Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

Similar Messages

• One router on ASA 5505 Site to Site VPN can't ping other router

  I have two Cisco ASA routers and I have a site to site vpn set up between the two. The VPN link works but Site A can't ping anything on Site B. Site B can ping Site A. Site B can ping other pcs on it's own network. Site A has been in place for a while and has other site to site VPNs that work fine, so I think the problem is with Site B. Here is the config for Site B:
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(4)1
  hostname SaskASA
  enable password POgOWyKyb0jgJ1Hm encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.16.1 255.255.254.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_192.168.16.0_23
  subnet 192.168.16.0 255.255.254.0
  object network NETWORK_OBJ_192.168.2.0_23
  subnet 192.168.2.0 255.255.254.0
  access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.254.0 192.168.2.0 255.255.254.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_23 NETWORK_OBJ_192.168.16.0_23 destination static NETWORK_OBJ_192.168.2.0_23 NETWORK_OBJ_192.168.2.0_23 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  nat (inside,outside) after-auto source dynamic any interface
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable 444
  http 192.168.16.0 255.255.254.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 207.228.xx.xx
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcp-client client-id interface outside
  dhcpd auto_config outside
  dhcpd address 192.168.16.100-192.168.16.200 inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy GroupPolicy_207.228.xx.xxinternal
  group-policy GroupPolicy_207.228.xx.xx attributes
  vpn-tunnel-protocol ikev1 ikev2
  username User password shbn5zbLkuHP/mJX encrypted privilege 15
  tunnel-group 207.228.xx.xxtype ipsec-l2l
  tunnel-group 207.228.xx.xxgeneral-attributes
  default-group-policy GroupPolicy_207.228.xx.xx
  tunnel-group 207.228.xx.xxipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f06bd1d6d063318339d98417b171175e
  : end
  Any ideas? Thanks.

  I looked over the config for Site A, but couldn't find anything unusual. Perhaps I'm overlooking something. Here is the config for site A:
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.2(1)
  hostname SiteA
  domain-name domain
  enable password POgOWyKyb0jgJ1Hm encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.254.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 192.168.2.6
  domain-name domain
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.14.0 255.255.254.0
  network-object 192.168.4.0 255.255.254.0
  network-object 192.168.6.0 255.255.254.0
  network-object 192.168.8.0 255.255.254.0
  object-group network DM_INLINE_NETWORK_2
  network-object 192.168.12.0 255.255.254.0
  network-object 192.168.14.0 255.255.254.0
  network-object 192.168.4.0 255.255.254.0
  network-object 192.168.6.0 255.255.254.0
  network-object 192.168.8.0 255.255.254.0
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_1
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2
  access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.192
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
  access-list VPNGeo_splitTunnelAcl standard permit any
  access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
  access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.4.0 255.255.254.0
  access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.8.0 255.255.254.0
  access-list outside_5_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool GeoVPNPool 192.168.15.200-192.168.15.254 mask 255.255.254.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable 444
  http 192.168.2.0 255.255.254.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 outside
  http authentication-certificate inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 207.228.xx.xx
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer 208.119.xx.xx
  crypto map outside_map 2 set transform-set ESP-3DES-SHA
  crypto map outside_map 3 match address outside_3_cryptomap
  crypto map outside_map 3 set pfs group1
  crypto map outside_map 3 set peer 208.119.xx.xx
  crypto map outside_map 3 set transform-set ESP-3DES-SHA
  crypto map outside_map 4 match address outside_4_cryptomap
  crypto map outside_map 4 set pfs
  crypto map outside_map 4 set peer 208.119.xx.xx
  crypto map outside_map 4 set transform-set ESP-3DES-SHA
  crypto map outside_map 5 match address outside_5_cryptomap
  crypto map outside_map 5 set pfs group1
  crypto map outside_map 5 set peer 70.64.xx.xx
  crypto map outside_map 5 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcp-client client-id interface outside
  dhcpd auto_config outside
  dhcpd address 192.168.2.100-192.168.2.254 inside
  dhcpd auto_config outside interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy VPNGeo internal
  group-policy VPNGeo attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPNGeo_splitTunnelAcl
  username user password shbn5zbLkuHP/mJX encrypted privilege 15
  username namepassword vP98Lj8Vm5SLs9PW encrypted
  username nameattributes
  vpn-group-policy VPNGeo
  tunnel-group 207.228.xx.xxtype ipsec-l2l
  tunnel-group 207.228.xx.xxipsec-attributes
  pre-shared-key *
  tunnel-group VPNGeo type remote-access
  tunnel-group VPNGeo general-attributes
  address-pool GeoVPNPool
  default-group-policy VPNGeo
  tunnel-group VPNGeo ipsec-attributes
  pre-shared-key *
  tunnel-group 208.119.xx.xxtype ipsec-l2l
  tunnel-group 208.119.xx.xxipsec-attributes
  pre-shared-key *
  tunnel-group 208.119.xx.xx type ipsec-l2l
  tunnel-group 208.119.xx.xx ipsec-attributes
  pre-shared-key *
  tunnel-group 208.119.xx.xxtype ipsec-l2l
  tunnel-group 208.119.xx.xxipsec-attributes
  pre-shared-key *
  tunnel-group 70.64.xx.xxtype ipsec-l2l
  tunnel-group 70.64.xx.xxipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:e3adf4e597198f58cd21e508aabdbab9
  : end

• ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's

  Hello All,
  I'm an ASA Newb. 
  I feel like I have tried everything posted and still no success.
  PROBLEM:  When connected to the SSL VPN I cannot ping any internal host's.  I cannot ping anything on this inside?
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.2(5)
  hostname MCASA01
  domain-name mydomain.org
  enable password xxbtzv6P4Hqevn4N encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.2.0 VLAN
  name 192.168.5.0 VPNPOOL
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ddns update hostname MC_DNS
  dhcp client update dns server both
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  no forward interface Vlan1
  nameif outside
  security-level 0
  ip address 11.11.11.202 255.255.255.252
  interface Vlan3
  no nameif
  security-level 50
  ip address 192.168.2.1 255.255.255.0
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name mydomain.org
  access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  http authentication-certificate inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
  keypair digicert.key
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 00b63edadf5efa057ea49da56b179132e8
      3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
      300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
      30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
      03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
      41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
      20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
      35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
      616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
      03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
      864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
      eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
      4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
      aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
      4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
      c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
      dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
      4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
      536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
      cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
      e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
      b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
      02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
      0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
      04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
      01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
      30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
      703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
      4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
      07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
      656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
      7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
      302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
      6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
      2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
      0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
      b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
      45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
      f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
      191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
      5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
      a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
    quit
  no crypto isakmp nat-traversal
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside vpnclient-wins-override
  dhcpd address 192.168.1.100-192.168.1.200 inside
  dhcpd dns 66.180.96.12 64.238.96.12 interface inside
  dhcpd lease 86400 interface inside
  dhcpd ping_timeout 4000 interface inside
  dhcpd domain mydomain.org interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 64.147.116.229 source outside
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy VPNGP internal
  group-policy VPNGP attributes
  vpn-tunnel-protocol svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT-TUNNEL
  username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
  username GaryC attributes
  vpn-group-policy VPNGP
  tunnel-group MCVPN type remote-access
  tunnel-group MCVPN general-attributes
  address-pool VPNPOOL
  default-group-policy VPNGP
  tunnel-group MCVPN webvpn-attributes
  group-alias MCVPN enable
  group-url https://11.11.11.202/MCVPN enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
  : end
  My goal is to allow Remote Users to RDP(3389) through VPN.
  Thank you,
  Gary
  Message was edited by: Gary Culwell

  Hello Jon,
    Thank you so much for your response. Clients will not be connect to a specific RDP server.  I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access.  So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
  Would you say this would work:
  route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
  Do you have examples?
  Thank you,
  Gary

