Linux 3.9 VPN Client

Similar Messages

• Is there really a Cisco VPN client for Linux? _Really?_

  Hello folks,           
          I've finally after almost experiencing a brain aneurysm by trying to think too hard got my Cisco 881-SEC-K9 router properly configured for a multipoint IPSec VPN tunnel to my Amazon Virtual Private Cloud, so that hurdle is finally passed and I actually feel it was a very important milestone in my life somehow. I never thought I'd see the day I actually got my hands on a legitimate Cisco non-stink... erm.. I mean, non-linksys router. Now I just can't seem to find a 'client' VPN program for Linux. I'm currently running a Xen Hypervisor environment on openSUSE Linux because it's the only Linux distribution that completes all of my strenous requirements in a Linux server environment. It's also the most mature, and secure Linux on this planet, making it the most appreciable Linux distribution for my research needs.  Using NetworkManager is not really an option for a basic Linux server environment, and OpenVPN is just too confusing to comprehend for my tiny little head.  I've heard mention of some mysterious "Easy VPN" but after hours of digging online can't find any information about it, even the Cisco download link leads to a Page Not Found error.  I do see a Linux VPN API for the AnyConnect program, but is that an actual VPN client, or just an API?  It seems to want my money to download it but I don't have any money nor do I really know what it is because it's all secretive-like, closed source, and I can't even find a simple README file on it explaining what it is exactly.  I'm just an out-of-work software developer trying to connect to my home router for personal use and I can't really afford to fork over a million and a half dollars for a single program that I'm only going to need to download once in my lifetime that should have been included with the router in the first place. I more than likely won't even be able to figure out how to use the program anyways because I don't know anything about VPN connections which is why I bought this router so I can try to figure it all out as part of the not-for-profit open source, volunteer research I'm presently trying to conduct.  Is there some kind of evaluation or trial period for personal use? That would be really nice so I could at least figure out if I'm going to be able to figure it out or not.  I hate throwing money away when it's in such short supply these days. There's really no alternative to a Cisco router.  It's an absolute necessity for the things I'm trying to accomplish, so trying to settle for something else and going on with my life is not really an option. No, this is something I just need to face head on and get it over with.
  <Rant>
         Maybe I have a little too much crazy in me for my own good, but I don't see why it should take so much money just to learn how to do something for personal reference, it's not really a skill I would ever use otherwise.  Wouldn't it be great if Cisco made their VPN client open source and free to the public to use and modify, to improve on, to learn and to grow and bring the whole world closer together as a community? Even the source code to the old discontinued Cisco VPN client could be used as a valuable learning tool for some poor starving college student or Open Source Software developer somewhere trying to get by on Ramen Noodles and Ramen Noodle Sauce on Toast (don't tell me you never thought about it).  Through the ripple effect, It would drastically improve sales over the course of time, because it would open the door to a whole new market where those who previously could not afford to participate now could. That's the true power of Open Source. It creates a more skilled work force for the future by openly contributing and sharing knowledge together. What if the next big internet technology and the solution to world tyranny - the solution to end all wars forever - were locked in the mind of an unemployed software developer who couldn't afford to upgrade their cisco router software or access the software they needed because it was closed source and required committing to an expensive service contract to download?  That would be just terrible, wouldn't it?  I guess there's no way to ever know for sure. I suppose I'd be just as happy if some kind soul out there could point me to an easy to use alternative to an always on VPN connection that runs in the background which doesn't require NetworkManager or having to spend days upon days digging through and trying to comprehend either some really poor or extremely complex documentation?  I apologize for all the run on sentences posed as questions, but I've just got some serious mental burnout from all of this, being unemployed is some hard work folks. I could really use a vacation.  Perhaps a camping trip to the coast is in order after I get this working, that sounds nice, doesn't it? Nothing like a good summer thunder storm on the ocean beach - far away from technology - to refresh the mind.
  </Rant>

