PPTP VPN - Clients inside Cisco877w - server at workplace

Similar Messages

• How to configure Multiple PPTP VPN Clients on cisco 3g supported Router

  I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
  here is the config for the one that works:
  vpdn-group 1
  request-dialin
  protocol pptp
  rotary-group 0
  initiate-to ip xxx.xxx.xxx.xxx
  interface Dialer0
  mtu 1450
  ip address negotiated
  ip pim dense-mode
  ip nat outside
  ip virtual-reassembly
  zone-member security private
  encapsulation ppp
  ip igmp query-interval 125
  dialer in-band
  dialer idle-timeout 0
  dialer string 123
  dialer vpdn
  dialer-group 1
  no peer neighbor-route
  no cdp enable
  ppp pfc local request
  ppp pfc remote apply
  ppp encrypt mppe auto
  ppp authentication ms-chap-v2 ms-chap eap chap pap callin
  ppp eap refuse
  ppp chap hostname xxx@xxx
  ppp chap password 7 xxxpassword
  But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available.

  I want the router to be a PPTP VPN client to 2 independent PPTP servers, both are in different cities in Cisco routers. I have tested with one on cisco 1841 aqnd its working fine; but when I add the 2nd, its using vpdn-group 1 and therefore connecting to the wrong PPTP server:
  here is the config for the one that works:
  vpdn-group 1
  request-dialin
  protocol pptp
  rotary-group 0
  initiate-to ip xxx.xxx.xxx.xxx
  interface Dialer0
  mtu 1450
  ip address negotiated
  ip pim dense-mode
  ip nat outside
  ip virtual-reassembly
  zone-member security private
  encapsulation ppp
  ip igmp query-interval 125
  dialer in-band
  dialer idle-timeout 0
  dialer string 123
  dialer vpdn
  dialer-group 1
  no peer neighbor-route
  no cdp enable
  ppp pfc local request
  ppp pfc remote apply
  ppp encrypt mppe auto
  ppp authentication ms-chap-v2 ms-chap eap chap pap callin
  ppp eap refuse
  ppp chap hostname xxx@xxx
  ppp chap password 7 xxxpassword
  But if I create a vpdn-group 2 and a Dialer1 interface, with dialer-group 2, its still attempting to connect to the IP in vpdn-group 1 - how do I get it to use the 2nd vpdn-group, or how do I make this work? and which cisco 3G Router you prefer because these are remote sites and only 3G Internet service is available.

• VPN Client and Terminal Server

  We have several clients that allow us to vpn into their systems and it has come to the point that we are getting software incompatabilities. What I am trying to do is set up "compatable" connections on a Terminal server box and let our people access this from their workstations. The problem is when the acuall connection thru the vpn client is made they loose connection to the terminal server. I have tried putting in 2 nic's into the terminal server and am able to allocate one for the terminal server but can not find a way to allocate the other to the VPN CLient. Is this possable or is there another way to accomplish this?
  Thanks

  Close,
  What I have is one machine with 2 nic's
  NIC #1 = Terminal Server Access (local lan only) Locked in via registry settings to use ONLY this NIC
  NIC #2 = I would like to "LOCK" the Client software to use ONLY this nic (has a dynamic IP for local lan and access to the Inet via a router.
  Problem: When you connect to the T-Server all is fine UNTIL you start up the client software to access our clients systems via the web connection to the T-Server on the local side stops and gives the appearance of a frozen screen.
  manualy disconnect person from the T-Server and kill the cisco client software then you can re-connect to the T-Server (and it all starts over again)
  The Cisco software acualy makes the connection to our clients system but we can not tell because it want BOTH the NIC's for itself and stops access via NIC#1 to the T-Server.

• How to enable traffic between VPN clients in Windows Server 2012 R2?

