Pix 501 IPSec VPN no LAN access and no ping

Similar Messages

• IPSec VPN b/w ISA500 and RV042

  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=Could not change to directory '/etc/ipsec.d/crls';
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=Could not change to directory '/etc/ipsec.d/aacerts': /;
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  error in X.509 certificate default.pem;
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  loaded CA cert file 'default.pem' (2745 bytes);
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  error in X.509 certificate default_key.pem;
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=Changed path to directory '/mnt/shiner/certificate';
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  loaded CA cert file 'default.pem' (2745 bytes);
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  error in X.509 certificate default_key.pem;
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=Changed path to directory '/mnt/shiner/certificate';
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=loading secrets from "/etc/ipsec.secrets";
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=forgetting secrets;
  2013-07-30 11:37:04
  Information
  IPsec VPN
  msg=added connection description "Tunnel0";
  2013-07-30 11:37:02
  Information
  IPsec VPN
  msg="Alabang" #117: deleting state (STATE_MAIN_R1);
  2013-07-30 11:37:02
  Information
  IPsec VPN
  msg="Alabang": deleting connection;
  2013-07-30 11:36:55
  Warning
  IPsec VPN
  msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
  2013-07-30 11:36:55
  Error
  IPsec VPN
  msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
  2013-07-30 11:36:55
  Information
  IPsec VPN
  msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
  2013-07-30 11:36:55
  Information
  IPsec VPN
  msg="Alabang" #117: responding to Main Mode;
  2013-07-30 11:36:55
  Warning
  IPsec VPN
  msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
  2013-07-30 11:36:46
  Information
  IPsec VPN
  msg=Could not change to directory '/etc/ipsec.d/crls';
  2013-07-30 11:36:46
  Information
  IPsec VPN
  msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
  ==============================================================
  Site 1 = Cisco ISA 500. Named as CHI
  Site 2 = Cisco RV042. Named as Alabang
  Shown above is the logs from my ISA 570 IPSec VPN. I have set the same settings for my IKE Policies and my Transform Sets. Attached are the screenshots of my the VPN Settings of my 2 systems. It does show in the table above that the 112.209.172.XXX is unreachable, but please look at screen6.bmp and see that I can very well ping the RV042 system. Please feel free to ask me for more info about my setup.
  On a side note, take a look at Screen5.bmp. This screenie shows that I have an existing WORKING VPN connection to another site with a Linksys RV042, named as Villa. So as you can also see in the screenshot, it has a VPN setup for CHI but it can not connect. Hence my problem above. The VPN setting for Villa is the same as CHI (PFS, IKE, Transforms, PFS).

  Dan,
  Since I'm not a Cisco employee, don't have access to spare ISAs and RVs to setup a lab and test, don't have a setup similar enough to yours to test with, don't have access to your devices, and wouldn't have other than UI access if I did, doing a little trial and error is all I have to work with to assist you.
  That said, it's not random trial and error. From what I'm able to see via your screenshots and explanations, all of your config looks correct. So if everything for Phase 1 & 2 are accurate, then it should work unless there is an interesting traffic mismatch.
  Usually this is pretty straightforward and simple to troubleshoot and confirm. However when you add in additional challenges that come with Multi-WAN support, terminating the VPN on the secondary WAN interface, and PBR, there is a lot of room for possible mistakes as the config is becoming fairly complex.
  So my thought was to remove what I perceived to be the least impacting piece of complexity, which is the custom PBR that is sending those 2 laptops out WAN 2 instead of WAN 1, so that the only non-typical configuration was the VPN terminating on WAN 2.
  Right now I'm assuming the issue isn't the the possibility of the ISA and RV042 being incapable of establishing a VPN. I'm assuming it is either an issue with VPN termination on WAN 2 (which I don't believe is an issue) or something not quite right with PBR and VPN interesting traffic.
  Sent from Cisco Technical Support iPhone App

• ASA 5505 VPN client LAN access problem

  Hello,
  I'm not expert in ASA and routing so I ask some support the following case.
  There is a Cisco VPN client (running on Windows 7) and an ASA5505.
  The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.
  The Skype works well but I cannot access devices in the interface inside via VPN connection.
  Can you please check my following config and give me advice to correct NAT or VPN settings?
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password wDnglsHo3Tm87.tM encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
  access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
  access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 1 10.0.0.0 255.255.255.0
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (outside) 1 10.0.0.0 255.255.255.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.33 inside
  dhcpd dns xx.xx.xx.xx interface inside
  dhcpd enable inside
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server value 84.2.44.1
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem enable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy XXXXXX internal
  group-policy XXXXXX attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
  username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
  username XXXXXX attributes
  vpn-group-policy XXXXXX
  username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
  tunnel-group XXXXXX type ipsec-ra
  tunnel-group XXXXXX general-attributes
  address-pool VPNPOOL
  default-group-policy XXXXXX
  tunnel-group XXXXXX ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
  : end
  ciscoasa#
  Thanks in advance!
  fbela

  config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
  Need to add - config#same-security-traffic permit intra-interface
                                   #access-list extended nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
                                   #nat (inside) 0 access-list nonat
  Please add and test it.
  Thanks
  Ajay

• Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

  Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
  The following is the Layout:
  There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
  I have been able to configure  Client to Site IPSec VPN
  1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
  2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
  But I have not been able to make tradiotional Hairpinng model work in this scenario.
  I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
  Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
  LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
  running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
  ASA Version 8.2(1)
  hostname ciscoasa
  domain-name cisco.campus.com
  enable password xxxxxxxxxxxxxx encrypted
  passwd xxxxxxxxxxxxxx encrypted
  names
  interface GigabitEthernet0/0
  nameif internet1-outside
  security-level 0
  ip address 1.1.1.1 255.255.255.240
  interface GigabitEthernet0/1
  nameif internet2-outside
  security-level 0
  ip address 2.2.2.2 255.255.255.224
  interface GigabitEthernet0/2
  nameif dmz-interface
  security-level 0
  ip address 10.0.1.1 255.255.255.0
  interface GigabitEthernet0/3
  nameif campus-lan
  security-level 0
  ip address 172.16.0.1 255.255.0.0
  interface Management0/0
  nameif CSC-MGMT
  security-level 100
  ip address 10.0.0.4 255.255.255.0
  boot system disk0:/asa821-k8.bin
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name cisco.campus.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network cmps-lan
  object-group network csc-ip
  object-group network www-inside
  object-group network www-outside
  object-group service tcp-80
  object-group service udp-53
  object-group service https
  object-group service pop3
  object-group service smtp
  object-group service tcp80
  object-group service http-s
  object-group service pop3-110
  object-group service smtp25
  object-group service udp53
  object-group service ssh
  object-group service tcp-port
  object-group service udp-port
  object-group service ftp
  object-group service ftp-data
  object-group network csc1-ip
  object-group service all-tcp-udp
  access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
  access-list CSC-OUT extended permit ip host 10.0.0.5 any
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
  access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
  access-list CAMPUS-LAN extended permit ip any any
  access-list csc-acl remark scan web and mail traffic
  access-list csc-acl extended permit tcp any any eq smtp
  access-list csc-acl extended permit tcp any any eq pop3
  access-list csc-acl remark scan web and mail traffic
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
  access-list INTERNET2-IN extended permit ip any host 1.1.1.2
  access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
  access-list DNS-inspect extended permit tcp any any eq domain
  access-list DNS-inspect extended permit udp any any eq domain
  access-list capin extended permit ip host 172.16.1.234 any
  access-list capin extended permit ip host 172.16.1.52 any
  access-list capin extended permit ip any host 172.16.1.52
  access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
  access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
  access-list capout extended permit ip host 2.2.2.2 any
  access-list capout extended permit ip any host 2.2.2.2
  access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu internet1-outside 1500
  mtu internet2-outside 1500
  mtu dmz-interface 1500
  mtu campus-lan 1500
  mtu CSC-MGMT 1500
  ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
  ip verify reverse-path interface internet2-outside
  ip verify reverse-path interface dmz-interface
  ip verify reverse-path interface campus-lan
  ip verify reverse-path interface CSC-MGMT
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-621.bin
  no asdm history enable
  arp timeout 14400
  global (internet1-outside) 1 interface
  global (internet2-outside) 1 interface
  nat (campus-lan) 0 access-list campus-lan_nat0_outbound
  nat (campus-lan) 1 0.0.0.0 0.0.0.0
  nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
  static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
  access-group INTERNET2-IN in interface internet1-outside
  access-group INTERNET1-IN in interface internet2-outside
  access-group CAMPUS-LAN in interface campus-lan
  access-group CSC-OUT in interface CSC-MGMT
  route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
  route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.0.0.2 255.255.255.255 CSC-MGMT
  http 10.0.0.8 255.255.255.255 CSC-MGMT
  http 1.2.2.2 255.255.255.255 internet2-outside
  http 1.2.2.2 255.255.255.255 internet1-outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map internet2-outside_map interface internet2-outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
          a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as
    quit
  crypto isakmp enable internet2-outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash md5
  group 2
  lifetime 86400
  telnet 10.0.0.2 255.255.255.255 CSC-MGMT
  telnet 10.0.0.8 255.255.255.255 CSC-MGMT
  telnet timeout 5
  ssh 1.2.3.3 255.255.255.240 internet1-outside
  ssh 1.2.2.2 255.255.255.255 internet1-outside
  ssh 1.2.2.2 255.255.255.255 internet2-outside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy VPN_TG_1 internal
  group-policy VPN_TG_1 attributes
  vpn-tunnel-protocol IPSec
  username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
  username administrator password xxxxxxxxxxxxxx encrypted privilege 15
  username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
  username vpnuser1 attributes
  vpn-group-policy VPN_TG_1
  tunnel-group VPN_TG_1 type remote-access
  tunnel-group VPN_TG_1 general-attributes
  address-pool vpnpool1
  default-group-policy VPN_TG_1
  tunnel-group VPN_TG_1 ipsec-attributes
  pre-shared-key *
  class-map cmap-DNS
  match access-list DNS-inspect
  class-map csc-class
  match access-list csc-acl
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class csc-class
    csc fail-open
  class cmap-DNS
    inspect dns preset_dns_map
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
  : end
  Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
  Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
  That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted  against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
  I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
  Thanks & Regards
  maxs