  I do tend to talk too much and I don't mince any words either.  What I am however, is really appreciative for the help. I know you hear that all the time, but you have no idea how much time and headache you just saved me.  I think vpnc might be just what I've been looking for, unless someone can think of a client for Linux that I might be able to throw a little further.  I'm very security minded now, after the backlash of Blackhat 2013, there's no telling which direction the internet might head next. Oh, you didn't hear? Well wether they realize it or not, DARPA basically declared war with other government agencies by releasing their own version of a spy program for civilians to use against the whoever -- possibly even the governmnet itself. They even went so far as to suggest it's private usage to blanket entire cities in information gathering. Civilians are a powerful foe, as they are not bound by the oath of office, any evidence they obtain is admissible in court, wether they know that or not. There's a very important reason for that. It's to prevent another civil war from ever happening, we shed enough blood the first time around less people forgot.  It's something that can and will be avoided because our civilization has advanced beyond the need for bloodshed. The courts have to obey the majority rule, no matter what. For the first time in history, cyberwarfare can reach into the physical world to cause serious damage to physical structures like the nuclear facility incident in Iran.  There's scarry bills trying to sneak through congress that are changing the landscape of technology forever for the entire world. We're at a pivotal point now where things can happen. It will be interesting to see how it all plays out over the next decade or so. No matter which way you look at it, just be preparerd to sell a whole lot of routers.

• I'm trying to install the bm39 linux vpn client on sled 10sp1. I

  I'm trying to install the bm39 linux vpn client on sled 10sp1. I
  installed nici and nmas first, but the vpn client won't install because
  nmas or nici aren't installed. I try to reinstall them but it says
  they're already installed. I try to remove them but it tells me they
  aren't installed. Any ideas? What am I missing? Is there some way
  to clean this up and start over?
  mark-x:/home/mark/nwclient/x86_64 # rpm -e nici64-2.7.3-12.x86_64.rpm
  error: package nici64-2.7.3-12.x86_64.rpm is not installed
  mark-x:/home/mark/nwclient/x86_64 # rpm -i nici64-2.7.3-12.x86_64.rpm
  package nici64-2.7.3-12 is already installed
  mark-x:/home/mark/nwclient/x86_64 # rpm -e novell-nmasclient-3.4.0-17.x86_64.rpm
  error: package novell-nmasclient-3.4.0-17.x86_64.rpm is not installed
  mark-x:/home/mark/nwclient/x86_64 # rpm -i novell-nmasclient-3.4.0-17.x86_64.rpm
  package novell-nmasclient-3.4.0-17 is already installed
  mark-x:/home/mark/nwclient/x86_64 #
  TIA for any help or suggestions.

  Thanks, I should have caught that.
  I should be able to install 32 bit sled in a vm and run the client from there, right?
  >>> On 4/17/2008 at 6:18 AM, in message <2eHNj.4636$[email protected]>, mysterious<[email protected]> wrote:
  Mark wrote:
  > I'm trying to install the bm39 linux vpn client on sled 10sp1. I
  >
  > installed nici and nmas first, but the vpn client won't install because
  >
  > nmas or nici aren't installed. I try to reinstall them but it says
  >
  > they're already installed. I try to remove them but it tells me they
  >
  > aren't installed. Any ideas? What am I missing? Is there some way
  >
  > to clean this up and start over?
  >
  > mark-x:/home/mark/nwclient/x86_64 # rpm -e nici64-2.7.3-12.x86_64.rpm
  >
  > error: package nici64-2.7.3-12.x86_64.rpm is not installed
  >
  > mark-x:/home/mark/nwclient/x86_64 # rpm -i nici64-2.7.3-12.x86_64.rpm
  >
  > package nici64-2.7.3-12 is already installed
  >
  > mark-x:/home/mark/nwclient/x86_64 # rpm -e
  > novell-nmasclient-3.4.0-17.x86_64.rpm
  >
  > error: package novell-nmasclient-3.4.0-17.x86_64.rpm is not installed
  >
  > mark-x:/home/mark/nwclient/x86_64 # rpm -i
  > novell-nmasclient-3.4.0-17.x86_64.rpm
  >
  > package novell-nmasclient-3.4.0-17 is already installed
  >
  > mark-x:/home/mark/nwclient/x86_64 #
  >
  >
  >
  > TIA for any help or suggestions.
  >
  >
  >
  vpn linux client is only supported on the 32 bit OS
  Gonzalo

• VPN client on linux

  Hello,
  i am currently having problems to install the VPN client (4.8.01.640) on a linux box (fedora 8- Kernel 2.6.25). On a linux forum found some guy saying that the VPN client won't install correctly on any kernel above 2.4.xx. Does anyone experienced a similar issue? Is there a workaround?
  Thanks in advance

  1. For users running the kernels from fedora, they *must* install the corresponding kernel-sources rpm.( SMP installation)
  2. For people running their own kernel, they must use the build tree from their running kernel to build the client. Unpacking the source code for the version of the kernel they are running is insufficient.
  http://tuxx-home.at/archives/2007/05/29/T16_34_26/

• Is there an Oracle VPN client for Linux (64-bit) ?