  Hello, 
  I installed Remote Access role with VPN.
  IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
  VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
  One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
  VPN server uses Windows Authentication and Windows Accounting.
  With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
  For example, VPN server has ip 192.168.99.5
  VPN Client 1 - 192.168.99.6
  VPN Client 2 - 192.168.99.7
  I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
  If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets goes to server (192.168.99.5) and next hop - request timeout.
  What else should I configure to allow network traffic between VPN clients?

  Hi,
  To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Snow Leopard PPTP VPN Client with Microsoft  Networks

  I have Snow Leopard machine working fine in local Microsoft network, in this environment it's easy setup wins server, in this case i can see and access all windows machines, but when I access my office network via PPTP VPN I can only see windows machines over finder, when i try to access any machine the connection fails, if i use a windows xp or vista it works fine. How i can tell to VPN the wins server address?

  I have Snow Leopard machine working fine in local Microsoft network, in this environment it's easy setup wins server, in this case i can see and access all windows machines, but when I access my office network via PPTP VPN I can only see windows machines over finder, when i try to access any machine the connection fails, if i use a windows xp or vista it works fine. How i can tell to VPN the wins server address?

• Can't authenticate Mac VPN client from RADIUS server

  Hello,
  I'm a real noob here so please bear with me.
  I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
  I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? this seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
  TIA for any direction you can provide me.
  Christine

  If it helps, here is my config with a some of the non-related bits deleted:
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security50
  enable password ********* encrypted
  passwd ******* encrypted
  hostname pixfirewall
  domain-name acme.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol http 82
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
  access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
  access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
  access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
  access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  ip address outside 207.XXX.XXX.130 255.255.255.0
  ip address inside 192.168.10.1 255.255.255.0
  ip address DMZ 192.168.100.1 255.255.255.0
  multicast interface inside
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
  pdm location 192.168.10.50 255.255.255.255 inside
  pdm group CBI_Servers inside
  pdm logging warnings 100
  pdm history enable
  arp timeout 14400
  global (outside) 200 interface
  global (DMZ) 200 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 200 192.168.10.0 255.255.255.0 0 0
  static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
  static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
  access-group 100 in interface outside
  route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server radius-authport 1812
  aaa-server radius-acctport 1812
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.10.3 255.255.255.255 inside
  no floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
  crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication RADIUS
  crypto map outside_map interface outside
  crypto map inside_map interface inside
  isakmp enable outside
  isakmp nat-traversal 3600
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup Test_VPN address-pool CBI_VPN_Pool
  vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
  vpngroup Test_VPN default-domain acme.com
  vpngroup Test_VPN idle-time 1800
  vpngroup Test_VPN authentication-server RADIUS
  vpngroup Test_VPN user-authentication
  vpngroup Test_VPN user-idle-timeout 1200
  vpngroup Test_VPN password ********
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.10.100-192.168.10.254 inside
  dhcpd dns 142.77.2.101 142.77.2.36
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside

• I cannot route to remote subnets from cisco vpn client and pptp client

  Hi guys,
  I've a big problem, I configured a 877 cisco router as a cisco vpn server (the customer use it to connect to his network from pc) and a pptp vpn server (he use it to connet to the network from a smartphone).
  In this router I created 2 vlan, one for wired network (192.168.10.0/24) and the second one (10.0.0.0/24) for wireless clients and I use fastethernet 3 port to connect these to the router.
  this is the issue, when the customer try to connect to a wireless network from both of vpn clients he cannot do this, but if he try to connect to a wired network client all working fine.
  following the addresses taken from the router.
  - encrypted vpn client -
  ip address. 192.168.10.20
  netmask 255.255.255.0
  Default Gateway. none (blank)
  - pptp vpn client -
  ip address. 192.168.10.21
  netmask. 255.255.255.255
  Default Gateway. 192.168.10.21
  Is possible that I cannot reach the remote subnet because the clients doesn't receive a gateway (in the first case) or receive the wrong subnet/gateway (in the second one)..?
  There is anyone can help me..?
  Thank you very much.
  Many Kisses and Kindly Regards..
  Ilaria

