173.247.32.0
name 193.109.81.0 Deny193.109.81.0 description 193.109.81.0
name 204.187.87.0 Deny204.187.87.0 description 204.187.87.0
name 206.51.26.0 Deny206.51.26.0 description 206.51.26.0
name 206.53.144.0 Deny206.53.144.0 description 206.53.144.0
name 67.223.64.0 Deny67.223.64.0 description 67.223.64.0
name 93.186.16.0 Deny93.186.16.0 description 93.186.16.0
name 216.9.240.0 Deny216.9.240.0 description 216.9.240.0
name 68.171.224.0 Deny68.171.224.0 description 68.171.224.0
ip local pool PAIUSERS 192.168.119.10-192.168.119.100 mask 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 63.86.112.194 255.255.255.192
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.129.5 255.255.255.192
interface GigabitEthernet0/2
nameif dmz
security-level 10
ip address 192.168.20.10 255.255.255.0
interface GigabitEthernet0/3
nameif vpn_dmz
security-level 25
ip address 192.168.30.10 255.255.255.0
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 192.168.102.4 255.255.255.0
object network obj-192.168.119.0
subnet 192.168.119.0 255.255.255.0
access-list outside_access_in extended permit ip host 192.168.119.11 host 192.168.35.23
access-list outside_access_in extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_3 object-group UDP_TCP_Domain inactive
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 eq isakmp
access-list outside_access_in extended permit ip any4 object obj-192.168.30.11
access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 object-group UDP10000
access-list outside_access_in extended permit udp any4 object-group DM_INLINE_NETWORK_7 eq domain inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_8 eq domain inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 host 192.168.35.30 eq ssh inactive
access-list outside_access_in extended permit tcp host 216.81.43.190 object obj-192.168.35.30 object-group DM_INLINE_TCP_6 inactive
access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_9 eq www inactive
access-list outside_access_in extended permit tcp any4 object obj-192.168.30.11 eq www
access-list outside_access_in extended permit esp any4 object obj-192.168.30.11
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq https
access-list outside_access_in extended permit tcp any4 host 192.168.35.34 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.30 object-group Ports_UDpTCP
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 object-group DM_INLINE_TCP_7
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.248
access-list outside_access_in extended permit udp any4 host 162.95.80.115 eq isakmp
access-list outside_access_in extended permit tcp any4 host 162.95.80.115 object-group Ports_115
access-list outside_access_in extended permit udp any4 host 162.95.80.115 object-group Ports_2746_259
access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.245 object-group Service_Group_245 inactive
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.40 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.40 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.129.11 object-group UDP_TCP_Domain
access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group Network_Service_2703_6277
access-list outside_access_in extended permit udp any4 object obj-192.168.129.11 object-group UDP_443
access-list outside_access_in extended permit ip any4 host 192.168.101.75 inactive
access-list outside_access_in extended permit tcp any4 host 64.78.239.50 eq www
access-list outside_access_in extended permit tcp any4 host 64.78.239.54 object-group TCP_4445
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit udp any4 object obj-192.168.35.40 object-group UDP_443
access-list outside_access_in extended permit tcp any4 host 63.86.112.204 object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any4 host 63.86.112.204
access-list outside_access_in extended permit udp any4 host 63.86.112.204
access-list outside_access_in extended permit object-group TCPUDP any4 host 192.168.102.12 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq www
access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq https
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.41 object-group Network_Server_1194
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 eq www
access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any4 host 63.86.112.193 object-group Network_Service_TCP_1194
access-list outside_access_in extended deny tcp object Deny206.51.26.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny193.109.81.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny204.187.87.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny206.53.144.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny216.9.240.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny67.223.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny93.186.16.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny68.171.224.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny74.82.64.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny178.239.80.0 object obj-192.168.35.40 eq https
access-list outside_access_in extended deny tcp object Deny173.247.32.0 object obj-192.168.35.40 eq https
access-list vpn_dmz_access_in extended permit ip host 192.168.35.23 192.168.119.0 255.255.255.0
access-list vpn_dmz_access_in extended permit gre host 192.168.30.11 any4
access-list vpn_dmz_access_in extended permit tcp any4 host 23.0.214.60 eq https
access-list vpn_dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_28 any4
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105 object-group DM_INLINE_TCP_4
access-list vpn_dmz_access_in extended permit esp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.105
access-list vpn_dmz_access_in extended permit tcp any4 host 192.168.129.11
access-list vpn_dmz_access_in remark RDP
access-list vpn_dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.23
access-list inside_nat0_outbound extended permit ip any4 192.168.119.0 255.255.255.0
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 63.86.112.248
