Problem with Remote Access VPN on ASA 5505

Similar Messages

• VM with remote access VPN without split tunneling

  Hello experts,
  I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
  My Question to Experts:
  1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
  2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
  Thanks for your help,
  Razi                

  Did you figure this out?

• Remote access vpn connects to 5505 but cannot ping any servers

  I have a cisco 5505 and am trying to configure it with ASDM 6.4.
  My vpn client connects ok to the network but I am unable to reach any of the servers.
  I'm sure its a simple configuration issue as I don't have much experience with Cisco configuation.
  Any suggestions on where to look would be much appreciated.
  Thanks in advance
  Graham

  Thanks Jennifer.
  Running config:
  Cryptochecksum: 21ec6d8c 73515258 ed808b45 e154b1c6
  : Saved
  : Written by admin at 17:42:19.318 GMT/IDT Thu Sep 20 2012
  ASA Version 8.2(5)
  hostname IS-18241
  enable password p2SKmVPuBXX32cE encrypted
  passwd 2KFnbXXKXX encrypted
  names
  name 78.129.xxx.xx IS-18223_External
  name 192.168.100.2 IS-18223_Internal
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  interface Vlan1
  nameif Inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif Outside
  security-level 0
  ip address 78.129.xxx.xx 255.255.255.0
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone GMT/IST 0
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list basic extended permit tcp any any eq 3389
  access-list basic extended permit tcp any any eq ssh
  access-list basic extended permit tcp any any eq www
  access-list basic extended permit tcp any any eq 902
  access-list basic extended permit tcp any any eq https
  access-list basic extended permit icmp any any
  access-list allow extended permit ip any any
  access-list Inside_nat0_outbound extended permit ip any host IS-18223_Internal
  access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0
  access-list Inside_nat_outbound extended permit ip 192.168.100.0 255.255.255.0 any
  pager lines 24
  logging enable
  logging asdm informational
  mtu Inside 1500
  mtu Outside 1500
  ip local pool RemoteAddressPool 192.168.100.100-192.168.100.150 mask 255.255.255.128
  icmp unreachable rate-limit 1 burst-size 1
  asdm location IS-18223_External 255.255.255.255 Inside
  asdm location IS-18223_Internal 255.255.255.255 Inside
  no asdm history enable
  arp timeout 14400
  global (Inside) 1 interface
  global (Outside) 1 interface
  nat (Inside) 0 access-list Inside_nat0_outbound
  nat (Inside) 1 access-list Inside_nat_outbound
  static (Inside,Outside) IS-18223_External IS-18223_Internal netmask 255.255.255.255
  access-group allow in interface Inside
  access-group allow out interface Inside
  access-group basic in interface Outside
  access-group allow out interface Outside
  route Outside 0.0.0.0 0.0.0.0 78.129.xxx.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 Outside
  no snmp-server location
  no snmp-server contact
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map Outside_map interface Outside
  crypto isakmp enable Outside
  crypto isakmp policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 Outside
  ssh timeout 60
  ssh version 2
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  dns-server value 87.117.198.200 87.117.237.100
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SplitTunnel
  username XX password uvgXvd9nQEHdkA73 encrypted privilege 15
  username XX password 3CUtfh8r/IKb6DxX encrypted
  username XX attributes
  service-type remote-access
  tunnel-group Remote type remote-access
  tunnel-group Remote general-attributes
  address-pool RemoteAddressPool
  tunnel-group Remote ipsec-attributes
  pre-shared-key 5|J5XX&6u*
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:21ec6d8c73515258ed808b45e154b1c6
  : end

• Is it possible to this with remote-access vpn?

  Hi
  I have access to my enterprise network through Cisco VPN (software) client and it goes through remote-access ipsec vpn setup on an ASA 5510. Everything works fine.
  But now users that connect to the enterprise network have in addition need to access remote sites networks that are connected through the site-to-site VPN tunnels: IPSec tunnels between mentioned ASA5510 and remote ASA5510s and ASA5505s in branch offices.
  Is it possible?
  If yes what shoud I consider to make it work?
  My setup looks like
  enterprise network:                                    10.1.1.0/24
  remote vpn clients get ip adresses from:  10.0.5.0/28
  remote branch 1 network:                         10.1.10.0/24
  remote branch 2 network:                         10.1.20.0/24
  remote branch 3 network:                         10.1.30.0/24
  there is NAT exemption rule that exempts networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24
  All traffic from local network 10.1.1.0/24 have full ip connectivity with all the networks in branch offices. The PROBLEM is that remote vpn clients can reach only local network 10.1.1.0/24, but not the remote networks.
  The ASAs in remote branch offices has set up NAT exemption towards both local network 10.1.1.0/24 and remote access clients network 10.0.5.0/28, but as I said, it doesn't go. Please help!
  Thanks in advance!
  Zoran

