Remote Access VPN ASA

Similar Messages

• Multicast via Remotes Access VPN (ASA)

  Hi all,
    I have an ASA 5505 that I would like to use as a head end device for several customers to RA into so they can access our TEST network.  The trouble is that the TEST net provides multicast video streams that my clients need to see.  I am currently doing this with a Windows Server and Clients via L2TP.  How can I do this with the ASA instead?  I know IPSEC doesn't support multicast.....can anything be done?

  Hi,
  Currently IPSec / Any connect doesn't support multicast over vpn tunnel. As you have now it is possible through L2TP with L2TP client / ASA / Windows Server or if you have IOS router it can be possible through DMVPN/GETVPN....
  Regards
  Karthik

• Remote access vpn clients, access to Internet resources

  Hello, we currently have a remote access vpn set up terminating on an ASA 5520.  Remote access users connect into this ASA and are able to access resources inside of the firewall- the public IP of the ASA is 1.1.1.135.  We need these users to be able to access resources natted behind another ASA firewall on the same public IP segment, at IP address 1.1.1.165.
  I have gotten to the point where I believe I have all of my Nat/global statements in place, along with my ACLs on both firewalls, but I am not able to make the connection to the server behind the second ASA.
  running packet tracer on the second ASA (hosting the 1.1.1.165 server) shows that the packet will be allowed.  RUnning packet tracer on the Remote access VPN ASA is showing that the packet is dropped due to :
  Action: drop
  Drop-reason: (ipsec-spoof) IPSEC Spoof detected
  To me, this should be a simple setup, very similar to a company that tunnels all traffic (including Internet traffic) for remote access VPN users.  It just doesn't seem like my traffic is getting to the second ASA wioth the remote host.
  Anyone have any ideas?

  I figured out the answer- I had to add a nat statement form my VPN user subnet to be natted to the outside global IP:
  nat (outside) 1 10.2.2.0 255.255.255.0 (this is my vpn subnet)
  global (outside) 1 interface

• ASA Remote Access VPN Clients - Multiple DNS Suffixes?

  Hi community!
  I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
  We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
  I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
  Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
  Full marks for helpful posts!
  Kind regards, Ash.

  Hi
  I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
  I have a remote access requirement for users from separate AD's to authenticate through an ASA.
  I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
  Regards