  Does anyone know if there is an Oracle VPN client for Linux (64-bit) ?
  Where to get it ?
  How to install it ?
  thanks!
  Greg

  Perhaps OpenVPN will work for you. Unfortunately you did not provide any OS information and VPN requirements.
  You can find help to install and setup OpenVPN in Google. You might want to check the Fedora EPEL repository http://fedoraproject.org/wiki/EPEL to install the software using standard yum in Enterprise Linux.

• Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

  Environment:
  2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
  Both ASAs are at version 8.4(5)6
  IPSec VPN Client version: 5.0.07.440 (64-bit)
  Jabber for Windows v9.7.0 build 18474
  Issue:
    If I am an IPSec VPN user…
     I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
     I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
  In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

  Portu,
  Thanks for your quick reply.
  Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
  I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
  As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
  Thanks again.

• Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

  Environment:
  2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
  Both ASAs are at version 8.4(5)6
  IPSec VPN Client version: 5.0.07.440 (64-bit)
  Jabber for Windows v9.7.0 build 18474
  Issue:
    If I am an IPSec VPN user…
     I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
     I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
  In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

  Portu,
  Thanks for your quick reply.
  Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
  I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
  As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
  Thanks again.

• Apple built-in vpn client and dhcp hostnames

  We have a number of Mac clients in our office which uses MS for dhcp and dns.
  I've noticed that the mac clients when wired directly into the office network successfully get a dhcp lease and report their hostnames accurately to the dhcp server. However when these same clients connect to the office network via VPN (using the built-in vpn utility with Cisco IPSEC) they get a dhcp lease as expected, but do not register a hostname with the lease on the dhcp server. The lease is assigned to a blank hostname.
  I assume this is a pretty common issue. Has anyone found a way to configure the vpn client to send the hostname along with the connection, either via the client config or through some other method?
  Thanks.

  The VPN server is a Cisco 3030, however only the Mac clients have this issue. Windows and linux clients report their hostnames to dhcp properly even when VPN connected.