  Yes you can..
  Let's take 1 remote branch network as an example: branch 1 network (10.1.10.0/24):
  On Enterprise ASA:
  - If you have split tunnel configured for the VPN Client, you would need to also add the remote branch network in the list (10.1.10.0/24).
  - Crypto ACL between the Enterprise ASA and remote branch 1 ASA needs to have the following added:
  access-list permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0
  - "same-security-traffic permit intra-interface" needs to be configured
  On remote branch 1 ASA:
  - Crypto ACL between remote branch 1 ASA and Enterprise ASA needs to have the following added:
  access-list permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
  - NAT exemption rule to exempt the traffic:
  access-list permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
  Clear the tunnels from both end, and test the connectivity.
  Hope this helps.

• VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

  Hi,  I've been pulling my hair out trying to get simple vlan trunking working between these devices.
  Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200.  I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc).   Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
  VLAN 1 - inside (has separate dhcp scope assigned by ASA)
  VLAN 99 - guest (has separate dhcp scope assigned by ASA)
  SG200
  purpose
  ASA 5505 (Sec Plus license)
  purpose
  g2
  Trunk 1UP,99T
  Ubiquiti AP (VLAN 1 works, VLAN 99 does not
  g3
  Access port 99T
  vlan 99 does not work
  g8
  Trunk 1UP, 99T
  < Trunk between switch and ASA >
  Int e0/2
  switchport trunk allowed vlan 1,99
   switchport trunk native vlan 1
   switchport mode trunk
  Int e0/3
  switchport trunk allowed vlan 1,99
   switchport trunk native vlan 1
   switchport mode trunk
  Second ubiquiti AP
  Both VLAN 1 and VLAN 99 clients work properly

  Frustrated - yes.  Confused - maybe not as much, but I could have put some more effort into the overall picture.
  There are two VLANs (1 - native) and (99 - guest).   There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.    
  No clients connected to the SG200 on VLAN 99  are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP.   The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
  Anything connected to the SG200 on the native VLAN works properly.
  Anything connected to the ASA VLANs (1 or 99) works properly
  I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
  I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
  SG200 g2 - trunk port (1UP, 99T) -- Access Point
  SG200 g2 - access port (99U)
  SG200 g8 - trunk port (1UP, 99T)  connected to ASA5505  e0/3  
  ASA5505 e0/3  (switchport trunk allowed vlan 1,99,  switchport trunk native vlan 1,  switchport mode trunk)
  Thanks,