• Problem with Remote Access VPN on ASA 5505

  I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
  The VPN client logs are as follows:
  Cisco Systems VPN Client Version 5.0.07.0440
  Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
  Client Type(s): Windows, WinNT
  Running on: 6.2.9200
  2      15:09:21.240  12/11/12  Sev=Info/4    CM/0x63100002
  Begin connection process
  3      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100004
  Establish secure connection
  4      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100024
  Attempt connection with server "**.**.***.***"
  5      15:09:21.287  12/11/12  Sev=Info/6    IKE/0x6300003B
  Attempting to establish a connection with **.**.***.***.
  6      15:09:21.287  12/11/12  Sev=Info/4    IKE/0x63000001
  Starting IKE Phase 1 Negotiation
  7      15:09:21.303  12/11/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
  8      15:09:21.365  12/11/12  Sev=Info/6    GUI/0x63B00012
  Authentication request attributes is 6h.
  9      15:09:21.334  12/11/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = **.**.***.***
  10     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
  11     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
  Peer is a Cisco-Unity compliant peer
  12     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
  Peer supports XAUTH
  13     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
  Peer supports DPD
  14     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
  Peer supports NAT-T
  15     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
  Peer supports IKE fragmentation payloads
  16     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000001
  IOS Vendor ID Contruction successful
  17     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
  18     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000055
  Sent a keepalive on the IPSec SA
  19     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000083
  IKE Port in use - Local Port =  0xFBCE, Remote Port = 0x1194
  20     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000072
  Automatic NAT Detection Status:
     Remote end is NOT behind a NAT device
     This   end IS behind a NAT device
  21     15:09:21.334  12/11/12  Sev=Info/4    CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  22     15:09:21.365  12/11/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = **.**.***.***
  23     15:09:21.365  12/11/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
  24     15:09:21.365  12/11/12  Sev=Info/4    CM/0x63100015
  Launch xAuth application
  25     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700008
  IPSec driver successfully started
  26     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700014
  Deleted all keys
  27     15:09:27.319  12/11/12  Sev=Info/4    CM/0x63100017
  xAuth application returned
  28     15:09:27.319  12/11/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
  29     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = **.**.***.***
  30     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
  31     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
  32     15:09:27.365  12/11/12  Sev=Info/4    CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
  33     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300005E
  Client sending a firewall request to concentrator
  34     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
  35     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = **.**.***.***
  36     15:09:27.397  12/11/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
  37     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
  38     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
  39     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
  40     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
  41     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
  42     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
  43     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
  44     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
  45     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
  46     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
  47     15:09:27.397  12/11/12  Sev=Info/4    CM/0x63100019
  Mode Config data received
  48     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000056
  Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
  49     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
  50     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = **.**.***.***
  51     15:09:27.444  12/11/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
  52     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000045
  RESPONDER-LIFETIME notify has value of 86400 seconds
  53     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000047
  This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
  54     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = **.**.***.***
  55     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
  56     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
  57     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000049
  Discarding IPsec SA negotiation, MsgID=CE99A8A8
  58     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000017
  Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
  59     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = **.**.***.***
  60     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000058
  Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
  61     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
  62     15:09:27.490  12/11/12  Sev=Info/4    IPSEC/0x63700014
  Deleted all keys
  63     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x6300004B
  Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
  64     15:09:30.475  12/11/12  Sev=Info/4    CM/0x63100012
  Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  65     15:09:30.475  12/11/12  Sev=Info/5    CM/0x63100025
  Initializing CVPNDrv
  66     15:09:30.475  12/11/12  Sev=Info/6    CM/0x63100046
  Set tunnel established flag in registry to 0.
  67     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x63000001
  IKE received signal to terminate VPN connection
  68     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
  Deleted all keys
  69     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
  Deleted all keys
  70     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
  Deleted all keys
  71     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x6370000A
  IPSec driver successfully stopped
  The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
  : Saved
  ASA Version 8.2(5)
  hostname NCHCO
  enable password hTjwXz/V8EuTw9p9 encrypted
  passwd hTjwXz/V8EuTw9p9 encrypted
  names
  name 192.168.2.0 NCHCO description City Offices
  name 192.168.2.80 VPN_End
  name 192.168.2.70 VPN_Start
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address **.**.***.*** 255.255.255.248
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
  access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
  access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
  access-list LAN_Access standard permit NCHCO 255.255.255.0
  access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (outside) 0 access-list outside_nat0_outbound
  route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  network-acl outside_nat0_outbound
  webvpn
    svc ask enable default svc
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http **.**.***.*** 255.255.255.255 outside
  http 74.218.158.238 255.255.255.255 outside
  http NCHCO 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
  crypto ipsec transform-set l2tp-transform mode transport
  crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map dyn-map 10 set pfs group1
  crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
  crypto dynamic-map dyn-map 10 set reverse-route
  crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 74.219.208.50
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto map vpn-map 1 match address outside_1_cryptomap_1
  crypto map vpn-map 1 set pfs group1
  crypto map vpn-map 1 set peer 74.219.208.50
  crypto map vpn-map 1 set transform-set ESP-3DES-SHA
  crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
  crypto isakmp identity address
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 15
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 35
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp ipsec-over-tcp port 10000
  client-update enable
  telnet 192.168.1.0 255.255.255.0 inside
  telnet NCHCO 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh NCHCO 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.150-192.168.2.225 inside
  dhcpd dns 216.68.4.10 216.68.5.10 interface inside
  dhcpd lease 64000 interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.2.1
  vpn-tunnel-protocol IPSec l2tp-ipsec
  default-domain value nchco.local
  group-policy DfltGrpPolicy attributes
  dns-server value 192.168.2.1
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  password-storage enable
  ipsec-udp enable
  intercept-dhcp 255.255.255.0 enable
  address-pools value VPN_Pool
  group-policy NCHVPN internal
  group-policy NCHVPN attributes
  dns-server value 192.168.2.1 8.8.8.8
  vpn-tunnel-protocol IPSec l2tp-ipsec
  default-domain value NCHCO
  username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
  username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
  username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
  tunnel-group DefaultRAGroup general-attributes
  address-pool (inside) VPN_Pool
  address-pool VPN_Pool
  authentication-server-group (inside) LOCAL
  authentication-server-group (outside) LOCAL
  authorization-server-group LOCAL
  authorization-server-group (inside) LOCAL
  authorization-server-group (outside) LOCAL
  default-group-policy DefaultRAGroup
  strip-realm
  strip-group
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
  peer-id-validate nocheck
  tunnel-group DefaultRAGroup ppp-attributes
  no authentication chap
  no authentication ms-chap-v1
  authentication ms-chap-v2
  tunnel-group DefaultWEBVPNGroup ppp-attributes
  authentication pap
  authentication ms-chap-v2
  tunnel-group 74.219.208.50 type ipsec-l2l
  tunnel-group 74.219.208.50 ipsec-attributes
  pre-shared-key *****
  tunnel-group NCHVPN type remote-access
  tunnel-group NCHVPN general-attributes
  address-pool VPN_Pool
  default-group-policy NCHVPN
  tunnel-group NCHVPN ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:15852745977ff159ba808c4a4feb61fa
  : end
  asdm image disk0:/asdm-645.bin
  asdm location VPN_Start 255.255.255.255 inside
  asdm location VPN_End 255.255.255.255 inside
  no asdm history enable
  Anyone have any idea why this is happening?
  Thanks!

  Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
  VPN Client Log:
  Cisco Systems VPN Client Version 5.0.07.0440
  Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
  Client Type(s): Windows, WinNT
  Running on: 6.2.9200
  331    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100002
  Begin connection process
  332    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100004
  Establish secure connection
  333    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100024
  Attempt connection with server "69.61.228.178"
  334    13:11:41.362  12/17/12  Sev=Info/6    IKE/0x6300003B
  Attempting to establish a connection with 69.61.228.178.
  335    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000001
  Starting IKE Phase 1 Negotiation
  336    13:11:41.424  12/17/12  Sev=Info/6    GUI/0x63B00012
  Authentication request attributes is 6h.
  337    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
  338    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  339    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
  340    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
  Peer is a Cisco-Unity compliant peer
  341    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
  Peer supports XAUTH
  342    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
  Peer supports DPD
  343    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
  Peer supports NAT-T
  344    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
  Peer supports IKE fragmentation payloads
  345    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000001
  IOS Vendor ID Contruction successful
  346    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
  347    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000055
  Sent a keepalive on the IPSec SA
  348    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000083
  IKE Port in use - Local Port =  0xD271, Remote Port = 0x1194
  349    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000072
  Automatic NAT Detection Status:
     Remote end is NOT behind a NAT device
     This   end IS behind a NAT device
  350    13:11:41.393  12/17/12  Sev=Info/4    CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  351    13:11:41.424  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  352    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
  353    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100015
  Launch xAuth application
  354    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100017
  xAuth application returned
  355    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
  356    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  357    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
  358    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
  359    13:11:41.456  12/17/12  Sev=Info/4    CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
  360    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300005E
  Client sending a firewall request to concentrator
  361    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
  362    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  363    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
  364    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
  365    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
  366    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
  367    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
  368    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
  369    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
  370    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000F
  SPLIT_NET #1
      subnet = 192.168.2.0
      mask = 255.255.255.0
      protocol = 0
      src port = 0
      dest port=0
  371    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
  372    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
  373    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
  374    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
  375    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
  MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
  376    13:11:41.502  12/17/12  Sev=Info/4    CM/0x63100019
  Mode Config data received
  377    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000056
  Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
  378    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
  379    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  380    13:11:41.534  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
  381    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000045
  RESPONDER-LIFETIME notify has value of 86400 seconds
  382    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000047
  This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
  383    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  384    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
  385    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000045
  RESPONDER-LIFETIME notify has value of 28800 seconds
  386    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
  387    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000059
  Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
  388    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000025
  Loaded OUTBOUND ESP SPI: 0xD2DBADEA
  389    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000026
  Loaded INBOUND ESP SPI: 0x14762837
  390    13:11:41.549  12/17/12  Sev=Info/5    CVPND/0x63400013
      Destination           Netmask           Gateway         Interface   Metric
          0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
        127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
        127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
  127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
      192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
    192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
    192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
        224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
        224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
  255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
  255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
  391    13:11:41.877  12/17/12  Sev=Info/6    CVPND/0x63400001
  Launch VAInst64 to control IPSec Virtual Adapter
  392    13:11:43.455  12/17/12  Sev=Info/4    CM/0x63100034
  The Virtual Adapter was enabled:
      IP=192.168.2.70/255.255.255.0
      DNS=192.168.2.1,8.8.8.8
      WINS=0.0.0.0,0.0.0.0
      Domain=NCHCO.local
      Split DNS Names=
  393    13:11:43.455  12/17/12  Sev=Info/5    CVPND/0x63400013
      Destination           Netmask           Gateway         Interface   Metric
          0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
        127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
        127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
  127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
      192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
    192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
    192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
        224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
        224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
        224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      266
  255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
  255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
  255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      266
  394    13:11:47.517  12/17/12  Sev=Info/4    CM/0x63100038
  Successfully saved route changes to file.
  395    13:11:47.517  12/17/12  Sev=Info/5    CVPND/0x63400013
      Destination           Netmask           Gateway         Interface   Metric
          0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
    69.61.228.178   255.255.255.255       192.168.1.1     192.168.1.162      100
        127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
        127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
  127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
      192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.2   255.255.255.255     192.168.1.162     192.168.1.162      100
    192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
    192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      266
      192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
     192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      266
    192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      266
        224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
        224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
        224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      266
  255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
  255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
