Remote access VPN client gets connected no access to LAN

Similar Messages

• Remote access VPN client gets connected fails on hosts in LAN

  Hi,
  VPN client gets connected fine, I have a inter VLAN routing happening on the switch in the LAN so all the LAN hosts have gateway IP on the switch, I have the defult route pointing to ASA inside interface on the switch, the switch I can reach after Remote Access VPN is connected how ever I cannot ping/connect to other hosts in the LAN and if I make the gateway point to the ASA then that host is accessible, any suggestions? I really want to have gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing)

  Hi Mashal,
  Thanks for your time,
  VPN Pool(Client) 192.168.100.0/24
  Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
  =============
  On the Switch
  =============
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route
  Gateway of last resort is 192.168.2.5 to network 0.0.0.0
       172.32.0.0/24 is subnetted, 1 subnets
  C       172.32.0.0 is directly connected, Vlan101
  C    192.168.200.0/24 is directly connected, Vlan2000
  C    192.9.200.0/24 is directly connected, Vlan4000
  S    192.168.250.0/24 [1/0] via 192.9.200.125
  S    192.168.1.0/24 [1/0] via 192.9.200.125
  C    192.168.2.0/24 is directly connected, Vlan1000
  S    192.168.252.0/24 [1/0] via 192.9.200.125
  S*   0.0.0.0/0 [1/0] via 192.168.2.5
  ===============
  On ASA
  ===============
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default, U - per-user static route, o - ODR
         P - periodic downloaded static route
  Gateway of last resort is 172.32.0.2 to network 0.0.0.0
  C    172.32.0.0 255.255.255.0 is directly connected, outside
  C    192.9.200.0 255.255.255.0 is directly connected, inside
  C    192.168.168.0 255.255.255.0 is directly connected, failover
  C    192.168.2.0 255.255.255.0 is directly connected, MGMT
  S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
  S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
  S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
  We don't need route print on the PC for now as I can explain what is happening I can get complete access to the 192.168.2.0/24 (VLAN 1000) but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IP's on the switches/pair but cannot have any tcp connections, which explains the default route being pointed on the switch is on VLAN 1000, now my issue is How do I get access to VLAN 4000 as you can see these two are on different Interfaces/zones on the ASA and please note with default gateway pointing to ASA I will have access to both the VLAN's it is only when I move the gateway pointing to Switch I loose tcp connections to one VLAN depending on the default route  on the being pointing to on the switch.
  So we are left to do with how to on the switch with default route.

• VPN client get connect but Request Timed out when ping

  Hi, I'm using the cisco 837 router as my VPN server. I get  connected using Cisco VPN Client Version 5. But when I ping the router  ip, i get request timed out. Here is my configuration :
  Building configuration...
  Current configuration : 3704 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname michael
  boot-start-marker
  boot-end-marker
  memory-size iomem 5
  no logging console
  enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0
  aaa new-model
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_1 local
  aaa authorization exec default local
  aaa authorization network sdm_vpn_group_ml_1 local
  aaa session-id common
  resource policy
  ip subnet-zero
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1
  ip dhcp pool michael
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 202.134.0.155
  ip dhcp pool excluded-address
     host 192.168.1.4 255.255.255.0
     hardware-address 01c8.d719.957a.b9
  ip cef
  ip name-server 202.134.0.155
  ip name-server 203.130.193.74
  vpdn enable
  username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f.
  username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp xauth timeout 15
  crypto isakmp client configuration group michaelvpn
  key vpnpassword
  pool SDM_POOL_1
  acl 199
  netmask 255.255.255.0
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SDM_DYNMAP_1 1
  set transform-set ESP-3DES-SHA
  crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
  crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
  crypto map SDM_CMAP_1 client configuration address respond
  crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
  interface Ethernet0
  description $FW_INSIDE$
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  hold-queue 100 out
  interface Ethernet2
  no ip address
  shutdown
  hold-queue 100 out
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  dsl operating-mode auto
  pvc 0/35
    pppoe-client dial-pool-number 1
  interface FastEthernet1
  duplex auto
  speed auto
  interface FastEthernet2
  duplex auto
  speed auto
  interface FastEthernet3
  duplex auto
  speed auto
  interface FastEthernet4
  duplex auto
  speed auto
  interface Virtual-PPP1
  no ip address
  interface Dialer1
  description $FW_OUTSIDE$
  mtu 1492
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  ppp chap hostname ispusername
  ppp chap password 0 isppassword
  ppp pap sent-username ispusername password 0 isppassword
  crypto map SDM_CMAP_1
  ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
  ip classless
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip http server
  no ip http secure-server
  ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723
  ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21
  ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
  access-list 1 remark SDM_ACL Category=16
  access-list 1 permit 192.0.0.0 0.255.255.255
  access-list 102 remark SDM_ACL Category=2
  access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 102 permit ip 192.168.1.0 0.0.0.255 any
  access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  route-map SDM_RMAP_1 permit 1
  match ip address 102
  control-plane
  banner motd ^C
  Authorized Access Only
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
  You must have explicit permission to access this device.
  All activities performed on this device are logged.
  Any violations of access policy will result in disciplinary action.
  ^C
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  scheduler max-task-time 5000
  end
  Thank you, anny help will be appreciated.

