Linksys WRV200 pinging internal LAN

I'm having this weird problem with my WRV200 router (IP 172.18.12.16) that has now happened for the third time. The router broadcasts ICMP packets to my internal LAN. The source is the router itself. The only fix at this time is to reboot the router, but it does come back at no specific time. Has anyone seen this problem? The router does have the latest firmware available, and has the default settings (more or less).
No. Time Source Destination Protocol Info
1 0.000000 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 1 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
2 0.399973 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 2 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
3 0.809906 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 3 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
4 0.969284 Cisco-Li_06:d3:64 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:18:39:06:d3:64 Cost = 0 Port = 0x8001
Frame 4 (60 bytes on wire, 60 bytes captured)
IEEE 802.3 Ethernet
Logical-Link Control
Spanning Tree Protocol
No. Time Source Destination Protocol Info
5 0.999938 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 5 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
6 1.399928 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 6 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
7 1.810387 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 7 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
8 1.999827 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 8 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
9 2.399864 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 9 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10 2.809766 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 10 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
11 2.969142 Cisco-Li_06:d3:64 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:18:39:06:d3:64 Cost = 0 Port = 0x8001
Frame 11 (60 bytes on wire, 60 bytes captured)
IEEE 802.3 Ethernet
Logical-Link Control
Spanning Tree Protocol
No. Time Source Destination Protocol Info
12 2.999805 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 12 (98 bytes on wire, 98 bytes captured)
Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
Internet Control Message Protocol

I'm noticing the same behavior with my WRV200. If I ping the router from a wired or wireless connection, I get an 85% loss rate. The 15% that do reply average close to 2,000 ms!!! I installed Microsoft Network Monitor 3.1 and captured over 40,000 ICMP broadcasts coming from the Linksys router in a very short period of time, ~10 to 15 minutes. If I power cycle the router, everything returns to normal... for a day or two, that is. Linksys support only seems to want to "reset" your router or change the MTU to a different value. Class A support! I'm still researching and will update if I don't end up buying another brand.
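
The pattern in the capture above can be checked mechanically. The following is an added example, not part of either post: it parses packet-list summary lines in the layout shown and reports any source that sends ICMP echo requests to the subnet broadcast address. The /16 LAN prefix is an assumption inferred from the 172.18.255.255 destination, and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Summary lines 1-6 and the header/detail lines are copied from the capture in
# the post; line 7 is a constructed unicast ping added for contrast.
SAMPLE_EXPORT = """\
No. Time Source Destination Protocol Info
1 0.000000 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
Frame 1 (98 bytes on wire, 98 bytes captured)
2 0.399973 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
3 0.809906 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
4 0.969284 Cisco-Li_06:d3:64 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:18:39:06:d3:64 Cost = 0 Port = 0x8001
5 0.999938 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
6 1.399928 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
7 1.500000 172.18.12.40 172.18.12.16 ICMP Echo (ping) request
"""

# Assumption: the post never states the mask; 172.18.255.255 implies a /16.
LAN = "172.18.0.0/16"

# One packet-list row: number, relative time, source, destination, protocol, info.
SUMMARY_RE = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*)$"
)


def parse_summary_lines(text):
    """Yield one dict per packet-list row; header and detail lines are skipped."""
    for line in text.splitlines():
        match = SUMMARY_RE.match(line)
        if match:
            yield match.groupdict()


def broadcast_ping_sources(text, lan, min_count=3):
    """Return {source: stats} for hosts pinging the LAN broadcast address."""
    net = ipaddress.ip_network(lan)
    limited = ipaddress.ip_address("255.255.255.255")
    times = defaultdict(list)
    for row in parse_summary_lines(text):
        if row["proto"] != "ICMP" or "Echo (ping) request" not in row["info"]:
            continue
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            continue  # destination column holds a resolved name, not an address
        if dst == net.broadcast_address or dst == limited:
            times[row["src"]].append(float(row["time"]))

    findings = {}
    for src, stamps in times.items():
        if len(stamps) < min_count:
            continue  # a handful of broadcast pings is not a storm
        stamps.sort()
        span = stamps[-1] - stamps[0]
        findings[src] = {
            "count": len(stamps),
            "span_s": round(span, 3),
            # Packets per second over the observed window.
            "rate_pps": round((len(stamps) - 1) / span, 2) if span > 0 else None,
        }
    return findings


if __name__ == "__main__":
    for src, stats in broadcast_ping_sources(SAMPLE_EXPORT, LAN).items():
        print(src, stats)
```

Run over a full export, a sustained rate from the router's own address separates this behavior from an occasional broadcast ping sent by a monitoring host.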

Similar Messages

  • Intermittent Internet Connection and VPN clients can't ping internal LAN but connected after installating cisco ASA5512x

    Hi!
    I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
    ISP ->  Firewall -> Core switch -> Internal LAN
    After installing the Cisco ASA and terminating the appropriate LAN for the outside and inside interfaces, the internet seems intermittent, and the Cisco VPN client can connect with an internet connection but can't ping the internal LAN.
    Here's my configuration from my firewall.
    ASA Version 8.6(1)2
    hostname ciscofirewall
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 203.x.x.x 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.152.11.15 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 4.2.2.2 -------> public DNS
    name-server 8.8.8.8 -------> public
    name-server 203.x.x.x   ----> Clients DNS
    name-server 203.x.x.x  -----> Clients DNS
    same-security-traffic permit intra-interface
    object network net_access
    subnet 10.0.0.0 255.0.0.0
    object network citrix_server
    host 10.152.11.21
    object network NETWORK_OBJ_10.10.10.0_28
    subnet 10.10.10.0 255.255.255.240
    object network NETWORK_OBJ_10.0.0.0_8
    subnet 10.0.0.0 255.0.0.0
    object network InterconHotel
    subnet 10.152.11.0 255.255.255.0
    access-list net_surf extended permit ip any any
    access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
    access-list outside_access extended permit tcp any object citrix_server eq www
    access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
    access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
    access-list LAN_Users remark LAN_clients
    access-list LAN_Users standard permit any
    access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
    object network net_access
    nat (inside,outside) dynamic interface
    object network citrix_server
    nat (inside,outside) static 203.177.18.234 service tcp www www
    object network NETWORK_OBJ_10.10.10.0_28
    nat (any,outside) dynamic interface
    object network InterconHotel
    nat (inside,outside) dynamic interface dns
    access-group outside_access in interface outside
    access-group net_surf out interface outside
    route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
    route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.100 255.255.255.255 inside
    http 10.10.10.0 255.255.255.240 outside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 10.152.11.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    enable outside
    anyconnect-essentials
    group-policy outsidevpn internal
    group-policy outsidevpn attributes
    dns-server value 203.x.x.x 203.x.x.x
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
    split-tunnel-policy tunnelall
    split-tunnel-network-list value outsidevpn_splitTunnelAcl
    default-domain value interconti.com
    address-pools value vpnpool
    username test1 password i1lji/GiOWB67bAs encrypted privilege 5
    username test1 attributes
    vpn-group-policy outsidevpn
    username mnlha password WlzjmENGEEZmT9LA encrypted
    username mnlha attributes
    vpn-group-policy outsidevpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    tunnel-group outsidevpn type remote-access
    tunnel-group outsidevpn general-attributes
    address-pool (inside) vpnpool
    address-pool vpnpool
    authentication-server-group (outside) LOCAL
    default-group-policy outsidevpn
    tunnel-group outsidevpn ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect http
      inspect ipsec-pass-thru
    class class-default
      user-statistics accounting
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
    : end
    thanks. please help.

    I think you should change your nat-exemption rule to something more general, like
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
    because your inside networks are not the same as your vpn-pool subnet.
    Plus, if you're trying to reach inside subnets different from 10.152.11.0 255.255.255.0 (the subnet from which an IP is assigned to your inside interface, and for which the above nat exception should be enough), you should check whether routing is configured from those subnets to your vpn-pool subnet through the ASA.
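
The point made in the reply above can be verified against the posted configuration. The following is an added example, not code from the thread or from Cisco: it parses only the statements it needs (interface addresses, network objects, the local pool, identity twice-NAT rules) and tests whether an exemption covers traffic from the inside subnet to the VPN pool. Function names are illustrative, and rule ordering and object-groups are not modelled.

```python
import ipaddress
import re

# Lines copied from the configuration posted in the question (only the
# statements this check needs).
POSTED_CONFIG = """\
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
"""

# The rule proposed in the reply, copied from the thread.
SUGGESTED_RULE = ("nat (inside,outside) source static any any destination static "
                  "NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28 "
                  "no-proxy-arp route-lookup")

ANY = ipaddress.ip_network("0.0.0.0/0")
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def parse(config):
    """Extract network objects, interface subnets, pools and twice-NAT rules."""
    objects, ifaces, pools, rules = {"any": ANY}, {}, {}, []
    cur_if = cur_obj = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)  # normalise runs of spaces
        try:
            if words[0] == "interface":
                cur_if = cur_obj = None
            elif words[0] == "nameif" and len(words) == 2:
                cur_if = words[1]
            elif words[:3] == ["ip", "local", "pool"] and len(words) >= 5:
                first, _, last = words[4].partition("-")
                pools[words[3]] = (ipaddress.ip_address(first),
                                   ipaddress.ip_address(last or first))
            elif words[:2] == ["ip", "address"] and len(words) >= 4 and cur_if:
                ifaces[cur_if] = ipaddress.ip_network(
                    f"{words[2]}/{words[3]}", strict=False)
            elif words[:2] == ["object", "network"] and len(words) == 3:
                cur_obj = words[2]
            elif words[0] == "subnet" and len(words) == 3 and cur_obj:
                objects[cur_obj] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            elif words[0] == "host" and len(words) == 2 and cur_obj:
                objects[cur_obj] = ipaddress.ip_network(f"{words[1]}/32")
        except ValueError:
            continue  # e.g. "ip address dhcp" or a masked-out 203.x.x.x value
        match = NAT_RE.match(line)
        if match:
            keys = ("real_if", "mapped_if", "src", "src_mapped", "dst", "dst_mapped")
            rules.append(dict(zip(keys, match.groups())))
    return objects, ifaces, pools, rules


def exemption_covers(config, inside_if, pool_name):
    """True if an identity twice-NAT rule matches inside subnet -> whole pool."""
    objects, ifaces, pools, rules = parse(config)
    inside_net = ifaces[inside_if]
    first, last = pools[pool_name]
    for rule in rules:
        if rule["real_if"] not in (inside_if, "any"):
            continue
        # An exemption translates source and destination to themselves.
        if rule["src"] != rule["src_mapped"] or rule["dst"] != rule["dst_mapped"]:
            continue
        src_net, dst_net = objects.get(rule["src"]), objects.get(rule["dst"])
        if src_net is None or dst_net is None:
            continue
        if inside_net.subnet_of(src_net) and first in dst_net and last in dst_net:
            return True
    return False


def replace_nat(config, new_rule):
    """Return the config with its twice-NAT lines swapped for new_rule."""
    kept = [l for l in config.splitlines() if not l.strip().startswith("nat (")]
    return "\n".join(kept + [new_rule]) + "\n"


if __name__ == "__main__":
    print("posted rule covers inside -> pool:",
          exemption_covers(POSTED_CONFIG, "inside", "vpnpool"))
    print("suggested rule covers inside -> pool:",
          exemption_covers(replace_nat(POSTED_CONFIG, SUGGESTED_RULE),
                           "inside", "vpnpool"))
```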

  • ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

    Hi community,
    I configured an IPSec remote access VPN on the ASA, and remote clients use the Cisco VPN client to connect to the HQ. The VPN is working now; VPN clients can connect to servers inside and to IT's subnet, but my PC or servers inside the LAN cannot ping or initiate an RDP session to connected VPN clients. Below is my configuration:
    object-group network RemoteVPN_LocalNet
     network-object 172.29.168.0 255.255.255.0
     network-object 172.29.169.0 255.255.255.0
     network-object 172.29.173.0 255.255.255.128
     network-object 172.29.172.0 255.255.255.0
    access-list Split_Tunnel remark The Corporation network behind ASA
    access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
    ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
    nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
    crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
    crypto dynamic-map dyn1 1 set ikev1 transform-set myset
    crypto map mymap 65000 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    tunnel-group remotevpngroup type remote-access
    tunnel-group remotevpngroup general-attributes
     address-pool remotevpnpool
     authentication-server-group MS_LDAP LOCAL
     default-group-policy Split_Tunnel_Policy
    I don't know what I am missing in order to have the internal LANs initiate connections to connected VPN clients. Please guide me.
    Thanks in advance.

    Hi tranminhc,
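    Step 1: Create an object.
    object network vpn_clients
     subnet 10.88.61.0 255.255.255.0
    Step 2: Create a standard ACL.
    access-list my-split standard permit 172.29.168.0 255.255.255.0
    access-list my-split standard permit 172.29.169.0 255.255.255.0
    access-list my-split standard permit 172.29.173.0 255.255.255.128
    access-list my-split standard permit 172.29.172.0 255.255.255.0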
    Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
    no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
    Step 4: Create new nat exemption.
    nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
    Step 5: Apply ACL on the tunnel.
    group-policy Split_Tunnel_Policy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value my-split
    Step 6:
    I assume you have a default route on your inside L3 switch point back to ASA's inside address.  If you don't have one.
    Please add a default or add static route as shown below.
    route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx 
    xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
    Hope this helps.
    Thanks
    Rizwan Rafeek

  • Remote access VPN with Cisco Router - Can not get the Internal Lan .

    Dear Sir ,
    I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job. Please see the attachment for the scenario, configuration and ping status.
    I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. I need your help to solve the issue.
    Below is the IP address of the device.
    Local PC, connected to Router-2 (through MS Loopback): IP address 10.10.10.2, mask 255.255.255.0
    Router-2: F0/1, IP address 10.10.10.1, mask 255.255.255.0; F0/0, IP address 20.20.20.2, mask 255.255.255.0
    Router-1: F0/0, IP address 20.20.20.1, mask 255.255.255.0; F0/1, IP address 192.168.1.1, mask 255.255.255.0
    PC-01: F0/1, IP address 192.168.1.3, mask 255.255.255.0
    I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for the ping status. So connectivity is OK from my local PC to remote Routers 1 and 2.
    Through the Cisco remote VPN client, I can get connected to the VPN router R1 (please see the VPN client picture), but I cannot ping the network 192.168.1.0.
    I need your help to fix the problem.
    Router R2 Configuration :!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip tcp synwait-time 5
    interface FastEthernet0/0
    ip address 20.20.20.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 10.10.10.1 255.255.255.0
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    end
    Router R1 Configuration :
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login USERAUTH local
    aaa authorization network NETAUTHORIZE local
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    username vpnuser password 0 strongpassword
    ip tcp synwait-time 5
    crypto keyring vpnclientskey
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group remotevpn
    key cisco123
    dns 192.168.1.2
    wins 192.168.1.2
    domain mycompany.com
    pool vpnpool
    acl VPN-ACL
    crypto isakmp profile remoteclients
    description remote access vpn clients
    keyring vpnclientskey
    match identity group remotevpn
    client authentication list USERAUTH
    isakmp authorization list NETAUTHORIZE
    client configuration address respond
    crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
    crypto dynamic-map DYNMAP 10
    set transform-set TRSET
    set isakmp-profile remoteclients
    crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
    interface FastEthernet0/0
    ip address 20.20.20.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPNMAP
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpnpool 192.168.50.1 192.168.50.10
    ip forward-protocol nd
    ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
    ip access-list extended NAT-ACL
    deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended VPN-ACL
    permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    end

    Dear All,
    I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job.
    Please see the attachment for the scenario, configuration and ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. I need your help to solve the issue.
    Waiting for your response.
    --Milon

  • Help, How to configure cisco ASA5505 to permit access to internal LAN

    Hi everyone,
    Once more I am stuck into another dilemma , I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool.
    From outside (on VPN connection) I can ping the interface e0/0 (outside)  and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN.
    I hope my explanation makes sense. I am available at any time if further information is needed. Please find attached my ASA config.
    Best regards,
    BEN

    Many thanks Marvin,
    I have configured the router ospf the way you instructed me, I have changed the VPN pool to a completely different class of 10.0.1.0/24, and I have also configured: access-list OUTSIDE_IN_ACL permit icmp any any echo-reply and access-group OUTSIDE_IN_ACL in interface outside. But from my VPN connection I can only ping both interfaces of the ASA and nothing else.
    Please find attached my ASA and the layer 3 switch configs, and also the ASA and L3 switch ip route output.
    Note this: when connected to my VPN, cmd> ipconfig /all is showing as follows:
    ip address 10.0.1.100
    Subnet Mask 255.0.0.0
    Def Gateway 10.0.0.1
    dns server 192.168.30.3
    Best regards,
    BEN.
    Message was edited by: Bienvenu Ngala

  • From Azure unable to connect internal LAN network with windows RRAS site to site VPN

    Hi All,
    Below is my scenario.
    Our side.
    We have installed RRAS on Windows 2012 R2 on VMware and created a site to site VPN with azure.
    on RRAS server we have two interfaces
    eth0- 10.1.1.1
    eth1- 10.1.1.2
    We have natted(static nat) internal ip (eth0) 10.1.1.1 with public ip 1.1.1.1 (eg.).
    On Azure,
    We created a gateway, and two VMs.
    VM1 = 11.11.11.1
    VM2 = 11.11.11.2
    Both VMs can ping each other.
    VPN gateway on Azure and demand dial on RRAS server shows connected and, in and out data shows as well.
    We can ping, tracert and rdp the RRAS server using both the interfaces IP [eth0- 10.1.1.1   ,    eth1- 10.1.1.2]
    But we are unable to ping, tracert or rdp our other internal Lan machines on 10.1.x.x
    So we can reach Azure VM from our RRAS and
    we can reach RRAS server from Azure VM.
    But we cannot reach our other internal Lan machines from Azure VM and from other internal Lan machine to Azure VM.
    Please help?

    I will give you some pointers to check.
    The reason for this could be one of the two
    - local site in azure virtual network is not configured correctly
    - route for the azure subnet is not setup correctly on rras server
    Can you please validate the above?
    Open the Routing and Remote access UI and verify that there is a static route for azure subnet and the interface is the public ip of the azure gateway.
    Also verify that you have a local site created with the on-premises subnet and added in the azure virtual network.
    What is the gateway specified in the on-premises VM? Provide it as the IP of eth1, the IP that is not natted.
    Is NAT allowing all traffic in, or is it restricted to certain points?
    This posting is provided "AS IS" with no warranties, and confers no rights

  • Can not ping internal network from ASA

    I can not ping internal computer from ASA. Comp IP address 192.168.187.15, gateway is 192.168.187.14 which is ASA internal interface. I've got an IP Phone connected to the same ASA with Ip address 192.168.185.15 and internal ASA interface 192.168.185.14 and everything works fine. We are doing testing, do not be surprised of configuration.
    ASA Version 8.2(1)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface GigabitEthernet0/0
    nameif ouside3
    security-level 0
    ip address 10.254.17.25 255.255.255.248
    interface GigabitEthernet0/1
    nameif outside
    security-level 0
    ip address 10.254.17.9 255.255.255.248
    interface GigabitEthernet0/2
    nameif Lan
    security-level 100
    ip address 192.168.185.14 255.255.255.0
    interface GigabitEthernet0/3
    nameif comp
    security-level 50
    ip address 192.168.187.14 255.255.255.0
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    access-list 110 extended permit ip any any
    access-list nat extended permit ip any any
    access-list allow_ping extended permit icmp any any echo-reply
    access-list allow_ping extended permit icmp any any source-quench
    access-list allow_ping extended permit icmp any any unreachable
    access-list allow_ping extended permit icmp any any time-exceeded
    access-list allow_ping extended permit udp any any eq isakmp
    access-list allow_ping extended permit esp any any
    access-list allow_ping extended permit ah any any
    access-list allow_ping extended permit gre any any
    access-list nonat extended permit ip any any
    access-list nat2 extended permit ip any any
    access-list nonat2 extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu ouside3 1500
    mtu outside 1500
    mtu Lan 1500
    mtu comp 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (Lan) 0 access-list nonat
    nat (Lan) 1 access-list nat
    nat (comp) 0 access-list nonat
    nat (comp) 1 access-list nat
    access-group allow_ping in interface outside
    router eigrp 2008
    neighbor 10.254.17.10 interface outside
    network 10.254.17.8 255.255.255.248
    network 192.168.185.0 255.255.255.0
    network 192.168.187.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map mymap 10 match address 110
    crypto map mymap 10 set peer 10.254.17.10
    crypto map mymap 10 set transform-set myset
    crypto map mymap interface outside
    crypto map mymap2 20 match address 110
    crypto map mymap2 20 set peer 10.254.17.18
    crypto map mymap2 20 set transform-set myset
    crypto map mymap2 interface comp
    crypto map mymap3 30 match address 110
    crypto map mymap3 30 set peer 10.254.17.26
    crypto map mymap3 30 set transform-set myset
    crypto map mymap3 interface ouside3
    crypto isakmp identity address
    crypto isakmp enable ouside3
    crypto isakmp enable outside
    crypto isakmp enable comp
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    priority-queue outside
    threat-detection basic-threat

    This is what I get, looks like ASA does not reply. Why?
    ciscoasa# sh capture cpi
    5 packets captured
    1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
    2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
    3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
    4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
    5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request

  • Cannot access internal LAN after VPN connect

    I know this is either an ACL or NAT issue that I cannot figure out.  The nat-t config is defaulted in the IOS config for the ASA.  I actually forgot the command to show the hidden default config lines.  Either way, can someone take a look at my config, and let me know what I am doing wrong, again.
    Thanks ahead of time.
    ASA Version 8.2(2)
    hostname ciscousa
    enable password
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 1.1.1.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 14.14.11.5 255.255.255.0
    interface Vlan3
    shutdown
    no forward interface Vlan2
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    speed 100
    duplex full
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list outside_in extended permit icmp any any
    access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
    access-list inside_nat0 extended permit ip any 10.12.27.0 255.255.255.0
    access-list split_tunnel standard permit 1.1.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool vpnpool 10.12.27.100-10.12.27.120 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 14.14.11.6 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 1.1.1.0 255.255.255.0 inside
    http 1.1.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map inet-1_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map inet-1_map 65535 ipsec-isakmp dynamic inet-1_dyn_map
    crypto map inet-1_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpnipsec internal
    group-policy vpnipsec attributes
    wins-server value 1.1.1.16
    dns-server value 1.1.1.16
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    default-domain value company.com
    tunnel-group vpnipsec type remote-access
    tunnel-group vpnipsec general-attributes
    address-pool vpnpool
    default-group-policy vpnipsec
    tunnel-group vpnipsec ipsec-attributes
    pre-shared-key *****
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512

    Hello,
    I have been trying to get this to work within the last week but to no avail.  I changed my config altogether and started from scratch.  I have Split Tunnel working well, and I can access the VPN client from the internal LAN.  But I still cannot access the internal LAN from the VPN client host.    Can anyone take a look at my config and tell me what ACL\Access Group I am missing.  I know I am close but I cannot get over the hump.
    Thanks!
    ASA Version 8.2(2)
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    interface Vlan3
    shutdown
    no forward interface Vlan2
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    speed 100
    duplex full
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_in extended permit icmp any any
    access-list outside_in_vpn extended permit ip 192.168.3.0 255.255.255.0 any
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list split_tunnel standard permit 192.168.0.0 255.255.0.0
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool ipvpn 192.168.3.100-192.168.3.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_in in interface outside control-plane
    access-group outside_in_vpn in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map internet-1_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet-1_map 65535 ipsec-isakmp dynamic internet-1_dyn_map
    crypto map internet-1_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    group-policy vpnipsec internal
    group-policy vpnipsec attributes
    wins-server value 192.168.1.5
    dns-server value 192.168.1.5
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value company.com
    tunnel-group vpnipsec type remote-access
    tunnel-group vpnipsec general-attributes
    address-pool ipvpn
    default-group-policy vpnipsec
    tunnel-group vpnipsec ipsec-attributes
    pre-shared-key *
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    Cryptochecksum:7e41045c9d7c66ac2c03c3b12ae63908

  • Problems getting static NAT to work between two internal lans

    Hi, I'm trying the old problem of routing between two internal LANs. This on cli 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static nats are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the nat policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
    Manual NAT Policies (Section 1)
    1 (office) to (inside) source static inside-office inside-office   destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 3
    2 (inside) to (office) source static inside-ld5 inside-ld5   destination static inside-office inside-office no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 0
    interface GigabitEthernet0/0
    nameif inside-ld5
    security-level 100
    ip address 10.20.15.2 255.255.255.0
    interface GigabitEthernet0/6
    nameif office
    security-level 100
    ip address 10.20.11.9 255.255.255.0
    object network inside-ld5
    subnet 10.20.15.0 255.255.255.0
    object network inside-office
    subnet 10.20.11.0 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup

    Hi Kevin,
    because your interfaces inside and office are in the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
    Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected, so routing should work (instead of NAT).
    Best Regards,
    Jan

  • I have a Linksys WRV200 wireless router and the wireless signal is not working properly so I cannot connect to the internet wirelessly. the wireless light has a fast green blinking light. how can I fix the router?

    I have a Linksys WRV200 wireless router and the wireless signal is not working properly so I am unable to connect to the internet wirelessly.  The wireless light is blinking green very quickly and I connect and disconnect from the network constantly.  How do I get the router to work properly?

    Hello James,
    The flashing WLAN light means activity (data getting transferred). Try disconnecting all your devices and check whether the light is still flashing or disconnect the router from internet and do the check.
    Do you have your SSID as linksys or the default one? If your neighbor has the same SSID, then traffic could result from your neighbor's one. Try changing your SSID and password. Make your security WPA/WPA2.
    Hope this helps,
    Thanks
    Vijay

  • Internal LAN adapter configuration commands

    Could anyone describe to me the meaning of the hsma command option:
    7206MEDA(cfg-lan-Token 0)#adapter 1 4000.0047.4522
    7206MEDA(cfg-adap-Token 0-1)#?
    Internal Lan Adapter configuration commands:
    hsma Hot Standby MAC Address parameters
    Thanks in advance for any information

    Hi,
    I have attached a document describing what hsma is all about in more detail, including sample configurations.
    In very simple words, it is a mechanism, a little bit like HSRP, to allow two CIPs to back each other up. You configure a virtual adapter which is always active on only one of the two CIPs, and they monitor each other. If one CIP goes down, the other one takes over and activates the virtual adapter.
    When the two CIP routers were connected to a Token Ring infrastructure, the redundancy was achieved by using the same MAC address on the CIPs, reachable over two different source-bridged paths using different RIFs.
    If you connect the two CIP routers via Ethernet, then there is no RIF field in your packets anymore, so you cannot do source bridging. Additionally, the CAM table of an Ethernet switch cannot deal with the same MAC address appearing twice on different ports in the same VLAN.
    HSMA allows for a similar level of redundancy if your CIP routers are connected via an Ethernet backbone.
    thanks...
    Matthias

  • How to Block an Internal LAN IP to send mail

    I have Sun Java Messaging Server 6.1
    It is Open relay on the server. The Public IP of my mail server is configured on Firewall, from there it is NAT to internal LAN IP of the mail server.
    I want to get/receive mail on this Internal IP and want to block this IP to send any mail out. (How can I do that. Guide me in securing my server from it ). I don't have much experience on it, so tell me how to Close the open relay.
    Thanks.
    (u can mail me at : [email protected])
    MAK.

    Thanks for the reply. I put the complete local C class in internal-ip in mappings file. the mail comes from 192.168.0.39 from outside. How to define that all Class can send mail except of this .39 because of spamming.
    Here r some entries from log file:
    19-Oct-2004 11:07:48.01 tcp_local R 5 rfc822;[email protected] [email protected] Illegal host/domain name found (TCP active open: Failed gethostbyname() on ms050.url.com.tw, resolver errno = 1)
    19-Oct-2004 11:07:48.95 tcp_local R 5 rfc822;[email protected] [email protected] Illegal host/domain name found (TCP active open: Failed gethostbyname() on ms40.hinet.net, resolver errno = 1)
    19-Oct-2004 11:07:49.73 tcp_local D 5 rfc822;[email protected] [email protected] dns;ms75a.hinet.net (ms75.hinet.net ESMTP Sendmail 8.8.8/8.8.8; Tue, 19 Oct 2004 14:08:39 +0800 [CST]) smtp;250 <[email protected]>... Recipient ok
    19-Oct-2004 11:07:51.56 tcp_local D 5 rfc822;[email protected] [email protected] dns;ms16a.hinet.net (ms16.hinet.net ESMTP Sendmail 8.8.8/8.8.8; Tue, 19 Oct 2004 14:08:40 +0800 [CST]) smtp;250 <qwsuhgadfrryoj@ms16.hinet.net>... Recipient ok
    19-Oct-2004 11:31:21.68 tcp_local process E 2 rfc822;[email protected] [email protected]
    19-Oct-2004 11:31:21.68 tcp_local process E 2 rfc822;[email protected] [email protected]
    s;mx1.yam.com (mx1.yam.com ESMTP) smtp;250 Ok
    19-Oct-2004 11:53:01.08 tcp_local D 8 [email protected] rfc822;[email protected] [email protected] dns;mx1.yam.com (mx1.yam.com ESMTP) smtp;250 Ok
    19-Oct-2004 11:53:03.44 tcp_local process E 1 rfc822;[email protected] [email protected]
    19-Oct-2004 11:53:03.89 tcp_local process E 11 rfc822;[email protected] [email protected]
    19-Oct-2004 11:44:34.04 tcp_local Q 2 [email protected] rfc822;[email protected] [email protected] Temporary error returned by SMTP partner. smtp;421 VS1-IP Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/spam-18.html (#4.1.8)
    Its a very huge log file. If u want to see I can e-mail to u... If required plz give me ur e-mail.
    I would be grateful if u solve my problem. I can see about 10GB of mail Queue, and make the server dead slow. and Network also choked.
    Thanks.

  • RDS 2012 - Using a reverse proxy with the Gateway server on the internal LAN

    Hi there,
    I'm looking to introduce an RDS 2012 farm and would like to put the RDS Gateway server on the internal LAN (due to its AD requirements etc).
    What are the best practise options for using a reverse proxy to forward traffic to the gateway server and is it better to do this than just forward 443 traffic from the DMZ through to the Gateway directly?
    Thanks,
    Paul.

    Hi Paul,
    It is generally considered more secure to have a reverse proxy in front of RDG.  I don't know of a proxy that will handle the RDG UDP traffic, so you will need to consider using direct server return for that or not having the benefit of UDP.  Whether or not it is acceptable to simply forward TCP 443/UDP 3391 directly to your internal RDG is up to your security policies.  Many companies are fine with it while many other companies think it is unacceptable and require a reverse proxy or other method to provide an extra layer of protection.
    -TP

  • VPN Clients can't access internal LAN

    Hello - I have seen a few other threads on this issue, but can't seem to fix mine. I have a PIX 506e. My VPN clients can connect, they get a DHCP address from our internal server no problem. But the clients can not ping me or anything else on the LAN. The clients are connecting ipsec. I know I must be missing something simple here. Here is my config. Any help would be great

    Change the VPN Pool address to something else for example 192.168.10.0/24 etc. Then try and let me know. There could be ip overlap here.
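The overlap check suggested in the reply above can be run against a saved PIX/ASA configuration before changing the pool. This is an added example, not part of the thread: the sample config is constructed, and the function names `parse_config` and `pool_overlaps` are hypothetical.

```python
import ipaddress
import re

# Constructed sample in PIX/ASA syntax; all addresses are illustrative.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.5 255.255.255.0
interface Vlan3
 nameif dmz
 ip address dhcp
ip local pool vpn_lan 192.168.1.200-192.168.1.220 mask 255.255.255.0
ip local pool vpn_ok 192.168.10.100-192.168.10.120 mask 255.255.255.0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
# Matches both "ip address <ip> <mask>" inside an interface block (ASA 7.x+)
# and the older one-line form "ip address <nameif> <ip> <mask>" (PIX 6.x).
ADDR_RE = re.compile(r"^\s*ip address (?:([A-Za-z]\S*) )?" + IPV4 + " " + IPV4)
POOL_RE = re.compile(r"^\s*ip local pool (\S+) " + IPV4 + r"(?:-" + IPV4 + r")?")


def parse_config(text):
    """Return ({nameif: IPv4Network}, {pool_name: (first_ip, last_ip)})."""
    interfaces, pools = {}, {}
    current = None  # nameif of the interface block being read
    for line in text.splitlines():
        if line.startswith("interface "):
            current = None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)  # "ip address dhcp" does not match and is skipped
        if m:
            name = m.group(1) or current or "unnamed"
            iface = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            interfaces[name] = iface.network
            continue
        m = POOL_RE.match(line)
        if m:
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3) or m.group(2))
            pools[m.group(1)] = (first, last)
    return interfaces, pools


def pool_overlaps(interfaces, pools):
    """List (pool, nameif, subnet) for every pool range that touches a
    directly connected subnet."""
    findings = []
    for pname, (first, last) in sorted(pools.items()):
        for iname, net in sorted(interfaces.items()):
            # Two ranges overlap when each one starts before the other ends.
            if first <= net.broadcast_address and last >= net.network_address:
                findings.append((pname, iname, str(net)))
    return findings


if __name__ == "__main__":
    for pool, nameif, subnet in pool_overlaps(*parse_config(SAMPLE_CONFIG)):
        print(f"pool {pool} overlaps {nameif} subnet {subnet}")
```
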

  • VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

    Hi
    my scenario is as follows
    SERVER1 on lan (192.168.1.4)
    |
    |
    CISCO-887 (192.168.1.254)
    |
    |
    INTERNET
    |
    |
    VPN Cisco client on windows 7 machine
    My connection has a public IP address assigned by the ISP, after ppp login.
    I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
    All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
    But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
    I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
    What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0 but without luck)
    Perhaps ACL problem?
    Building configuration...
    Current configuration : 4921 bytes
    ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname TestLab
    boot-start-marker
    boot-end-marker
    enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-3013130599
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3013130599
    revocation-check none
    rsakeypair TP-self-signed-3013130599
    crypto pki certificate chain TP-self-signed-3013130599
    certificate self-signed 01
    quit
    no ip domain lookup
    ip cef
    no ipv6 cef
    license udi pid CISCO887VA-K9 sn ***********
    username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
    username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
    controller VDSL 0
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group EXTERNALS
    key NetasTest
    dns 8.8.4.4
    pool VPN-Pool
    acl 120
    crypto isakmp profile ciscocp-ike-profile-1
    match identity group EXTERNALS
    client authentication list ciscocp_vpn_xauth_ml_2
    isakmp authorization list ciscocp_vpn_group_ml_2
    client configuration address respond
    virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA1
    set isakmp-profile ciscocp-ike-profile-1
    interface Ethernet0
    no ip address
    shutdown
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    hold-queue 224 in
    pvc 8/35
    pppoe-client dial-pool-number 1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface Virtual-Template1 type tunnel
    ip address 192.168.2.1 255.255.255.0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Dialer0
    ip address negotiated
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname ****
    ppp chap password 0 *********
    ppp pap sent-username ****** password 0 *******
    no cdp enable
    ip local pool VPN-Pool 192.168.2.210 192.168.2.215
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 100 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 100 remark
    access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 100 remark
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 120 remark
    access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    line con 0
    exec-timeout 5 30
    password ******
    no modem enable
    line aux 0
    line vty 0 4
    password ******
    transport input all
    end
    Best Regards,

    I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin  and tried to ping from rv320 to 871 and vice versa. Ping still not working.
    router#sh crypto session detail 
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection     
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: Dialer0
    Uptime: 00:40:37
    Session status: UP-ACTIVE     
    Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 192.168.1.100
          Desc: (none)
      IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
              Capabilities:(none) connid:2001 lifetime:07:19:22
      IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
            Active SAs: 4, origin: dynamic crypto map
            Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
            Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162
