Linksys WRV200 pinging internal LAN
I'm having this weird problem with my WRV200 router (IP 172.18.12.16) that has now happened for the third time. The router broadcasts ICMP packets to my internal LAN. The source is the router itself. The only fix at this time is to reboot the router, but it does come back at no specific time. Has anyone seen this problem? The router does have the latest firmware available, and has the default settings (more or less).
No. Time Source Destination Protocol Info
1 0.000000 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 1 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
2 0.399973 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 2 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
3 0.809906 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 3 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
4 0.969284 Cisco-Li_06:d3:64 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:18:39:06:d3:64 Cost = 0 Port = 0x8001
Frame 4 (60 bytes on wire, 60 bytes captured)
IEEE 802.3 Ethernet
Logical-Link Control
Spanning Tree Protocol
No. Time Source Destination Protocol Info
5 0.999938 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 5 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
6 1.399928 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 6 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
7 1.810387 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 7 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
8 1.999827 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 8 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
9 2.399864 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 9 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10 2.809766 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 10 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
11 2.969142 Cisco-Li_06:d3:64 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:18:39:06:d3:64 Cost = 0 Port = 0x8001
Frame 11 (60 bytes on wire, 60 bytes captured)
IEEE 802.3 Ethernet
Logical-Link Control
Spanning Tree Protocol
No. Time Source Destination Protocol Info
12 2.999805 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 12 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
I'm noticing the same behavior with my WRV200. If I ping the router from a wired or wireless connection, I get an 85% loss rate. The 15% that do reply average close to 2,000ms!!! I installed Microsoft Network Monitor 3.1 and captured over 40,000 ICMP broadcasts coming from the Linksys router in a very short period of time, ~10 to 15 minutes. If I power cycle the router, everything returns to normal...for a day or two, that is. Linksys support only seems to want to "reset" your router or change the MTU to a different value. Class A support! I'm still researching and will update if I don't end up buying another brand.
Similar Messages
-
Hi!
I wish someone can help me on this. I'm a new guy on Cisco firewalls and I'm currently implementing a Cisco ASA 5512-X. Here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
After installing the Cisco ASA and terminating the appropriate LAN for the outside and inside interfaces, the internet seems intermittent, and the Cisco VPN client can connect with an internet connection but can't ping the internal LAN.
Here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
Thanks. Please help.
I think you should change your nat-exemption rule to something more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
because your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets different from 10.152.11.0 255.255.255.0 (the subnet from which an IP is assigned to your inside interface, and for which the above NAT exemption should be enough), you should check whether routing is configured from those subnets to your vpn-pool subnet through the ASA. -
ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients
Hi community,
I configured IPsec remote access VPN on the ASA, and remote clients use the Cisco VPN client to connect to HQ. The VPN is working now: VPN clients can connect to servers inside and to IT's subnet, but my PC or servers inside the LAN cannot ping or initiate an RDP session to connected VPN clients. Below is my configuration:
object-group network RemoteVPN_LocalNet
network-object 172.29.168.0 255.255.255.0
network-object 172.29.169.0 255.255.255.0
network-object 172.29.173.0 255.255.255.128
network-object 172.29.172.0 255.255.255.0
access-list Split_Tunnel remark The Corporation network behind ASA
access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set myset
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
tunnel-group remotevpngroup type remote-access
tunnel-group remotevpngroup general-attributes
address-pool remotevpnpool
authentication-server-group MS_LDAP LOCAL
default-group-policy Split_Tunnel_Policy
I don't know what I am missing in order to have the internal LANs initiate connections to connected VPN clients. Please guide me.
Thanks in advance.
Hi tranminhc,
Step 1: Create an object.
object network vpn_clients
subnet 10.88.61.0 255.255.255.0
Step 2: Create a standard ACL.
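access-list my-split standard permit 172.29.168.0 255.255.255.0
access-list my-split standard permit 172.29.169.0 255.255.255.0
access-list my-split standard permit 172.29.173.0 255.255.255.128
access-list my-split standard permit 172.29.172.0 255.255.255.0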
Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
Step 4: Create new nat exemption.
nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
Step 5: Apply ACL on the tunnel.
group-policy Split_Tunnel_Policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value my-split
Step 6:
I assume you have a default route on your inside L3 switch pointing back to the ASA's inside address. If you don't have one, please add a default route or add a static route as shown below.
route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
Hope this helps.
Thanks
Rizwan Rafeek -
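Both replies above turn on the same condition: the identity NAT (NAT-exemption) rule only helps if its source object covers the inside subnet and its destination object covers the VPN pool. The following is an added example, not part of the original posts or of any Cisco tool, that checks that condition offline against a saved config; the function names are hypothetical, the config fragments are constructed from lines quoted in the two threads, and only ASA 8.3+ `nat ... source static ... destination static` rules are handled.

```python
import ipaddress
import re

# Identity twice-NAT rule ("NAT exemption") in ASA 8.3+ syntax.
NAT_RE = re.compile(
    r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) source static (?P<s1>\S+) (?P<s2>\S+)"
    r" destination static (?P<d1>\S+) (?P<d2>\S+)"
)


def parse_objects(config):
    """Map each network object / object-group name to the networks it contains."""
    objects = {"any": [ipaddress.ip_network("0.0.0.0/0")]}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("object", "object-group") and words[1:2] == ["network"]:
            current = words[2]
            objects.setdefault(current, [])
        elif current and words[0] in ("subnet", "host", "network-object"):
            args = [w for w in words[1:] if w != "host"]
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            objects[current].append(ipaddress.ip_network(f"{args[0]}/{mask}"))
        elif words[0] != "nat":
            # Object NAT lines live inside the object; anything else closes it.
            current = None
    return objects


def audit_exemptions(config, inside_net, vpn_net):
    """Report, per identity NAT rule, whether it covers each side of the flow."""
    objects = parse_objects(config)
    inside = ipaddress.ip_network(inside_net)
    vpn = ipaddress.ip_network(vpn_net)
    results = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m or m["s1"] != m["s2"] or m["d1"] != m["d2"]:
            continue  # not an identity (real == mapped) rule
        results.append({
            "rule": raw.strip(),
            "source_covers_inside": any(inside.subnet_of(n) for n in objects.get(m["s1"], [])),
            "dest_covers_vpn": any(vpn.subnet_of(n) for n in objects.get(m["d1"], [])),
            "undefined": sorted({m["s1"], m["d1"]} - set(objects)),
        })
    return results


def is_exempt(config, inside_net, vpn_net):
    """True if at least one identity NAT rule covers inside -> VPN pool traffic."""
    return any(r["source_covers_inside"] and r["dest_covers_vpn"]
               for r in audit_exemptions(config, inside_net, vpn_net))


# Constructed from the ASA 5512-X thread: inside is 10.152.11.0/24 and the
# VPN pool 10.10.10.1-10.10.10.6 sits in 10.10.10.0/29.
THREAD1_POSTED = """
object network NETWORK_OBJ_10.10.10.0_28
 subnet 10.10.10.0 255.255.255.240
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
"""
THREAD1_SUGGESTED = THREAD1_POSTED.replace(
    "source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28",
    "source static any any",
)

# Constructed from the remote-access thread: pool 10.88.61.0/24.
GROUP = """
object-group network RemoteVPN_LocalNet
 network-object 172.29.168.0 255.255.255.0
 network-object 172.29.169.0 255.255.255.0
 network-object 172.29.173.0 255.255.255.128
 network-object 172.29.172.0 255.255.255.0
"""
THREAD2_POSTED = GROUP + (
    "nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet "
    "destination static remotevpnpool remotevpnpool\n"
)
THREAD2_SUGGESTED = GROUP + (
    "object network vpn_clients\n"
    " subnet 10.88.61.0 255.255.255.0\n"
    "nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet "
    "destination static vpn_clients vpn_clients\n"
)

if __name__ == "__main__":
    cases = [
        ("thread 1 as posted", THREAD1_POSTED, "10.152.11.0/24", "10.10.10.0/29"),
        ("thread 1 suggested", THREAD1_SUGGESTED, "10.152.11.0/24", "10.10.10.0/29"),
        ("thread 2 as posted", THREAD2_POSTED, "172.29.168.0/24", "10.88.61.0/24"),
        ("thread 2 suggested", THREAD2_SUGGESTED, "172.29.168.0/24", "10.88.61.0/24"),
    ]
    for label, cfg, inside, vpn in cases:
        print(label, "->", "exempt" if is_exempt(cfg, inside, vpn) else "NOT exempt")
        for result in audit_exemptions(cfg, inside, vpn):
            print("   ", result)
```

A source of `any` passes the check but exempts every inside address from NAT toward the pool; the per-rule output lets you compare it with a narrower object such as the inside subnet itself.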
Remote access VPN with Cisco Router - Can not get the Internal Lan .
Dear Sir,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN, 192.168.1.0. Need your help to solve the issue.
Below is the IP address of the device.
Local PC (connected to Router-2 through MS Loopback): IP address 10.10.10.2, mask 255.255.255.0
Router-2 F0/1: IP address 10.10.10.1, mask 255.255.255.0
Router-2 F0/0: IP address 20.20.20.2, mask 255.255.255.0
Router-1 F0/0: IP address 20.20.20.1, mask 255.255.255.0
Router-1 F0/1: IP address 192.168.1.1, mask 255.255.255.0
PC-01 F0/1: IP address 192.168.1.3, mask 255.255.255.0
I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is OK from my local PC to remote Routers 1 and 2.
Through the Cisco remote VPN client, I can get connected to the VPN router R1 (please see the VPN Client pic), but I cannot ping the network 192.168.1.0.
Need your help to fix the problem.
Router R2 Configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN, 192.168.1.0. Need your help to solve the issue.
Waiting for your response.
--Milon -
Help, How to configure cisco ASA5505 to permit access to internal LAN
Hi everyone,
Once more I am stuck in another dilemma. I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using the Cisco VPN Client software. The connection is establishing properly with an IP address from my VPNPool.
From outside (on the VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected (int gi1/0/22, IP address 192.168.1.2/30) and I cannot ping any VLAN interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN.
I hope my explanation makes sense. I am available at any time if further information is needed. Please find attached my ASA config.
Best regards,
BEN
Many thanks Marvin,
I have configured the router OSPF the way you instructed me, and I have changed the VPN pool to a completely different class of 10.0.1.0/24. I have also configured: access-list OUTSIDE_IN_ACL permit icmp any any echo-reply and access-group OUTSIDE_IN_ACL in interface outside. But from my VPN connection I can only ping both interfaces of the ASA and nothing else.
Please find attached my ASA and the layer 3 switch configs. And also ASA and L3 Switch ip route output.
Note this: when connected to my VPN, cmd> ipconfig /all shows the following: IP address 10.0.1.100
Subnet Mask 255.0.0.0
Def Gateway 10.0.0.1
dns server 192.168.30.3
Best regards,
BEN.
From Azure unable to connect internal LAN network with windows RRAS site to site VPN
Hi All,
Below is my scenario.
Our side.
We have installed RRAS on Windows 2012 R2 on VMware and created a site to site VPN with azure.
on RRAS server we have two interfaces
eth0- 10.1.1.1
eth1- 10.1.1.2
We have NATed (static NAT) internal IP (eth0) 10.1.1.1 with public IP 1.1.1.1 (e.g.).
On Azure,
We created a gateway, and two VMs.
VM1 = 11.11.11.1
VM2 = 11.11.11.2
Both VMs can ping each other.
VPN gateway on Azure and demand dial on RRAS server shows connected and, in and out data shows as well.
We can ping, tracert and rdp the RRAS server using both the interfaces IP [eth0- 10.1.1.1 , eth1- 10.1.1.2]
But we are unable to ping, tracert or rdp our other internal Lan machines on 10.1.x.x
So we can reach Azure VM from our RRAS and
we can reach RRAS server from Azure VM.
But we cannot reach our other internal Lan machines from Azure VM and from other internal Lan machine to Azure VM.
Please help?
I will give you some pointers to check.
The reason for this could be one of the two:
- local site in azure virtual network is not configured correctly
- route for the azure subnet is not setup correctly on rras server
Can you please validate the above?
Open the Routing and Remote access UI and verify that there is a static route for azure subnet and the interface is the public ip of the azure gateway.
Also verify that you have a local site created with the on-premises subnet and added in the azure virtual network.
What is the gateway specified in the on-premises VM? Provide it as the IP of eth1, the IP that is not NATed.
Is NAT allowing all traffic in, or is it restricted to certain points?
This posting is provided "AS IS" with no warranties, and confers no rights -
Can not ping internal network from ASA
I cannot ping an internal computer from the ASA. The computer's IP address is 192.168.187.15 and its gateway is 192.168.187.14, which is the ASA internal interface. I've got an IP phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine. We are doing testing, so do not be surprised by the configuration.
ASA Version 8.2(1)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
nameif ouside3
security-level 0
ip address 10.254.17.25 255.255.255.248
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
interface GigabitEthernet0/2
nameif Lan
security-level 100
ip address 192.168.185.14 255.255.255.0
interface GigabitEthernet0/3
nameif comp
security-level 50
ip address 192.168.187.14 255.255.255.0
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
router eigrp 2008
neighbor 10.254.17.10 interface outside
network 10.254.17.8 255.255.255.248
network 192.168.185.0 255.255.255.0
network 192.168.187.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
This is what I get, looks like ASA does not reply. Why?
ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request -
Cannot access internal LAN after VPN connect
I know this is either an ACL or NAT issue that I cannot figure out. The nat-t config is defaulted in the IOS config for the ASA. I actually forgot the command to show the hidden default config lines. Either way, can someone take a look at my config and let me know what I am doing wrong, again?
Thanks ahead of time.
ASA Version 8.2(2)
hostname ciscousa
enable password
names
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 14.14.11.5 255.255.255.0
interface Vlan3
shutdown
no forward interface Vlan2
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 100
duplex full
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list inside_nat0 extended permit ip any 10.12.27.0 255.255.255.0
access-list split_tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.12.27.100-10.12.27.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 14.14.11.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 1.1.1.0 255.255.255.0 inside
http 1.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map inet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inet-1_map 65535 ipsec-isakmp dynamic inet-1_dyn_map
crypto map inet-1_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnipsec internal
group-policy vpnipsec attributes
wins-server value 1.1.1.16
dns-server value 1.1.1.16
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
address-pool vpnpool
default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
Hello,
I have been trying to get this to work within the last week but to no avail. I changed my config altogether and started from scratch. I have Split Tunnel working well, and I can access the VPN client from the internal LAN. But I still cannot access the internal LAN from the VPN client host. Can anyone take a look at my config and tell me what ACL\Access Group I am missing. I know I am close but I cannot get over the hump.
Thanks!
ASA Version 8.2(2)
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
interface Vlan3
shutdown
no forward interface Vlan2
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 100
duplex full
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in_vpn extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipvpn 192.168.3.100-192.168.3.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_in in interface outside control-plane
access-group outside_in_vpn in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map internet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet-1_map 65535 ipsec-isakmp dynamic internet-1_dyn_map
crypto map internet-1_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy vpnipsec internal
group-policy vpnipsec attributes
wins-server value 192.168.1.5
dns-server value 192.168.1.5
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
address-pool ipvpn
default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
pre-shared-key *
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
Cryptochecksum:7e41045c9d7c66ac2c03c3b12ae63908 -
Problems getting static NAT to work between two internal lans
Hi, I'm trying the old problem of routing between two internal LANs. This is on CLI 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the NAT policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
interface GigabitEthernet0/0
nameif inside-ld5
security-level 100
ip address 10.20.15.2 255.255.255.0
interface GigabitEthernet0/6
nameif office
security-level 100
ip address 10.20.11.9 255.255.255.0
object network inside-ld5
subnet 10.20.15.0 255.255.255.0
object network inside-office
subnet 10.20.11.0 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
Hi Kevin,
because your interfaces inside and office are in the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected so routing should work (instead of NAT).
Best Regards,
Jan -
I have a Linksys WRV200 wireless router and the wireless signal is not working properly so I am unable to connect to the internet wirelessly. The wireless light is blinking green very quickly and I connect and disconnect from the network constantly. How do I get the router to work properly?
Hello James,
The flashing WLAN light means activity (data getting transferred). Try disconnecting all your devices and check whether the light is still flashing or disconnect the router from internet and do the check.
Do you have your SSID as linksys or the default one? If your neighbor has the same SSID, then traffic could result from your neighbor's one. Try changing your SSID and password. Make your security WPA/WPA2.
Hope this helps,
Thanks
Vijay -
Internal LAN adapter configuration commands
Could anyone describe to me the meaning of the hsma command option:
7206MEDA(cfg-lan-Token 0)#adapter 1 4000.0047.4522
7206MEDA(cfg-adap-Token 0-1)#?
Internal Lan Adapter configuration commands:
hsma Hot Standby MAC Address parameters
Thanks in advance for any information
Hi,
I have attached a document describing what hsma is all about in more detail, including sample configurations.
In very simple words, it is a mechanism, a little bit like HSRP, to allow two CIPs to back up each other. You configure a virtual adapter which is always only active on one of the two CIPs and they monitor each other. If one CIP goes down, the other one takes over and activates the virtual adapter.
When the two CIP routers were connected to a Token Ring infrastructure, the redundancy was achieved by using the same MAC address on the CIPs, reachable over two different source-bridged paths using different RIFs.
If you connect the two CIP routers via Ethernet, then there is no RIF field in your packets anymore and you cannot do source bridging. Additionally, the CAM table of an Ethernet switch cannot deal with the same MAC address twice on different ports in the same VLAN.
HSMA allows for a similar level of redundancy if your CIP routers are connected via an Ethernet backbone.
thanks...
Matthias -
How to Block an Internal LAN IP to send mail
I have Sun Java Messaging Server 6.1
It is Open relay on the server. The Public IP of my mail server is configured on Firewall, from there it is NAT to internal LAN IP of the mail server.
I want to get/receive mail on this Internal IP and want to block this IP from sending any mail out. (How can I do that? Guide me in securing my server from it.) I don't have much experience on it, so tell me how to close the open relay.
Thanks.
(u can mail me at : [email protected])
MAK.
Thanks for the reply. I put the complete local C class in internal-ip in the mappings file. The mail comes from 192.168.0.39 from outside. How to define that all of the class can send mail except this .39, because of spamming?
Here r some entries from the log file:
19-Oct-2004 11:07:48.01 tcp_local R 5 rfc822;[email protected] [email protected] Illegal host/domain name found (TCP active open: Failed gethostbyname() on ms050.url.com.tw, resolver errno = 1)
19-Oct-2004 11:07:48.95 tcp_local R 5 rfc822;[email protected] [email protected] Illegal host/domain name found (TCP active open: Failed gethostbyname() on ms40.hinet.net, resolver errno = 1)
19-Oct-2004 11:07:49.73 tcp_local D 5 rfc822;[email protected] [email protected] dns;ms75a.hinet.net (ms75.hinet.net ESMTP Sendmail 8.8.8/8.8.8; Tue, 19 Oct 2004 14:08:39 +0800 [CST]) smtp;250 <[email protected]>... Recipient ok
19-Oct-2004 11:07:51.56 tcp_local D 5 rfc822;[email protected] [email protected] dns;ms16a.hinet.net (ms16.hinet.net ESMTP Sendmail 8.8.8/8.8.8; Tue, 19 Oct 2004 14:08:40 +0800 [CST]) smtp;250 <qwsuhgadfrryoj@ms16.hinet.net>... Recipient ok
19-Oct-2004 11:31:21.68 tcp_local process E 2 rfc822;[email protected] [email protected]
19-Oct-2004 11:31:21.68 tcp_local process E 2 rfc822;[email protected] [email protected]
s;mx1.yam.com (mx1.yam.com ESMTP) smtp;250 Ok
19-Oct-2004 11:53:01.08 tcp_local D 8 [email protected] rfc822;[email protected] [email protected] dns;mx1.yam.com (mx1.yam.com ESMTP) smtp;250 Ok
19-Oct-2004 11:53:03.44 tcp_local process E 1 rfc822;[email protected] [email protected]
19-Oct-2004 11:53:03.89 tcp_local process E 11 rfc822;[email protected] [email protected]
19-Oct-2004 11:44:34.04 tcp_local Q 2 [email protected] rfc822;[email protected] [email protected] Temporary error returned by SMTP partner. smtp;421 VS1-IP Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/spam-18.html (#4.1.8)
It's a very huge log file. If u want to see I can e-mail it to u... If required plz give me ur e-mail.
I would be grateful if u solve my problem. I can see about 10GB of mail queue, which makes the server dead slow, and the network is also choked.
Thanks. -
RDS 2012 - Using a reverse proxy with the Gateway server on the internal LAN
Hi there,
I'm looking to introduce an RDS 2012 farm and would like to put the RDS Gateway server on the internal LAN (due to its AD requirements etc).
What are the best practise options for using a reverse proxy to forward traffic to the gateway server and is it better to do this than just forward 443 traffic from the DMZ through to the Gateway directly?
Thanks,
Paul.
Hi Paul,
It is generally considered more secure to have a reverse proxy in front of RDG. I don't know of a proxy that will handle the RDG UDP traffic, so you will need to consider using direct server return for that or not having the benefit of UDP. Whether or not it is acceptable to simply forward TCP 443/UDP 3391 directly to your internal RDG is up to your security policies. Many companies are fine with it while many other companies think it is unacceptable and require a reverse proxy or other method to provide an extra layer of protection.
-TP -
VPN Clients can't access internal LAN
Hello - I have seen a few other threads on this issue, but can't seem to fix mine. I have a PIX 506e. My VPN clients can connect, they get a DHCP address from our internal server no problem. But the clients can not ping me or anything else on the LAN. The clients are connecting ipsec. I know I must be missing something simple here. Here is my config. Any help would be great
Change the VPN Pool address to something else for example 192.168.10.0/24 etc. Then try and let me know. There could be ip overlap here.
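The overlap suspected in the reply above can be checked mechanically. This Python sketch is an added example, not part of the original thread: it reads `ip local pool` and interface `ip address` lines (ASA/PIX form, and also the IOS and PIX 6.x forms) and reports any pool that falls inside a directly connected subnet. The sample config and its addresses are constructed, since the poster's config is not on the page.

```python
import ipaddress
import re

# Constructed sample in the ASA/PIX 7+ style used by the configs on this page.
# Addresses are made up for the example: the pool sits inside the LAN subnet.
SAMPLE_OVERLAP = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
ip local pool vpnpool 192.168.1.100-192.168.1.120 mask 255.255.255.0
"""

# Same device after moving the pool to its own range, as the reply suggests.
SAMPLE_FIXED = SAMPLE_OVERLAP.replace(
    "192.168.1.100-192.168.1.120", "192.168.10.100-192.168.10.120")

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "ip address A M" under an interface, or PIX 6.x "ip address inside A M".
ADDR_RE = re.compile(rf"^ip address (?:([A-Za-z]\S*) )?{IP} {IP}\b")
# ASA/PIX "ip local pool NAME A-B [mask M]" or IOS "ip local pool NAME A B".
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}[- ]{IP}\b")


def parse(config):
    """Return ({interface name: IPv4Network}, {pool name: (first, last)})."""
    networks, pools = {}, {}
    current = None  # name of the interface block being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("nameif ") and current:
            current = line.split()[1]  # prefer the ASA logical name
        elif (m := ADDR_RE.match(line)):
            name = m.group(1) or current
            if name:
                iface = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
                networks[name] = iface.network
        elif (m := POOL_RE.match(line)):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return networks, pools


def pool_overlaps(config):
    """List (pool, interface, network) where a VPN pool lies in a connected subnet."""
    networks, pools = parse(config)
    hits = []
    for pool, (first, last) in pools.items():
        for name, net in networks.items():
            # Two contiguous ranges intersect iff each starts before the other ends.
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, name, str(net)))
    return hits


if __name__ == "__main__":
    for label, cfg in (("overlap", SAMPLE_OVERLAP), ("fixed", SAMPLE_FIXED)):
        print(label, pool_overlaps(cfg) or "no pool/interface overlap")
```

On IOS Easy VPN configs a hit on the Virtual-Template interface is expected when the pool is carved from the tunnel subnet; the hit that matters for this thread is one against the inside LAN.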
-
VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN
Hi
my scenario is as follows
SERVER1 on lan (192.168.1.4)
|
|
CISCO-887 (192.168.1.254)
|
|
INTERNET
|
|
VPN Cisco client on windows 7 machine
My connection has a public IP address assigned by the ISP, after PPP login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0 but without luck)
Perhaps ACL problem?
Building configuration...
Current configuration : 4921 bytes
! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TestLab
boot-start-marker
boot-end-marker
enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3013130599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3013130599
revocation-check none
rsakeypair TP-self-signed-3013130599
crypto pki certificate chain TP-self-signed-3013130599
certificate self-signed 01
quit
no ip domain lookup
ip cef
no ipv6 cef
license udi pid CISCO887VA-K9 sn ***********
username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key NetasTest
dns 8.8.4.4
pool VPN-Pool
acl 120
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip address 192.168.2.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ****
ppp chap password 0 *********
ppp pap sent-username ****** password 0 *******
no cdp enable
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 remark
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 remark
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
line con 0
exec-timeout 5 30
password ******
no modem enable
line aux 0
line vty 0 4
password ******
transport input all
end
Best Regards,
I've updated IOS to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from rv320 to 871 and vice versa. Ping still not working.
router#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.100
Desc: (none)
IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active
Capabilities:(none) connid:2001 lifetime:07:19:22
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
Active SAs: 4, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162