  Thank you for your response, here is the debug :
  Log Buffer (4096 bytes):
    1 15:19:47.011: ISAKMP: set new node 856647599 to QM_IDLE     
  May  1 15:19:47.015: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
       spi 2182802952, message ID = 856647599
  May  1 15:19:47.015: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8A
  May  1 15:19:47.015: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE     
  May  1 15:19:47.019: ISAKMP:(0:8:SW:1):purging node 856647599
  May  1 15:19:47.019: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
  May  1 15:19:47.019: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  May  1 15:19:49.979: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B4F274, count=0
  -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  May  1 15:19:49.983: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B4F274, count=0
  -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  May  1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
  -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  May  1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
  -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  May  1 15:19:58.383: ISAKMP (0:134217736): received packet from 120.168.1.24 dport 4500 sport 52667 Global (R) QM_IDLE     
  May  1 15:19:58.383: ISAKMP: set new node -1340288848 to QM_IDLE     
  May  1 15:19:58.387: ISAKMP:(0:8:SW:1): processing HASH payload. message ID = -1340288848
  May  1 15:19:58.387: ISAKMP:(0:8:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
       spi 0, message ID = -1340288848, sa = 81A7DCEC
  May  1 15:19:58.387: ISAKMP:(0:8:SW:1):deleting node -1340288848 error FALSE reason "Informational (in) state 1"
  May  1 15:19:58.387: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  May  1 15:19:58.387: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  May  1 15:19:58.391: ISAKMP:(0:8:SW:1):DPD/R_U_THERE received from peer 120.168.1.24, sequence 0xA3285B8B
  May  1 15:19:58.391: ISAKMP: set new node -752454119 to QM_IDLE     
  May  1 15:19:58.395: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
       spi 2182802952, message ID = -752454119
  May  1 15:19:58.395: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8B
  May  1 15:19:58.395: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE     
  May  1 15:19:58.399: ISAKMP:(0:8:SW:1):purging node -752454119
  May  1 15:19:58.399: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
  May  1 15:19:58.399: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  May  1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
  -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  May  1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
  -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  May  1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81F84148, count=0
  -Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  May  1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81F84148, count=0
  -Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
  After searching thru the internet, I've found :
  CSCsb46264
  Symptoms: When a dialer interface is configured as an endpoint for a  IPSec+GRE tunnel, tracebacks with bad refcount may be generated.
  Conditions: This symptom is observed on a Cisco 837 when router-generated packets such as routing updates are being switched.
  Is that possible that the root of the problem was that ? Thank you.

• Allow VPN client to connect from the inside to another remote network

  Hi, if I have a Cisco VPN client software on the inside of network and client is to connect to a remote network, over the internet. What ports need to be opened and on the outside interface/inside/both?
  Thanks.

  Basically, all you need is UDP port 500, NAT-T will do the rest.
  Connections are initiated from the inside and while everything is allowed in that direction, this should work by default.
  If you have an access-list that limits traffic from inside to outside, you might need to allow this traffic.
  Regards,
  Leo

• VPN Client Tunnel Connection Pix506E

  Situation:  Trying to connect to PiX 506e for vpn client tunnel.  The tunnel shows the following when using the sho isa sa command:
  qm_idle 0 0 
  then after about 3-4 minutes the client workstaiton is receiving error:  Reason 412:  the remote peer is no longer responding
  The same workstation on the same internet connection from the home office is able to connect to an ASA 5505 vpn client with no problems.
  I have enabled:  nat traversal on the pix506e and tried serveral options on the client side.
  The Pix506E also has site to site vpn tunnels that are working without any problems.
  Pix Software version:  6.3.5
  Any ideas?

  Try to connect from a different internet connection and see if you are having the same issue.
  Also, turn on the logs on the vpn client and see why it's failing.

• VPN clients can connect via SSTP but not IKEv2 due to error 808

  I have a Windows Server 2012 R2 with RRAS configured to allow SSTP / IKEv2 VPN connections. I'm using an external certificate for server authentication and the client authentication is done via domain username/password (Protected EAP). The clients can
  connect successfully when using SSTP, but if IKEv2 is selected, then the following error is displayed:
  Error 808:
  The network connection between your computer and the VPN server could not be established because the remote server refused the connection. This is typically caused by a mismatch between the server's configuration and your connection settings. Please
  contact the remote server's Administrator to verify the server configuration and your connection settings.
  My external certificate has the Server Authentication EKU but not the IP security IKE intermediate, however it's the only
  certificate installed, so I believe the certificate is OK.
  Any ideas on what is causing the error?
  Thank you.
  Ricardo Costa

  Hi,
  What NAT device you are using? You must configure the IKEv2 related protocol on your NAT device too. For example if you are using the Cisco® NAT device you must
  enable the IKEv2 support on the outside interface:
  Enabling IKE on the Outside Interface
   You must enable IKE on the interface that terminates the VPN tunnel. Typically this is the outside, or public interface. To enable IKEv1 or
  IKEv2, use the crypto ikev1 | ikev2 enable command from global configuration mode:
  =================================================
  crypto ikev1 | ikev2 enable interface-name
   For example:
  hostname(config)# crypto ikev1 enable outside
  =================================================
  The related third party information:
  Configuring IPSec and ISAKMP
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_ike.html#wp1042302
  You can refer the following KB to enable the RRAS logging.
  RRAS: Logging should be enabled on the RRAS server
  http://technet.microsoft.com/zh-cn/library/ee922651(v=ws.10).aspx
  Hope this helps.
  *** This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does
  not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers
  in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet. ***
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Client get connected occationally with WLC 5508

  Hi ,
  I have one strange problem on wireless connection.
  I just upgraded several 1131 APs to LAP with 2 new Cisco 5508 controller deployed, and we found the clients sometime can get conneted to the 1131 AP, and connection well, sometimes cannot. during our test, one conecion is ok, next one cannot, the third one seems ok again and again.
  And we also have 2 new 1140 APs, seems no such problem,
  The version for controller is  6.0.196.0, and Client is Lenevo PC with XP.
  Any suggestion? or some troubleshooting procedure I can follow?
  Thanks!
  Roy

  Thanks!
  Seems some problem with open authentication.
  On the Client, it reported cannot get associated.
  on the WLC, while I am debug client it reports:
  *Jul 14 10:18:51.844: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:a5:c0 (status 12)
  *Jul 14 10:18:51.889: 00:1f:3c:c2:e9:71 Ignoring 802.11 assoc request from mobile pending deletion
  *Jul 14 10:18:51.889: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:a5:c0 (status 12)
  *Jul 14 10:18:51.928: 00:1f:3c:c2:e9:71 Ignoring 802.11 assoc request from mobile pending deletion
  *Jul 14 10:18:51.928: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:ae:b0 (status 12)
  *Jul 14 10:18:52.446: 00:1f:3c:c2:e9:71 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
  *Jul 14 10:18:52.446: 00:1f:3c:c2:e9:71 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 00:1f:3c:c2:e9:71 on AP c4:7d:4f:47:ae:b0 from Associated to Disassociated
  I am using remote radius with WLC only.
  The strange thing is, when get connected, it looks fine, but I tried disconnect manually, then connect again, it reported cannot get associated, then I try again, it can get connect again,....