  The default gateway on your PC is not the problem, it will always show as the same IP address (this is no different when you dial up to an ISP, your DG will again be set to your negotiated IP address).
  The issue will be routing within the campus network and more importantly on the PIX itself. The campus network needs a route to the VPN pool of addresses that eventually points back to the PIX.
  The issue here is that the PIX will have a default gateway pointing back out towards your laptop. When you establish a VPN and try and go to an Internet address, the PIX is going to route this packet according to its routing table and send it back out the interface it came in on. The PIX won't do this, and the packet will be dropped. Unless you can set the PIX's routing table to forward Internet packets to the campus network, there's no way around this. Of course if you do that then you'll break connectivity thru the PIX for all the internal users.
  The only way to do this is to configure split tunnelling on the PIX, so that packets destined for the Internet are sent directly from your laptop in the clear just like normal, and any packet destined for the campus network is encrypted and sent over the tunnel.
  Here's the format of the command:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1048524

• Phonefactor with RRAS(Windows Server 2003) - VPN client timeout after 20 seconds -- too fast!

  [Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
  We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they
  just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
  So... now we are trying Phonefactor.
  Our VPN setup is RRAS on a Windows Server 2003 domain controller.
  We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone
  call.
  It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really
  nimble, that is frequently not enough time!
  When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
  How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
  Things we have tried:
  1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
  2) On the windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
  3) On the windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
  4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
  5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
  6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
  7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
  8) Try this registry hack:
  http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
  Any ideas?
  thanks!

  Hi fdc2005,
  Thanks for the post.
  However, generally, we first type User Name, Password, then click connect to establish the VPN connection. Such as:
  Therefore, I have a little confusion about the timeout you mentioned. Would you please provide us more details.
  Regarding error 718, please check if the following could help:
  If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
  Steps to follow for resolution:
  (1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
  (2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
  Quote from:
  Troubleshooting Vista VPN problems.
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• Leopard Server PPTP VPN and Airport, can connect VPN but not AFP/SMB/VNC

  I have on several occasions enabled a PPTP VPN service on Leopard Server and forwarded the appropriate ports in my Airport Extreme with this result: Outside clients can connect to the Leopard Server, but trying to connect to the server with AFP, SMB, Screen sharing or Remote Desktop over this VPN just times out.
  The VPN seems to be working OK, but after establishing the VPN I can't use it. The client (iMac with Mac OS X 10.5.3) gets an IP, DNS, Router etc. from the network's DHCP.
  I have tried setting the server as default host with no effect.
  Everything is running the latest available updates.
  Is there any bug/problem with PPTP VPN passthrough an Airport Extreme on the Server side? Is there anything that needs to be configured other than forwarding port 1723 on the Airport?

  I had a similar problem. Hope my solution can help you.
  Check if the routers on both sides of the VPN connection use the same ip address style (ie. 10.0.0.x, 192.168.1.x). If they both use the same style then they conflict.
  I have a Airport Extreme at home and was VPNing to a server behind a time capsule. Both were using the 10.0.0.x style IP. I switched my home IP style to 192.168.1.x and everything worked right away.

• Remote Desktop/Access shared files over PPTP VPN

  Hello,
  I just bought the RV180W so I can connect to my office computer from anywhere as a VPN client. The two things I need to do while I am connected as a VPN client is to be able to access my files on my office desktop and be able to remote desktop to it as well. I have Win7 on all of my computers. Ideally, I would like to do that over PPTP VPN connection but if that is not possible I can try Cisco QuickVPN software.
  I enabled PPTP on my router and created a user account. I was also able to successfully establish the connection remotely. While I was connected as a PPTP VPN client, I was able to access the Internet and my router setup page which is telling me that the connection is good. However, I was not able to either discover my office PC under my network tab in Win7 nor I was able to remote desktop. I keep my office PC on all the time and it never go to sleep. I did not create any connection policy but maybe this is the problem. Please let me know if you know of a solution.
  Thanks!