• Help with Remote access VPN on Cisco router 3925 via Dialer Interface

  Hi Everybody,
  I need help for my work now, I appreciate if someone can fix my problem.I have a Cisco router 3925 and access Internet via PPPoE link.  I want config VPN Remote Access and using software Cisco VPN client. But it doesn't  work.. Here my config router :
  HUNRE#show running-config
  Building configuration...
  Current configuration : 5515 bytes
  ! No configuration change since last restart
  version 15.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname HUNRE
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$vEFw$rLfvLglzUgddCVwXDx03K.
  enable password cisco
  aaa new-model
  aaa session-id common
  crypto pki trustpoint TP-self-signed-1050416327
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1050416327
   revocation-check none
   rsakeypair TP-self-signed-1050416327
  crypto pki certificate chain TP-self-signed-1050416327
   certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31303530 34313633 3237301E 170D3134 30393235 31313534
    31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30353034
    31363332 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100CC79 74FCFABE 81183B70 5A9F4A53 EB609754 7D5F8587 9150B76E 3207A86E
    5B65F9E9 6CDAC21A 6D69221D 1FF61632 14763308 43B2A1CC 8EE5ABAC EF07530E
    3F0D35FE F08C955B 60B52B92 F8F54D53 DD6DD623 01F83493 02F9C49A F0C3483D
    3B48A008 8D96700E 88924BFE DE00201B DE5965DE 32898CAD 9012AB55 76B6F39B
    2D470203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 14C3418C BC35F3D9 B26B2475 2BB5F826 060525AB B3301D06
    03551D0E 04160414 C3418CBC 35F3D9B2 6B24752B B5F82606 0525ABB3 300D0609
    2A864886 F70D0101 05050003 81810070 AC7C26C6 4606A551 1A3FD6C5 2A5AEAE8
    35DAC86E F8885E26 51F6EEAE 7565D3AA D532C8F3 55F6656F D103F38C 8FBDE7F1
    83E77143 76469040 7FEA41E8 14963DB3 F7F28EA0 C5F2F42C B186B75C AAB04900
    15F9CB38 A16964F5 4E7B4378 35041AA8 AE8EC181 D58D6A62 676E286A 7B9D80E6
    35A0B9FB FB76E976 3D2A19D7 006078
          quit
  ip name-server 210.245.1.253
  ip name-server 210.245.1.254
  ip cef    
  no ipv6 cef
  multilink bundle-name authenticated
  vpdn enable
  vpdn-group 1
  vpdn-group 2
  license udi pid C3900-SPE100/K9 sn FOC1823839B
  license boot module c3900 technology-package securityk9
  username cisco privilege 15 secret 5 $1$aAjB$D3iLyPFTE7O1bHPnKSJcH0
  username kdhong privilege 15 secret 5 $1$nfyX$FO1BPTabCUaE6uKQwpLT.1
  redundancy
  track 1 ip sla 1 reachability
  track 2 ip sla 2 reachability
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp client configuration group VPN-HUNRE
   key hunre
   dns 8.8.8.8
   domain hunre
   pool IP-VPN
   acl 199
   max-users 100
  crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
   mode tunnel
  crypto dynamic-map DYNMAP 1
   set transform-set encrypt-method-1
  crypto map VPN client configuration address respond
  crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
  interface Embedded-Service-Engine0/0
   no ip address
   shutdown
  interface GigabitEthernet0/0
   ip address 192.168.1.1 255.255.255.0
   ip mtu 1492
   ip nat inside
   ip virtual-reassembly in
   ip tcp adjust-mss 1412
   duplex auto
   speed auto
  interface GigabitEthernet0/1
   description FPT
   no ip address
   ip tcp adjust-mss 1412
   duplex auto
   speed auto
   pppoe enable group global
   pppoe-client dial-pool-number 1
  interface GigabitEthernet0/2
   description Connect to CMC
   no ip address
   ip mtu 1442
   ip nat outside
   ip virtual-reassembly in
   ip tcp adjust-mss 1412
   duplex auto
   speed auto
   pppoe enable group global
   pppoe-client dial-pool-number 2
   no cdp enable
  interface Dialer1
   ip address negotiated
   ip mtu 1452
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname [USERNAME]
   ppp chap password 0 [PASSWORD]
   ppp pap sent-username [USERNAME] password 0 [PASSWORD]
   ppp ipcp dns request
   crypto map VPN
  interface Dialer2
   description Logical ADSL Interface 2
   ip address negotiated
   ip mtu 1442
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   ip tcp adjust-mss 1344
   dialer pool 2
   dialer-group 2
   ppp authentication chap pap callin
   ppp chap hostname [USERNAME]
   ppp chap password 0 [PASSWORD]
   ppp pap sent-username [USERNAME] password 0 [PASSWORD]
   ppp ipcp address accept
   no cdp enable
  ip local pool IP-VPN 10.252.252.2 10.252.252.245
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 10 interface Dialer1 overload
  ip nat inside source list 11 interface Dialer2 overload
  ip nat inside source static 10.159.217.10 interface Dialer1
  ip nat inside source list 199 interface Dialer1 overload
  ip nat inside source static tcp 10.159.217.10 80 210.245.54.49 80 extendable
  ip nat inside source static tcp 10.159.217.10 3389 210.245.54.49 3389 extendable
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 10.159.217.0 255.255.255.0 192.168.1.8
  ip sla auto discovery
  ip sla responder
  dialer-list 1 protocol ip permit
  dialer-list 2 protocol ip permit
  access-list 10 permit any
  access-list 11 permit any
  access-list 101 permit icmp any any
  access-list 199 permit ip any any
  control-plane
  line con 0
  line aux 0
  line 2
   no activation-character
   no exec
   transport preferred none
   transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
   stopbits 1
  line vty 0 4
   password cisco
   transport input all
  line vty 5 15
   password cisco
   transport input all
  scheduler allocate 20000 1000
  ntp master
  end
  However, I cannot ping interfac Dialer 1. I using Cisco vpn client software ver 5.0.07.0290.
  Hopeful for your answers !
  Thanks

  Hi David Castro,
  Thanks for your answer,
  I configed following your guide, but it have not worked yet. I saw that I cannot ping IP gateway Internet . I using ADSL Internet and config PPPoE  and my router receive IP from ISP. Here show ip int brief :
  GigabitEthernet0/0         192.168.1.1     YES NVRAM  up                    up      
  GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
  GigabitEthernet0/2         unassigned      YES NVRAM  up                    up      
  Dialer1                    210.245.54.49   YES IPCP   up                    up      
  Dialer2                    101.99.7.73     YES IPCP   up                    up      
  NVI0                       192.168.1.1     YES unset  up                    up      
  Virtual-Access1            unassigned      YES unset  up                    up      
  Virtual-Access2            unassigned      YES unset  up                    up      
  Virtual-Access3            unassigned      YES unset  up                    up 
  But I cannot ping Interface Dialer 1, so may be VPN is does not worked. Do you have some ideal ?
  Thanks very much !