• VPN Clients getting different default gateways

  Hello,
       We have a new Cisco ASA 5520 and are trying to setup the VPN with split tunneling.  We mostly have clients running XP and the problem is that some of the clients connect (using Cisco Anyconnect 2.5) and the split tunneling works as expected --these clients keep their default gateway-- and then some clients connect and get a default gateway of 192.168.119.1 (our VPN addresses subnet) and of course these users cannot connect to the internet while connected to the VPN.
  Here is our config:
  ASA Version 9.1(1)
  hostname xxxxxx
  names
  name 178.239.80.0 Deny178.239.80.0 description 178.239.80.0
  name 74.82.64.0 Deny74.82.64.0 description 74.82.64.0
  name 173.247.32.0 Deny173.247.32.0 description 173.247.32.0
  name 193.109.81.0 Deny193.109.81.0 description 193.109.81.0
  name 204.187.87.0 Deny204.187.87.0 description 204.187.87.0
  name 206.51.26.0 Deny206.51.26.0 description 206.51.26.0
  name 206.53.144.0 Deny206.53.144.0 description 206.53.144.0
  name 67.223.64.0 Deny67.223.64.0 description 67.223.64.0
  name 93.186.16.0 Deny93.186.16.0 description 93.186.16.0
  name 216.9.240.0 Deny216.9.240.0 description 216.9.240.0
  name 68.171.224.0 Deny68.171.224.0 description 68.171.224.0
  ip local pool PAIUSERS 192.168.119.10-192.168.119.100 mask 255.255.255.0
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 63.86.112.194 255.255.255.192
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.129.5 255.255.255.192
  interface GigabitEthernet0/2
  nameif dmz
  security-level 10
  ip address 192.168.20.10 255.255.255.0
  interface GigabitEthernet0/3
  nameif vpn_dmz
  security-level 25
  ip address 192.168.30.10 255.255.255.0
  interface Management0/0
  management-only
  shutdown
  nameif management
  security-level 100
  ip address 192.168.102.4 255.255.255.0
  object network obj-192.168.119.0
  subnet 192.168.119.0 255.255.255.0
  access-list outside_access_in extended permit ip host 192.168.119.11 host 192.168.35.23
  access-list outside_access_in extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_3 object-group UDP_TCP_Domain inactive
  access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 eq isakmp
  access-list outside_access_in extended permit ip any4 object obj-192.168.30.11
  access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 object-group UDP10000
  access-list outside_access_in extended permit udp any4 object-group DM_INLINE_NETWORK_7 eq domain inactive
  access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_8 eq domain inactive
  access-list outside_access_in extended permit tcp host 216.81.43.190 host 192.168.35.30 eq ssh inactive
  access-list outside_access_in extended permit tcp host 216.81.43.190 object obj-192.168.35.30 object-group DM_INLINE_TCP_6 inactive
  access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_9 eq www inactive
  access-list outside_access_in extended permit tcp any4 object obj-192.168.30.11 eq www
  access-list outside_access_in extended permit esp any4 object obj-192.168.30.11
  access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq www
  access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq https
  access-list outside_access_in extended permit tcp any4 host 192.168.35.34 eq https
  access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.30 object-group Ports_UDpTCP
  access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 object-group DM_INLINE_TCP_7
  access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 eq ftp
  access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.248
  access-list outside_access_in extended permit udp any4 host 162.95.80.115 eq isakmp
  access-list outside_access_in extended permit tcp any4 host 162.95.80.115 object-group Ports_115
  access-list outside_access_in extended permit udp any4 host 162.95.80.115 object-group Ports_2746_259
  access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.245 object-group Service_Group_245 inactive
  access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.40 object-group UDP_TCP_Domain
  access-list outside_access_in extended permit tcp any4 object obj-192.168.35.40 object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group DM_INLINE_TCP_1
  access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.129.11 object-group UDP_TCP_Domain
  access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group Network_Service_2703_6277
  access-list outside_access_in extended permit udp any4 object obj-192.168.129.11 object-group UDP_443
  access-list outside_access_in extended permit ip any4 host 192.168.101.75 inactive
  access-list outside_access_in extended permit tcp any4 host 64.78.239.50 eq www
  access-list outside_access_in extended permit tcp any4 host 64.78.239.54 object-group TCP_4445
  access-list outside_access_in extended permit icmp any4 any4
  access-list outside_access_in extended permit udp any4 object obj-192.168.35.40 object-group UDP_443
  access-list outside_access_in extended permit tcp any4 host 63.86.112.204 object-group DM_INLINE_TCP_5
  access-list outside_access_in extended permit tcp any4 host 63.86.112.204
  access-list outside_access_in extended permit udp any4 host 63.86.112.204
  access-list outside_access_in extended permit object-group TCPUDP any4 host 192.168.102.12 object-group Network_Server_1194
  access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq www
  access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq https
  access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.41 object-group Network_Server_1194
  access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 eq www
  access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 object-group DM_INLINE_TCP_3
  access-list outside_access_in extended permit tcp any4 host 63.86.112.193 object-group Network_Service_TCP_1194
  access-list outside_access_in extended deny tcp object Deny206.51.26.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny193.109.81.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny204.187.87.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny206.53.144.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny216.9.240.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny67.223.64.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny93.186.16.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny68.171.224.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny74.82.64.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny178.239.80.0 object obj-192.168.35.40 eq https
  access-list outside_access_in extended deny tcp object Deny173.247.32.0 object obj-192.168.35.40 eq https
  access-list vpn_dmz_access_in extended permit ip host 192.168.35.23 192.168.119.0 255.255.255.0
  access-list vpn_dmz_access_in extended permit gre host 192.168.30.11 any4
  access-list vpn_dmz_access_in extended permit tcp any4 host 23.0.214.60 eq https
  access-list vpn_dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_28 any4
  access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105 object-group DM_INLINE_TCP_4
  access-list vpn_dmz_access_in extended permit esp any4 object obj-192.168.35.105
  access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105
  access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.105
  access-list vpn_dmz_access_in extended permit tcp any4 host 192.168.129.11
  access-list vpn_dmz_access_in remark RDP
  access-list vpn_dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
  access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.23
  access-list inside_nat0_outbound extended permit ip any4 192.168.119.0 255.255.255.0
  access-list ftp-timeout extended permit tcp host 216.81.43.190 host 63.86.112.248
  access-list ftp-timeout extended permit tcp host 63.86.112.248 host 216.81.43.190
  access-list ftp-timeout extended permit tcp host 192.168.35.30 host 216.81.43.190
  access-list ftp-timeout extended permit tcp host 216.81.43.190 host 192.168.35.30
  access-list Split_Tunnel_List remark northwoods
  access-list Split_Tunnel_List standard permit host 192.168.35.23
  access-list Split_Tunnel_List remark paits2
  access-list Split_Tunnel_List standard permit host 192.168.35.198
  access-list Split_Tunnel_List standard deny 192.168.102.0 255.255.255.0
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list IS_Split_Tunnel standard permit 192.168.102.0 255.255.255.0
  access-list IS_Split_Tunnel standard permit 192.168.82.0 255.255.255.0
  access-list IS_Split_Tunnel standard permit 192.168.35.0 255.255.255.0
  nat (inside,outside) source static object-192.168.35.0 object-192.168.35.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
  nat (inside,outside) source static obj-192.168.82.0 obj-192.168.82.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
  nat (inside,outside) source static obj-192.168.102.0 obj-192.168.102.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
  webvpn
  enable outside
  enable inside
  enable dmz
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
  anyconnect profiles pairemoteuser disk0:/pairemoteuser.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy PAIGroup internal
  group-policy PAIGroup attributes
  vpn-tunnel-protocol ssl-clientless
  webvpn
    url-list value PAI
  group-policy PAIUSERS internal
  group-policy PAIUSERS attributes
  wins-server value 192.168.35.57
  dns-server value 192.168.35.57
  vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
  default-domain none
  webvpn
    anyconnect firewall-rule client-interface private value vpn_dmz_access_in
    anyconnect profiles value pairemoteuser type user
  group-policy PAIIS internal
  group-policy PAIIS attributes
  wins-server value 192.168.35.57
  dns-server value 192.168.35.57
  vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value IS_Split_Tunnel
  default-domain none
  webvpn
    anyconnect firewall-rule client-interface private value vpn_dmz_access_in
    anyconnect profiles value pairemoteuser type user
  group-policy DfltGrpPolicy attributes
  banner value Welcome to PAI
  wins-server value 192.168.35.57
  dns-server value 192.168.35.57
  address-pools value PAIUSERS
  webvpn
    anyconnect firewall-rule client-interface public none
    anyconnect firewall-rule client-interface private value vpn_dmz_access_in
    anyconnect ask enable default anyconnect timeout 5
  group-policy Anyconnect internal
  : end