access-list ftp-timeout extended permit tcp host 63.86.112.248 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 192.168.35.30 host 216.81.43.190
access-list ftp-timeout extended permit tcp host 216.81.43.190 host 192.168.35.30
access-list Split_Tunnel_List remark northwoods
access-list Split_Tunnel_List standard permit host 192.168.35.23
access-list Split_Tunnel_List remark paits2
access-list Split_Tunnel_List standard permit host 192.168.35.198
access-list Split_Tunnel_List standard deny 192.168.102.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list IS_Split_Tunnel standard permit 192.168.102.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.82.0 255.255.255.0
access-list IS_Split_Tunnel standard permit 192.168.35.0 255.255.255.0
nat (inside,outside) source static object-192.168.35.0 object-192.168.35.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.82.0 obj-192.168.82.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.102.0 obj-192.168.102.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
webvpn
enable outside
enable inside
enable dmz
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles pairemoteuser disk0:/pairemoteuser.xml
anyconnect enable
tunnel-group-list enable
group-policy PAIGroup internal
group-policy PAIGroup attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value PAI
group-policy PAIUSERS internal
group-policy PAIUSERS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain none
webvpn
anyconnect firewall-rule client-interface private value vpn_dmz_access_in
anyconnect profiles value pairemoteuser type user
group-policy PAIIS internal
group-policy PAIIS attributes
wins-server value 192.168.35.57
dns-server value 192.168.35.57
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_Split_Tunnel
default-domain none
webvpn
anyconnect firewall-rule client-interface private value vpn_dmz_access_in
anyconnect profiles value pairemoteuser type user
group-policy DfltGrpPolicy attributes
banner value Welcome to PAI
wins-server value 192.168.35.57
dns-server value 192.168.35.57
address-pools value PAIUSERS
webvpn
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private value vpn_dmz_access_in
anyconnect ask enable default anyconnect timeout 5
group-policy Anyconnect internal
: endCheck is the users fall into DfltGrpPolicy because it has no split tunneling active.
Michael
Please rate all helpful posts -
Default Gateway address for multiple VPN users/clients
Hello,
We need some help with a VPN setup for a school project.
What we want to do:
We would like to have aprox. 10 different VPN uses that can connect to our Windows Server 2012 R2 which is setup as a VPN server, by the Role called Remote access. And the VPN server is working and we are able to connect to it from another location/computer.
Our current setup:
We have a Cisco router, that are configured with 10 Vlans, from Vlan 10 to Vlan 20, and a managament Vlan called Vlan 100.
The Cisco router is also acting as DHCP server, so inside each Vlan the DHCP gives IP addresses to that specific Vlan, Ex: Vlan 10 has a 192.168.10.0/24 network. Vlan 11 has a 192.168.11.0/24 network, and so on. Vlan 100 has 192.168.100.0/24 This Vlan 100
has connection to all the Vlans.
We have internet connection on the Router on port 0 and each Vlan are connected to the internet.
We have setup the VPN server with a static IP configuration so it is inside Vlan 100 with a Default gateway, like 192.168.100.1 So the VPN server is connected to the internet.
In AD we have created a User and assigned a static IP address in the user properties, under the Dial-In tab. Here we give this user this IP 192.168.10.225
Now when we connect to the VPN server useing this user, we have no connection to any of the Vlans (ping) and no internet. When we in cmd write ipconfig we can see that our VPN connection has this IP 192.168.10.225 but a Subnet called 255.255.255.255 and
a Default gateway called 0.0.0.0
We would like the user to recieve the correct IP settings like: If we connect with our user, it should recieve the IP as it does, but also a subnet called 255.255.255.0 and a default gateway called 192.168.10.1
How is this achieved?
The reason we want this is: We want to create a VPN user for each Vlan. So a user with permission to access Vlan 10 but are not able to see the other Vlans, and then a new user to access Vlan 11 but not able to see the other vlans, and so on.
Hope someone is able to help us to understand how this is done.
Thank you in advance.Hi,
In brief, we can't achieve this. Normally, we would not do this.
Usually, we use firewall or ACL to restrict the remote users.
For example, 192.168.10.100 is assigned to user1 and 192.168.10.101 is assigned to user2. We can use firewall to restrict 192.168.10.100 to access 192.168.10.0/24 and 192.168.10.101 to access 192.168.11.0/24.
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Physical interface Default Gateway connecting VPN with AnyConnect
When I connect vpn with AnyConnect, I can't see default gateway on Physical Interface.
before connect vpn
==========================================
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
Ethernet adapter Local Area
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.10
after connect vpn with anyconnect
==========================================
C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
Ethernet adapter Local Area
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :'Can't see default gateway'
Is this the specification of Anyconnect?Nyanko,
This will happen when you are using tunnel all as the split tunneling policy, the computer will encrypt all the traffic so the default gateway will be removed from the physical connection and placed into the virtual adapter. If you take a look at the routing table you will see that what really happens is that the original default route's metric will be changed so that it is higher than the one injected by the virtual adapter, once you disconnect it should go back to normal.