• Problems with SMTP port forwarding on ASA 5505

  Cannot telnet to port 25 to test for SMTP traffic.  Packet trace indicates that the packet is dropped by the implicit rule, but I have tried an access rule specifically for SMTP, and the trace appears to skip the rule and drop the packet when it hits the implicit default drop rule.  Can anyone help?  Here is my configuration:
  ASA Version 8.2(5)
  hostname XXXXXXXXXXXXXXXXX
  enable pXXXXXXXXXXXXXXXXXXXXX encrypted
  passwd XXXXXXXXXXXXXXXXXX encrypted
  names
  name XXX.XXX.XXX.74 DNI-HOST1
  name XXX.XXX.XXX.184 DNI-HOST2
  name 192.168.1.2 Server
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.130 255.255.255.248
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  object-group service rdp tcp
  port-object eq 3389
  access-list INBOUND extended permit icmp any any time-exceeded
  access-list INBOUND extended permit icmp any any echo-reply inactive
  access-list INBOUND extended permit icmp any any
  access-list INBOUND extended permit tcp any any eq smtp
  access-list INBOUND extended permit tcp any any eq https
  access-list INBOUND extended permit tcp any eq 3389 any object-group rdp
  pager lines 24
  logging enable
  logging buffered warnings
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 192.168.1.0 255.255.255.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  access-group INBOUND in interface outside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http DNI-HOST2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca [REDACTED]
    quit
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh 206.190.255.0 255.255.255.0 outside
  ssh DNI-HOST2 255.255.255.255 outside
  ssh DNI-HOST1 255.255.255.255 outside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  username Administrator password XXXXXXXXXXXXXXXXXXXX encrypted
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  : end

  Thanks.  I made the suggested changes, here are the results of packer-tracer:
  ASA# packet-tracer input outside tcp 1.2.3.4 1234 XXX.XXX.XXX.130 25
  Phase: 1
  Type: UN-NAT
  Subtype: static
  Result: ALLOW
  Config:
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    match tcp inside host Server eq 25 outside any
      static translation to XXX.XXX.XXX.130/25
      translate_hits = 0, untranslate_hits = 3
  Additional Information:
  NAT divert to egress interface inside
  Untranslate XXX.XXX.XXX.130/25 to Server/25 using netmask 255.255.255.255
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group INBOUND in interface outside
  access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
  Additional Information:
  Phase: 3
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 4
  Type: INSPECT
  Subtype: inspect-smtp
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect esmtp _default_esmtp_map
  service-policy global_policy global
  Additional Information:
  Phase: 5
  Type: HOST-LIMIT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: NAT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    match tcp inside host Server eq 25 outside any
      static translation to XXX.XXX.XXX.130/25
      translate_hits = 0, untranslate_hits = 3
  Additional Information:
  Phase: 7
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    match tcp inside host Server eq 25 outside any
      static translation to XXX.XXX.XXX.130/25
      translate_hits = 0, untranslate_hits = 3
  Additional Information:
  Phase: 8
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 24392, packet dispatched to next module
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: allow
  I'm not all that experienced with translating these results, but on the surface, it appears to be passing traffic.  However, I still cannt telnet to the public IP using port 25.  I am using Putty as my telnet client and it doesn't generate an error.  At no time am I able to interact with the prompt in the putty window. The putty window just closes abruptly after about 10 seconds.  Does the line in Phase 7 containing 'untranslate_hits=3' have anything to do with my issue?
  Here is the new config:
  NUGENT-ASA# show run
  : Saved
  ASA Version 8.2(5)
  hostname NUGENT-ASA
  enable password XXXXXXXXXXXXXXXXXXXX encrypted
  passwd XXXXXXXXXXXXXXXXXX encrypted
  names
  name XXX.XXX.XXX.74 DNI-HOST1
  name XXX.XXX.XXX.184 DNI-HOST2
  name 192.168.1.2 Server
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.130 255.255.255.248
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  object-group service rdp tcp
  port-object eq 3389
  access-list INBOUND extended permit icmp any any time-exceeded
  access-list INBOUND extended permit icmp any any echo-reply inactive
  access-list INBOUND extended permit icmp any any
  access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
  pager lines 24
  logging enable
  logging buffered warnings
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 192.168.1.0 255.255.255.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (outside,inside) tcp interface smtp Server smtp netmask 255.255.255.255
  access-group INBOUND in interface outside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http DNI-HOST2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca [REDACTED]
    quit
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh 206.190.255.0 255.255.255.0 outside
  ssh DNI-HOST2 255.255.255.255 outside
  ssh DNI-HOST1 255.255.255.255 outside
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd dns 8.8.8.8 4.2.2.2
  dhcpd address 192.168.1.100-192.168.1.131 inside
  dhcpd dns 8.8.8.8 4.2.2.2 interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  username Administrator password XXXXXXXXXXXXXXXXXXXXXXX encrypted
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
  : end

• Remote Access VPN, how to specify on which interface clients will be placed on?