• IPhone OS 3.0 - internet tethering and Cisco VPN Client

  Hello,
  The latest OS for the iPhone allows users to tether their iPhone to a Mac/PC so that the user can browse the internet through the carriers mobile 3G network.
  I can confirm that internet tethering works on my Macbook Pro, but the following error is displayed when i load the CiscoVPN Client (version 4.9.01 (0100))
  "Error 51: Unable to communicate with the VPN subsystem.
  Please make sure that you have at least one network interface that is cuurently active and has an ip address and start this application again."
  Does this mean that the Cisco VPN client cannot see the internet connection supplied by the iPhone even though i can browse the internet while this error is being displayed??
  Regards,
  Eddie S

  Same problem here and I'm wondering the same. I also noticed that the same error comes also when my ethernet connection and iPhone tethering are active at the same time. Then there really should be a connection.
  Despite that, I have the same problem and using bluetooth tethering doesn't solve this. Still the same error even though Internet connection works otherwise fine.
  Any suggestions? Have Cisco tested this?
  I'm using MacBook Pro 13" OS X 10.5.8, iPhone 3GS 3.0.1 with official finnish carrier Sonera, Cisco Systems VPN Client 4.9.01 (0100)

• VPN client cannot access inside hosts

  Hello,
      I have an ASA 5505 device with the attached configuration and my vpn clients can connect to it fine.  Although, once a vpn client is connected they cannot RDP, ping, or telnet any internal hosts.  The goal is to have a connected vpn client to have all access rights as anyone sitting on the internal network.  Any assistance is greatly appreciated.
  : Saved
  ASA Version 7.2(3)
  hostname Kappa-GW01
  domain-name Kappa.com
  enable password xxxxxxxxx encrypted
  names
  name 172.20.42.42 UMEFTP2 description UMAP FTP2
  name 172.20.40.246 UMEMAIL1 description Exchange Server
  name 172.20.41.3 UMERPS
  name x.x.81.81 Wilkes
  name x.x.84.41 KappaPittston
  dns-guard
  interface Ethernet0/0
  shutdown
  nameif outside
  security-level 0
  ip address x.x.148.194 255.255.255.248
  interface Ethernet0/1
  nameif Outside_Windstream
  security-level 0
  ip address x.x.205.210 255.255.255.240
  interface Ethernet0/2
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  passwd 7Tpgc2AiWGxbNjkj encrypted
  boot system disk0:/asa723-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name Kappa.com
  object-group network Blue_Bell_Internal_Networks
  description Blue Bell internal network Group
  network-object 192.168.100.0 255.255.255.0
  network-object 10.0.0.0 255.255.255.0
  network-object 10.0.1.0 255.255.255.0
  network-object 10.0.2.0 255.255.255.0
  object-group network VPN-Sites
  network-object host Wilkes
  network-object host KappaPittston
  object-group network Michigan_VPN_GRP
  network-object 172.20.40.0 255.255.252.0
  object-group network ASA_OutSide_Vendors
  description ASA OutSide Vendor Access
  access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list 101 extended permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list 101 extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list 101 extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
  access-list KappaVPN_splitTunnelAcl remark Blue Bell Office
  access-list KappaVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
  access-list KappaVPN_splitTunnelAcl remark Williamston Office
  access-list KappaVPN_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
  access-list KappaVPN_splitTunnelAcl remark Pittston Office
  access-list KappaVPN_splitTunnelAcl standard permit 10.0.10.0 255.255.255.0
  access-list KappaVPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.20.40.0 255.255.252.0 inactive
  access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.30.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.10.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
  access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
  access-list umeemp_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