  Hi Jouni,
  Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
  But my problem is not solved fully here.
  Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
  Here the packet tracer output for the traffic:
  packet-tracer output
  asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found no matching flow, creating a new flow
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   172.16.0.0      255.255.0.0     campus-lan
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.150.1   255.255.255.255 internet2-outside
  Phase: 5
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group internnet1-in in interface internet2-outside
  access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: CP-PUNT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype:     
  Result: DROP
  Config:
  nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 14, untranslate_hits = 0
  Additional Information:
  Result:
  input-interface: internet2-outside
  input-status: up
  input-line-status: up
  output-interface: internet2-outside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
  dynamic nat
  asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
  Is it possible to access both
  1)LAN behind ASA
  2)INTERNET via HAIRPINNING  
  simultaneously via a single tunnel-group?
  If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
  Thanks & Regards
  Abhijit

• Looking for help to set up l2tp Ipsec vpn on asa 5055

  I am trying to set up a L2tp Ipsec vpn on asa 5055 and I am using windows 8.1 build in VPN client to connect to it. I got the following error. Anyone has experence please help.
  Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing ipsec notify payload for msg id 1
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
  Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE QM Responder FSM error history (struct &0xad6946b8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, 
  EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, 
  EV_COMP_HASH
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
  Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Removing peer from correlator table failed, no match!
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing IKE delete payload
  Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
  Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=232654dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
  Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
  I am new to this so I don't know what I should do next. Thanks

  Here it is. Thanks.
  CL-T179-12IH# show run crypto
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint vpn
   enrollment self
   subject-name CN=174.142.90.17
   crl configure
  crypto ca trustpool policy
  crypto ca certificate chain vpn
   certificate 2d181c55
      308201ff 30820168 a0030201 0202042d 181c5530 0d06092a 864886f7 0d010105
      05003044 31163014 06035504 03130d31 37342e31 34322e39 302e3137 312a3028
      06092a86 4886f70d 01090216 1b434c2d 54313739 2d313249 482e7072 69766174
      65646e73 2e636f6d 301e170d 31353034 31363033 31393439 5a170d32 35303431
      33303331 3934395a 30443116 30140603 55040313 0d313734 2e313432 2e39302e
      3137312a 30280609 2a864886 f70d0109 02161b43 4c2d5431 37392d31 3249482e
      70726976 61746564 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
      03818d00 30818902 818100bf 797d1cc1 cfffc634 8c3b2a4b ce27b1c9 3fc3e026
      4f6cd8f4 c9675aca b5176cef 7f3df142 35ba4e15 2613d34c 91bb5da3 14b34b6c
      71e4ff44 f129046f 7f91e73f 2c9d42f9 93001559 ea6c71c1 1a848073 15da79f7
      a41081ee b4cd3cc3 baa7a272 3a5fb32d 66dedee6 5994d4b2 ad9d7489 44ec9eb9
      44038a2a 817e935f 1bb7ad02 03010001 300d0609 2a864886 f70d0101 05050003
      8181002c 6cee9ae7 a037698a 5690aca1 f01c87db 04d9cbc6 65bda6dc a17fc4b6
      b1fd419e 56df108f b06edfe6 ab5a5eb3 5474a7fe 58970da3 23e6bc6e 36ab8f62
      d5c442bf 43581eb3 26b8cf26 6a667a8b ddd25a73 a094f0d0 65092ff8 d2a644d8
      3d7da7ca efeb9e2f 84807fdf 0cf3d75e bcb65ba4 7b51cb49 f912f516 f95b5d86
      da0e01
    quit
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint vpn
  crypto ikev1 enable outside
  crypto ikev1 policy 10
   authentication crack
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 20
   authentication rsa-sig
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 30
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 40
   authentication crack
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 50
   authentication rsa-sig
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 60
   authentication pre-share
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 70
   authentication crack
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 80
   authentication rsa-sig
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 90
   authentication pre-share
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 100
   authentication crack
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 110
   authentication rsa-sig
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 130
   authentication crack
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 140
   authentication rsa-sig
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 150
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400