  Hi,
  I have a general understanding problem with remote access VPN and Cisco ASA.
  If I have an ASA with multiple interfaces and I want to make sure that a Remote Access VPN Client is placed onto a specific interface, how do I do this?
  example:
  ASA has 4 interfaces: outside, inside-clients, inside-workers, inside-lab.
  I want to allow multiple Remote Access VPN configurations that put clients coming from "outside" to "inside-lab" and "inside-clients", with two different profiles and two different IP pools, as the IP addresses for each of the interfaces is different.
  How do I do that?
  If possible be as explanatory as possible for me to really grasp the concept.
  Many thanks
  Pat

  Hi,
  The ASA will view the hosts in its routing table behind the ASA interface which forms the VPN connection with the VPN Client. This is most of the time the interface called "outside".
  By default the ASA allows all traffic coming from a VPN connection to bypass the interface ACL of the ASA. The thought process behind this is I guess the fact that the VPN devices/clients have already proven they have right to connect to the network to all traffic is allowed.
  The configuration that controls this setting globally on the ASA is
  sysopt connection permit-vpn
  The above is the default setting of the command and it WONT show up in the CLI format configurations because its a default setting.
  If you were to issue the following command
  no sysopt connection permit-vpn
  Then this would mean that the ASA would require an ACL statement on its VPN terminating interface (outside) to permit the traffic from the VPN Pool to the LAN networks.
  Naturally you would have to take into consideration also that if you have existing VPNs and insert the above global command they would also need ACL statements on the "outside" interface ACL or the inbound traffic from the VPN will start to get blocked.
  Other option (wihtout touching the above setting) would be to configure VPN Filter ACL that is a separate ACL that is only attached to a certain user or group of users.
  I personally prefer the method of using the above global setting and using the "outside" interface ACL to control traffic.
  Naturally it still leaves the question of how you are going to configure the Tunnel Groups, Group Policys and Usernames. To be honest, I have gotten a bit distracted from VPN client setups and have forgotten a lot of stuff since I dont work with them on a day to day basis. I mostly handle L2L VPN nowadays among normal firewall configurations.
  If I had to suggest something simple at this point it would be this
  Configure separate Tunnel Groups
  Configure separate VPN Pools for the above Tunnel Groups
  Configure separate Group Policys for the above Tunnel Groups
  Configure the above mentioned Global setting to limit inbound traffic from VPN
  Configure the "outside" interface ACL so that you only permit traffic from a certain VPN Tunnel Group users only to certain LAN networks
  Configure the required NAT0 configurations for traffic between these networks
  As Marcin said, there are multiple different ways to achieve the same thing as above.
  And as I said I have gotten a bit rusty with the VPN Client side on the ASA so I am not sure if at the moment I can even consider all the possible options but surely the simple ones.
  PS. The link that Marcin posted seems to point to a Group Policy setting that would let you lock the that VPN connection to use only a certain local Vlan (subinterface) on the ASA and therefore limit traffic from going to networks behind other interfacec
  Hope this helps
  - Jouni