  Check is the users fall into DfltGrpPolicy because it has no split tunneling active.
  Michael
  Please rate all helpful posts

• Cisco VPN Client and Quick VPN interaction?

  I have both a Cisco VPN client for connecting to my company LAN and a QuickVPN client for connecting to my home LAN installed on my W2K laptop.  Both start and run correctly, and both connect just as they should.  My home LAN uses a WRV54G router to provide VPN connection.  I can alternate back and forth between the two clients and connect to each LAN with no obvious issues, but not at the same time, of course.
  Here's the question.  When I connect to the home LAN, I can log on with no problem and I can remotely administer the WRV54G with no problem.  I can ping all of the wired and wireless W2K computers on my home LAN with no problem.  However, I cannot "see", browse or map any of the shared resources on my home LAN.  I have created user accounts on the home LAN computers for my laptop and router logins and I have given these accounts permissions to my shared resources, but I still cannot get to them.  Linksys tech support has been absolutely no help whatsoever, even after repeated attempts.
  While trying to troubleshoot this myself, I've noticed that when the Cisco VPN client is running and I'm connected to my company LAN, the IP address and subnet of my computer is changed to ones assigned by the DHCP server at my company.  This seems to happen because the Cisco client activates the "Local Area Connection Number 2" on my laptop and assigns IP addresses using it.  However, when I'm using the QuickVPN client to connect to my home, the IP address and subnet of my laptop continues to be those assigned by whatever local network I'm connected to (e.g. hotel, etc).
  I'm wondering if the QuickVPN is supposed to be assigning an IP address and subnet to my laptop from the WRV54G's DHCP server when I connect to my home LAN.  If so, could the Cisco VPN client installed on my laptop be preventing that from happening?
  Sorry for the long post, but I'm at my wit's end on this one and Linksys is just no help at all.

  1. The Cisco VPN client creates a virtual interface on your computer. This allows you to route traffic to the tunnel. The QuickVPN client is simpler. It only encrypts the traffic to the other end. It does not use a virtual interface. That's why you don't have another IP address when connected with QuickVPN. QuickVPN only encrypts IP packets with IPSec from your computer to 192.168.1.* (or whatever you may use on your WRV LAN) and sends them to the WRV's public IP address.
  2. Microsoft Windows file sharing and LAN network browsing depends on network broadcasts. Those only work inside a LAN. If you connect from the outside to a LAN, broadcasts won't go through the VPN tunnel. This means you cannot use standard name windows workgroup name resolution to access shares. Those are propagated with broadcasts which will never go through the VPN tunnel. This means you are not able to use workgroup browsing. All you can to do access your shares is to use the IP address of the other computer.
  In short:
  \\mycomputer\share won't work
  \\192.168.1.50\share works
  (assuming the general sharing setup is O.K., i.e. you can use sharing correctly inside your LAN).
  Of course, firewalls on the server end may cause problems. Access comes in from a public IP address. This may be blocked. Check the firewall logs on the server to find out if this is the case or not.
  Moreover, establishing the VPN connection from a private LAN to a private LAN may not work. This is due to the double network address translation which breaks IPSec and thus the connection. If the hotel uses private IP addresses, this may be the case. But in that case you won't get ping responses from your WRV LAN.
  What definitively won't work is in case when the hotel uses the same IP address subnet as you. If the hotel uses 192.168.1.* addresses and your WRV uses 192.168.1.* addresses you cannot connect. QuickVPN does only IPSec tunneling. There is no address translation in QuickVPN. Therefore connecting the identical private IP address subnet through QuickVPN will never work because all addresses exists twice, once on either side.