  Hi David,
  Thank you for the response.
  I was able to access the router configuration using the local IP address (in my case 192.168.1.1). I don't think I would have been able to access it using the public IP address since I have the router remote management feature disabled.
  Now after reading your email, I was finally able to remote desktop and access shared files through a PPTP VPN connection. Here is what I did:
  1- I separted the PPTP VPN IP address range from my DHCP range (in my case, PPTP VPN range is 192.168.1.200 to 210 and my DHCP range is from 192.168.1.100 to 199)
  2- I assigned my office desktop PC that I am trying to remote desktop to a fixed IP address (192.168.1.20)
  3- For remote desktop, I had to type the IP address (192.168.1.20). Typing the PC name (officepc) or searching for was not working.
  4- For shared files, I had to map a network drive as //192.168.1.20/My Pictures for example. I couldn't find my PC when searched for it under Network.
  After doing all that, I was able to do kinda what I wanted. Ideally, I would have liked to avoid using fixed IP addresses and be able to access computers by their name and see them under the Network tab. Is their a way to do this? I noticed that RV220W offers SSL VPN, would that help me?
  I would appreciate it if you could answer my last two questions.
  Thanks!
  Mustafa

• Using VPN to access Windows server at work - Possible?

  I have an iMac 2.6ghz, running 10.5.7. I have setup a PPTP VPN connection into my server at work, and it says 'connected'. How can I actually 'see' anything on this server? Also, can I see my mail on this server (mail.xxxxxx.com.au/exchange)

  Hi Anthony, and a warm welcome to the forums!
  Is the Server a Mac or PC? What OS? What Sharing is enabled on the other end?

• IPhone VPN client issues

  1. Even if you key in a password for the VPN client, putting the phone to sleep will cause the password to be cleared, requiring you to retype it the next time you start the client.
  2. the only place to type alphanumerics in for the password is on the VPN setup screen, if you just slide the VPN switch to On, you are presented with a numbers only dial pad
  3. The PPTP VPN client only recognizes maximum security, setting to either automatic or none will just hop back to maximum on save.
  4. The network stack doesn't allow you to easily set up special DNS servers for the VPN connection (the equivalent under OS X is to go into System Preferences, Network and select the VPN (PPTP) adapter and enter the DNS information there.
  Since we use VPN to secure our wireless network, that means our iPhone users are unable to use WiFi at the office.
  iPhone Windows XP
  Dell Optiplex GX620 Windows 2000
  iPhone   Windows 2000  

  Scott,
  You're correct (mostly). I've experienced the same issues and have tried to work around them as follows:
  1) Use a numeric password for the VPN user account. Of course, you'll have to enter it each time (did they even test this?) but at least it works.
  4) Depending on your VPN device you should be able to set the DNS addresses via that. I'm using a Cisco ASA and set the DNS via the Group Policy for the DefaultRAGroup.
  The bottom line? iPhone and VPN are not friends. Moreover, the iPhone has no EAP support wireless authentication. I'm a huge Apple fan but that is just stupid.