  255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      266
  396    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100036
  The routing table was updated for the Virtual Adapter
  397    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310001A
  One secure connection established
  398    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
  Address watch added for 192.168.1.162.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
  399    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
  Address watch added for 192.168.2.70.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
  400    13:11:47.517  12/17/12  Sev=Info/5    CM/0x63100001
  Did not find the Smartcard to watch for removal
  401    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700008
  IPSec driver successfully started
  402    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
  Deleted all keys
  403    13:11:47.517  12/17/12  Sev=Info/6    IPSEC/0x6370002C
  Sent 109 packets, 0 were fragmented.
  404    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
  Deleted all keys
  405    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
  Created a new key structure
  406    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
  Added key with SPI=0xeaaddbd2 into key list
  407    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
  Created a new key structure
  408    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
  Added key with SPI=0x37287614 into key list
  409    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370002F
  Assigned VA private interface addr 192.168.2.70
  410    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700037
  Configure public interface: 192.168.1.162. SG: 69.61.228.178
  411    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100046
  Set tunnel established flag in registry to 1.
  412    13:11:52.688  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
  413    13:11:52.688  12/17/12  Sev=Info/6    IKE/0x6300003D
  Sending DPD request to 69.61.228.178, our seq# = 2722476009
  414    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  415    13:11:52.704  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
  416    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x63000040
  Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
  417    13:12:03.187  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
  418    13:12:03.187  12/17/12  Sev=Info/6    IKE/0x6300003D
  Sending DPD request to 69.61.228.178, our seq# = 2722476010
  419    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  420    13:12:03.202  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
  421    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x63000040
  Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
  422    13:12:14.185  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
  423    13:12:14.185  12/17/12  Sev=Info/6    IKE/0x6300003D
  Sending DPD request to 69.61.228.178, our seq# = 2722476011
  424    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  425    13:12:14.201  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
  426    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x63000040
  Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
  427    13:12:24.762  12/17/12  Sev=Info/4    IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
  428    13:12:24.762  12/17/12  Sev=Info/6    IKE/0x6300003D
  Sending DPD request to 69.61.228.178, our seq# = 2722476012
  429    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x6300002F
  Received ISAKMP packet: peer = 69.61.228.178
  430    13:12:24.778  12/17/12  Sev=Info/4    IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
  431    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x63000040
  Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
  New running configuration:
  : Saved
  ASA Version 8.4(1)
  hostname NCHCO
  enable password hTjwXz/V8EuTw9p9 encrypted
  passwd hTjwXz/V8EuTw9p9 encrypted
  names
  name 192.168.2.0 NCHCO description City Offices
  name 192.168.2.80 VPN_End
  name 192.168.2.70 VPN_Start
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 69.61.228.178 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  boot system disk0:/asa841-k8.bin
  ftp mode passive
  object network NCHCO
  subnet 192.168.2.0 255.255.255.0
  object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.2.64
  subnet 192.168.2.64 255.255.255.224
  object network obj-0.0.0.0
  subnet 0.0.0.0 255.255.255.0
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
  access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
  access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
  access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
  access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
  access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
  access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
  access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
  access-list AnyConnect_Client_Local_Print extended deny ip any any
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-649.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
  nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
  nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
  object network obj_any
  nat (inside,outside) dynamic interface
  route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  network-acl outside_nat0_outbound
  webvpn
    svc ask enable default svc
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 69.61.228.178 255.255.255.255 outside
  http 74.218.158.238 255.255.255.255 outside
  http NCHCO 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set l2tp-transform mode transport
  crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map dyn-map 10 set pfs group1
  crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
  crypto dynamic-map dyn-map 10 set reverse-route
  crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 74.219.208.50
  crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
  crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto map vpn-map 1 match address outside_1_cryptomap_1
  crypto map vpn-map 1 set pfs group1
  crypto map vpn-map 1 set peer 74.219.208.50
  crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
  crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
  crypto isakmp identity address
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  crypto ikev1 ipsec-over-tcp port 10000
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto ikev1 policy 15
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 35
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  client-update enable
  telnet 192.168.1.0 255.255.255.0 inside
  telnet NCHCO 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh NCHCO 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.150-192.168.2.225 inside
  dhcpd dns 216.68.4.10 216.68.5.10 interface inside
  dhcpd lease 64000 interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.2.1
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  default-domain value nchco.local
  group-policy DfltGrpPolicy attributes
  dns-server value 192.168.2.1
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
  password-storage enable
  ipsec-udp enable
  intercept-dhcp 255.255.255.0 enable
  address-pools value VPN_Pool
  group-policy NCHCO internal
  group-policy NCHCO attributes
  dns-server value 192.168.2.1 8.8.8.8
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value NCHCO_splitTunnelAcl_1
  default-domain value NCHCO.local
  username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
  username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
  username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
  tunnel-group DefaultRAGroup general-attributes
  address-pool (inside) VPN_Pool
  address-pool VPN_Pool
  authentication-server-group (inside) LOCAL
  authentication-server-group (outside) LOCAL
  authorization-server-group LOCAL
  authorization-server-group (inside) LOCAL
  authorization-server-group (outside) LOCAL
  default-group-policy DefaultRAGroup
  strip-realm
  strip-group
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  peer-id-validate nocheck
  tunnel-group DefaultRAGroup ppp-attributes
  no authentication chap
  no authentication ms-chap-v1
  authentication ms-chap-v2
  tunnel-group DefaultWEBVPNGroup ppp-attributes
  authentication pap
  authentication ms-chap-v2
  tunnel-group 74.219.208.50 type ipsec-l2l
  tunnel-group 74.219.208.50 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group NCHCO type remote-access
  tunnel-group NCHCO general-attributes
  address-pool VPN_Pool
  default-group-policy NCHCO
  tunnel-group NCHCO ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
  : end
  asdm image disk0:/asdm-649.bin
  asdm location VPN_Start 255.255.255.255 inside
  asdm location VPN_End 255.255.255.255 inside
  no asdm history enable
  I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
  Thanks so much!
  Matthew