Further information on split tunneling:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
HTH
Jonnathan -
Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?
Hi,
First timer here so please bear with me!
Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)
When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.
I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.
Am I missing something on the options for the GP preference to set this automtically?
I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.
Any help would be greatly appreciated!
Thanks a lot!
DavidShane,
There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections.
(All VPN connections are stored in the same .pbk file.)
Here's the trick: Opening the .pbk file in notepad, I realized that this is actually an oldstyle ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connections names, like [My VPN],
and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".
So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
Create a new object with Action = Update, and File Path =
C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
(If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
Section Name should be the display name of your VPN connection, without the brackets.
Property Name = IpPrioritizeRemote
Property Value = 1
Peter, www.skov.com, Denmark
Peter :-)
This is great, but just one question. I also want to append a list of DNS Sufixes in order (when viewing a VPN properties, this is buried in
"Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)". However, for the VPNs I have manually created with this list populated, I can't see any entries in the rasphone.pbk. Does anyone know
where these are stored?
Cheers. -
Can't find the option to disable "Default Gateway" of a VPN.
Whenever I try to go to the "Networking" tab of a VPN connection. I get the following error.: "Unable to allow the editing of networking components at this time because they are currently being modified elsewhere" This prevents me from
disabling the default gateway of a VPN. Any help is greatly appreciated!Whenever I try to go to the "Networking" tab of a VPN connection. I get the following error.: "Unable to allow the editing of networking components at this time because they are currently being modified elsewhere" This prevents
me from disabling the default gateway of a VPN. Any help is greatly appreciated!
I have got the same issue using Windows 10 Insider Preview build 10074, please could somebody show us an alternative method to disable the use of the remote default gateway through a VPN ? Thanks.
Edit - From that post : https://social.technet.microsoft.com/Forums/en-US/709f9e02-d903-41a8-b5f8-d0f46d4685bf/how-to-disable-default-gateway-remote-in-vpm-with-windows-10-tp-10049?forum=WinPreview2014General
it seems to be possible to use a PowerShell command to modify this option, by setting "RouteIPv4TrafficOverRAS" to "False" instead of "True" (which is WIndows Default), but I do not know how to do that. Could somebody explain -
Hi,
I have ASA 5505 with ASA v 8.0.3 and ASDM v 6.0.3.
The VPN connection works, the client receive the IP from the define pool but the default gateway is not correct. Is it possible to define the gateway in the pool ?
thank youDimitri
I am not clear what default gateway you expected, what default gateway you got, or what was no correct about the gateway. Perhaps you can clarify?
In my experience many people are surprised that the gateway address is the clients own address and not some other address in the subnet as we normally expect with a LAN client. But this is normal behavior on what is essentially a point to point connection from the client to the concentrator. Is this perhaps what you were thinking was an error?
HTH
Rick -
ASA 5505 IPSEC VPN connected but can't access to LAN
ASA : 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
VPN Pool: 172.16.10.0/24
Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
Below is my configure, do I mis-configure anything?
ASA Version 8.2(5)
hostname asatest
domain-name XXX.com
enable password 8Fw1QFqthX2n4uD3 encrypted
passwd g9NiG6oUPjkYrHNt encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.253 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name vff.com
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside 10.1.1.230
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.1.1.108
nt-auth-domain-controller 10.1.1.108
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntest internal
group-policy vpntest attributes
wins-server value 10.1.1.108
dns-server value 10.1.1.108
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntest_splitTunnelAcl
default-domain value XXX.com
split-tunnel-all-dns disable
backup-servers keep-client-config
address-pools value vpnpool
username admin password WeiepwREwT66BhE9 encrypted privilege 15
username user5 password yIWniWfceAUz1sUb encrypted privilege 5
username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
address-pool vpnpool
authentication-server-group AD
authentication-server-group (inside) AD
default-group-policy vpntest
strip-realm
tunnel-group vpntest ipsec-attributes
pre-shared-key BEKey123456
peer-id-validate nocheck
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: endI change a Machine's gateway to this ASA and capture again, now we can see some reply.
All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
add two gateways to all PCs and swtichwes?