• Remote Access VPN strange behavior

  Hello all,
  I have a problem with remote access VPN on a ASA5505 (8.2).
  I can establish a VPN connection and can ping the ASA, but nothing else on the network! Not only ping isn't working, I've also tried RDP, HTTP, and file access.
  Additionally there is a site-to-site VPN to this ASA, which is working perfectly.
  I have another ASA5505 which is almost configured the same and there it's working, so I really don't know where the problem is.
  I hope you guys can help me!
  Many thanks in advance!
  Here's my config:
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.2(1)
  hostname Shanghai
  domain-name *******.local
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 172.20.18.0 network-vpnclient
  name 172.20.16.8 SHDC01
  interface Vlan1
   nameif inside
   security-level 100
   ip address 172.20.16.1 255.255.248.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address ***.***.***.62 255.255.255.252
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone SGT 8
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 172.20.16.1
   domain-name *****.local
  same-security-traffic permit inter-interface
  access-list nonat extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
  access-list nonat extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
  access-list split_tunnel standard permit 172.20.16.0 255.255.248.0
  access-list acl-in extended permit icmp any any
  access-list acl-in extended permit tcp any host ***.***.***.190 eq h323
  access-list VPN_acl extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
  access-list outside_cryptomap extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool client-vpn 172.20.18.1-172.20.18.254 mask 255.255.248.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 172.20.16.0 255.255.248.0
  static (inside,outside) tcp interface h323 192.168.0.250 h323 netmask 255.255.255.255
  access-group acl-in in interface outside
  route outside 0.0.0.0 0.0.0.0 ***.***.***.61 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ActiveDirectory protocol ldap
  aaa-server ActiveDirectory (inside) host SHDC01
   server-port 3268
   ldap-base-dn DC=*****,DC=local
   ldap-scope subtree
   ldap-login-password *
   ldap-login-dn CN=Administrator,CN=Users,DC=lap-laser,DC=local
   server-type microsoft
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 172.20.0.0 255.255.248.0 inside
  http 172.20.16.0 255.255.248.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt noproxyarp inside
  crypto ipsec transform-set laplaserset esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 20 set transform-set laplaserset
  crypto map laplasermap 1 match address outside_cryptomap
  crypto map laplasermap 1 set pfs group5
  crypto map laplasermap 1 set peer **.***.***.51
  crypto map laplasermap 1 set transform-set ESP-AES-256-SHA
  crypto map laplasermap 65535 ipsec-isakmp dynamic dynmap
  crypto map laplasermap interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 5
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  crypto isakmp policy 11
   authentication pre-share
   encryption aes-256
   hash sha
   group 5
   lifetime 86400
  crypto isakmp policy 30
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd address 172.20.16.50-172.20.17.1 inside
  dhcpd dns SHDC01 interface inside
  dhcpd option 3 ip 172.20.16.1 interface inside
  dhcpd enable inside
  vpnclient vpngroup lapserver password ********
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  group-policy user-vpn internal
  group-policy user-vpn attributes
   wins-server value 172.20.16.8
   dns-server value 172.20.16.8
   vpn-tunnel-protocol IPSec webvpn
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value split_tunnel
   default-domain value *****.local
  username admin password VQiqjZZuUSQOWz6. encrypted
  username adminlogin password qZwgnR/XebVbOZxI encrypted
  tunnel-group connection2 type ipsec-l2l
  tunnel-group connection2 ipsec-attributes
   pre-shared-key *
  tunnel-group **.***.***.51 type ipsec-l2l
  tunnel-group **.***.***.51 ipsec-attributes
   pre-shared-key *
  tunnel-group user-vpn type remote-access
  tunnel-group user-vpn general-attributes
   address-pool client-vpn
   authentication-server-group ActiveDirectory
   default-group-policy user-vpn
   dhcp-server 172.20.16.1
  tunnel-group user-vpn ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny  
    inspect sunrpc
    inspect xdmcp
    inspect sip  
    inspect netbios
    inspect tftp
    inspect dns preset_dns_map
    inspect http
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:bc5e7b4ca01a2227885487ab3520ea9c
  : end

  I note in your config that the pool of addresses for remote access VPN is a group of addresses included within the range of addresses on the inside interface. I have seen situations where this caused problems and so have a couple of suggestions:
  - do the devices connected on the inside network have routes to the vpn pool of addresses?
  - if you change the vpn address pool to use addresses that do not overlap with your inside network, does the behavior change?
  HTH
  Rick

• Does ASA Service Module on 6509-E support Remote Access VPN ?

  I'm having a problem configuring Remote Access VPN (SSL, Anyconnect ect.) on ASA Service Module on 6509-E. Is this even supported  or am i wasting my time trying to make something work which will not work in a first place :) ? Site-to-Site works without any problems.
  Tech Info:
  6509-E running SUP 2T 15.1(2)SY
  ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
  Licenses on ASA:
  Encryption-DES - Enabled
  Encryption-3DES-AES  -Enabled
  Thanks in Advance for support.

  Are you running multiple context mode?
  If you are, remote access VPN is not supported in that case:
  "Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
  Reference.

• ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

  Hi community,
  I configured IPSec remote Access VPN in ASA, and remote client use Cisco VPN client to connect to the HQ. The VPN is working now, VPN clients can connect to Servers inside and IT's subnet, but from my PC or Servers inside LAN cannot ping or initial a RDP to connected VPN clients. Below is my configuration:
  object-group network RemoteVPN_LocalNet
   network-object 172.29.168.0 255.255.255.0
   network-object 172.29.169.0 255.255.255.0
   network-object 172.29.173.0 255.255.255.128
   network-object 172.29.172.0 255.255.255.0
  access-list Split_Tunnel remark The Corporation network behind ASA
  access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
  ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
  nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dyn1 1 set ikev1 transform-set myset
  crypto map mymap 65000 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  tunnel-group remotevpngroup type remote-access
  tunnel-group remotevpngroup general-attributes
   address-pool remotevpnpool
   authentication-server-group MS_LDAP LOCAL
   default-group-policy Split_Tunnel_Policy
  I don't know what I miss in order to have internal LANs initial connection to connected vpn clients. Please guide me.
  Thanks in advanced.