  access-list umeemp_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
  access-list umeemp_splitTunnelAcl standard permit 10.0.30.0 255.255.255.0
  access-list umeemp_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
  access-list outside_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list 102 extended permit tcp any any eq 2000
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq smtp
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq pop3 inactive
  access-list Outside_Winstream_access_in extended permit udp object-group VPN-Sites interface Outside_Windstream eq isakmp
  access-list Outside_Winstream_access_in extended permit tcp object-group ASA_OutSide_Vendors host x.x.205.217 eq 4080
  access-list Outside_Winstream_access_in remark SMTP Access
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq smtp
  access-list Outside_Winstream_access_in remark POP access
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq pop3
  access-list Outside_Winstream_access_in remark OWA Access
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq https
  access-list Outside_Winstream_access_in extended permit tcp host x.x.87.65 host x.x.205.218 eq 3389
  access-list Outside_Winstream_access_in extended permit udp host x.x.56.111 eq ntp host x.x.205.216 eq ntp
  access-list Outside_Winstream_access_in remark OWA UMAP
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq https
  access-list Outside_Winstream_access_in remark JLAN
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.215 eq https
  access-list Outside_Winstream_access_in remark UMERPS
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq https
  access-list Outside_Winstream_access_in remark UMERPS
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq ssh
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq https
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq 5494
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.214 eq www
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq 8081
  access-list Outside_Winstream_access_in extended permit icmp any any echo
  access-list outside_6_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list outside_6_cryptomap extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_11 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_10 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_5 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_12 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
  access-list nonat extended permit ip any any inactive
  pager lines 24
  logging enable
  logging asdm debugging
  logging flash-bufferwrap
  mtu outside 1500
  mtu Outside_Windstream 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn-pool 192.168.100.100-192.168.100.200
  no failover
  monitor-interface outside
  monitor-interface Outside_Windstream
  monitor-interface inside
  monitor-interface management
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (Outside_Windstream) 1 x.x.205.216 netmask 255.0.0.0
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 172.20.40.0 255.255.252.0
  nat (inside) 1 10.0.0.0 255.255.0.0
  static (inside,Outside_Windstream) x.x.205.217 10.0.0.20 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.220 10.0.0.21 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.218 10.0.0.15 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.215 172.20.40.145 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.211 UMEMAIL1 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.212 UMERPS netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.213 172.20.40.243 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.214 172.20.40.146 netmask 255.255.255.255
  access-group acl_inbound in interface outside
  access-group Outside_Winstream_access_in in interface Outside_Windstream
  route Outside_Windstream 0.0.0.0 0.0.0.0 x.x.205.209 1
  route inside 172.20.40.0 255.255.252.0 10.0.0.3 1
  route inside 10.0.30.0 255.255.255.0 10.0.0.254 1
  route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server BBPA-SRV-DC01 protocol radius
  aaa-server BBPA-SRV-DC01 host 10.0.0.15
  timeout 5
  key G6G7#02bj!
  aaa-server UMAP protocol radius
  aaa-server UMAP host 172.20.40.245
  timeout 5