• PPTP VPN - Clients inside Cisco877w - server at workplace

  I am trying to connect to my workplace PPTP server from my home that has a Cisco 877w ADSL/Wireless router.  I configured the majority of the setup via CLI and just started playing with CCP.  I've used version 2.5 and 2.7 on a virtual Windows station that resides on my primary Linux box.
  Background in  trying things out.  PPTP works fine without CCP firewall wizard having been run - with just a vanilla interfaces configured kind of setting. 
  I ran the CCP Advanced Firewall task, specified that I had PPTP clients on the LAN and went with it.  The proposed changes included GRE and PPTP stuff, but being green in the IOS Firewall, I have no idea what  I was looking at. 
  My configuration as it gave me is as follows:
  version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname HomeRouter!boot-start-markerboot-end-marker!logging message-counter syslogno logging bufferedenable secret 5 MyPass!no aaa new-modelclock timezone Chicago -6clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00!crypto pki trustpoint TP-self-signed-904815991 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-904815991 revocation-check none rsakeypair TP-self-signed-904815991!!crypto pki certificate chain TP-self-signed-904815991 certificate self-signed 01  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030   30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274   69666963 6174652D 39303438 31353939 31301E17 0D313430 32313632 33323035   315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F   532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3930 34383135   39393130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100   B192CA33 08917B1D 8237C7BB 00E38CA6 4BE8B394 4A3C9A40 F7087B15 F5C9D7CB   50F15F43 1084859D CB14F438 5352A1BC BF38C005 15FD518D 362D5769 EFB2528D   1DCF2239 1F2F66CD 5B67B1FF 40108483 740EEB0F D9098DCA 82616014 884E4630   96391ED4 A6B5575B E46BA5FB 2F4FFC32 A7855C59 86B2EBFA FAE485D3 56AF5D5B   02030100 01A36A30 68300F06 03551D13 0101FF04 05300301 01FF3015 0603551D   11040E30 0C820A48 6F6D6552 6F757465 72301F06 03551D23 04183016 8014F385   49957AD6 804D76D9 AD5DADF7 C1BAF9E6 12C6301D 0603551D 0E041604 14F38549   957AD680 4D76D9AD 5DADF7C1 BAF9E612 C6300D06 092A8648 86F70D01 01040500   03818100 387142CF 1B60955E D7D63134 E07E381F BF5491CD 571D718D A8B73E2E   327C81C8 35E33754 67662C59 0FDD3F8E 9B0F8B69 4BF95AD8 E8484EC6 C00A7BE2   5D168C98 818812AF B9490F55 C19257B4 8FE70B49 1D5F0772 5F0550E1 DE7C17DB   02DBA7DB 233AFF65 B381970E 3DEAFF79 482D2914 788665BF 0ED9117F 8ADB6844 2A1854E0            quitdot11 syslog!dot11 ssid Wireless1 vlan 1 authentication open authentication key-management wpa mbssid guest-mode wpa-psk ascii 7 097F46080E0B57310A1E1D6A0F3D24323B623006130F1858!dot11 ssid Wireless2 vlan 2 authentication open mbssid guest-mode!ip source-route!!ip dhcp excluded-address 10.0.0.1 10.0.0.99ip dhcp excluded-address 10.0.1.1 10.0.1.99!ip dhcp pool Local-Network   network 10.0.0.0 255.255.255.0   default-router 10.0.0.1    dns-server 8.8.8.8 8.8.4.4 !ip dhcp pool Guest-Network   network 10.0.1.0 255.255.255.0   dns-server 8.8.8.8 8.8.4.4    default-router 10.0.1.1 !!ip cefip name-server 8.8.8.8ip name-server 8.8.4.4ip name-server 4.2.2.2ip name-server 4.2.2.1ip ddns update method NO-IP HTTP  add http://MyUser:[email protected]/nic/[email protected]/nic/update?hostname=<h>&myip=<a> interval maximum 1 0 0 0 interval minimum 0 0 5 0!no ipv6 cef!multilink bundle-name authenticated!vpdn enable!vpdn-group pppoe request-dialin  protocol pppoe!!!username MyLocalUser privilege 15 password 7 01010101011010101! !!archive log config  hidekeys!!no ip ftp passive!class-map type inspect match-all SDM_GRE match access-group name SDM_GREclass-map type inspect match-any CCP_PPTP match class-map SDM_GRE match protocol pptpclass-map type inspect match-any ccp-skinny-inspect match protocol skinnyclass-map type inspect match-any ccp-cls-insp-traffic match protocol pptp match protocol cuseeme match protocol dns match protocol ftp match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol smtp extended match protocol sql-net match protocol streamworks match protocol tftp match protocol vdolive match protocol tcp match protocol udpclass-map type inspect match-all ccp-insp-traffic match class-map ccp-cls-insp-trafficclass-map type inspect match-any ccp-h323nxg-inspect match protocol h323-nxgclass-map type inspect match-any ccp-cls-icmp-access match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any ccp-h225ras-inspect match protocol h225rasclass-map type inspect match-any ccp-h323annexe-inspect match protocol h323-annexeclass-map type inspect match-any ccp-h323-inspect match protocol h323class-map type inspect match-all