• VPN client cannot access inside hosts

  Hello,
      I have an ASA 5505 device with the attached configuration and my vpn clients can connect to it fine.  Although, once a vpn client is connected they cannot RDP, ping, or telnet any internal hosts.  The goal is to have a connected vpn client to have all access rights as anyone sitting on the internal network.  Any assistance is greatly appreciated.
  : Saved
  ASA Version 7.2(3)
  hostname Kappa-GW01
  domain-name Kappa.com
  enable password xxxxxxxxx encrypted
  names
  name 172.20.42.42 UMEFTP2 description UMAP FTP2
  name 172.20.40.246 UMEMAIL1 description Exchange Server
  name 172.20.41.3 UMERPS
  name x.x.81.81 Wilkes
  name x.x.84.41 KappaPittston
  dns-guard
  interface Ethernet0/0
  shutdown
  nameif outside
  security-level 0
  ip address x.x.148.194 255.255.255.248
  interface Ethernet0/1
  nameif Outside_Windstream
  security-level 0
  ip address x.x.205.210 255.255.255.240
  interface Ethernet0/2
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  passwd 7Tpgc2AiWGxbNjkj encrypted
  boot system disk0:/asa723-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name Kappa.com
  object-group network Blue_Bell_Internal_Networks
  description Blue Bell internal network Group
  network-object 192.168.100.0 255.255.255.0
  network-object 10.0.0.0 255.255.255.0
  network-object 10.0.1.0 255.255.255.0
  network-object 10.0.2.0 255.255.255.0
  object-group network VPN-Sites
  network-object host Wilkes
  network-object host KappaPittston
  object-group network Michigan_VPN_GRP
  network-object 172.20.40.0 255.255.252.0
  object-group network ASA_OutSide_Vendors
  description ASA OutSide Vendor Access
  access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list 101 extended permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list 101 extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list 101 extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
  access-list KappaVPN_splitTunnelAcl remark Blue Bell Office
  access-list KappaVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
  access-list KappaVPN_splitTunnelAcl remark Williamston Office
  access-list KappaVPN_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
  access-list KappaVPN_splitTunnelAcl remark Pittston Office
  access-list KappaVPN_splitTunnelAcl standard permit 10.0.10.0 255.255.255.0
  access-list KappaVPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.20.40.0 255.255.252.0 inactive
  access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.30.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.10.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
  access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
  access-list umeemp_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
  access-list umeemp_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
  access-list umeemp_splitTunnelAcl standard permit 10.0.30.0 255.255.255.0
  access-list umeemp_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
  access-list outside_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list 102 extended permit tcp any any eq 2000
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq smtp
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq pop3 inactive
  access-list Outside_Winstream_access_in extended permit udp object-group VPN-Sites interface Outside_Windstream eq isakmp
  access-list Outside_Winstream_access_in extended permit tcp object-group ASA_OutSide_Vendors host x.x.205.217 eq 4080
  access-list Outside_Winstream_access_in remark SMTP Access
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq smtp
  access-list Outside_Winstream_access_in remark POP access
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq pop3
  access-list Outside_Winstream_access_in remark OWA Access
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq https
  access-list Outside_Winstream_access_in extended permit tcp host x.x.87.65 host x.x.205.218 eq 3389
  access-list Outside_Winstream_access_in extended permit udp host x.x.56.111 eq ntp host x.x.205.216 eq ntp
  access-list Outside_Winstream_access_in remark OWA UMAP
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq https
  access-list Outside_Winstream_access_in remark JLAN
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.215 eq https
  access-list Outside_Winstream_access_in remark UMERPS
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq https
  access-list Outside_Winstream_access_in remark UMERPS
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq ssh
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq https
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq 5494
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.214 eq www
  access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq 8081
  access-list Outside_Winstream_access_in extended permit icmp any any echo
  access-list outside_6_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list outside_6_cryptomap extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_11 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_10 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_5 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list Outside_Windstream_cryptomap_12 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list Outside_Windstream_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
  access-list nonat extended permit ip any any inactive
  pager lines 24
  logging enable
  logging asdm debugging
  logging flash-bufferwrap
  mtu outside 1500
  mtu Outside_Windstream 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn-pool 192.168.100.100-192.168.100.200
  no failover