• Remote access VPN clients connected to Internet from VPN

  Greetings,
  I need to let remote VPN clients to connect to Internet from the same ASA VPN server
  " client connects to ASA through VPN tunnel from outside interface then access Internet from the same ASA from outside interface again
  thanks

  you'll need to configure 'same-security-traffic permit intra-interface' on the ASA .
  Also, need to setup the corresponding nat statements for your clients pool range.
  i.e.
  global (outside) 1 interface
  nat (outside) 1 access-list anyconnectacl
  where anyconnectacl is the pool for your clients:
  access-list anyconnectacl permit ip 172.16.1.0 255.255.255.0 any

• ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

  Hi community,
  I configured IPSec remote Access VPN in ASA, and remote client use Cisco VPN client to connect to the HQ. The VPN is working now, VPN clients can connect to Servers inside and IT's subnet, but from my PC or Servers inside LAN cannot ping or initial a RDP to connected VPN clients. Below is my configuration:
  object-group network RemoteVPN_LocalNet
   network-object 172.29.168.0 255.255.255.0
   network-object 172.29.169.0 255.255.255.0
   network-object 172.29.173.0 255.255.255.128
   network-object 172.29.172.0 255.255.255.0
  access-list Split_Tunnel remark The Corporation network behind ASA
  access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
  ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
  nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dyn1 1 set ikev1 transform-set myset
  crypto map mymap 65000 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  tunnel-group remotevpngroup type remote-access
  tunnel-group remotevpngroup general-attributes
   address-pool remotevpnpool
   authentication-server-group MS_LDAP LOCAL
   default-group-policy Split_Tunnel_Policy
  I don't know what I miss in order to have internal LANs initial connection to connected vpn clients. Please guide me.
  Thanks in advanced.

  Hi tranminhc,
  Step 1: Create an object.
  object network vpn_clients
   subnet 10.88.61.0 mask 255.255.255.0
  Step 2: Create a standard ACL.
  access-list my-split standard permit ip object RemoteVPN_LocalNet
  Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
  no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  Step 4: Create new nat exemption.
  nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
  Step 5: Apply ACL on the tunnel.
  group-policy Split_Tunnel_Policy attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value my-split
  Step 6:
  I assume you have a default route on your inside L3 switch point back to ASA's inside address.  If you don't have one.
  Please add a default or add static route as shown below.
  route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx 
  xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
  Hope this helps.
  Thanks
  Rizwan Rafeek