ccp-invalid-src match access-group 100class-map type inspect match-all ccp-icmp-access match class-map ccp-cls-icmp-accessclass-map type inspect match-any ccp-sip-inspect match protocol sipclass-map type inspect match-all sdm-nat-ssh-1 match access-group 101 match protocol sshclass-map type inspect match-all ccp-protocol-http match protocol http!!policy-map type inspect ccp-permit-icmpreply class type inspect ccp-icmp-access  inspect class class-default  passpolicy-map type inspect sdm-pol-NATOutsideToInside-1 class type inspect sdm-nat-ssh-1  inspect class type inspect CCP_PPTP  pass class class-default  drop logpolicy-map type inspect ccp-inspect class type inspect ccp-invalid-src  drop log class type inspect ccp-protocol-http  inspect class type inspect ccp-insp-traffic  inspect class type inspect ccp-sip-inspect  inspect class type inspect ccp-h323-inspect  inspect class type inspect ccp-h323annexe-inspect  inspect class type inspect ccp-h225ras-inspect  inspect class type inspect ccp-h323nxg-inspect  inspect class type inspect ccp-skinny-inspect  inspect class class-default  droppolicy-map type inspect ccp-permit class class-default  droppolicy-map QoS_Out_BVI2 class class-default   police rate 500000 !zone security in-zonezone security out-zonezone-pair security ccp-zp-self-out source self destination out-zone service-policy type inspect ccp-permit-icmpreplyzone-pair security ccp-zp-in-out source in-zone destination out-zone service-policy type inspect ccp-inspectzone-pair security ccp-zp-out-self source out-zone destination self service-policy type inspect ccp-permitzone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone service-policy type inspect sdm-pol-NATOutsideToInside-1!bridge irb!!interface ATM0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress no atm ilmi-keepalive!interface ATM0.1 point-to-point no ip redirects no ip unreachables no ip proxy-arp ip flow ingress pvc 8/35   pppoe-client dial-pool-number 1 !!interface FastEthernet0!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3 switchport access vlan 2!interface Dot11Radio0 no ip address ! encryption vlan 1 mode ciphers aes-ccm ! ssid Wireless1 ! ssid Wireless2 ! mbssid speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root world-mode dot11d country US outdoor no cdp enable!interface Dot11Radio0.1 encapsulation dot1Q 1 ip virtual-reassembly no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Dot11Radio0.2 encapsulation dot1Q 2 native bridge-group 2 bridge-group 2 subscriber-loop-control bridge-group 2 spanning-disabled bridge-group 2 block-unknown-source no bridge-group 2 source-learning no bridge-group 2 unicast-flooding!interface Vlan1 no ip address ip virtual-reassembly bridge-group 1!interface Vlan2 no ip address bridge-group 2!interface Dialer0 description $FW_OUTSIDE$ ip ddns update hostname me.domain.com ip ddns update NO-IP ip address negotiated no ip redirects no ip unreachables no ip proxy-arp ip mtu 1492 ip nat outside ip virtual-reassembly zone-member security out-zone encapsulation ppp no ip route-cache cef no ip route-cache ip tcp adjust-mss 1452 dialer pool 1 dialer-group 1 no cdp enable ppp authentication pap callin ppp pap sent-username MyUsername password 7 MyPassword!interface BVI1 description $FW_INSIDE$ ip address 10.0.0.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone!interface BVI2 description $FW_INSIDE$ ip address 10.0.1.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone service-policy output QoS_Out_BVI2!ip forward-protocol ndip route 0.0.0.0 0.0.0.0 Dialer0ip http serverip http authentication localip http secure-server!!ip dns serverip nat inside source list 1 interface Dialer0 overloadip nat inside source static tcp 10.1.1.10 22 interface Dialer0 xxxxx!ip access-list extended SDM_GRE remark CCP_ACL Category=1 permit gre any any!no logging trapaccess-list 1 permit 10.0.0.0 0.0.0.255access-list 1 permit 10.0.1.0 0.0.0.255access-list 100 remark CCP_ACL Category=128access-list 100 permit ip host 255.255.255.255 anyaccess-list 100 permit ip 127.0.0.0 0.255.255.255 anyaccess-list 101 remark CCP_ACL Category=0access-list 101 permit ip any host 10.1.1.10!!!!!control-plane!bridge 1 protocol ieeebridge 1 route ipbridge 2 protocol ieeebridge 2 route ipbanner login ^CUnauthorized access is STRICTLY PROHIBITED!  ^C!line con 0 exec-timeout 15 0 password 7 01010101010101010101 no modem enableline aux 0line vty 0 4 exec-timeout 5 0 privilege level 15 login local transport preferred none transport input ssh!scheduler max-task-time 5000ntp server 199.102.46.73end
  Any clues as to what I would have to do to allow the PPTP connection to complete?  It appears as though GRE may not be getting through?  I haven't found much in the way of fixing this.  My Google-fu might be lacking.