1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request -
how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
before ver 8.3 and after version 8.3 ...8.4.. 9 versions..Hi,
To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
Hope this helps
- Jouni -
Solaris 11 responds to IPSEC VPN traffic ONLY one direction
I have established a IPSEC VPN tunnel between my remote solaris 11 and office Sonicwall router using Site to Site. Everything works fine if the traffic initiates from the Solaris side. However when I try to ping or any network services like nfs,ssh, samb, etc. on the remote solaris box from our office. The server does NOT respond to the incoming packets but packets are going through the tunnel and appears on the remote end when I do snoop –d tun0 and snoop –I vnic0. What I do notice is that snoop –d vnic0 shows no packets and it doesn’t seem to get any traffic at all (see netstat –rn). Could it be my routing table? Ip zones? Any ideas? I followed the Oracle Documents very carefully and with extra help from other extern Solaris 11 admin sites. I know people would suggest using OpenSwan or OpenVPN but this setup should work.
Here is the network info on my IPSEC VPN setup. Tunnel is configured in Transport Mode and IPSEC/IKE is working fine.
Solaris 11 vnic0/10.4.0.1/24, external Internet Nic is nge0/209.xxx.xxx.194/25
# dladm show-link
LINK CLASS MTU STATE OVER
nge0 phys 1500 up --
tun0 iptun 1402 up --
vnic0 vnic 1500 up nge0
# dladm show-iptun
LINK TYPE FLAGS LOCAL REMOTE
tun0 ipv4 s- 209.xxx.xxx.194 64.xxx.xxx.34
# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
nge0 ip ok yes --
vnic0 ip ok yes --
tun0 ip ok yes --
# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
nge0/v4 static ok 209.xxx.xxx.194/25
vnic0/inside static ok 10.4.0.1/24
tun0/v4 static ok 10.4.0.1->172.20.0.1
lo0/v6 static ok ::1/128
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 209.xxx.xxx.129 UG 6 16874898 nge0
10.4.0.0 10.4.0.1 U 2 0 vnic0
10.181.0.0 172.20.0.1 UGS 3 16862235 tun0
127.0.0.1 127.0.0.1 UH 2 1786 lo0
172.20.0.1 10.4.0.1 UH 3 16862235 tun0
Routing Table: IPv6
Destination/Mask Gateway Flags Ref Use If
::1 ::1 UH 2 42 lo0
# routeadm
Configuration Current Current
Option Configuration System State
IPv4 routing disabled disabled
IPv6 routing disabled disabled
IPv4 forwarding disabled disabled
IPv6 forwarding disabled disabled
Routing services "route:default ripng:default"
Routing daemons:
STATE FMRI
disabled svc:/network/routing/ripng:default
disabled svc:/network/routing/rdisc:default
disabled svc:/network/routing/route:default
disabled svc:/network/routing/legacy-routing:ipv4
disabled svc:/network/routing/legacy-routing:ipv6
online svc:/network/routing/ndp:default
Solaris># ping 10.181.1.218
10.181.1.218 is alive
C:\>ping 10.4.0.1
Pinging 10.4.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
# snoop -d tun0 10.181.1.218
Using device tun0 (promiscuous mode)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 33) (1 encap)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 34) (1 encap)
# snoop -I vnic0 10.181.1.218
Using device ipnet/vnic0 (promiscuous mode)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 36)
10.181.1.218-> 10.4.0.1 -i ICMP Echo request (ID: 1 Sequence number: 37)
# ipadm show-prop
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4 forwarding rw off off off on,off
ipv4 ttl rw 255 -- 255 1-255
ipv6 forwarding rw off -- off on,off
ipv6 hoplimit rw 255 -- 255 1-255
ipv6 hostmodel rw weak -- weak strong,
src-priority,
weak
ipv4 hostmodel rw strong strong weak strong,
src-priority,
weak
icmp max_buf rw 262144 -- 262144 65536-1073741824
icmp recv_buf rw 8192 -- 8192 4096-262144
icmp send_buf rw 8192 -- 8192 4096-262144
tcp cong_default rw newreno -- newreno newreno,cubic,
highspeed,vegas
tcp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
highspeed, highspeed, highspeed,vegas
vegas vegas
tcp ecn rw passive -- passive never,passive,
active
tcp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
tcp largest_anon_port rw 65535 -- 65535 32768-65535
tcp max_buf rw 1048576 -- 1048576 128000-1073741824
tcp recv_buf rw 128000 -- 128000 2048-1048576
tcp sack rw active -- active never,passive,
active
tcp send_buf rw 49152 -- 49152 4096-1048576
tcp smallest_anon_port rw 32768 -- 32768 1024-65535