• VPN Clients cannot access remote site

  Hey there,
  I am pretty new in configuring Cisco devices and now I need some help.
  I have 2 site here:
  site A
  Cisco 891
  external IP: 195.xxx.yyy.zzz
  VPN Gateway for Remote users
  local IP: VLAN10 10.133.10.0 /23
  site B
  Cisco 891
  external IP: 62.xxx.yyy.zzz
  local IP VLAN10 10.133.34.0 /23
  Those two sites are linked together with a Site-to-Site VPN. Accessing files or ressources from one site to the other is working fine while connected to the local LAN.
  I configured VPN connection with Radius auth. VPN clients can connect to Site A, get an IP adress from VPN Pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access ressources on site B. I already added the site B network to the ACL and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN Tunnels to ERP system.
  What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
  Here is the config of site A
  Building configuration...
  Current configuration : 24257 bytes
  version 15.2
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname Englerstrasse
  boot-start-marker
  boot config usbflash0:CVO-BOOT.CFG
  boot-end-marker
  aaa new-model
  aaa group server radius Radius-AD
  server 10.133.10.5 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  clock timezone Berlin 1 0
  clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
  crypto pki trustpoint TP-self-signed-27361994
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-27361994
  revocation-check none
  rsakeypair TP-self-signed-27361994
  crypto pki trustpoint test_trustpoint_config_created_for_sdm
  subject-name [email protected]
  revocation-check crl
  crypto pki certificate chain TP-self-signed-27361994
  certificate self-signed 01
    30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 32373336 31393934 301E170D 31323038 32373038 30343238
    5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
    2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D323733 36313939
    3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B709
    64CE1874 BF812A9F 0B761522 892373B9 10F0BB52 6263DCDB F9877AA3 7BD34E53
    BCFDA45C 2A991777 4DDC7E6B 1FCEE36C B6E35679 C4A18771 9C0F871F 38310234
    2D89A4FF 37B616D8 362B3103 A8A319F2 10A72DC7 490A04AC 7955DF68 32EF9615
    9E1A3B31 2A1AB243 B3ED3E35 F4AAD029 CDB1F941 5E794300 5C5EF8AE 5C890203
    010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
    18301680 14D0F5E7 D3A9311D 1675AA8F 38F064FC 4D04465E F5301D06 03551D0E
    04160414 D0F5E7D3 A9311D16 75AA8F38 F064FC4D 04465EF5 300D0609 2A864886
    F70D0101 05050003 818100AB 2CD4363A E5ADBFB0 943A38CB AC820801 117B52CC
    20216093 79D1F777 2B3C0062 4301CF73 094B9CA5 805F585E 04CF3301 9B839DEB
    14A334A2 F5A5316F C65EEF21 0B0DF3B5 F4322440 F28B984B E769876D 6EF94895
    C3D5048A A4E2A180 12DF6652 176942F8 58187D7B D37B1F1A 4DDD7AE9 5189F9AF
    AF3EF676 26AD3F31 D368F5
        quit
  crypto pki certificate chain test_trustpoint_config_created_for_sdm
  no ip source-route
  ip auth-proxy max-login-attempts 5
  ip admission max-login-attempts 5
  no ip bootp server
  no ip domain lookup
  ip domain name yourdomain.com
  ip inspect log drop-pkt
  ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
  ip inspect name CCP_MEDIUM ftp
  ip inspect name CCP_MEDIUM h323
  ip inspect name CCP_MEDIUM sip
  ip inspect name CCP_MEDIUM https
  ip inspect name CCP_MEDIUM icmp
  ip inspect name CCP_MEDIUM netshow
  ip inspect name CCP_MEDIUM rcmd
  ip inspect name CCP_MEDIUM realaudio
  ip inspect name CCP_MEDIUM rtsp
  ip inspect name CCP_MEDIUM sqlnet
  ip inspect name CCP_MEDIUM streamworks
  ip inspect name CCP_MEDIUM tftp
  ip inspect name CCP_MEDIUM udp
  ip inspect name CCP_MEDIUM vdolive
  ip inspect name CCP_MEDIUM imap reset
  ip inspect name CCP_MEDIUM smtp
  ip cef
  no ipv6 cef
  appfw policy-name CCP_MEDIUM
    application im aol
      service default action allow alarm
      service text-chat action allow alarm
      server permit name login.oscar.aol.com
      server permit name toc.oscar.aol.com
      server permit name oam-d09a.blue.aol.com
      audit-trail on
    application im msn
      service default action allow alarm
      service text-chat action allow alarm
      server permit name messenger.hotmail.com
      server permit name gateway.messenger.hotmail.com
      server permit name webmessenger.msn.com
      audit-trail on
    application http
      strict-http action allow alarm
      port-misuse im action reset alarm
      port-misuse p2p action reset alarm
      port-misuse tunneling action allow alarm
    application im yahoo
      service default action allow alarm
      service text-chat action allow alarm
      server permit name scs.msg.yahoo.com
      server permit name scsa.msg.yahoo.com
      server permit name scsb.msg.yahoo.com
      server permit name scsc.msg.yahoo.com
      server permit name scsd.msg.yahoo.com
      server permit name cs16.msg.dcn.yahoo.com
      server permit name cs19.msg.dcn.yahoo.com
      server permit name cs42.msg.dcn.yahoo.com
      server permit name cs53.msg.dcn.yahoo.com
      server permit name cs54.msg.dcn.yahoo.com
      server permit name ads1.vip.scd.yahoo.com
      server permit name radio1.launch.vip.dal.yahoo.com
      server permit name in1.msg.vip.re2.yahoo.com
      server permit name data1.my.vip.sc5.yahoo.com
      server permit name address1.pim.vip.mud.yahoo.com
      server permit name edit.messenger.yahoo.com
      server permit name messenger.yahoo.com
      server permit name http.pager.yahoo.com
      server permit name privacy.yahoo.com
      server permit name csa.yahoo.com
      server permit name csb.yahoo.com
      server permit name csc.yahoo.com
      audit-trail on
  parameter-map type inspect global
  log dropped-packets enable
  multilink bundle-name authenticated
  redundancy
  ip tcp synwait-time 10
  class-map match-any CCP-Transactional-1
  match dscp af21
  match dscp af22
  match dscp af23
  class-map match-any CCP-Voice-1
  match dscp ef
  class-map match-any sdm_p2p_kazaa
  match protocol fasttrack
  match protocol kazaa2
  class-map match-any CCP-Routing-1
  match dscp cs6
  class-map match-any sdm_p2p_edonkey
  match protocol edonkey
  class-map match-any CCP-Signaling-1
  match dscp cs3
  match dscp af31
  class-map match-any sdm_p2p_gnutella
  match protocol gnutella
  class-map match-any CCP-Management-1
  match dscp cs2
  class-map match-any sdm_p2p_bittorrent
  match protocol bittorrent
  policy-map sdm-qos-test-123
  class class-default
  policy-map sdmappfwp2p_CCP_MEDIUM
  class sdm_p2p_edonkey
  class sdm_p2p_gnutella
  class sdm_p2p_kazaa
  class sdm_p2p_bittorrent
  policy-map CCP-QoS-Policy-1
  class sdm_p2p_edonkey
  class sdm_p2p_gnutella
  class sdm_p2p_kazaa
  class sdm_p2p_bittorrent
  class CCP-Voice-1
    priority percent 33
  class CCP-Signaling-1
    bandwidth percent 5
  class CCP-Routing-1
    bandwidth percent 5
  class CCP-Management-1
    bandwidth percent 5
  class CCP-Transactional-1
    bandwidth percent 5
  class class-default
    fair-queue
    random-detect
  crypto ctcp port 10000
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key REMOVED address 62.20.xxx.yyy 
  crypto isakmp key REMOVED address 195.243.xxx.yyy
  crypto isakmp key REMOVED address 195.243.xxx.yyy
  crypto isakmp key REMOVED address 83.140.xxx.yyy  
  crypto isakmp client configuration group VPN_local
  key REMOVED
  dns 10.133.10.5 10.133.10.7
  wins 10.133.10.7
  domain domain.de
  pool SDM_POOL_2
  acl 115
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group VPN_local
     client authentication list ciscocp_vpn_xauth_ml_2
     isakmp authorization list ciscocp_vpn_group_ml_2
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA11
  set isakmp-profile ciscocp-ike-profile-1
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to62.20.xxx.xxx
  set peer 62.20.xxx.xxx
  set transform-set ESP-3DES-SHA
  match address 105
  crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to195.243.xxx.xxx
  set peer 195.243.xxx.xxx
  set transform-set ESP-3DES-SHA4
  match address 107
  crypto map SDM_CMAP_1 3 ipsec-isakmp
  description Tunnel to83.140.xxx.xxx
  set peer 83.140.xxx.xxx
  set transform-set ESP-DES-SHA1
  match address 118
  interface Loopback2
  ip address 192.168.10.1 255.255.254.0
  interface Null0
  no ip unreachables
  interface FastEthernet0
  switchport mode trunk
  no ip address
  spanning-tree portfast
  interface FastEthernet1
  no ip address
  spanning-tree portfast
  interface FastEthernet2
  no ip address
  spanning-tree portfast
  interface FastEthernet3
  no ip address
  spanning-tree portfast
  interface FastEthernet4
  description Internal LAN
  switchport access vlan 10
  switchport trunk native vlan 10
  no ip address
  spanning-tree portfast
  interface FastEthernet5
  no ip address
  spanning-tree portfast
  interface FastEthernet6
  no ip address
  spanning-tree portfast
  interface FastEthernet7
  no ip address
  spanning-tree portfast
  interface FastEthernet8
  description $FW_OUTSIDE$$ETH-WAN$
  ip address 62.153.xxx.xxx 255.255.255.248
  ip access-group 113 in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip inspect CCP_MEDIUM out
  no ip virtual-reassembly in
  ip verify unicast reverse-path
  duplex auto
  speed auto
  crypto map SDM_CMAP_1
  service-policy input sdmappfwp2p_CCP_MEDIUM
  service-policy output CCP-QoS-Policy-1
  interface Virtual-Template1 type tunnel
  ip unnumbered FastEthernet8
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface GigabitEthernet0
