Remote access vpn clients, access to Internet resources
Hello, we currently have a remote access vpn set up terminating on an ASA 5520. Remote access users connect into this ASA and are able to access resources inside of the firewall- the public IP of the ASA is 1.1.1.135. We need these users to be able to access resources natted behind another ASA firewall on the same public IP segment, at IP address 1.1.1.165.
I have gotten to the point where I believe I have all of my Nat/global statements in place, along with my ACLs on both firewalls, but I am not able to make the connection to the server behind the second ASA.
running packet tracer on the second ASA (hosting the 1.1.1.165 server) shows that the packet will be allowed. RUnning packet tracer on the Remote access VPN ASA is showing that the packet is dropped due to :
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
To me, this should be a simple setup, very similar to a company that tunnels all traffic (including Internet traffic) for remote access VPN users. It just doesn't seem like my traffic is getting to the second ASA wioth the remote host.
Anyone have any ideas?
I figured out the answer- I had to add a nat statement form my VPN user subnet to be natted to the outside global IP:
nat (outside) 1 10.2.2.0 255.255.255.0 (this is my vpn subnet)
global (outside) 1 interface
Similar Messages
-
Remote access VPN clients connected to Internet from VPN
Greetings,
I need to let remote VPN clients to connect to Internet from the same ASA VPN server
" client connects to ASA through VPN tunnel from outside interface then access Internet from the same ASA from outside interface again
thanksyou'll need to configure 'same-security-traffic permit intra-interface' on the ASA .
Also, need to setup the corresponding nat statements for your clients pool range.
i.e.
global (outside) 1 interface
nat (outside) 1 access-list anyconnectacl
where anyconnectacl is the pool for your clients:
access-list anyconnectacl permit ip 172.16.1.0 255.255.255.0 any -
Can ASA5505 forward remote-access-VPN clients to LAN
I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
Are these two cases possible?:
(1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
(2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
Long put short, can ASA-5505 inject its remote-access-VPN clients as one of hosts on the LAN managed by 2911-router?
Thanks.I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA. -
RV042 VPN Client Access not able to connect two users at same time
I have a RV042 and have set it up for VPN Client access using the QuickVPN client to connect my remote users. I discovered today that I cannot have two users connect in at the same time. Both users are in the same remote office. They can connect individually with no problem but if one is connected and the other tries connect also the second user gets a message the gateway is not responding. They are both running WinXPPRo SP3. Any help is greatly appreciated.
Were your QuickVPN clients behind a firewall router of some sort? For multiple QuickVPN clients to be able to connect to the remote RV042 at the same time, the local firewall router must have VPN Passthrough correctly implemented. You could try using a RV042 as the firewall router for your QuickVPN clients and you should be able to maintain 2 tunnels at the same time to the remote RV042.
-
I am using a window 7 professional service pack 1 and I purchase REMOTE DESKTOP SERVICES CLIENT ACCESS LICENSES FOR MICROSOFT WINDOWS SERVER 2012 STANDARD AND DATACENTER. but the seller did not send me any installation CD or instruction
on how to use it.
Please how can I use it on my window 7 professional service pack 1.
Thank you.Though Bill is absolutely correct for most CALs, Remote Desktop Services does have its own special licensing server. I haven't installed one on 2012, yet, but here is a step-by-step guide for 2008.
http://technet.microsoft.com/en-us/library/dd983943(v=ws.10).aspx
Here is a lab guide for 2012 -
http://technet.microsoft.com/en-us/library/jj134160.aspx
But, the explanation of your environment begs the question - what are you trying to do? You say you have a desktop OS and you are talking about Windows Server products. In that light, your question does not make a lot of sense.
. : | : . : | : . tim -
Host in DMZ try to access VPN Client.
ASA5510,
VPN client 192.168.250.249 have only port 1433 access to DMZ host 192.168.250.8.
DMZ host 192.168.250.8 have all ports access to VPN Client 192.168.250.249
I added the following rules into VPN Group policy
access-list AM_SVR02_EXT extended permit tcp host 192.168.250.249 host 192.168.250.8
access-list AM_SVR02_EXT extended permit tcp host 192.168.250.8 host 192.168.250.249 eq 1433
but doesn't work.. VPN client access host 1433 is ok.. but host can't access VPN client ..