tcp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
udp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
udp largest_anon_port rw 65535 -- 65535 32768-65535
udp max_buf rw 2097152 -- 2097152 65536-1073741824
udp recv_buf rw 57344 -- 57344 128-2097152
udp send_buf rw 57344 -- 57344 1024-2097152
udp smallest_anon_port rw 32768 -- 32768 1024-65535
udp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
sctp cong_default rw newreno -- newreno newreno,cubic,
highspeed,vegas
sctp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
highspeed, highspeed, highspeed,vegas
vegas vegas
sctp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
sctp largest_anon_port rw 65535 -- 65535 32768-65535
sctp max_buf rw 1048576 -- 1048576 102400-1073741824
sctp recv_buf rw 102400 -- 102400 8192-1048576
sctp send_buf rw 102400 -- 102400 8192-1048576
sctp smallest_anon_port rw 32768 -- 32768 1024-65535
sctp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
# ipadm show-addrprop
ADDROBJ PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
lo0/v4 broadcast r- -- -- -- --
lo0/v4 deprecated rw off -- off on,off
lo0/v4 prefixlen rw 8 8 8 1-30,32
lo0/v4 private rw off -- off on,off
lo0/v4 reqhost r- -- -- -- --
lo0/v4 transmit rw on -- on on,off
lo0/v4 zone rw global -- global --
nge0/v4 broadcast r- 209.xxx.xxx.255 -- 209.xxx.xxx.255 --
nge0/v4 deprecated rw off -- off on,off
nge0/v4 prefixlen rw 25 25 24 1-30,32
nge0/v4 private rw on on off on,off
nge0/v4 reqhost r- -- -- -- --
nge0/v4 transmit rw on -- on on,off
nge0/v4 zone rw global -- global --
vnic0/inside broadcast r- 10.4.0.255 -- 10.255.255.255 --
vnic0/inside deprecated rw off -- off on,off
vnic0/inside prefixlen rw 24 24 8 1-30,32
vnic0/inside private rw off -- off on,off
vnic0/inside reqhost r- -- -- -- --
vnic0/inside transmit rw on -- on on,off
vnic0/inside zone rw global -- global --
tun0/v4 broadcast r- -- -- -- --
tun0/v4 deprecated rw off -- off on,off
tun0/v4 prefixlen rw -- -- -- --
tun0/v4 private rw off -- off on,off
tun0/v4 reqhost r- -- -- -- --
tun0/v4 transmit rw on -- on on,off
tun0/v4 zone rw global -- global --
ipadm show-ifprop
IFNAME PROPERTY PROTO PERM CURRENT PERSISTENT DEFAULT POSSIBLE
nge0 arp ipv4 rw on -- on on,off
nge0 forwarding ipv4 rw off off off on,off
nge0 metric ipv4 rw 0 -- 0 --
nge0 mtu ipv4 rw 1500 -- 1500 68-1500
nge0 exchange_routes ipv4 rw on -- on on,off
nge0 usesrc ipv4 rw none -- none --
nge0 forwarding ipv6 rw off -- off on,off
nge0 metric ipv6 rw 0 -- 0 --
nge0 mtu ipv6 rw 1500 -- 1500 1280-1500
nge0 nud ipv6 rw on -- on on,off
nge0 exchange_routes ipv6 rw on -- on on,off
nge0 usesrc ipv6 rw none -- none --
nge0 group ip rw -- -- -- --
nge0 standby ip rw off -- off on,off
vnic0 arp ipv4 rw on -- on on,off
vnic0 forwarding ipv4 rw on on off on,off
vnic0 metric ipv4 rw 0 -- 0 --
vnic0 mtu ipv4 rw 1500 -- 1500 68-1500
vnic0 exchange_routes ipv4 rw on -- on on,off
vnic0 usesrc ipv4 rw none -- none --
vnic0 group ip rw -- -- -- --
vnic0 standby ip rw off -- off on,off
tun0 arp ipv4 rw off -- on on,off
tun0 forwarding ipv4 rw on on off on,off
tun0 metric ipv4 rw 0 -- 0 --
tun0 mtu ipv4 rw 1402 -- 1402 68-65515
tun0 exchange_routes ipv4 rw on -- on on,off
tun0 usesrc ipv4 rw none -- none --
tun0 group ip rw -- -- -- --
tun0 standby ip rw off -- off on,off
Edited by: user1233039 on Jun 20, 2012 9:18 AMI have established a IPSEC VPN tunnel between my remote solaris 11 and office Sonicwall router using Site to Site. Everything works fine if the traffic initiates from the Solaris side. However when I try to ping or any network services like nfs,ssh, samb, etc. on the remote solaris box from our office. The server does NOT respond to the incoming packets but packets are going through the tunnel and appears on the remote end when I do snoop –d tun0 and snoop –I vnic0. What I do notice is that snoop –d vnic0 shows no packets and it doesn’t seem to get any traffic at all (see netstat –rn). Could it be my routing table? Ip zones? Any ideas? I followed the Oracle Documents very carefully and with extra help from other extern Solaris 11 admin sites. I know people would suggest using OpenSwan or OpenVPN but this setup should work.
Here is the network info on my IPSEC VPN setup. Tunnel is configured in Transport Mode and IPSEC/IKE is working fine.