  key gfrt1a
  aaa-server UMAP host 172.20.40.244
  timeout 5
  key gfrt1a
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 10.0.0.0 255.255.255.0 inside
  http 10.0.0.15 255.255.255.255 inside
  http 192.168.1.0 255.255.255.0 management
  http 192.168.100.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map Outside_Windstream_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map Outside_Windstream_dyn_map 40 set pfs
  crypto dynamic-map Outside_Windstream_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto map outside_map 5 match address outside_5_cryptomap
  crypto map outside_map 5 set peer Wilkes
  crypto map outside_map 5 set transform-set ESP-3DES-SHA
  crypto map outside_map 10 match address outside_6_cryptomap
  crypto map outside_map 10 set peer KappaPittston
  crypto map outside_map 10 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto map Outside_Windstream_map 5 match address Outside_Windstream_cryptomap_5
  crypto map Outside_Windstream_map 5 set peer Wilkes
  crypto map Outside_Windstream_map 5 set transform-set ESP-3DES-SHA
  crypto map Outside_Windstream_map 10 match address Outside_Windstream_cryptomap_10
  crypto map Outside_Windstream_map 10 set peer KappaPittston
  crypto map Outside_Windstream_map 10 set transform-set ESP-3DES-SHA
  crypto map Outside_Windstream_map 65535 ipsec-isakmp dynamic Outside_Windstream_dyn_map
  crypto map Outside_Windstream_map interface Outside_Windstream
  crypto isakmp enable Outside_Windstream
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 3600
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  telnet 10.0.0.0 255.255.0.0 inside
  telnet timeout 5
  ssh 10.0.0.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ftp
    inspect skinny
    inspect pptp
  service-policy global_policy global
  webvpn
  enable Outside_Windstream
  svc image disk0:/sslclient-win-1.1.4.177.pkg 1
  svc enable
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server none
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc required
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy umeemp internal
  group-policy umeemp attributes
  dns-server value 172.20.40.245
  vpn-filter none
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value KappaVPN_splitTunnelAcl
  default-domain value umapinc.com
  group-policy KappaVPN internal
  group-policy KappaVPN attributes
  wins-server value 10.0.0.15
  dns-server value 10.0.0.15
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value umeemp_splitTunnelAcl
  default-domain value kappa.loc
  username gwadmin password AVjtEPq7nvtiAAk0 encrypted
  tunnel-group DefaultWEBVPNGroup general-attributes
  address-pool vpn-pool
  authentication-server-group BBPA-SRV-DC01
  authorization-required
  tunnel-group KappaVPN type ipsec-ra
  tunnel-group KappaVPN general-attributes
  address-pool vpn-pool
  authentication-server-group BBPA-SRV-DC01
  default-group-policy KappaVPN
  tunnel-group KappaVPN ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.131.62 type ipsec-l2l
  tunnel-group x.x.131.62 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.232.2 type ipsec-l2l
  tunnel-group x.x.232.2 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.49.114 type ipsec-l2l
  tunnel-group x.x.49.114 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.226.218 type ipsec-l2l
  tunnel-group x.x.226.218 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.116.133 type ipsec-l2l
  tunnel-group x.x.116.133 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.21.36 type ipsec-l2l
  tunnel-group x.x.21.36 ipsec-attributes
  pre-shared-key *
  tunnel-group umeemp type ipsec-ra
  tunnel-group umeemp general-attributes
  address-pool vpn-pool
  authentication-server-group UMAP
  default-group-policy umeemp
  tunnel-group umeemp ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.81.81 type ipsec-l2l
  tunnel-group x.x.81.81 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.84.41 type ipsec-l2l
  tunnel-group x.x.84.41 ipsec-attributes
  pre-shared-key *
  prompt hostname context
  Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
  : end
  asdm image disk0:/asdm-523.bin
  no asdm history enable