  monitor-interface outside
  monitor-interface Outside_Windstream
  monitor-interface inside
  monitor-interface management
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (Outside_Windstream) 1 x.x.205.216 netmask 255.0.0.0
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 172.20.40.0 255.255.252.0
  nat (inside) 1 10.0.0.0 255.255.0.0
  static (inside,Outside_Windstream) x.x.205.217 10.0.0.20 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.220 10.0.0.21 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.218 10.0.0.15 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.215 172.20.40.145 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.211 UMEMAIL1 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.212 UMERPS netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.213 172.20.40.243 netmask 255.255.255.255
  static (inside,Outside_Windstream) x.x.205.214 172.20.40.146 netmask 255.255.255.255
  access-group acl_inbound in interface outside
  access-group Outside_Winstream_access_in in interface Outside_Windstream
  route Outside_Windstream 0.0.0.0 0.0.0.0 x.x.205.209 1
  route inside 172.20.40.0 255.255.252.0 10.0.0.3 1
  route inside 10.0.30.0 255.255.255.0 10.0.0.254 1
  route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server BBPA-SRV-DC01 protocol radius
  aaa-server BBPA-SRV-DC01 host 10.0.0.15
  timeout 5
  key G6G7#02bj!
  aaa-server UMAP protocol radius
  aaa-server UMAP host 172.20.40.245
  timeout 5
  key gfrt1a
  aaa-server UMAP host 172.20.40.244
  timeout 5
  key gfrt1a
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 10.0.0.0 255.255.255.0 inside
  http 10.0.0.15 255.255.255.255 inside
  http 192.168.1.0 255.255.255.0 management
  http 192.168.100.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map Outside_Windstream_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map Outside_Windstream_dyn_map 40 set pfs
  crypto dynamic-map Outside_Windstream_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto map outside_map 5 match address outside_5_cryptomap
  crypto map outside_map 5 set peer Wilkes
  crypto map outside_map 5 set transform-set ESP-3DES-SHA
  crypto map outside_map 10 match address outside_6_cryptomap
  crypto map outside_map 10 set peer KappaPittston
  crypto map outside_map 10 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto map Outside_Windstream_map 5 match address Outside_Windstream_cryptomap_5
  crypto map Outside_Windstream_map 5 set peer Wilkes
  crypto map Outside_Windstream_map 5 set transform-set ESP-3DES-SHA
  crypto map Outside_Windstream_map 10 match address Outside_Windstream_cryptomap_10
  crypto map Outside_Windstream_map 10 set peer KappaPittston
  crypto map Outside_Windstream_map 10 set transform-set ESP-3DES-SHA
  crypto map Outside_Windstream_map 65535 ipsec-isakmp dynamic Outside_Windstream_dyn_map
  crypto map Outside_Windstream_map interface Outside_Windstream
  crypto isakmp enable Outside_Windstream
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 3600
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp nat-traversal  20
  telnet 10.0.0.0 255.255.0.0 inside
  telnet timeout 5
  ssh 10.0.0.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ftp
    inspect skinny
    inspect pptp
  service-policy global_policy global
  webvpn
  enable Outside_Windstream
  svc image disk0:/sslclient-win-1.1.4.177.pkg 1
  svc enable
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server none
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc required
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy umeemp internal
  group-policy umeemp attributes
  dns-server value 172.20.40.245
  vpn-filter none
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value KappaVPN_splitTunnelAcl
  default-domain value umapinc.com
  group-policy KappaVPN internal
  group-policy KappaVPN attributes
  wins-server value 10.0.0.15
  dns-server value 10.0.0.15
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value umeemp_splitTunnelAcl
  default-domain value kappa.loc
  username gwadmin password AVjtEPq7nvtiAAk0 encrypted
  tunnel-group DefaultWEBVPNGroup general-attributes
  address-pool vpn-pool
  authentication-server-group BBPA-SRV-DC01
  authorization-required
  tunnel-group KappaVPN type ipsec-ra
  tunnel-group KappaVPN general-attributes
  address-pool vpn-pool
  authentication-server-group BBPA-SRV-DC01
  default-group-policy KappaVPN
  tunnel-group KappaVPN ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.131.62 type ipsec-l2l
  tunnel-group x.x.131.62 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.232.2 type ipsec-l2l
  tunnel-group x.x.232.2 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.49.114 type ipsec-l2l
  tunnel-group x.x.49.114 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.226.218 type ipsec-l2l
  tunnel-group x.x.226.218 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.116.133 type ipsec-l2l
  tunnel-group x.x.116.133 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.21.36 type ipsec-l2l
  tunnel-group x.x.21.36 ipsec-attributes
  pre-shared-key *
  tunnel-group umeemp type ipsec-ra
  tunnel-group umeemp general-attributes
  address-pool vpn-pool
  authentication-server-group UMAP
  default-group-policy umeemp
  tunnel-group umeemp ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.81.81 type ipsec-l2l
  tunnel-group x.x.81.81 ipsec-attributes
  pre-shared-key *
  tunnel-group x.x.84.41 type ipsec-l2l
  tunnel-group x.x.84.41 ipsec-attributes
  pre-shared-key *
  prompt hostname context
  Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
  : end
  asdm image disk0:/asdm-523.bin
  no asdm history enable