Solaris 11 vnic0/10.4.0.1/24, external Internet Nic is nge0/209.xxx.xxx.194/25
# dladm show-link
LINK CLASS MTU STATE OVER
nge0 phys 1500 up --
tun0 iptun 1402 up --
vnic0 vnic 1500 up nge0
# dladm show-iptun
LINK TYPE FLAGS LOCAL REMOTE
tun0 ipv4 s- 209.xxx.xxx.194 64.xxx.xxx.34
# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
nge0 ip ok yes --
vnic0 ip ok yes --
tun0 ip ok yes --
# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
nge0/v4 static ok 209.xxx.xxx.194/25
vnic0/inside static ok 10.4.0.1/24
tun0/v4 static ok 10.4.0.1->172.20.0.1
lo0/v6 static ok ::1/128
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 209.xxx.xxx.129 UG 6 16874898 nge0
10.4.0.0 10.4.0.1 U 2 0 vnic0
10.181.0.0 172.20.0.1 UGS 3 16862235 tun0
127.0.0.1 127.0.0.1 UH 2 1786 lo0
172.20.0.1 10.4.0.1 UH 3 16862235 tun0
Routing Table: IPv6
Destination/Mask Gateway Flags Ref Use If
::1 ::1 UH 2 42 lo0
# routeadm
Configuration Current Current
Option Configuration System State
IPv4 routing disabled disabled
IPv6 routing disabled disabled
IPv4 forwarding disabled disabled
IPv6 forwarding disabled disabled
Routing services "route:default ripng:default"
Routing daemons:
STATE FMRI
disabled svc:/network/routing/ripng:default
disabled svc:/network/routing/rdisc:default
disabled svc:/network/routing/route:default
disabled svc:/network/routing/legacy-routing:ipv4
disabled svc:/network/routing/legacy-routing:ipv6
online svc:/network/routing/ndp:default
Solaris># ping 10.181.1.218
10.181.1.218 is alive
C:\>ping 10.4.0.1
Pinging 10.4.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
# snoop -d tun0 10.181.1.218
Using device tun0 (promiscuous mode)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 33) (1 encap)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 34) (1 encap)
# snoop -I vnic0 10.181.1.218
Using device ipnet/vnic0 (promiscuous mode)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 36)
10.181.1.218-> 10.4.0.1 -i ICMP Echo request (ID: 1 Sequence number: 37)
# ipadm show-prop
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4 forwarding rw off off off on,off
ipv4 ttl rw 255 -- 255 1-255
ipv6 forwarding rw off -- off on,off
ipv6 hoplimit rw 255 -- 255 1-255
ipv6 hostmodel rw weak -- weak strong,
src-priority,
weak
ipv4 hostmodel rw strong strong weak strong,
src-priority,
weak
icmp max_buf rw 262144 -- 262144 65536-1073741824
icmp recv_buf rw 8192 -- 8192 4096-262144
icmp send_buf rw 8192 -- 8192 4096-262144
tcp cong_default rw newreno -- newreno newreno,cubic,
highspeed,vegas
tcp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
highspeed, highspeed, highspeed,vegas
vegas vegas
tcp ecn rw passive -- passive never,passive,
active
tcp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
tcp largest_anon_port rw 65535 -- 65535 32768-65535
tcp max_buf rw 1048576 -- 1048576 128000-1073741824
tcp recv_buf rw 128000 -- 128000 2048-1048576
tcp sack rw active -- active never,passive,
active
tcp send_buf rw 49152 -- 49152 4096-1048576
tcp smallest_anon_port rw 32768 -- 32768 1024-65535
tcp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
udp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
udp largest_anon_port rw 65535 -- 65535 32768-65535
udp max_buf rw 2097152 -- 2097152 65536-1073741824
udp recv_buf rw 57344 -- 57344 128-2097152
udp send_buf rw 57344 -- 57344 1024-2097152
udp smallest_anon_port rw 32768 -- 32768 1024-65535
udp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
sctp cong_default rw newreno -- newreno newreno,cubic,
highspeed,vegas
sctp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
highspeed, highspeed, highspeed,vegas
vegas vegas
sctp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
sctp largest_anon_port rw 65535 -- 65535 32768-65535
sctp max_buf rw 1048576 -- 1048576 102400-1073741824
sctp recv_buf rw 102400 -- 102400 8192-1048576
sctp send_buf rw 102400 -- 102400 8192-1048576
sctp smallest_anon_port rw 32768 -- 32768 1024-65535
sctp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
# ipadm show-addrprop
ADDROBJ PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
lo0/v4 broadcast r- -- -- -- --