• Site-to-site VPN with remote access

  Hello friends,
  Company has a few remote offices and goal is connect all in yhe VPN.
  I have one IPSec VPN tunnel between remote1 and central office.
  Tunnel status is active and everything is ok.
  Other remote offices access to central server over remote desktop public IP address.
  When I add this NAT command to central router configuration:
  ip nat inside source static 192.168.0.10 public_ip_address
  there is no ping in VPN tunnel!!!
  There is problem that at the same moment work station from VPN tunnel and work station of remote office (without VPN tunnel) cant access to central server.
  I have no idea...
  Here is the sh run config from central router>
  hostname ROUTER
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  no aaa new-model
  dot11 syslog
  ip source-route
  ip cef
  ip domain name XXXXXXXXXXXXXXXX.net
  multilink bundle-name authenticated
  username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  archive
  log config
  hidekeys
  crypto isakmp policy 1
  encr cccc
  cccccccc
  authentication pre-share
  group 2
  crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address AA.AA.AA.AA
  crypto ipsec transform-set TS XXXXXX XXXXXXXXX
  crypto map CMAP 10 ipsec-isakmp
  set peer AA.AA.AA.AA
  set transform-set TS
  match address VPN-TRAFFIC
  interface FastEthernet0/1
  description INTERNET
  ip address BB.BB.BB.BB 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map CMAP
  interface FastEthernet0/0/0
  interface FastEthernet0/0/1
  interface FastEthernet0/0/2
  interface FastEthernet0/0/3
  interface Vlan1
  description LAN_MREZA
  ip address 192.168.0.5 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 BB.BB.BB.BB
  no ip http server
  no ip http secure-server
  ip nat pool NAT_POOL CC.CC.CC.CC netmask 255.255.255.252
  ip nat inside source list 100 pool NAT_POOL overload
  ip nat inside source static 192.168.0.10 FF.Ff.FF.FF
  ip access-list extended VPN-TRAFFIC
  permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.0.0 0.0.0.255 any
  control-plane
  line con 0
  password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  login
  line aux 0
  line vty 0 4
  login local
  transport input ssh
  scheduler allocate 20000 1000
  end

  Hi,
  Do you mean that you have
  A VPN Pool of 192.168.111.0/24
  You want it to be able to connect to networks behind a new L2L VPN
  If so, then I see no problem with it.
  You will naturally require NAT configurations and define the interesting traffic
  You will also need to make sure you have "same-security-traffic permit intra-interface" on the firewall with the VPN Client and L2L VPN configuration. This would enable the traffic to enter and leave the same interface which in this case is probably "outside" or something similiar
  - Jouni

• Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

  I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
  I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
  I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
  Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
  With the port forwarding in place, I tested VPN externally but it didn't connect.
  I've done the following so far to no avail:
  Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
  There are no other pre-existing L2RP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
  There was an L2TP port triggering rule enabled, that I toggled on and off with no change
  Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
  Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced its an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
  My router details:
  Verizon Actiontec
  MI424WR-GEN2
  Revision E
  Firmware 20.21.0.2
  Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.
  Solved!
  Go to Solution.

  normally a vpn on that router, will have a GRE tunneling protocol as well.
  two ways to build the PF rules,
  Manually
  Preconfigured
  I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.

• Trouble with PIX 501 user limit?