• Remote Access VPN on Cisco ASA Problem

  Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
  Problem is that my internet has stopped working, and default route is just showing stars.
  i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
  what additional required to force my internet to go to regular internet instead of getting encrypted?
  Also attaching output of route print at the point when VPN is connected.
  ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
  crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
  crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
  crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
  crypto map VPN_MAP interface outside
  isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  tunnel-group ITT_RA type remote-access
  tunnel-group ITT_RA general-attributes
  address-pool RA_VPN_POOL
  default-group-policy RA_VPN_GP
  tunnel-group ITT_RA ipsec-attributes
  pre-shared-key <group key>
  group-policy RA_VPN_GP internal
  group-policy RA_VPN_GP attributes
  dns-server value 10.0.0.1 10.0.0.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
  default-domain value mydomain.com
  address-pools value RA_VPN_POOL
  access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  nat (inside) 0 access-list nonattest
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
            0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
         10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
       10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
       10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
      10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
        10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

  Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
  Problem is that my internet has stopped working, and default route is just showing stars.
  i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
  what additional required to force my internet to go to regular internet instead of getting encrypted?
  Also attaching output of route print at the point when VPN is connected.
  ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
  crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
  crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
  crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
  crypto map VPN_MAP interface outside
  isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  tunnel-group ITT_RA type remote-access
  tunnel-group ITT_RA general-attributes
  address-pool RA_VPN_POOL
  default-group-policy RA_VPN_GP
  tunnel-group ITT_RA ipsec-attributes
  pre-shared-key <group key>
  group-policy RA_VPN_GP internal
  group-policy RA_VPN_GP attributes
  dns-server value 10.0.0.1 10.0.0.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
  default-domain value mydomain.com
  address-pools value RA_VPN_POOL
  access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  nat (inside) 0 access-list nonattest
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
            0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
         10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
       10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
       10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
      10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
        10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