lo0/v4 deprecated rw off -- off on,off
lo0/v4 prefixlen rw 8 8 8 1-30,32
lo0/v4 private rw off -- off on,off
lo0/v4 reqhost r- -- -- -- --
lo0/v4 transmit rw on -- on on,off
lo0/v4 zone rw global -- global --
nge0/v4 broadcast r- 209.xxx.xxx.255 -- 209.xxx.xxx.255 --
nge0/v4 deprecated rw off -- off on,off
nge0/v4 prefixlen rw 25 25 24 1-30,32
nge0/v4 private rw on on off on,off
nge0/v4 reqhost r- -- -- -- --
nge0/v4 transmit rw on -- on on,off
nge0/v4 zone rw global -- global --
vnic0/inside broadcast r- 10.4.0.255 -- 10.255.255.255 --
vnic0/inside deprecated rw off -- off on,off
vnic0/inside prefixlen rw 24 24 8 1-30,32
vnic0/inside private rw off -- off on,off
vnic0/inside reqhost r- -- -- -- --
vnic0/inside transmit rw on -- on on,off
vnic0/inside zone rw global -- global --
tun0/v4 broadcast r- -- -- -- --
tun0/v4 deprecated rw off -- off on,off
tun0/v4 prefixlen rw -- -- -- --
tun0/v4 private rw off -- off on,off
tun0/v4 reqhost r- -- -- -- --
tun0/v4 transmit rw on -- on on,off
tun0/v4 zone rw global -- global --
ipadm show-ifprop
IFNAME PROPERTY PROTO PERM CURRENT PERSISTENT DEFAULT POSSIBLE
nge0 arp ipv4 rw on -- on on,off
nge0 forwarding ipv4 rw off off off on,off
nge0 metric ipv4 rw 0 -- 0 --
nge0 mtu ipv4 rw 1500 -- 1500 68-1500
nge0 exchange_routes ipv4 rw on -- on on,off
nge0 usesrc ipv4 rw none -- none --
nge0 forwarding ipv6 rw off -- off on,off
nge0 metric ipv6 rw 0 -- 0 --
nge0 mtu ipv6 rw 1500 -- 1500 1280-1500
nge0 nud ipv6 rw on -- on on,off
nge0 exchange_routes ipv6 rw on -- on on,off
nge0 usesrc ipv6 rw none -- none --
nge0 group ip rw -- -- -- --
nge0 standby ip rw off -- off on,off
vnic0 arp ipv4 rw on -- on on,off
vnic0 forwarding ipv4 rw on on off on,off
vnic0 metric ipv4 rw 0 -- 0 --
vnic0 mtu ipv4 rw 1500 -- 1500 68-1500
vnic0 exchange_routes ipv4 rw on -- on on,off
vnic0 usesrc ipv4 rw none -- none --
vnic0 group ip rw -- -- -- --
vnic0 standby ip rw off -- off on,off
tun0 arp ipv4 rw off -- on on,off
tun0 forwarding ipv4 rw on on off on,off
tun0 metric ipv4 rw 0 -- 0 --
tun0 mtu ipv4 rw 1402 -- 1402 68-65515
tun0 exchange_routes ipv4 rw on -- on on,off
tun0 usesrc ipv4 rw none -- none --
tun0 group ip rw -- -- -- --
tun0 standby ip rw off -- off on,off
Edited by: user1233039 on Jun 20, 2012 9:18 AM -
Incorrect Default Gateway for Clients using a Concentrator
Hey all,
Hopfully an easy one - I'm trying to configure a VPN Concentrator for use with the old VPN Client for an IPSec CVPN.
The clients connect fine, but they are getting the incorrect default gateway during the address assignment.
My address pool is 192.168.0.128/25. The client correctly picks up the first address in the range, 192.168.0.129, but the default gateway for the VPN adapter is assigned as the next address in the range, 192.168.0.130.
I need the gateway address to be 192.168.0.254 (the SVI of the L3 switch connected to the Concentrator), but I can't for the life of me fine a configuration option anywhere in the pool assignment. I've set the tunnel default gateway to this 192.168.0.254, but this makes no difference.
Any ideas where I can find this config option?
Thanks!Andrew
In the chart that you posted about the routing setup it refers to a DMZ network and DMZ gateway. Can you clarify what these are since I do not see them in the drawing that is in that post?
I agree with Herbert that it is cleaner to have the address pool on the concentrator use addresses that do not overlap with the concentrator subnet connecting to the layer 3 switch. And as long as the layer 3 switch has a route to that address pool, and the next hop in the route is the address of the concentrator interface then the separate pool addressing should work just fine.
I have re-read this thread and want to make sure that after some changes that you have made that the problem symptoms are still the same. You told us earlier that: "Now the client can ping the interfaces on its local LAN (concentrator interface 192.168.0.253, and the L3 switch, 192.168.0.253), but it cannot reach the rest of our internal LAN behind the layer 3 switch." Is this still an accurate statement of the problem?