  I have installed a Cisco PIX 501 at a client's site, and now a couple of weeks later we are having an issue where some computers cannot access the Internet. The PCs can ping the internal interface of the firewall, and can resolve hostnames. But about three of them cannot ping public IP addresses. I thought the arp cache might be corrupted on the switch, so we restarted that to no good effect.
  I suspect that the client has somehow run up against the 10-user limit for their PIX 501 license.
  The site has eight PCs and a server, so it doesn't seem like they should be going over the 10-user limit.
  I'm not much of an expert when it comes to the PIX, so I wonder if someone can tell me how to determine whether this is the case, and maybe give me some tips on how to resolve the issue?
  Thanks very much for any advice you can offer.
  Best regards,
  Zac

  Any chance you can help me make sense of this? Does it really look like we have exceeded the number of allowed connections by over 3400?
  pixfirewall# show local-host
  Interface inside: 10 active, 10 maximum active, 3493 denied
  local host: <192.168.1.2>,
  TCP connection count/limit = 12/unlimited
  TCP embryonic count = 2
  TCP intercept watermark = unlimited
  UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
  PAT Global 67.115.121.230(38600) Local 192.168.1.2(3553)
  PAT Global 67.115.121.230(51033) Local 192.168.1.2(3215)
  PAT Global 67.115.121.230(51037) Local 192.168.1.2(3230)
  PAT Global 67.115.121.230(51050) Local 192.168.1.2(3271)
  PAT Global 67.115.121.230(55215) Local 192.168.1.2(4084)
  PAT Global 67.115.121.230(55228) Local 192.168.1.2(4136)
  PAT Global 67.115.121.230(55231) Local 192.168.1.2(4139)
  etc, etc.

• IPSec VPN & wierd ping issue

  Hi,
  I have a RVS4000 at one location and a second RVS4000 at home.  I have established an IPSec VPN tunnel between them and it is UP.  I can ping the routers from each end no problem.  I can ping  the IPs listed in the "Local Group Setup" and the "Remote Group Setup" from both ends no problem.  I can even open up a shared resource from a Win 7 machine (e.g. by typing \\10.10.10.100\ in start-run from a computer on my home network).
  But - i can't ping anything else on one network from the other.  What gives?  I need to access a 10.10.10.101 machine but can't even ping it.
  - both RVS4000 boxes have latest firmware (V1.3.3.5)
  - home RVS4000 setup with IP 10.10.11.1
  - home network has a server with IP 10.10.11.20
  - other location RVS4000 setup with IP 10.10.10.1
  - other location server setup with IP 10.10.10.100
  Tunnel settings on home RVS4000 (the other location properly mirror these).
    - Local Security Gateway Type :  IP Only
    - Local Security Group Type : Subnet
    - IP Address : 10.10.11.20
    - Subnet Mask : 255.255.255.0
    - Remote Security Gateway Type : IP Only
    - Remote Security Group Type : Subnet
    - IP Address : 10.10.10.100
    - Subnet Mask :  255.255.255.0
  thanks,
  rwpatterson357

  hi
  Just out of interest, what happens when you change the following;
  Tunnel settings on home RVS4000 (the other location properly mirror these).
    - Local Security Gateway Type :  IP Only
    - Local Security Group Type : Subnet
    - IP Address : 10.10.11.20
    - Subnet Mask : 255.255.255.0
    - Remote Security Gateway Type : IP Only
    - Remote Security Group Type : Subnet
    - IP Address : 10.10.10.100
    - Subnet Mask :  255.255.255.0
  to
  Tunnel settings on home RVS4000 (the other location properly mirror these).
    - Local Security Gateway Type :  IP Only
    - Local Security Group Type : Subnet
    - IP Address : 10.10.11.0
    - Subnet Mask : 255.255.255.0
    - Remote Security Gateway Type : IP Only
    - Remote Security Group Type : Subnet
    - IP Address : 10.10.10.0
    - Subnet Mask :  255.255.255.0
  regards Dave

• PIX 501 and Linksys VPN Router (WRV200)

  I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
  sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
  I believe the Linksys vpn routers can only connect via IPSec VPN, so i am looking for help on configuring the PIX 501 to allow the linksys to connect with the following parameters, if possible.
  Key Exchange Method: Auto (IKE)
  Encryption: Auto, 3DES, AES128, AES192, AES256
  Authentication: MD5
  Pre-Shared Key: xxx
  PFS: Enabled/Disabled
  ISAKMP Key Lifetime: 28800
  IPSec Key Lifetime: 3600
  On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
  I chose the following settings when doing the VPN Wizard:
  Type of VPN: Remote Access VPN
  Interface: Outside
  Type of VPN Client Device used: Cisco VPN Client
  (can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
  VPN Client Group
  Group Name: RabyEstates
  Pre Shared Key: rabytest
  Extended Client Authentication: Disabled
  Address Pool
  Pool Name: VPN-LAN
  Range Start: 192.168.2.200
  Range End: 192.168.2.250
  DNS/WINS/Default Domain: None
  IKE Policy
  Encryption: 3DES
  Authentication: MD5
  DH Group: Group 2 (1024-bit)
  Transform Set
  Encryption: 3DES
  Authentication: MD5
  I have attached the VPN log from the Linksys VPN Router.
  This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
  Thanks for your help!