How to do what I want?
Thanks in advance.There is not much point in adding 192.168.22.0/24 to the split tunnel ACL because it is already included in 192.168.0.0/16. It might be helpful to add 192.168.22.0 to the VPN_Routes ACL. Can you tell us what is 192.20.3.0/24 that is currently specified in that ACL?
Can you verify that devices in the DMZ have a route to the address pool for VPN?
HTH
Rick -
NAT for remote access VPN clients
Hello,
I have a simple remote access VPN setup on a 2811 router. The remote subnet of the clients connecting have access to the local LAN subnet, but I am wondering if it is possible to somehow NAT those remote access users, so that they can go beyond the local LAN, and through the VPN routers outside connection, giving them access to other resources.
The remote subnet would need to be added to the NAT overload pool that the local LAN is on somehow, but since no interface is created, I am unsure where I would need to put "ip nat inside" if it even needs to be done, or if I am just missing something.
I guess really what I want to do is tunnel all traffic, and have that remote client IP translate to the NAT pool on the router for internet access.
Thanks.Have a look here for solution
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
Regards -
Remote Access VPN Clients Cannot Access inside LAN
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable.
: Saved
ASA Version 8.2(1)
hostname ASA5505
domain-name default.domain.invalid
enable password eelnBRz68aYSzHyz encrypted
passwd eelnBRz68aYSzHyz encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group dataDSL
ip address 76.244.75.57 255.255.255.255 pppoe
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.9.1 255.255.255.0
interface Vlan10
nameif outside_cable
security-level 0
ip address 50.84.96.178 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Netbios udp
port-object eq 139
port-object eq 445
port-object eq netbios-ns
object-group service Netbios_TCP tcp
port-object eq 445
port-object eq netbios-ssn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.100.177
network-object host 192.168.100.249
object-group service Web_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_10
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_11
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_3
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_5
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_6
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_7
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_8
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_9
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network VPN
network-object 192.168.255.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 76.244.75.61
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
access-list dmz_access_in remark Quickbooks
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
access-list dmz_access_in remark Quickbooks range
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
access-list dmz_access_in remark QB
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
access-list dmz_access_in remark Printer
access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
access-list dmz_access_in remark QB probably does not need any udp
access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark QB included in other rule range
access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark May be required for Quickbooks
access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu outside_cable 1500
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside_cable) 10 interface
nat (inside) 0 access-list nonat-in
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group outside_cable_access_in in interface outside_cable
route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 204.107.173.0 255.255.255.0 outside_cable
http 0.0.0.0 0.0.0.0 outside_cable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cable_map interface outside_cable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outside_cable
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 204.107.173.0 255.255.255.0 outside
ssh 204.107.173.0 255.255.255.0 outside_cable
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
console timeout 0
vpdn group dataDSL request dialout pppoe
vpdn group dataDSL localname [email protected]
vpdn group dataDSL ppp authentication pap
vpdn username [email protected] password *********
dhcpd address 192.168.100.30-192.168.100.99 inside
dhcpd dns 192.168.100.5 68.94.156.1 interface inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN internal
group-policy cad_supplies_RAVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
client-firewall none
client-access-rule none
username swinc password BlhBNWfh7XoeHcQC encrypted
username swinc attributes
vpn-group-policy cad_supplies_RAVPN
username meredithp password L3lRjzwb7TnwOyZ1 encrypted
username meredithp attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone1 attributes
vpn-group-policy VPNPHONE
username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone2 attributes
vpn-group-policy VPNPHONE
username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone3 attributes
vpn-group-policy VPNPHONE
username oethera password WKJxJq7L6wmktFNt encrypted
username oethera attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
username markh attributes
vpn-group-policy cad_supplies_RAVPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cad_supplies_RAVPN type remote-access
tunnel-group cad_supplies_RAVPN general-attributes
address-pool VPN_IP_range
default-group-policy cad_supplies_RAVPN
tunnel-group cad_supplies_RAVPN ipsec-attributes
pre-shared-key *
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool VPN_Phone
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
: endHi,
You have your "group-policy" set so that you have excluding some networks from being tunneled.
In this access-list named Local_LAN_Access you specify "0.0.0.0"
Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
- Jouni -
ASA Remote Access VPN Clients - Multiple DNS Suffixes?