• Remote access VPN with ASA 5510 using DHCP server

  Hi,
  Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
  I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:
  ASA Version 8.2(5)
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.6.0.12 255.255.254.0
  ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
  route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
  crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dyn1 1 set transform-set FirstSet
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface inside
  crypto isakmp enable inside
  crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
  vpn-addr-assign aaa
  vpn-addr-assign dhcp
  group-policy testgroup internal
  group-policy testgroup attributes
  dhcp-network-scope 10.6.192.1
  ipsec-udp enable
  ipsec-udp-port 10000
  username testlay password *********** encrypted
  tunnel-group testgroup type remote-access
  tunnel-group testgroup general-attributes
  default-group-policy testgroup
  dhcp-server 10.6.20.3
  tunnel-group testgroup ipsec-attributes
  pre-shared-key *****
  I got following output when I test connect to ASA with Cisco VPN client 5.0
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
  4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
  Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
  [OK]
  kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
  Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
  Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
  Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
  Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
  Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
  Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
  Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
  Regards,
  Lay

  For RADIUS you need a aaa-server-definition:
  aaa-server NPS-RADIUS protocol radius
  aaa-server NPS-RADIUS (inside) host 10.10.18.12
    key *****   
    authentication-port 1812
    accounting-port 1813
  and tell your tunnel-group to ask that server:
  tunnel-group VPN general-attributes
    authentication-server-group NPS-RADIUS LOCAL
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

  Hi community,
  I configured IPSec remote Access VPN in ASA, and remote client use Cisco VPN client to connect to the HQ. The VPN is working now, VPN clients can connect to Servers inside and IT's subnet, but from my PC or Servers inside LAN cannot ping or initial a RDP to connected VPN clients. Below is my configuration:
  object-group network RemoteVPN_LocalNet
   network-object 172.29.168.0 255.255.255.0
   network-object 172.29.169.0 255.255.255.0
   network-object 172.29.173.0 255.255.255.128
   network-object 172.29.172.0 255.255.255.0
  access-list Split_Tunnel remark The Corporation network behind ASA
  access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
  ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
  nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dyn1 1 set ikev1 transform-set myset
  crypto map mymap 65000 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  tunnel-group remotevpngroup type remote-access
  tunnel-group remotevpngroup general-attributes
   address-pool remotevpnpool
   authentication-server-group MS_LDAP LOCAL
   default-group-policy Split_Tunnel_Policy
  I don't know what I miss in order to have internal LANs initial connection to connected vpn clients. Please guide me.
  Thanks in advanced.

  Hi tranminhc,
  Step 1: Create an object.
  object network vpn_clients
   subnet 10.88.61.0 mask 255.255.255.0
  Step 2: Create a standard ACL.
  access-list my-split standard permit ip object RemoteVPN_LocalNet
  Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
  no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  Step 4: Create new nat exemption.
  nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
  Step 5: Apply ACL on the tunnel.
  group-policy Split_Tunnel_Policy attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value my-split
  Step 6:
  I assume you have a default route on your inside L3 switch point back to ASA's inside address.  If you don't have one.
  Please add a default or add static route as shown below.
  route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx 
  xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
  Hope this helps.
  Thanks
  Rizwan Rafeek

• Does ASA Service Module on 6509-E support Remote Access VPN ?

  I'm having a problem configuring Remote Access VPN (SSL, Anyconnect ect.) on ASA Service Module on 6509-E. Is this even supported  or am i wasting my time trying to make something work which will not work in a first place :) ? Site-to-Site works without any problems.
  Tech Info:
  6509-E running SUP 2T 15.1(2)SY
  ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
  Licenses on ASA:
  Encryption-DES - Enabled
  Encryption-3DES-AES  -Enabled
  Thanks in Advance for support.

  Are you running multiple context mode?
  If you are, remote access VPN is not supported in that case:
  "Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
  Reference.