  Hi again,
  I believe the pix has a 3des license because of the following parts of the "show version"
  Licensed Features:
  Failover: Disabled
  VPN-DES: Enabled
  VPN-3DES-AES: Enabled
  This PIX has a Restricted (R) license.
  I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
  As for the other show commands they give:
  pixfirewall# show crypto isakmp sa
  Total : 0
  Embryonic : 0
  dst src state pending created
  pixfirewall# show crypto ipsec sa
  interface: outside
  Crypto map tag: transam, local addr. 10.0.0.1
  local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
  current_peer: 10.0.0.2:0
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
  local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
  path mtu 1500, ipsec overhead 0, media mtu 1500
  current outbound spi: 0
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:
  pixfirewall#
  Thanks again Daniel, i really appreciate your help on this matter.

• Problem with VPN by ASA 5505 and PIX 501

  Hi
  I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
  I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
  When i configure the ASA i have this problem, when i configure nat for easy vpn.
  This is my nat configuration:
  nat (inside) 0 access-list 100
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (inside) 0 0.0.0.0 0.0.0.0 outside
  when i put this command:
  nat (inside) 0 access-list no-nat
  this command is necessary for configuration of easy vpn, but the previous nat:
  nat (inside) 0 access-list 100
  is replace with the latest command.

  To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
  For regular dynamic NAT:
  nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
  no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
  For policy dynamic NAT and NAT exemption:
  nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
  no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

• Transparent Tunneling and Local Lan Access via VPN Client

  Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
  Mike Bowyer

  Hi Mike,
  "Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
  What do you mean exactly with "disabled once the connection is made" ?
  You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
  Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
  Are any local LAN routes displayed when your are connected ?
  And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
  1: This feature works only on one NIC card, the same NIC card as the tunnel.
  2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
  Carsten
  PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.

• PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

  One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly apprecaited although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.           
  Some other info from the client end:
  I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
  Also Tunnel received 0 and sent 115119
  Encryption is 168-bit 3-DES
  Authentication is HMAC-SHA1
  also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
  also Transparent tunneling is selcted but in the stats it states it is inactive
  I am connecting with the Cisco VPN Client Ver 5.0.07.0440
  This config works. It is on the internal net 192.168..40.x and all users obtain dhcp and surf the web. It has required ports opened.The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and youcannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
  I need to  see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x    I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapater but I really do not know for sure.
  Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encrption where there and an issue with the encrypt and ecrypt which was stopping the communicaton via the VPN.
  I still cannot seem to find the issue with this config and any help will be greatly appreciated.
  This is the config
  interface ethernet0 100full
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password somepassword
  hostname hostname
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  object-group network internal_trusted_net
    network-object 192.168.40.0 255.255.255.0
  object-group icmp-type icmp_outside
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    icmp-object source-quench
  access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
  access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list OutToIn permit ip any any
  access-list outbound permit ip any any
  (NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside xxx.xxx.xxx.xxx 255.255.255.248
  ip address inside 192.168.40.2 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside  it still does not work.
  nat (inside) 0 access-list no_nat_inside
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group acl_outside_in in interface outside
  access-group outbound in interface inside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.40.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community $XXXXXX$
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
  crypto dynamic-map clientmap 50 set transform-set 3des_strong
  crypto map vpn 50 ipsec-isakmp dynamic clientmap
  crypto map vpn client configuration address initiate
  crypto map vpn client configuration address respond
  crypto map vpn client authentication LOCAL
  crypto map vpn interface outside
  isakmp enable outside
  isakmp identity address
  isakmp client configuration address-pool local vpn_client_pool outside
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  vpngroup remote-vpn split-tunnel split_tunnel
  vpngroup remote-vpn idle-time 10800
  vpngroup remote-vpn password ANOTHER PASSWORD
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 192.168.40.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 60
  dhcpd address 192.168.40.100-192.168.40.131 inside
  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd enable inside
  username AUSER password PASSWORD privilege 15
  terminal width 80
  ****************** End of config
  I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network)  was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper  for the VPN pool- that it will not work but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly apprecaited. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and viceversa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receive an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in anther post.
  Thank you once again.

  Hi,
  PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
  If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
  But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
  I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
  Here is a PDF of the original ASA5500 Series.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
  Here is a PDF of the new ASA5500-X Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
  I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
  Could you provide the requested outputs?
  From the PIX after connection test
  show crypto ipsec sa
  Screen captures of the VPN Client routing and statistics sections.
  - Jouni

• PIX 501 VPN HELP NO NETWORK ACCESS!