  I'm sorry, I misunderstood what you were asking.  Yes those three networks are on the inside of our ASA.  we have 2 outside of the ASA (10.0.2.x, 10.0.10.x).  When our clients vpn they connect to the x.x.205.210 ip address, which maps them depending on the preshared key that puts them on either the kappaVPN or the umeempVPN.  (I am kind of new to configuring the ASA).  When the cisco vpn client connects to the network, I checked the statistics and it lists all of our LAN networks under secure routes.  I cannot ping anything inside the LAN nor can I connect RDP, telnet or anything.
  Hope this answers your questions, just let me know if you need any more information.
  -Rudy

• IPSEC VPN clients can't reach internal nor external resources

  Hi!
  At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
  Im pretty sure it's not ACL's, although I might be wrong.
  The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
  # Issue 1.
  IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
  When trying to access an external resource, the "translate_hits" below are changed:
  Auto NAT Policies (Section 2)
  1 (outside) to (outside) source dynamic vpn_nat interface
     translate_hits = 37, untranslate_hits = 11
  When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
  5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
      translate_hits = 31, untranslate_hits = 32
  Most NAT, some sensitive data cut:
  Manual NAT Policies (Section 1)
  <snip>
  3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
      translate_hits = 0, untranslate_hits = 0
  4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
      translate_hits = 0, untranslate_hits = 0
  5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
      translate_hits = 22, untranslate_hits = 23
  Auto NAT Policies (Section 2)
  1 (outside) to (outside) source dynamic vpn_nat interface
      translate_hits = 37, untranslate_hits = 6
  Manual NAT Policies (Section 3)
  1 (something_free) to (something_outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  2 (something_something) to (something_outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  3 (inside) to (outside) source dynamic any interface
      translate_hits = 5402387, untranslate_hits = 1519419
  ##  Issue 2, vpn user cannot access anything on internet
  asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  Relevant configuration snippet:
  interface Vlan2
  nameif outside
  security-level 0
  ip address 1.2.3.2 255.255.255.248
  interface Vlan3
  nameif inside
  security-level 100
  ip address 10.0.0.5 255.255.255.0
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network anywhere
  subnet 0.0.0.0 0.0.0.0
  object network something_free
  subnet 10.0.100.0 255.255.255.0
  object network something_member
  subnet 10.0.101.0 255.255.255.0
  object network obj-ipsecvpn
  subnet 172.16.31.0 255.255.255.0
  object network allvpnnet
  subnet 172.16.32.0 255.255.255.0
  object network OFFICE-NET
  subnet 10.0.0.0 255.255.255.0
  object network vpn_nat
  subnet 172.16.32.0 255.255.255.0
  object-group network the_office
  network-object 10.0.0.0 255.255.255.0
  access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
  ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
  ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
  nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
  nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
  nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
  object network vpn_nat
  nat (outside,outside) dynamic interface
  nat (some_free,some_outside) after-auto source dynamic any interface
  nat (some_member,some_outside) after-auto source dynamic any interface
  nat (inside,outside) after-auto source dynamic any interface
  group-policy companyusers attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol IPSec
  default-domain value company.net
  tunnel-group companyusers type remote-access
  tunnel-group companyusers general-attributes
  address-pool ipsecvpnpool
  default-group-policy companyusers
  tunnel-group companyusers ipsec-attributes
  pre-shared-key *****

  Hi,
  I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
  asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  asa# show capture capo
  12 packets captured
     1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
    10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
    11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
    12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
  asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
  asa# show capture capi
  8 packets captured
     1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
  Packet-capture.
  Phase: 1
  Type: CAPTURE
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   172.16.32.1     255.255.255.255 outside
  Phase: 4
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group inside_access_in in interface inside
  access-list inside_access_in extended permit ip any any log
  Additional Information:
  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7     
  Type: DEBUG-ICMP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
  Additional Information:
  Static translate 10.0.0.72/0 to 10.0.0.72/0
  Phase: 9
  Type: HOST-LIMIT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: VPN    
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 11
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_out out interface outside
  access-list outside_access_out extended permit ip any any log
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 5725528, packet dispatched to next module
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: allow

• Connecting Cisco VPN client v5 to asa 5505

  I am having problem configuring remote vpn between ASA5505 and Cisco VPN client v5. I can successfully establish connection between ASA and Vpn client and receive IP address from ASA. VPN client statistics windows shows that packets are send and encrypted but none of the packets is Received/Decrypted.
  Can not ping asa 5505
  Any ideas on what I have missed?

  Your NAT configuration is incomplete, enter the following commands to your configuration:
  access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
  nat (inside) 0 access-list nonat
  This tells the ASA that the traffic destined for the VPN Client should not be NATted and should be sent directly to the client via the VPN Tunnel!
  Please rate if the post helps!
  Regards,
  Michael

• Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication

  Hi Community.
  I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
  I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
  VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
  The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
  I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
  My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
  I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
  What do you think?

  Hi,
  Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
  This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
  - Jouni

• ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?

  Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.