  Hi tranminhc,
  Step 1: Create an object.
  object network vpn_clients
   subnet 10.88.61.0 mask 255.255.255.0
  Step 2: Create a standard ACL.
  access-list my-split standard permit ip object RemoteVPN_LocalNet
  Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
  no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  Step 4: Create new nat exemption.
  nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
  Step 5: Apply ACL on the tunnel.
  group-policy Split_Tunnel_Policy attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value my-split
  Step 6:
  I assume you have a default route on your inside L3 switch point back to ASA's inside address.  If you don't have one.
  Please add a default or add static route as shown below.
  route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx 
  xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
  Hope this helps.
  Thanks
  Rizwan Rafeek

• Remote Access VPN on Cisco ASA Problem

  Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
  Problem is that my internet has stopped working, and default route is just showing stars.
  i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
  what additional required to force my internet to go to regular internet instead of getting encrypted?
  Also attaching output of route print at the point when VPN is connected.
  ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
  crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
  crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
  crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
  crypto map VPN_MAP interface outside
  isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  tunnel-group ITT_RA type remote-access
  tunnel-group ITT_RA general-attributes
  address-pool RA_VPN_POOL
  default-group-policy RA_VPN_GP
  tunnel-group ITT_RA ipsec-attributes
  pre-shared-key <group key>
  group-policy RA_VPN_GP internal
  group-policy RA_VPN_GP attributes
  dns-server value 10.0.0.1 10.0.0.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
  default-domain value mydomain.com
  address-pools value RA_VPN_POOL
  access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  nat (inside) 0 access-list nonattest
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
            0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
         10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
       10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
       10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
      10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
        10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

  Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
  Problem is that my internet has stopped working, and default route is just showing stars.
  i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
  what additional required to force my internet to go to regular internet instead of getting encrypted?
  Also attaching output of route print at the point when VPN is connected.
  ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
  crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
  crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
  crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
  crypto map VPN_MAP interface outside
  isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  tunnel-group ITT_RA type remote-access
  tunnel-group ITT_RA general-attributes
  address-pool RA_VPN_POOL
  default-group-policy RA_VPN_GP
  tunnel-group ITT_RA ipsec-attributes
  pre-shared-key <group key>
  group-policy RA_VPN_GP internal
  group-policy RA_VPN_GP attributes
  dns-server value 10.0.0.1 10.0.0.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
  default-domain value mydomain.com
  address-pools value RA_VPN_POOL
  access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  nat (inside) 0 access-list nonattest
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
            0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
         10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
       10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
       10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
      10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
        10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

• Remote access VPN with ASA 5510 using DHCP server

  Hi,
  Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
  I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
  ASA Version 8.2(5)
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.6.0.12 255.255.254.0
  ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
  route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
  crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dyn1 1 set transform-set FirstSet
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface inside
  crypto isakmp enable inside
  crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
  vpn-addr-assign aaa
  vpn-addr-assign dhcp
  group-policy testgroup internal
  group-policy testgroup attributes
  dhcp-network-scope 10.6.192.1
  ipsec-udp enable
  ipsec-udp-port 10000
  username testlay password *********** encrypted
  tunnel-group testgroup type remote-access
  tunnel-group testgroup general-attributes
  default-group-policy testgroup
  dhcp-server 10.6.20.3
  tunnel-group testgroup ipsec-attributes
  pre-shared-key *****
  I got following output when I test connect to ASA with Cisco VPN client 5.0
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
  4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
  Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
  [OK]
  kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
  Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
  Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
  Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
  Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
  Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
  Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
  Regards,
  Lay

  For RADIUS you need a aaa-server-definition:
  aaa-server NPS-RADIUS protocol radius
  aaa-server NPS-RADIUS (inside) host 10.10.18.12
    key *****   
    authentication-port 1812
    accounting-port 1813
  and tell your tunnel-group to ask that server:
  tunnel-group VPN general-attributes
    authentication-server-group NPS-RADIUS LOCAL
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Remote Access VPN ASA