• Remote Access VPN Clients Cannot Access inside LAN

  I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with.  I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  Thay can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
  : Saved
  ASA Version 8.2(1)
  hostname ASA5505
  domain-name default.domain.invalid
  enable password eelnBRz68aYSzHyz encrypted
  passwd eelnBRz68aYSzHyz encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group dataDSL
  ip address 76.244.75.57 255.255.255.255 pppoe
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.9.1 255.255.255.0
  interface Vlan10
  nameif outside_cable
  security-level 0
  ip address 50.84.96.178 255.255.255.240
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 10
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit intra-interface
  object-group service Netbios udp
  port-object eq 139
  port-object eq 445
  port-object eq netbios-ns
  object-group service Netbios_TCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  object-group network DM_INLINE_NETWORK_1
  network-object host 192.168.100.177
  network-object host 192.168.100.249
  object-group service Web_Services tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_10
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_11
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_2
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_3
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_4
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_5
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_6
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_7
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_8
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_9
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network VPN
  network-object 192.168.255.0 255.255.255.0
  access-list outside_access_in extended permit icmp any host 76.244.75.61
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
  access-list dmz_access_in remark Quickbooks
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
  access-list dmz_access_in remark Quickbooks range
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
  access-list dmz_access_in remark QB
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
  access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
  access-list dmz_access_in remark Printer
  access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
  access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
  access-list dmz_access_in remark QB probably does not need any udp
  access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark QB included in other rule range
  access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark May be required for Quickbooks
  access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
  access-list Local_LAN_Access standard permit host 0.0.0.0
  access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
  access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered informational
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500 
  mtu outside_cable 1500
  ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
  ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 10 interface
  global (outside_cable) 10 interface
  nat (inside) 0 access-list nonat-in
  nat (inside) 10 0.0.0.0 0.0.0.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  nat (dmz) 10 0.0.0.0 0.0.0.0
  static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
  static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
  static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
  access-group outside_access_in in interface outside
  access-group dmz_access_in in interface dmz
  access-group outside_cable_access_in in interface outside_cable
  route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.100.0 255.255.255.0 inside
  http 204.107.173.0 255.255.255.0 outside
  http 204.107.173.0 255.255.255.0 outside_cable
  http 0.0.0.0 0.0.0.0 outside_cable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_cable_map interface outside_cable
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp enable outside_cable
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 192.168.100.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.100.0 255.255.255.0 inside
  ssh 204.107.173.0 255.255.255.0 outside
  ssh 204.107.173.0 255.255.255.0 outside_cable
  ssh 0.0.0.0 0.0.0.0 outside_cable
  ssh timeout 15
  console timeout 0
  vpdn group dataDSL request dialout pppoe
  vpdn group dataDSL localname [email protected]
  vpdn group dataDSL ppp authentication pap
  vpdn username [email protected] password *********
  dhcpd address 192.168.100.30-192.168.100.99 inside
  dhcpd dns 192.168.100.5 68.94.156.1 interface inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec l2tp-ipsec
  group-policy cad_supplies_RAVPN internal
  group-policy cad_supplies_RAVPN attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
  group-policy VPNPHONE internal
  group-policy VPNPHONE attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec
  split-tunnel-policy excludespecified
  split-tunnel-network-list value Local_LAN_Access
  client-firewall none
  client-access-rule none
  username swinc password BlhBNWfh7XoeHcQC encrypted
  username swinc attributes
  vpn-group-policy cad_supplies_RAVPN
  username meredithp password L3lRjzwb7TnwOyZ1 encrypted
  username meredithp attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone1 attributes
  vpn-group-policy VPNPHONE
  username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone2 attributes
  vpn-group-policy VPNPHONE
  username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone3 attributes
  vpn-group-policy VPNPHONE
  username oethera password WKJxJq7L6wmktFNt encrypted
  username oethera attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
  username markh attributes
  vpn-group-policy cad_supplies_RAVPN
  tunnel-group DefaultRAGroup general-attributes
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cad_supplies_RAVPN type remote-access
  tunnel-group cad_supplies_RAVPN general-attributes
  address-pool VPN_IP_range
  default-group-policy cad_supplies_RAVPN
  tunnel-group cad_supplies_RAVPN ipsec-attributes
  pre-shared-key *
  tunnel-group VPNPHONE type remote-access
  tunnel-group VPNPHONE general-attributes
  address-pool VPN_Phone
  default-group-policy VPNPHONE
  tunnel-group VPNPHONE ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 1500
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
  : end

  Hi,
  You have your "group-policy" set so that you have excluding some networks from being tunneled.
  In this access-list named Local_LAN_Access you specify "0.0.0.0"
  Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
  This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
  - Jouni