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Vlan1
  no ip address
  interface Vlan10
  description $FW_INSIDE$
  ip address 10.133.10.1 255.255.254.0
  ip access-group 112 in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  interface Async1
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  encapsulation slip
  ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
  ip local pool VPN_Pool 192.168.20.2 192.168.20.100
  ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip forward-protocol nd
  ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
  ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
  ip access-list extended VPN1
  remark VPN_Haberstrasse
  remark CCP_ACL Category=4
  permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  ip radius source-interface Vlan10
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 10.10.10.0 0.0.0.7
  access-list 23 remark CCP_ACL Category=17
  access-list 23 permit 195.243.xxx.xxx
  access-list 23 permit 10.133.10.0 0.0.1.255
  access-list 23 permit 10.10.10.0 0.0.0.7
  access-list 100 remark CCP_ACL Category=4
  access-list 100 permit ip 10.133.10.0 0.0.1.255 any
  access-list 101 remark CCP_ACL Category=16
  access-list 101 permit udp any eq bootps any eq bootpc
  access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
  access-list 101 permit icmp any any echo-reply
  access-list 101 permit icmp any any time-exceeded
  access-list 101 permit icmp any any unreachable
  access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 101 deny   ip host 255.255.255.255 any
  access-list 101 deny   ip any any
  access-list 102 remark auto generated by CCP firewall configuration
  access-list 102 remark CCP_ACL Category=1
  access-list 102 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
  access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
  access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
  access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 102 deny   ip host 255.255.255.255 any
  access-list 102 deny   ip host 0.0.0.0 any
  access-list 102 deny   ip any any log
  access-list 103 remark auto generated by CCP firewall configuration
  access-list 103 remark CCP_ACL Category=1
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
  access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
  access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
  access-list 103 permit esp any host 62.153.xxx.xxx
  access-list 103 permit ahp any host 62.153.xxx.xxx
  access-list 103 permit udp host 194.25.0.60 eq domain any
  access-list 103 permit udp host 194.25.0.68 eq domain any
  access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
  access-list 103 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
  access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
  access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
  access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 103 deny   ip host 255.255.255.255 any
  access-list 103 deny   ip host 0.0.0.0 any
  access-list 103 deny   ip any any log
  access-list 104 remark CCP_ACL Category=4
  access-list 104 permit ip 10.133.10.0 0.0.1.255 any
  access-list 105 remark CCP_ACL Category=4
  access-list 105 remark IPSec Rule
  access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
  access-list 106 remark CCP_ACL Category=2
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
  access-list 106 permit ip 10.10.10.0 0.0.0.7 any
  access-list 106 permit ip 10.133.10.0 0.0.1.255 any
  access-list 107 remark CCP_ACL Category=4
  access-list 107 remark IPSec Rule
  access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 107 remark IPSec Rule
  access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 108 remark Auto generated by SDM Management Access feature
  access-list 108 remark CCP_ACL Category=1
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
  access-list 108 deny   tcp any host 10.133.10.1 eq telnet
  access-list 108 deny   tcp any host 10.133.10.1 eq 22
  access-list 108 deny   tcp any host 10.133.10.1 eq www
  access-list 108 deny   tcp any host 10.133.10.1 eq 443
  access-list 108 deny   tcp any host 10.133.10.1 eq cmd
  access-list 108 deny   udp any host 10.133.10.1 eq snmp
  access-list 108 permit ip any any
  access-list 109 remark CCP_ACL Category=1
  access-list 109 permit ip 10.133.10.0 0.0.1.255 any
  access-list 109 permit ip 10.10.10.0 0.0.0.7 any
  access-list 109 permit ip 192.168.10.0 0.0.1.255 any
  access-list 110 remark CCP_ACL Category=1
  access-list 110 permit ip host 195.243.xxx.xxx any
  access-list 110 permit ip host 84.44.xxx.xxx any
  access-list 110 permit ip 10.133.10.0 0.0.1.255 any
  access-list 110 permit ip 10.10.10.0 0.0.0.7 any
  access-list 110 permit ip 192.168.10.0 0.0.1.255 any
  access-list 111 remark CCP_ACL Category=4
  access-list 111 permit ip 10.133.10.0 0.0.1.255 any
  access-list 112 remark CCP_ACL Category=1
  access-list 112 permit udp host 10.133.10.5 eq 1812 any
  access-list 112 permit udp host 10.133.10.5 eq 1813 any
  access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
  access-list 112 permit udp any host 10.133.10.1 eq isakmp
  access-list 112 permit esp any host 10.133.10.1
  access-list 112 permit ahp any host 10.133.10.1
  access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
  access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
  access-list 112 remark auto generated by CCP firewall configuration
  access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
  access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
  access-list 112 permit udp host 10.133.10.7 eq domain any
  access-list 112 permit udp host 10.133.10.5 eq domain any
  access-list 112 deny   ip 62.153.xxx.xxx 0.0.0.7 any
  access-list 112 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 112 deny   ip host 255.255.255.255 any
  access-list 112 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 112 permit ip any any
  access-list 113 remark CCP_ACL Category=1
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
  access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
  access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
  access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
  access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
  access-list 113 remark auto generated by CCP firewall configuration
  access-list 113 permit udp host 194.25.0.60 eq domain any
  access-list 113 permit udp host 194.25.0.68 eq domain any
  access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
  access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
  access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
  access-list 113 permit esp any host 62.153.xxx.xxx
  access-list 113 permit ahp any host 62.153.xxx.xxx
  access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
  access-list 113 remark Pop3
  access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
  access-list 113 remark Pop3
  access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
  access-list 113 remark SMTP
  access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
  access-list 113 remark IMAP
  access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
  access-list 113 deny   ip 10.133.10.0 0.0.1.255 any
  access-list 113 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
  access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
  access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
  access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 113 deny   ip host 255.255.255.255 any
  access-list 113 deny   ip host 0.0.0.0 any
  access-list 113 deny   ip any any log
  access-list 114 remark auto generated by CCP firewall configuration
  access-list 114 remark CCP_ACL Category=1
  access-list 114 deny   ip 10.133.10.0 0.0.1.255 any
  access-list 114 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 114 permit icmp any any echo-reply
  access-list 114 permit icmp any any time-exceeded
  access-list 114 permit icmp any any unreachable
  access-list 114 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 114 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 114 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 114 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 114 deny   ip host 255.255.255.255 any
  access-list 114 deny   ip host 0.0.0.0 any
  access-list 114 deny   ip any any log
  access-list 115 remark VPN_Sub
  access-list 115 remark CCP_ACL Category=5
  access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
  access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
  access-list 115 permit ip 10.133.20.0 0.0.0.255 any
  access-list 116 remark CCP_ACL Category=4
  access-list 116 remark IPSec Rule
  access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 117 remark CCP_ACL Category=4
  access-list 117 remark IPSec Rule
  access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 118 remark CCP_ACL Category=4
  access-list 118 remark IPSec Rule
  access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 118 remark IPSec Rule
  access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  no cdp run
  route-map SDM_RMAP_1 permit 1
  match ip address 106
  control-plane
  mgcp profile default
  line con 0
  transport output telnet
  line 1
  modem InOut
  speed 115200
  flowcontrol hardware
  line aux 0
  transport output telnet
  line vty 0 4
  session-timeout 45
  access-class 110 in
  transport input telnet ssh
  line vty 5 15
  access-class 109 in
  transport input telnet ssh
  scheduler interval 500
  end