As Herbert said earlier this could either be caused by the concentrator not have a correct route for the inside or it could be because the inside does not have a correct route to the client. In re-reading your description of the routing set up it looks like the concentrator has a default route configured but not the tunnel default route. May I suggest that you try configuring a tunnel default route (in addition to the normal default route) and see whether that makes any difference?
If that does not help the problem then I would suggest that you verify that the devices on the inside do have their default gateway set correctly and that the layer 3 switch does have a route for the VPN address pool with the concentrator interface address as the next hop.
HTH
Rick
[edit] I just focused on the question that you asked about the concentrator possibly needing a route for the address pool. The concentrator does not need any route statements for the address pool - it knows its own address pool, pretty much like having a connected interface subnet. The layer 3 switch is what needs a route for the address pool. -
IPSEC VPN Address Overlap Without Translation?
I am wondering if it's possible to have an ipsec vpn between 2 subnets that are the same WITHOUT translating them.
eg: in configurations and normal circumstances, if site 1 = 192.168.1.0 and site 2 = 192.168.1.0, a translation occurs in between both vpn devices that says "hey private 192.168.1.0 = 1.1.1.1 once it leaves out the private interface" and the other says "hey private 192.168.1.0 = 2.2.2.2 once it leaves out the private interface" then those 2 new spaces can talk (1.1.1.1 & 2.2.2.2)
the problem is I currently run a T1 which allows 1 address space on both sides, which is how it's setup. You plug anything on site 2 it pulls dhcp & internet from the main router on site a . The special equipment in question is setup as if both sides of the T1 is the same local network, and a device on each side talks to each other as a 192.168.1.240 and 192.168.1.245 across the T1 line. If I change site 2 (which is last case scenario) to another address space, then I would have to change all the equipment to a new address space on site 2 while changing site 1 to look at the new addresses. I am trying avoid this. Is it possible?
I know it sounds weird but maybe I was thinking there's a way to do static. Say on Site 1 you say "192.168.1.2 is on the other side of the vpn. when you see 192.168.1.2 know to go over vpn" although site 1 itself is 192.168.1.0 .
is that possible? thanksGenerally speaking no it won't work because at each site all 192.168.1.x clients think every other 192.168.1.x client is local and so never send traffic to their default gateway ie. the VPN device.
If the two devices that needed to communicate were using different IPs (even though it's the same IP subnet) you could potentially add host routes to the clients route table pointing to the VPN device and then each VPN device has a host specific route for that IP pointing to the outside IP but that would mean two things -
1) the client in a site could not talk to another client in the same site with that IP because you are routing it to the VPN device
and
2) the VPN device couldn't talk to that client either because you have told it to route traffic for that IP via the VPN tunnel.
But to be totally honest I am not convinced this would work.
Basically you either need to readdress or do NAT, it would be a lot less hassle and would actually work.
Jon -
IPSEC VPN clients can't reach internal nor external resources
Hi!
At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
Im pretty sure it's not ACL's, although I might be wrong.
The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
# Issue 1.
IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 31, untranslate_hits = 32
Most NAT, some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 5402387, untranslate_hits = 1519419
## Issue 2, vpn user cannot access anything on internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
object network vpn_nat
nat (outside,outside) dynamic interface
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****Hi,
I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
asa# show capture capo
12 packets captured
1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
asa# show capture capi
8 packets captured
1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
Packet-capture.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.32.1 255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Maybe you are looking for
-
Why does installer prompts for missing libXp.so.6 when it is ready installe
Hi, I'm trying to install 10gr2 on centos 6.3 x86_64 bit system. when I running the runinstaller, I encountered the following problem: bash-4.1$ ./runInstaller Starting Oracle Universal Installer... Checking installer requirements... Checking operati
-
Background image in 7912 with CME
Some one could give a hand telling me how to upload the .bmp image converted to .logo with bmp2logo.exe application in a CME for a 7912 IP Phone?? I mean, how to display it in the IP Phone. Thanks in advise for your help.
-
Unable occur lock on a object- ...
Hi, First let myself explain the scenario, One Oracle user access an table object in a schema by running a batch process. after 20 min, due to more time the batch process is taking, he terminated the session. at this time i check in back end, the ses
-
Can I make skype calls to landlines or mobile numb...
I recently subscribed to a free 30 day trial and I do not see the Bahamas listed as one of the places that can be called. Is the Bahamas a location that is included in this trial?
-
All mounted network drives disconnect after sleep
10.4, airport, powerbook. All network (SMB) drives connect fine manually. They also reconnect after after login (modified login items). However, they will not persist after sleep. After this powerbook sleeps, ALL network drives are dropped and have t