  Remote VPN client is not showing any default gateway
  PPP adapter VPN Connection:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : VPN Connection
     Physical Address. . . . . . . . . :
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.255
     Default Gateway . . . . . . . . . :
     DNS Servers . . . . . . . . . . . : 203.134.24.70
                                         203.134.26.70
     NetBIOS over Tcpip. . . . . . . . : Enabled

• Forcing Cisco VPN client to use NAT-T

  Is there a way to force the VPN client to use NAT-T when the device isn't NATed but ESP is otherwise blocked?
  My VPN client connects but tries to use ESP, even though IPSec over UDP is selected, after detecting that no NAT is taking place.

  Thanks. Using Linux's 'vpnc' as the VPN client provides a "force-natt" option which does the trick so a little disappointed I can't do it with the Cisco client.
  I also found references to a feature request #CSCdz58488 so I thought it may have been implemented in the current VPN client.

• Installing VPN client.. where is kernel source directory?

  I need to install Cisco VPN client. It asks me for kernel source directory... What is a kernel source directory?
  Thanks

  The Arch kernel package does not include the full source, but the kernel's headers are available in /usr/src/linux-<kernel_version>, and will be sufficient for your requirements.
  btw vpnc is in the core repo, and there are some cisco-related packages in the AUR also.

• Remote Access VPN Clients Cannot Access inside LAN

  I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with.  I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  Thay can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
  : Saved
  ASA Version 8.2(1)
  hostname ASA5505
  domain-name default.domain.invalid
  enable password eelnBRz68aYSzHyz encrypted
  passwd eelnBRz68aYSzHyz encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group dataDSL
  ip address 76.244.75.57 255.255.255.255 pppoe
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.9.1 255.255.255.0
  interface Vlan10
  nameif outside_cable
  security-level 0
  ip address 50.84.96.178 255.255.255.240
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 10
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit intra-interface
  object-group service Netbios udp
  port-object eq 139
  port-object eq 445
  port-object eq netbios-ns
  object-group service Netbios_TCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  object-group network DM_INLINE_NETWORK_1
  network-object host 192.168.100.177
  network-object host 192.168.100.249
  object-group service Web_Services tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_10
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_11
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_2
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_3
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_4
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_5
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_6
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_7
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_8
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_9
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network VPN
  network-object 192.168.255.0 255.255.255.0
  access-list outside_access_in extended permit icmp any host 76.244.75.61
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
  access-list dmz_access_in remark Quickbooks
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
  access-list dmz_access_in remark Quickbooks range
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
  access-list dmz_access_in remark QB
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
  access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
  access-list dmz_access_in remark Printer
  access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
  access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
  access-list dmz_access_in remark QB probably does not need any udp
  access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark QB included in other rule range
  access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark May be required for Quickbooks
  access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
  access-list Local_LAN_Access standard permit host 0.0.0.0
  access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
  access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered informational
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500 
  mtu outside_cable 1500
  ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
  ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 10 interface
  global (outside_cable) 10 interface
  nat (inside) 0 access-list nonat-in
  nat (inside) 10 0.0.0.0 0.0.0.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  nat (dmz) 10 0.0.0.0 0.0.0.0
  static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
  static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
  static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
  access-group outside_access_in in interface outside
  access-group dmz_access_in in interface dmz
  access-group outside_cable_access_in in interface outside_cable
  route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.100.0 255.255.255.0 inside
  http 204.107.173.0 255.255.255.0 outside
  http 204.107.173.0 255.255.255.0 outside_cable
  http 0.0.0.0 0.0.0.0 outside_cable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_cable_map interface outside_cable
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp enable outside_cable
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 192.168.100.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.100.0 255.255.255.0 inside
  ssh 204.107.173.0 255.255.255.0 outside
  ssh 204.107.173.0 255.255.255.0 outside_cable
  ssh 0.0.0.0 0.0.0.0 outside_cable
  ssh timeout 15
  console timeout 0
  vpdn group dataDSL request dialout pppoe
  vpdn group dataDSL localname [email protected]
  vpdn group dataDSL ppp authentication pap
  vpdn username [email protected] password *********
  dhcpd address 192.168.100.30-192.168.100.99 inside
  dhcpd dns 192.168.100.5 68.94.156.1 interface inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec l2tp-ipsec
  group-policy cad_supplies_RAVPN internal
  group-policy cad_supplies_RAVPN attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
  group-policy VPNPHONE internal
  group-policy VPNPHONE attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec
  split-tunnel-policy excludespecified
  split-tunnel-network-list value Local_LAN_Access
  client-firewall none
  client-access-rule none
  username swinc password BlhBNWfh7XoeHcQC encrypted
  username swinc attributes
  vpn-group-policy cad_supplies_RAVPN
  username meredithp password L3lRjzwb7TnwOyZ1 encrypted
  username meredithp attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone1 attributes
  vpn-group-policy VPNPHONE
  username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone2 attributes
  vpn-group-policy VPNPHONE
  username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone3 attributes
  vpn-group-policy VPNPHONE
  username oethera password WKJxJq7L6wmktFNt encrypted
  username oethera attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
  username markh attributes
  vpn-group-policy cad_supplies_RAVPN
  tunnel-group DefaultRAGroup general-attributes
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cad_supplies_RAVPN type remote-access
  tunnel-group cad_supplies_RAVPN general-attributes
  address-pool VPN_IP_range
  default-group-policy cad_supplies_RAVPN
  tunnel-group cad_supplies_RAVPN ipsec-attributes
  pre-shared-key *
  tunnel-group VPNPHONE type remote-access
  tunnel-group VPNPHONE general-attributes
  address-pool VPN_Phone
  default-group-policy VPNPHONE
  tunnel-group VPNPHONE ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 1500
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
  : end