  I don't think it is possible. Following links may help you
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

• ASA , Cisco VPN client with RADIUS authentication

  Hi,
  I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
  All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
  Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
  Thank you.
  Kind regards,
  Alex

  Hi Alex,
  It is working as it should.
  You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
  thanks
  John

• Please Help - CISCO VPN client disconnecting over wireless adapter

  Hi,
  I connect to my work network when at home using the CISCO VPN client. I have a wireless connection at home. My vpn conection had no problem until my laptop once dropped hitting the wireless card reader side on the floor. since then, my vpn disconnects after some time. And this also disconnects my wireless connection at home. When I am not connected to work through th eVPN, we have no problems with my wireless connection. But, when I need to work from home, my vpn keeps getting disconnected and throws me off my wireless conenction too everytime. Can someone please tell me how to check if anything is wrong with the laptop? 

  Ok lets see if we can clear somethings up.
  Using wireless and VPN before the "Drop" was ok?
  Using Wireless and no VPN after the "Drop" is fine?
  Using Wireless and VPN after the "Drop" causes the wireless adapter to disconnect?
  If this is correct probally the best thing to do is to remove the cisco VPN software and reinstall it.
  It can't be anything to do with the "Drop" as using normal wireless is working fine you say.
  and the Cisco VPN Adapter is Virtual.
  Let me know how you get on.

• Cisco VPN Client windows 7

  Hi All,
  We are upgrading from Windows XP to windows 7 , windows XP uses cisco VPN Client 5.0.07.0410 with start before logon ( SBL ), I have few questions
  1) what is the equivalent client for windows 7 ( anyconnect ??? ) and what version we should be going to
  2) We are using Cisco ASA 5520 do we need to do something different in the back end for anyconnect ?
  3) is there a document to install and configure the new client ( anyconnect ) ?? and what need to be done on the backend if any
  Any help is appreciated ,
  Many Thanks in advance
  Rabih

  Hi Rabih,
  1) what is the equivalent client for windows 7 ( anyconnect ??? ) and what version we should be going to.
  A/ Yes, AnyConnect. I would suggest the latest version 3.1.
       Download
  B/ We are using Cisco ASA 5520 do we need to do something different in the back end for anyconnect ?
       Cisco AnyConnect Secure Mobility Client Data Sheet
  C/ Is there a document to install and configure the new client ( anyconnect ) ?? and what need to be done on the backend if any.
      Deploying the AnyConnect Secure Mobility Client
      ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example
      ASA 8.X: AnyConnect Start Before Logon Feature Configuration
  HTH.
  Portu.
  Please rate any helpful posts
  Message was edited by: Javier Portuguez

• Certificate authentication for Cisco VPN client

  I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
  I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
  Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.                    

  Dear Doug ,
            What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
  With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
  1)  What is the AnyConnect Essentials License?
  The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers"  platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
  You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          :  Enabled
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Any connect VPN Configuration .
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

• Will the old Cisco VPN Client (version Windows - 5.0.07.0440) work on a 5510

  I plan to upgrade our Cisco ASA 5510 from 8.2 to 8.3.  However I have 20-30remote users running the older Cisco VPN Client that connect remotely to the ASA (version Windows - 5.0.07.0440 - not Anyconnect).  
  My question is will the upgrade to 8.3 still allow the users to use the same Cisco VPN client or will I need to upgrade each workstation to the newer Cisco AnyConnect?
  I appreciate any help that can be provided.  

  You can do that with no problem. Even the new 9.x ASA software is compatible with the old Cisco VPN client for IPSec remote access VPN.
  That client software might not work very well with newer client operating systems like Windows 8 but the ASA end will continue to allow them to connect.

• Boot camp with Cisco VPN client and smart card

  Looking at a Macbook or Macbook Air and the only reason I need to run windows is to be able to access my work network through the Cisco VPN client and my Smartcard then use remote desktop. From my understanding if I run Bootcamp it should work am I correct? Im going to an Apple store tomorrow hopefully they can help too.
  Thanks

  mrbacklash wrote:
  Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
  I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
  Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
  Message was edited by: BobTheFisherman