                Hi Guys
  I have a problem with a Remote Access VPN on a ASA 5510 8.6.2
  I have created a IPSEC Remote Access VPN through the wizard this is pretty much a base install on the ASA without much configuration.
  I can connect to the ASA via the Remote Access client and get TX just no RX therefore i cannot access any of the LAN resources
  here is a copy of the config any help would be appreciated.    
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.252
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.2.1.252 255.255.240.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name perfectdomain.perfect-image.co.uk
  same-security-traffic permit inter-interface
  object network Inside-Network
  subnet 10.2.0.0 255.255.240.0
  description Inside Network
  object network NETWORK_OBJ_192.168.1.0_27
  subnet 192.168.1.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group network LOCAL_NETWORKS_VPN
  access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
  access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 4430
  http 10.2.0.0 255.255.240.0 management
  http 10.2.0.0 255.255.240.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.2.0.0 255.255.240.0 inside
  telnet timeout 5
  ssh 10.2.0.0 255.255.240.0 management
  ssh 10.2.0.0 255.255.240.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  dhcpd address 10.2.1.253-10.2.2.252 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RAIPSECTUNNEL internal
  group-policy RAIPSECTUNNEL attributes
  dns-server value 10.2.1.7 10.2.1.8
  vpn-tunnel-protocol ikev1
  default-domain value perfectdomain.perfect-image.co.uk
  username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
  username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
  tunnel-group RAIPSECTUNNEL type remote-access
  tunnel-group RAIPSECTUNNEL general-attributes
  address-pool RAIPSECPOOL
  default-group-policy RAIPSECTUNNEL
  tunnel-group RAIPSECTUNNEL ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
  : end
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.252
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.2.1.252 255.255.240.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name perfectdomain.perfect-image.co.uk
  same-security-traffic permit inter-interface
  object network Inside-Network
  subnet 10.2.0.0 255.255.240.0
  description Inside Network
  object network NETWORK_OBJ_192.168.1.0_27
  subnet 192.168.1.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group network LOCAL_NETWORKS_VPN
  access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any
  access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 4430
  http 10.2.0.0 255.255.240.0 management
  http 10.2.0.0 255.255.240.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.2.0.0 255.255.240.0 inside
  telnet timeout 5
  ssh 10.2.0.0 255.255.240.0 management
  ssh 10.2.0.0 255.255.240.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  dhcpd address 10.2.1.253-10.2.2.252 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RAIPSECTUNNEL internal
  group-policy RAIPSECTUNNEL attributes
  dns-server value 10.2.1.7 10.2.1.8
  vpn-tunnel-protocol ikev1
  default-domain value perfectdomain.perfect-image.co.uk
  username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
  username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
  tunnel-group RAIPSECTUNNEL type remote-access
  tunnel-group RAIPSECTUNNEL general-attributes
  address-pool RAIPSECPOOL
  default-group-policy RAIPSECTUNNEL
  tunnel-group RAIPSECTUNNEL ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d
  : end

  Hi Jouni
  Still not working I am afraid, here is the current running config, I have noticed when I connect via VPN client the default gateway address on the VPN client is 192.168.1.2 ?? anymore help would be appreciated
  thank you
  hostname PIFW01
  domain-name perfectdomain.perfect-image.co.uk
  enable password pBWHd.sDdzPIDYW/ encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 10.2.1.251 255.255.255.0
  interface GigabitEthernet0/1
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  nameif outside
  security-level 0
  ip address 212.135.154.130 255.255.255.252
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.2.1.252 255.255.240.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name perfectdomain.perfect-image.co.uk
  same-security-traffic permit inter-interface
  object network Inside-Network
  subnet 10.2.0.0 255.255.240.0
  description Inside Network
  object network NETWORK_OBJ_192.168.1.0_27
  subnet 192.168.1.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network VPNPool
  subnet 192.168.1.0 255.255.255.0
  description VPNPool
  object network VPN-POOL
  subnet 192.168.1.0 255.255.255.0
  object network LAN
  subnet 10.2.1.0 255.255.255.0
  access-list inside_access_in extended permit ip object LAN any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
  nat (inside,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 212.135.154.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 4430
  http 10.2.0.0 255.255.240.0 management
  http 10.2.0.0 255.255.240.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.2.0.0 255.255.240.0 inside
  telnet timeout 5
  ssh 10.2.0.0 255.255.240.0 management
  ssh 10.2.0.0 255.255.240.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 10
  console timeout 0
  dhcpd address 10.2.1.253-10.2.2.252 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RAIPSECTUNNEL internal
  group-policy RAIPSECTUNNEL attributes
  dns-server value 10.2.1.7 10.2.1.8
  vpn-tunnel-protocol ikev1
  default-domain value perfectdomain.perfect-image.co.uk
  username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
  username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
  tunnel-group RAIPSECTUNNEL type remote-access
  tunnel-group RAIPSECTUNNEL general-attributes
  address-pool RAIPSECPOOL
  default-group-policy RAIPSECTUNNEL
  tunnel-group RAIPSECTUNNEL ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f50aaad7c3ecaf94382ff0cc887bb5ac
  : end

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan