Remote Access VPN (ipsec) can ping LAN interface of firewall but not clients on the company network.

Similar Messages

• Remote access VPN on ASA5520 Ping Issues.

  Hi I hope someone might be able to help me. I have setup a remote access VPN on an ASA 5520. The VPN client connects ok, accepts my username and password and then I am in. I get an allocated IP address of 172.16.1.1 from the local pool. The problem is that I cannot then ping the inside LAN which is 192.168.1.1. I've got isakmp nat traversal set to default which is 20. I've been looking at this all day and I think I've gone crossed eyed, a fresh pair of eyes are definitley required, so any help would be gratefully received. My config is
  Saved
  ASA Version 7.0(8)
  hostname Hospira-firewall
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  dns-guard
  interface GigabitEthernet0/0
  speed 100
  duplex full
  nameif outside
  security-level 0
  ip address 213.212.66.52 255.255.255.248
  interface GigabitEthernet0/1
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface GigabitEthernet0/2
  shutdown    
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  same-security-traffic permit intra-interface
  access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
  access-list Split standard permit 192.168.1.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip local pool mypool 172.16.1.1-172.16.1.253 mask 255.255.255.0
  no failover
  asdm image disk0:/asdm-508.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT
  nat (inside) 1 192.168.1.0 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 213.212.66.49 1
  route outside 172.16.1.0 255.255.255.0 213.212.66.49 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
  timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  group-policy hospira internal
  group-policy hospira attributes
  vpn-simultaneous-logins 400
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split
  webvpn
  username user password 08S9WUsiSMr3RauN encrypted
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set hospira esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dmap 1 set transform-set hospira
  crypto dynamic-map dmap 1 set security-association lifetime seconds 28800
  crypto dynamic-map dmap 1 set security-association lifetime kilobytes 4608000
  crypto dynamic-map dmap 1 set reverse-route
  crypto map mymap 1 ipsec-isakmp dynamic dmap
  crypto map mymap 2 match address NONAT
  crypto map mymap 2 set security-association lifetime seconds 28800
  crypto map mymap 2 set security-association lifetime kilobytes 4608000
  crypto map mymap interface outside
  isakmp identity address
  isakmp enable outside
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption 3des
  isakmp policy 1 hash sha
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 86400
  isakmp policy 65535 authentication pre-share
  isakmp policy 65535 encryption 3des
  isakmp policy 65535 hash sha
  isakmp policy 65535 group 2
  isakmp policy 65535 lifetime 86400
  isakmp nat-traversal  20
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
  tunnel-group hospira type ipsec-ra
  tunnel-group hospira general-attributes
  address-pool mypool
  default-group-policy hospira
  tunnel-group hospira ipsec-attributes
  pre-shared-key *
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
  inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  Cryptochecksum:98f85c39a5cbffe66b0f6585d5083c7c
  : end
  Many thanks

  Hi Richard ,
  - we don't need access-list with RA connection , we have the dynamic map that acts as a template , so your crypto config :
  crypto map mymap 1 ipsec-isakmp dynamic dmap
  crypto map mymap 2 match address NONAT
  crypto map mymap 2 set security-association lifetime seconds 28800
  crypto map mymap 2 set security-association lifetime kilobytes 4608000
  crypto map mymap interface outside
  map with seq 1 is being binded to the dynamic map , now map 2 you are using the nonat access list as the encryption trigger for this map , so this should not be there as it encrypt traffic from the inside subnet to the pool .
  please remove the second entry, then test if not working please provide a capture from the inside interface .
  HTH
  Mohammad.

• DNS Issues - Can ping server name and IPs but not FQDNs.

  Hi All, 
  Hopefully some one can help me here, I am having an issue where one of my domain attached servers cannot ping any FQDNs in the environment but it can ping the host names and the IPs and look up the host names from a reverse look up. 
  We have done the following troubleshooting:
  Flushed and registered DNS cache.
  Restarted the DNS client and net logon services on the effected server
  Preformed standard checks and commands such as:
  Checked the event logs and found there were warnings for DNS registration.
  Compared the DNS settings in the network adapters across the rest of the servers in the environment and found that they were all the same. DNS Suffixes are added in the correct order and are set to register.
  Pinging FQDNs which is not giving any results.
  Tracert FQDNs which is also not giving any results.
  Nslookup which is querying the DNS server directly and giving results as expected
  Ran the command which reported successful: dcdiag /test:registerindns /dnsdomain:sub.domain.net /v
  Checked and updated the permissions on DNS for the affected server to give the server full control of its own DNS entry. 
  Replaced the DNS Client service DLL with one from a server that is working as expected. 
  Also worth noting is that the affected server (as well as every other server in the environment) has 2 NICs, one that communicates with DNS and AD and the other does not have any DNS IPs set. 
  Not this is not the first time this happened, a reboot fixed the issue before but it seems to be a reoccurring problem now. 
  If any one can shed some light on this issue I would be grateful.
  Regards,
  Steve. 