  The crypto ACL for the site to site vpn should also include the vpn client pool, otherwise, traffic from the vpn client does not match the interesting traffic for the site to site vpn.
  On Site A:
  should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
  You should also remove the following line as the pool is incorrect:
  access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  On Site B:
  should include: permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
  NAT exemption on site B should also be configured with deny on the above ACL.

• Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

  I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
  Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
  I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

  Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
  Share the configuration if you want help with the NAT exemption part.

• Can ASA5505 forward remote-access-VPN clients to LAN

  I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
  Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
  Are these two cases possible?:
  (1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
  (2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
  Long put short, can ASA-5505 inject its remote-access-VPN clients as one of hosts on the LAN managed by 2911-router?
  Thanks.

  I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
  You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA.

• VPN client connected to VPN but can't ping or access to server

  HI ,
  i need help urgently, had been troubleshooting for a day, but have no ideal what wrong with the config.
  Basically there is 2 set of VPN configured, one is site to site IPSEC VPN and another one is connect via VPN client software coexist in same router.
  This recently we having problem on client can't access or ping to internal server which is 192.168.6.3 from VPN client software.
  VPN client will connect to VPN ip pool as10.20.1.0 to 10.20.1.100
  Software itself shown connected but request time out when ping.
  Below is the config. Some of the command might be extra as when i did some test, but end up didn't work.
  aaa new-model
  aaa authentication login userauthen local
  aaa authorization network adminmap group VPNClient
  aaa authorization network groupauthor local
  aaa authorization network map-singapore local
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key emptyspace address 203.142.83.218 no-xauth
  crypto isakmp keepalive 15 periodic
  crypto isakmp client configuration address-pool local ippool
  crypto isakmp client configuration group map-singapore
  key cisco123
  dns 192.168.6.3
  domain cisco.com
  pool ippool
  acl 102
  crypto isakmp profile VPNclient
     match identity address 27.54.43.210 255.255.255.255
     match identity group vpnclient
     client authentication list userauthen
     client configuration address respond
  crypto ipsec security-association idle-time 86400
  crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
  crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
  crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set DYNSET
  set isakmp-profile VPNclient
  reverse-route
  crypto map VPNMAP client authentication list userauthen
  crypto map VPNMAP isakmp authorization list map-singapore
  crypto map VPNMAP client configuration address respond
  crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
  crypto map VPNMAP 11 ipsec-isakmp
  description VPN to ASA5520
  set peer 203.142.83.218
  set security-association lifetime kilobytes 14608000
  set security-association lifetime seconds 86400
  set transform-set REMSET
  match address 100
  interface GigabitEthernet0/0
  ip address 27.54.43.210 255.255.255.240
  ip nat outside
  no ip virtual-reassembly
  duplex full
  speed 100
  crypto map VPNMAP
  interface GigabitEthernet0/1
  ip address 192.168.6.1 255.255.255.0
  ip nat inside
  no ip virtual-reassembly
  duplex full
  speed 100
  interface GigabitEthernet0/2
  description $ES_LAN$
  no ip address
  shutdown
  duplex auto
  speed auto
  ip local pool ippool 10.20.1.0 10.20.1.100
  ip forward-protocol nd
  ip pim bidir-enable
  no ip http server
  ip http authentication local
  no ip http secure-server
  ip nat inside source list 1 interface GigabitEthernet0/0 overload
  ip nat inside source list 101 interface GigabitEthernet0/0 overload
  ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
  ip nat inside source static 192.168.6.3 27.54.43.212
  ip route 0.0.0.0 0.0.0.0 27.54.43.209
  ip route 192.168.1.0 255.255.255.0 27.54.43.209
  ip route 192.168.151.0 255.255.255.0 192.168.6.151
  ip route 192.168.208.0 255.255.255.0 27.54.43.209
  ip access-list extended RA_SING
  permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
  permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
  permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
  deny   ip any any log
  access-list 1 remark Local Network
  access-list 1 permit 192.168.6.0 0.0.0.255
  access-list 1 permit 192.168.102.0 0.0.0.255
  access-list 1 permit 192.168.151.0 0.0.0.255
  access-list 2 remark VPNClient-range
  access-list 2 permit 10.0.0.0 0.255.255.255
  access-list 10 permit 192.168.6.0 0.0.0.255
  access-list 10 permit 192.168.102.0 0.0.0.255
  access-list 10 permit 192.168.151.0 0.0.0.255
  access-list 10 permit 10.0.0.0 0.255.255.255
  access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
  access-list 101 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 101 permit ip 10.0.0.0 0.255.255.255 any
  access-list 101 permit ip 192.168.6.0 0.0.0.255 any
  access-list 102 permit ip 10.0.0.0 0.255.255.255 any
  access-list 120 deny   ip any any log
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  no cdp run
  route-map nonat permit 10
  match ip address 120
  control-plane
  alias isakmp-profile sh crypto isakmp sa
  alias exec ipsec sh crypto ipsec sa
  banner motd ^CC^C

  I did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.