  I'm sorry, I misunderstood what you were asking.  Yes those three networks are on the inside of our ASA.  we have 2 outside of the ASA (10.0.2.x, 10.0.10.x).  When our clients vpn they connect to the x.x.205.210 ip address, which maps them depending on the preshared key that puts them on either the kappaVPN or the umeempVPN.  (I am kind of new to configuring the ASA).  When the cisco vpn client connects to the network, I checked the statistics and it lists all of our LAN networks under secure routes.  I cannot ping anything inside the LAN nor can I connect RDP, telnet or anything.
  Hope this answers your questions, just let me know if you need any more information.
  -Rudy

• Remote Access VPN Clients Cannot Access inside LAN

  I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with.  I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  Thay can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
  : Saved
  ASA Version 8.2(1)
  hostname ASA5505
  domain-name default.domain.invalid
  enable password eelnBRz68aYSzHyz encrypted
  passwd eelnBRz68aYSzHyz encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group dataDSL
  ip address 76.244.75.57 255.255.255.255 pppoe
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.9.1 255.255.255.0
  interface Vlan10
  nameif outside_cable
  security-level 0
  ip address 50.84.96.178 255.255.255.240
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 10
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit intra-interface
  object-group service Netbios udp
  port-object eq 139
  port-object eq 445
  port-object eq netbios-ns
  object-group service Netbios_TCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  object-group network DM_INLINE_NETWORK_1
  network-object host 192.168.100.177
  network-object host 192.168.100.249
  object-group service Web_Services tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_10
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_11
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_2
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_3
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_4
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_5
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_6
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_7
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_8
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_9
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network VPN
  network-object 192.168.255.0 255.255.255.0
  access-list outside_access_in extended permit icmp any host 76.244.75.61
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
  access-list dmz_access_in remark Quickbooks
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
  access-list dmz_access_in remark Quickbooks range
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
  access-list dmz_access_in remark QB
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
  access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
  access-list dmz_access_in remark Printer
  access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
  access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
  access-list dmz_access_in remark QB probably does not need any udp
  access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark QB included in other rule range
  access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark May be required for Quickbooks
  access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
  access-list Local_LAN_Access standard permit host 0.0.0.0
  access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
  access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered informational
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500 
  mtu outside_cable 1500
  ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
  ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 10 interface
  global (outside_cable) 10 interface
  nat (inside) 0 access-list nonat-in
  nat (inside) 10 0.0.0.0 0.0.0.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  nat (dmz) 10 0.0.0.0 0.0.0.0
  static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
  static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
  static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
  access-group outside_access_in in interface outside
  access-group dmz_access_in in interface dmz
  access-group outside_cable_access_in in interface outside_cable
  route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.100.0 255.255.255.0 inside
  http 204.107.173.0 255.255.255.0 outside
  http 204.107.173.0 255.255.255.0 outside_cable
  http 0.0.0.0 0.0.0.0 outside_cable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_cable_map interface outside_cable
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp enable outside_cable
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 192.168.100.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.100.0 255.255.255.0 inside
  ssh 204.107.173.0 255.255.255.0 outside
  ssh 204.107.173.0 255.255.255.0 outside_cable
  ssh 0.0.0.0 0.0.0.0 outside_cable
  ssh timeout 15
  console timeout 0
  vpdn group dataDSL request dialout pppoe
  vpdn group dataDSL localname [email protected]
  vpdn group dataDSL ppp authentication pap
  vpdn username [email protected] password *********
  dhcpd address 192.168.100.30-192.168.100.99 inside
  dhcpd dns 192.168.100.5 68.94.156.1 interface inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec l2tp-ipsec
  group-policy cad_supplies_RAVPN internal
  group-policy cad_supplies_RAVPN attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
  group-policy VPNPHONE internal
  group-policy VPNPHONE attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec
  split-tunnel-policy excludespecified
  split-tunnel-network-list value Local_LAN_Access
  client-firewall none
  client-access-rule none
  username swinc password BlhBNWfh7XoeHcQC encrypted
  username swinc attributes
  vpn-group-policy cad_supplies_RAVPN
  username meredithp password L3lRjzwb7TnwOyZ1 encrypted
  username meredithp attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone1 attributes
  vpn-group-policy VPNPHONE
  username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone2 attributes
  vpn-group-policy VPNPHONE
  username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone3 attributes
  vpn-group-policy VPNPHONE
  username oethera password WKJxJq7L6wmktFNt encrypted
  username oethera attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
  username markh attributes
  vpn-group-policy cad_supplies_RAVPN
  tunnel-group DefaultRAGroup general-attributes
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cad_supplies_RAVPN type remote-access
  tunnel-group cad_supplies_RAVPN general-attributes
  address-pool VPN_IP_range
  default-group-policy cad_supplies_RAVPN
  tunnel-group cad_supplies_RAVPN ipsec-attributes
  pre-shared-key *
  tunnel-group VPNPHONE type remote-access
  tunnel-group VPNPHONE general-attributes
  address-pool VPN_Phone
  default-group-policy VPNPHONE
  tunnel-group VPNPHONE ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 1500
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
  : end

  Hi,
  You have your "group-policy" set so that you have excluding some networks from being tunneled.
  In this access-list named Local_LAN_Access you specify "0.0.0.0"
  Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
  This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
  - Jouni

• VPN client connect to CISCO 887 VPN Server bat they stop at router!!

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.5.2/24)
  |
  |
  CISCO-887 (192.168.5.4) with VPN server
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on xp machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
  They can ping only router!!!
  They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Peraps ACL problem?
  Building configuration...
  Current configuration : 5019 bytes
  ! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname gate
  boot-start-marker
  boot-end-marker
  no logging buffered
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-453216506
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-453216506
  revocation-check none
  rsakeypair TP-self-signed-453216506
  crypto pki certificate chain TP-self-signed-453216506
  certificate self-signed 01
          quit
  ip name-server 212.216.112.222
  ip cef
  no ipv6 cef
  password encryption aes
  license udi pid CISCO887VA-K9 sn ********
  username adm privilege 15 secret 5 *****************
  username user1 secret 5 ******************
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key 6 *********\*******
  dns 192.168.5.2
  wins 192.168.5.2
  domain domain.local
  pool SDM_POOL_1
  save-password
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group EXTERNALS
     client authentication list ciscocp_vpn_xauth_ml_2
     isakmp authorization list ciscocp_vpn_group_ml_2
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Loopback0
  ip address 10.10.10.10 255.255.255.0
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  pvc 8/35
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip unnumbered Dialer0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.5.4 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly in
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ******@*******.****
  ppp chap password 0 alicenewag
  ppp pap sent-username ******@*******.**** password 0 *********
  ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 1 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.5.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 permit ip 192.168.5.0 0.0.0.255 any
  dialer-list 1 protocol ip permit
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  end

  Hello,
  Your pool of VPN addresses is overlapping with the interface vlan1.
  Since proxy-arp is disabled on that interface, it will never work
  2 solutions
  1- Pool uses a different network than 192.168.5
  2- Enable ip proxy-arp on interface vlan1
  Cheers,
  Olivier