  I need some help please..
  I am trying to connect Windows 7 VPN to L2TP access on the PIX 501. I know that PIX 501 doesn't allow MSCHAP v2. The VPN connects fine but when trying to access the local network and shared drives remote desktop I am not able to connect. I already I have the IPV4 / IPV6 IP Settings on the VPN for use default gateway on remote network unchecked.  Can you please help me configure this correctly if I am configuring incorrectly.
  PIX Version 6.3(4)
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd ANRIhDDsTteQmCkO encrypted
  hostname pixfirewall
  domain-name controller.hopto.org
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list out2in permit tcp any interface outside eq www
  access-list out2in permit tcp any interface outside eq https
  access-list out2in permit tcp any interface outside eq 3074
  access-list out2in permit udp any interface outside eq 88
  access-list out2in permit udp any interface outside eq 3074
  access-list out2in permit udp any interface outside eq domain
  access-list out2in permit tcp any interface outside eq domain
  access-list out2in permit udp any interface outside eq 1701
  access-list nonat permit ip 192.168.1.0 255.255.255.0 172.17.130.0 255.255.255.192
  access-list vpn-cryptomap permit ip any 172.17.130.0 255.255.255.0
  pager lines 24
  logging on
  logging timestamp
  logging standby
  logging buffered informational
  logging trap informational
  mtu outside 1500
  mtu inside 1500
  ip address outside dhcp setroute
  ip address inside 192.168.1.1 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool l2tp-pool 172.17.130.1-172.17.130.254
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 192.168.1.0 255.255.255.0 0 0
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp interface www 192.168.1.33 www netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface domain 192.168.1.30 domain netmask 255.255.255.255 0 0
  static (inside,outside) udp interface domain 192.168.1.30 domain netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface 3074 192.168.1.30 3074 netmask 255.255.255.255 0 0
  static (inside,outside) udp interface 3074 192.168.1.30 3074 netmask 255.255.255.255 0 0
  static (inside,outside) udp interface 88 192.168.1.30 88 netmask 255.255.255.255 0 0
  access-group out2in in interface outside
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  sysopt connection permit-l2tp
  crypto ipsec transform-set cisco-l2tp esp-3des esp-sha-hmac
  crypto ipsec transform-set cisco-l2tp mode transport
  crypto dynamic-map l2tp 30 set transform-set cisco-l2tp
  crypto map dmu 30 ipsec-isakmp dynamic l2tp
  crypto map dmu interface outside
  isakmp enable outside
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp identity address
  isakmp nat-traversal 20
  isakmp policy 5 authentication pre-share
  isakmp policy 5 encryption 3des
  isakmp policy 5 hash sha
  isakmp policy 5 group 2
  isakmp policy 5 lifetime 28800
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 15
  console timeout 0
  vpdn group 2 accept dialin l2tp
  vpdn group 2 ppp authentication pap
  vpdn group 2 client configuration address local l2tp-pool
  vpdn group 2 client authentication local
  vpdn group 2 l2tp tunnel hello 60
  vpdn username Brandon password *********
  vpdn enable outside
  dhcpd address 192.168.1.2-192.168.1.33 inside
  dhcpd dns 4.2.2.1 4.2.2.2
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside
  username Brandon password PX78ZeD.LCbQntqy encrypted privilege 15
  terminal width 80
  Cryptochecksum:6e43dff6ef4837997276c092f9204707
  : end
  Thanks,
  Brandon

  Yes, you can modify it.
  By the way, here is a good link about MS:
  Troubleshooting Microsoft Network Neighborhood After Establishing a VPN Tunnel With the Cisco VPN Client
  HTH.
  Portu.

• ASA 5505 IPSEC VPN connected but can't access to LAN

  ASA : 8.2.5
  ASDM: 6.4.5
  LAN: 10.1.0.0/22
  VPN Pool: 172.16.10.0/24
  Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
  I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
  Below is my configure, do I mis-configure anything?
  ASA Version 8.2(5)
  hostname asatest
  domain-name XXX.com
  enable password 8Fw1QFqthX2n4uD3 encrypted
  passwd g9NiG6oUPjkYrHNt encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.1.253 255.255.252.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.XXX 255.255.255.240
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name vff.com
  access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
  access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
  pager lines 24
  logging enable
  logging timestamp
  logging trap warnings
  logging asdm informational
  logging device-id hostname
  logging host inside 10.1.1.230
  mtu inside 1500
  mtu outside 1500
  ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server AD protocol nt
  aaa-server AD (inside) host 10.1.1.108
  nt-auth-domain-controller 10.1.1.108
  http server enable
  http 10.1.0.0 255.255.252.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 10.1.0.0 255.255.252.0 inside
  ssh timeout 20
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy vpntest internal
  group-policy vpntest attributes
  wins-server value 10.1.1.108
  dns-server value 10.1.1.108
  vpn-tunnel-protocol IPSec l2tp-ipsec
  password-storage disable
  ip-comp disable
  re-xauth disable
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpntest_splitTunnelAcl
  default-domain value XXX.com
  split-tunnel-all-dns disable
  backup-servers keep-client-config
  address-pools value vpnpool
  username admin password WeiepwREwT66BhE9 encrypted privilege 15
  username user5 password yIWniWfceAUz1sUb encrypted privilege 5
  username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
  tunnel-group vpntest type remote-access
  tunnel-group vpntest general-attributes
  address-pool vpnpool
  authentication-server-group AD
  authentication-server-group (inside) AD
  default-group-policy vpntest
  strip-realm
  tunnel-group vpntest ipsec-attributes
  pre-shared-key BEKey123456
  peer-id-validate nocheck
  privilege cmd level 3 mode exec command perfmon
  privilege cmd level 3 mode exec command ping
  privilege cmd level 3 mode exec command who
  privilege cmd level 3 mode exec command logging
  privilege cmd level 3 mode exec command failover
  privilege cmd level 3 mode exec command packet-tracer
  privilege show level 5 mode exec command import
  privilege show level 5 mode exec command running-config
  privilege show level 3 mode exec command reload
  privilege show level 3 mode exec command mode
  privilege show level 3 mode exec command firewall
  privilege show level 3 mode exec command asp
  privilege show level 3 mode exec command cpu
  privilege show level 3 mode exec command interface
  privilege show level 3 mode exec command clock
  privilege show level 3 mode exec command dns-hosts
  privilege show level 3 mode exec command access-list
  privilege show level 3 mode exec command logging
  privilege show level 3 mode exec command vlan
  privilege show level 3 mode exec command ip
  privilege show level 3 mode exec command ipv6
  privilege show level 3 mode exec command failover
  privilege show level 3 mode exec command asdm
  privilege show level 3 mode exec command arp
  privilege show level 3 mode exec command route
  privilege show level 3 mode exec command ospf
  privilege show level 3 mode exec command aaa-server
  privilege show level 3 mode exec command aaa
  privilege show level 3 mode exec command eigrp
  privilege show level 3 mode exec command crypto
  privilege show level 3 mode exec command vpn-sessiondb
  privilege show level 3 mode exec command ssh
  privilege show level 3 mode exec command dhcpd
  privilege show level 3 mode exec command vpnclient
  privilege show level 3 mode exec command vpn
  privilege show level 3 mode exec command blocks
  privilege show level 3 mode exec command wccp
  privilege show level 3 mode exec command dynamic-filter
  privilege show level 3 mode exec command webvpn
  privilege show level 3 mode exec command module
  privilege show level 3 mode exec command uauth
  privilege show level 3 mode exec command compression
  privilege show level 3 mode configure command interface
  privilege show level 3 mode configure command clock
  privilege show level 3 mode configure command access-list
  privilege show level 3 mode configure command logging
  privilege show level 3 mode configure command ip
  privilege show level 3 mode configure command failover
  privilege show level 5 mode configure command asdm
  privilege show level 3 mode configure command arp
  privilege show level 3 mode configure command route
  privilege show level 3 mode configure command aaa-server
  privilege show level 3 mode configure command aaa
  privilege show level 3 mode configure command crypto
  privilege show level 3 mode configure command ssh
  privilege show level 3 mode configure command dhcpd
  privilege show level 5 mode configure command privilege
  privilege clear level 3 mode exec command dns-hosts
  privilege clear level 3 mode exec command logging
  privilege clear level 3 mode exec command arp
  privilege clear level 3 mode exec command aaa-server
  privilege clear level 3 mode exec command crypto
  privilege clear level 3 mode exec command dynamic-filter
  privilege cmd level 3 mode configure command failover
  privilege clear level 3 mode configure command logging
  privilege clear level 3 mode configure command arp
  privilege clear level 3 mode configure command crypto
  privilege clear level 3 mode configure command aaa-server
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
  : end

  I change  a Machine's gateway to this ASA and capture again, now we can see some reply.
  All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
  what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
  add two gateways to all PCs and swtichwes?
  1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
     9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
    10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
    17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
    18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
    19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
    20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
    21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
    22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
    23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request