Hi community!
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
Full marks for helpful posts!
Kind regards, Ash.Hi
I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
I have a remote access requirement for users from separate AD's to authenticate through an ASA.
I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
Regards -
Remote access VPN client gets connected fails on hosts in LAN
Hi,
VPN client gets connected fine, I have a inter VLAN routing happening on the switch in the LAN so all the LAN hosts have gateway IP on the switch, I have the defult route pointing to ASA inside interface on the switch, the switch I can reach after Remote Access VPN is connected how ever I cannot ping/connect to other hosts in the LAN and if I make the gateway point to the ASA then that host is accessible, any suggestions? I really want to have gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing)Hi Mashal,
Thanks for your time,
VPN Pool(Client) 192.168.100.0/24
Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
=============
On the Switch
=============
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.2.5 to network 0.0.0.0
172.32.0.0/24 is subnetted, 1 subnets
C 172.32.0.0 is directly connected, Vlan101
C 192.168.200.0/24 is directly connected, Vlan2000
C 192.9.200.0/24 is directly connected, Vlan4000
S 192.168.250.0/24 [1/0] via 192.9.200.125
S 192.168.1.0/24 [1/0] via 192.9.200.125
C 192.168.2.0/24 is directly connected, Vlan1000
S 192.168.252.0/24 [1/0] via 192.9.200.125
S* 0.0.0.0/0 [1/0] via 192.168.2.5
===============
On ASA
===============
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.32.0.2 to network 0.0.0.0
C 172.32.0.0 255.255.255.0 is directly connected, outside
C 192.9.200.0 255.255.255.0 is directly connected, inside
C 192.168.168.0 255.255.255.0 is directly connected, failover
C 192.168.2.0 255.255.255.0 is directly connected, MGMT
S 192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
S 192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
We don't need route print on the PC for now as I can explain what is happening I can get complete access to the 192.168.2.0/24 (VLAN 1000) but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IP's on the switches/pair but cannot have any tcp connections, which explains the default route being pointed on the switch is on VLAN 1000, now my issue is How do I get access to VLAN 4000 as you can see these two are on different Interfaces/zones on the ASA and please note with default gateway pointing to ASA I will have access to both the VLAN's it is only when I move the gateway pointing to Switch I loose tcp connections to one VLAN depending on the default route on the being pointing to on the switch.
So we are left to do with how to on the switch with default route. -
Remote Access VPN, no split tunneling, internet access. NAT translation problem
Hi everyone, I'm new to the forum. I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices. The configuration has been working without issues for the last couple years.
I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
I reviewed the new NAT rules for the VPN and found the culprit.
I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
Here are the NAT rules I have in place: (The "inactive" rule is the culprit. As soon as I enable this rule, the port forwarding hits a wall)
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_Subnet interface inactive
object network obj_any
nat (inside,outside) dynamic interface
object network XXX_HTTP
nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
Any help would be appreciated.Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
With Regards,
Safwan -
Hii frnds,
here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
Below is the out put from the router
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1 172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 117.239.xx.xx
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.2.2.2/32 is directly connected, Loopback0
C 10.10.7.0/24 is directly connected, FastEthernet0/1
L 10.10.7.1/32 is directly connected, FastEthernet0/1
C 10.10.8.0/22 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 117.239.xx.xx/28 is directly connected, FastEthernet0/0
L 117.239.xx.xx/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/22 is directly connected, FastEthernet0/1
L 172.16.0.1/32 is directly connected, FastEthernet0/1
172.18.0.0/32 is subnetted, 1 subnets
S 172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
117.239.xx.xx 49.206.59.86 QM_IDLE 1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1 #sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: giet-vpn, local addr 117.239.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
current_peer 49.206.59.86 port 50083
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x550E70F9(1427009785)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5668C75(90606709)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550169/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x550E70F9(1427009785)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550170/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:hi Maximilian Schojohann..
First i would like to Thank you for showing interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF " Router cpu processer goes to 99% and hangs...
In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
so plz give me an alternate solution ....thanks in advance.... -
Remote Access VPN clients on LAN IP range
I need to setup a VPN Client configuration where the clients receive an IP on the LAN IP address range.
Attached is my config with the pool in its own range.(non-pertinent configuration excluded)
I've modified my pool to place the clients in a range within the LAN ip scheme. I have also modified my 110 ACL to exclude the NAT and my 111 ACL to allow for split-tunneling by the client.
When I connect, I get the proper address but I am unable to ping any devices internally.
Any suggestions as to the configuration or troubleshooting would be appreciated. I have seen documentaiton that it will not work in the form of TAC cases and config guides, but they were specific to ASA and Pix devices. I have not found any configuration guides of IOS routers showing examples of this configuration, but I did see mention in a config guide that said "if you assign addresses from a non-local subnet" which tells me that it is an option to assign local addresses.Ok, let's go
you should assign a pool that has a diferent range than your internal like
ip pool vpn_pool 10.0.0.1 10.0.0.10
then you must NAT it to make it seems it came from inside to whatever you want to be the destination, then do the following
configure your external interface as "nat outside"
fastethernet 0/0
ip nat outside
Configure your internal interface as "nat inside"
fastethernet 0/1
ip nat inside
configure the NAT
ip nat outside sourse static network 10.0.0.0 192.168.0.0 255.255.255.240
please rate if helps -
Allow remote Cisco VPN ASDM Access
Hi,
I am trying to setup asdm access for remote vpn user. Our ASA is running verion 9.1(1). ASDM is running version 7.1(1)52
I have outside interface, inside interface enabled for vpn tunnel and I use 3rd interface(asdm_inf) dedicated for this purpose.
In the asdm, I have enabled management interface for asdm_inf. In the ASDM/HTTPS/Telnet/SSH section, I also add ASDM/HTTPS(port 444) for asdm_inf, ip_address 0.0.0.0, mask 0.0.0.0.
However, when I connect to vpn client and trying https://asdm_inf:444, the connection is failed with timeout.
Where could I go wrong? Any help would be appreciated.
Thanks
JinYes. I configured management-access asdm_inf
Now I made some changes to try to use internal interface for remote VPN asdm access. Here are some of my running-config:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.10.10.250 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 1
no ip address
interface GigabitEthernet0/1.100
vlan 307
nameif BFD
security-level 100
ip address 192.168.244.152 255.255.255.0
interface Management0/0
management-only
nameif management
security-level 10
ip address 192.55.194.112 255.255.255.0
object network vpn_pool
subnet 10.50.16.0 255.255.240.0
object network NETWORK_OBJ_10.50.16.0_20
subnet 10.50.16.0 255.255.240.0
object network NETWORK_OBJ_192.168.244.0_24
subnet 192.168.244.0 255.255.255.0
object-group network All_vpn_networks
description This is used for split tunnel network list
network-object 172.16.66.0 255.255.255.0
access-list testacl standard permit 172.16.66.0 255.255.255.0
nat (BFD,outside) source static NETWORK_OBJ_192.168.244.0_24 NETWORK_OBJ_192.168.244.0_24 destination static NETWORK_OBJ_10.50.16.0_20 NETWORK_OBJ_10.50.16.0_20 no-proxy-arp route-lookup
http server enable 444
http 192.55.194.0 255.255.255.0 management
http 10.50.16.0 255.255.240.0 BFD
ssh scopy enable
ssh 10.50.16.0 255.255.240.0 BFD
ssh 192.55.194.0 255.255.255.0 management
ssh timeout 60
console timeout 0
management-access BFD
As you could read, vpn tunnel the traffic to 172.16.66.x network and our vpn address pool is 10.50.16.x, vlan BFD(under inside interface) has management access and vpn address pool is allowed to access.
Please advise what I can do.