• Can i use same address pool for different remote access VPN tunnel groups and policy

  Hi all,
  i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
  can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
  thanks in advance
  Shnail

  Thanks Karsten..
  but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA  and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
  so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below,  this will achive waht i need right??
  access-list 15 extended permit tcp any host 192.168.205.134 eq 80
  username test password password test
  username test attributes
  vpn-group-policy TEST
  vpn-filter value 15
  group-policy TEST internal
  group-policy TEST attributes
  dns-server value 192.168.200.16
  vpn-filter value 15
  vpn-tunnel-protocol IPSec
  address-pools value existing-pool
  tunnel-group RAVPN type ipsec-ra
  tunnel-group RAVPN general-attributes
  address-pool existing-pool
  default-group-policy TEST
  tunnel-group Payroll ipsec-attributes
  pre-shared-key xxx

• Remote Access VPN - Unable to Access LAN / Inside Network

  Hi,
  I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.
  I have attached running configuration for your reference. Please let me know I miss any configuartion.
  FW : ASA5510
  Version : 8.0
  Note : Site to Site VPN is working without any issues
  Thanks
  Jamal

  Hi,
  Very nice network diagram
  Are you saying that originally the VPN Client user is behind the Jeddah ASA?
  If this is true wouldnt it be wiser to just use the already existing L2L VPN between these sites?
  In real situation I think the VPN Client would only be needed when you are outside either Head Quarter or Jeddah Network. And since you tested it infront of the ASA and it worked there shouldnt be any problem.
  Now to the reason why the VPN Client isnt working from behind the Jeddah ASA.
  Can you check that the following configuration is found on the Jeddah ASA (Depending on the software level of the ASA the format of the command might change. I'm not 100% sure)
  isakmp nat-traversal To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
  isakmp nat-traversal natkeepalive
  no isakmp nat-traversal natkeepalive
  Syntax Description
  natkeepalive
  Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
  Defaults
  By default, NAT traversal (isakmp nat-traversal) is disabled.
  Command Modes
  The following table shows the modes in which you can enter the command:
  Command Mode
  Firewall Mode
  Security Context
  Routed
  Transparent
  Single
  Multiple
  Context
  System
  Global configuration
  Command History
  Release
  Modification
  Preexisting
  This command was preexisting.
  7.2(1)
  This command was deprecated. The crypto isakmp nat-traversal command replaces it.
  Usage Guidelines Network Address Translation (NAT), including Port Address Translation  (PAT), is used in many networks where IPSec is also used, but there are a  number of incompatibilities that prevent IPSec packets from  successfully traversing NAT devices. NAT traversal enables ESP packets  to pass through one or more NAT devices.
  The security appliance supports NAT traversal as described by Version 2  and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft,  available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
  This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
  Examples
  The following example, entered in global configuration mode, enables  ISAKMP and then enables NAT traversal with an interval of 30 seconds:
  hostname(config)# isakmp enable
  hostname(config)# isakmp nat-traversal 30
  - Jouni

• Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

  I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
  Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
  I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

  Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
  Share the configuration if you want help with the NAT exemption part.

• Can ASA5505 forward remote-access-VPN clients to LAN

  I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
  Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
  Are these two cases possible?:
  (1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
  (2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
  Long put short, can ASA-5505 inject its remote-access-VPN clients as one of hosts on the LAN managed by 2911-router?
  Thanks.

  I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
  You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA.

• Remote access VPN-unable to connect inside-URGENT

  Hi,
  I have configured Remote access VPN in cisco ASA 5520.Whenever I am trying to connect from outside it's connecting fine.It aslo getting IP from pool but prob is i am unable to connect/ping inside nw.
  Pls help me...how to resolve this issue.

  I had the same problem on an IOS router (871). My solution was one of two things. I downloaded the most up-to-date version of the VPN client (5.0.02.90) as opposed to the version I had or it was a software firewall (Norton 360). I have two different computers. One works just fine...the other connects but no traffic passes through. Here is what I have:
  Computer 1 (working)- VPN Client v5.0.02.0090 and Network Associates Enterprise VirusScan.
  Computer 2 (not working) - VPN Client v5.0.00.0340 and Norton 360.
  I highly doubt it is the VPN Client, but sometimes you never know. Check your software firewall and try disabling it. Let me know how this works.