  Hi,
  You have your "group-policy" set so that you have excluding some networks from being tunneled.
  In this access-list named Local_LAN_Access you specify "0.0.0.0"
  Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
  This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
  - Jouni

• ASA 5505 VPN client LAN access problem

  Hello,
  I'm not expert in ASA and routing so I ask some support the following case.
  There is a Cisco VPN client (running on Windows 7) and an ASA5505.
  The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.
  The Skype works well but I cannot access devices in the interface inside via VPN connection.
  Can you please check my following config and give me advice to correct NAT or VPN settings?
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password wDnglsHo3Tm87.tM encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
  access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
  access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 1 10.0.0.0 255.255.255.0
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (outside) 1 10.0.0.0 255.255.255.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.33 inside
  dhcpd dns xx.xx.xx.xx interface inside
  dhcpd enable inside
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server value 84.2.44.1
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem enable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy XXXXXX internal
  group-policy XXXXXX attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
  username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
  username XXXXXX attributes
  vpn-group-policy XXXXXX
  username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
  tunnel-group XXXXXX type ipsec-ra
  tunnel-group XXXXXX general-attributes
  address-pool VPNPOOL
  default-group-policy XXXXXX
  tunnel-group XXXXXX ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
  : end
  ciscoasa#
  Thanks in advance!
  fbela

  config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
  Need to add - config#same-security-traffic permit intra-interface
                                   #access-list extended nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
                                   #nat (inside) 0 access-list nonat
  Please add and test it.
  Thanks
  Ajay

• VPN client and radius or CAR

  Hello:
  I am trying to setup remote access vpn on IOS router with cisco Radius or CAR.
  the vpn client user needs to be authenticated by group id and password, and user id and password.
  How should I setup CAR, could someone provides me an example?
  I saw this sample, but there is no relationship between user and group.
  Any suggestions?
  thx
  [ //localhost/RADIUS/UserLists/Default/joe-coke ]
  Name = joe-coke
  Description =
  Password = <encrypted>
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ =
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  [ //localhost/RADIUS/UserLists/Default/group1 ]
  Name = group1
  Description =
  Password = <encrypted> (would be "cisco")
  AllowNullPassword = FALSE
  Enabled = TRUE
  Group~ =
  BaseProfile~ = group1profile
  AuthenticationScript~ =
  AuthorizationScript~ =
  UserDefined1 =
  Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco
  AV-pairs:
  [ //localhost/RADIUS/Profiles/group1profile/Attributes ]
  cisco-avpair = ipsec:key-exchange=ike
  cisco-avpair = ipsec:tunnel-password=cisco123
  cisco-avpair = ipsec:addr-pool=pool1
  Service-Type = Outbound

  you can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc). The client's username/pw can then be defined within AAA server to allow access to the network once the tunnel has been established.
  The link below should show how to setup the group config in IOS and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

• ASA 5505 VPN clients can't ping router or other clients on network

  I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
  Result of the command: "show running-config"
  : Saved
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
  : end
  Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
  Thanks.

  I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
  here is the runnign config again:
  Result of the command: "show startup-config"
  : Saved
  : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  asdm location Server 255.255.255.255 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:78864f4099f215f4ebdd710051bdb493