Thanks
Jin -
Remote access VPN client gets connected no access to LAN
: Saved
ASA Version 8.6(1)2
hostname COL-ASA-01
domain-name dr.test.net
enable password i/RAo1iZPOnp/BK7 encrypted
passwd i/RAo1iZPOnp/BK7 encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.32.0.11 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.9.200.126 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif failover
security-level 0
ip address 192.168.168.1 255.255.255.0 standby 192.168.168.2
interface Management0/0
nameif management
security-level 0
ip address 192.168.2.11 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dr.test.net
object network RAVPN
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.9.200.0_24
subnet 192.9.200.0 255.255.255.0
object-group network inside_network
network-object 192.9.200.0 255.255.255.0
object-group network Outside
network-object host 172.32.0.25
access-list RAVPN_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
access-list test123 extended permit ip host 192.168.200.1 host 192.9.200.190
access-list test123 extended permit ip host 192.9.200.190 host 192.168.200.1
access-list test123 extended permit ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0
access-list test123 extended permit ip 192.9.200.0 255.255.255.0 object NETWORK_OBJ_192.9.200.0_24
pager lines 24
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
route outside 0.0.0.0 0.0.0.0 172.32.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=KWI-COL-ASA-01.dr.test.net,O=KWI,C=US
crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh 66.35.45.128 255.255.255.192 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy RAVPN internal
group-policy RAVPN attributes
wins-server value 192.9.200.164
dns-server value 66.35.46.84 66.35.47.12
vpn-filter value test123
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test123
default-domain value dr.kligerweiss.net
username test password xxxxxxx encrypted
username admin password aaaaaaaaaaaa encrypted privilege 15
username vpntest password ddddddddddd encrypted
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool RAVPN
default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 2
subscribe-to-alert-group configuration periodic monthly 2
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea
: end
COL-ASA-01#
Here is some capture done on the inside interface which may help too, I tried pointing the gateway to inside interface on the target device but I think this was a switch without ip route available on it I believe that is still sending packet back to Cisco inside interface
COL-ASA-01# sho cap test | in 192.168.200
25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request
29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137: udp 68
38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137: udp 68
56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137: udp 68
69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request
98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request
99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137: udp 68
108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137: udp 68
115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137: udp 68
116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request
COL-ASA-01#
Any help or pointers greatly appreciated, I am doing this config after a long gap on Cisco last time I was working it was all PIX so just need some expert eyes to let me know if I am missing something.
And Yes I do not have a Host in Inside network to test against, all I have is a switch which cannot route and ip default gateway is not helping too...Hi,
The first thing you should do to avoid problems is to change the VPN Pool to something else than the current LAN network as they are not really directly connected in the same network segment.
You could try the following changes
tunnel-group RAVPN general-attributes
no address-pool RAVPN
no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0
tunnel-group RAVPN general-attributes
address-pool RAVPN
no nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
In the above you first remove the VPN Pool from the "tunnel-group" and then remove and recreate the VPN Pool with another network and then insert it back to the same "tunnel-group". Nex you remove the current NAT configuration.
object network LAN
subnet 192.168.200.0 255.255.255.0
object network VPN-POOL
subnet 192.168.201.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
The above NAT configurations adds the correct NAT0 configuration for the changed VPN Pool. It also inserts the NAT rule to the very top before the Dynamic PAT rule you currently have. It is also one of the problems with the configurations as it will override your current NAT configurations.
You have your Dynamic PAT rule at the very top of your NAT rules currently which is not a good idea. If you wish to change it to something else that wont override the other NAT configurations in the future you can do the following change.
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
NOTICE! Changing the above Dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the Dynamic PAT rule. So if you do this change make sure that its ok to cause still small cut in the current connections of internal users
Hope this helps
Let me know if it works for you
- Jouni
Maybe you are looking for
-
Migration of balances for new ledger using the New GL
Hi everyone, I have a specific scenario into this customer where we have implemented the SAP version ECC6.0 with the table FAGLFLEXT is active and using just one ledger (0L - standard). We need to create a new ledger for IFRS (e.g: 1L), as the custom
-
Internal Order with 241 movement
Hello Expert, We have FG stock which will be used for captive used, hence need to be capitalised. We can issue FG to Assets by 241 movement, but we track the Capex budget by internal order. 241 movement does not reflect on Internal order budget. Seco
-
Good receipt entry not possible
hi sap guru, while entering good receipt, i am getting error of ACCOUNT DETERMINATION FOR ENTRY INT GBB___BSA 3000 not possible please throw some light thank in advance
-
TS1367 My MacPro won't start up properly?
My MackBook pro won't start up properly. Screen comes on with apple logo and sound but won't boot properly. Any help would be appreciated, thanks PS I'm not computer savvy!
-
New iPod Updater will not download in iTunes 7.0
When I plug in my iPod it asks me if I want to Download and Install the new iPod Updater for iTunes 7.0, but when I click yes it tells me that I am not connected to the internet when I clearly am. Everything else works fine including the iTunes Store