  Hi Steve,
  First, we should confirm if this issue is caused by DNS.
  When you ping the FQDN, does the server show the correct corresponding IP address?
  If no, there should be some error messages. If it is possible, please post the screenshot of this issue.
  To check the process about how does server resolve the FQDN, please follow the steps below:
  clear local DNS cache with command ipconfig /flushdns
  perform the network capture
  ping the specified FQDN
  Check the DNS traffic
  To download Network Monitor, please click the link below:
  http://www.microsoft.com/en-hk/download/details.aspx?id=4865
  Besides, have you tried to update the NIC driver to the latest version?
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Can ping from Windows to Mac but not from Mac to Windows

  Hi all!
  New owner of a Mac Mini. Know nothing about it, so NewBie Alert!
  Windows PC with two NIC's. One connected to the internet, one connected to the Mac by using a crossover cable. Internet Connection Sharing on the Windows PC and the Mac can go out to the internet so there is connectivity between the Mac and the Windows PC.
  The problem: I cannot ping the Windows PC from the Mac. I can ping the Mac from the Windows PC, so my suspicion is that it has something to do with a firewall on the Mac, but as far as i know the firewall on the Mac is switched off. On the Windows PC the firewall is definitely switched off.
  Who can help me getting this working?
  Thanks,
  Ton.

  There can be multiple problems here:
  - no ping service provided on the Windows PC
  - ping traffic blocked by a firewall at either end
  - pinging the wrong host: You have two NICs in your Windows PC, with two IP addresses, and two host names. Only one of the two will be visible from the Mac. Use "ipconfig" at a command prompt to get the two IP addresses, or look at the Properties of your Network connections.
  - Name resolution problem: Try using the IP address with the ping command, not a host name.
  Ping from the Windows PC to the MAC, and observe the reported IP address. Make sure the IP address you use to ping from the Mac is in the same subnet, i.e. the first three numbers must be the same, like
  192.168.1.100 vs. 192.168.1.101
  What is the result of the ping operation, i.e. "host not reachable", "unknown host", or "no response".
  Tilman
  Mac Mini PPC   Mac OS X (10.4.6)  

• Remote Access VPN and NAT inside interface

  Hi everyone,
  I have configured Remote VPN access.
  Inside interface and vpn pool is 10.0.0.0 subnet.
  ASA inside interface has NAT exempt as per config below
  nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
  object network NETWORK_OBJ_10.0.0.0_24
  subnet 10.0.0.0 255.255.255.0
  object network NETWORK_OBJ_10.0.0.0_25
  subnet 10.0.0.0 255.255.255.128
  Also i have ASA inside interface connected to R1 as below
  R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
  R1 has loopback int 192.168.50.1 and ASA has static route to it.
  When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
  This ping works fine.
  Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
  Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
  Need to understand how this ping works without exempting 192.168.50.0 from natiing
  or
  how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
  Regards
  Mahesh

  Hi Jouni,
  IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
  Leting you  know that i have removed the NAT below config from inside to outside interface 
  ASA inside interface has NAT exempt as per config below
  nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
  object network NETWORK_OBJ_10.0.0.0_24
  subnet 10.0.0.0 255.255.255.0
  object network NETWORK_OBJ_10.0.0.0_25
  subnet 10.0.0.0 255.255.255.128
  Still ping works fine from VPN client PC to IP 192.168.50.1
  Packet tracer output
  ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.50.1    255.255.255.255 inside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit ip any host 192.168.50.1 log
  access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
  Additional Information:
  Phase: 3
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: CP-PUNT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: DROP
  Config:
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  I can ping from PC command prompt to IP 192.168.50.1 fine.
  Here is second packet tracer
  ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group inside_access_in in interface inside
  access-list inside_access_in extended permit ip any any
  Additional Information:
  Phase: 3
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: DEBUG-ICMP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: DEBUG-ICMP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 11
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 18033, packet dispatched to next module
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: allow
  So question is how ping from outside is working without nat exempt from inside to outside?
  So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
  Regards
  Mahesh
  Message was edited by: mahesh parmar

• Remote access vpn issues

  Hi all, I have been having issues with my remote access vpn, I can connect but cannot ping anywhere, I have enabled ipsec over nat-t, but still does not work, I noticed that when I did an ipconfig on my machine, I get the ip address assigned by my asa, 10.120.50.2 /32
  but the default gateway is showing as 10.112.50.3, is this correct, I thought it should be the same as the interface address ?

  Hi Carl,
  Can you make sure you have the following in your config:
  isakmp nat-traversal
  Can you also ensure your internal network has routing in place to cover your VPN client pool.

• Remote Access VPN authentication through RADIUS

  Hi,
  I have configured remote access VPN (IPsec) in my Cisco ASA . Before there was only single username & password to for VPN client. Now I am planning to give access through RADIUS server. I have configured RADIUS server in WIN 2003 server.
  Server configuration:
  1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with ip address of CISCO ASA (inside interface).
  2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
  3) check Grant Remote Access Permissions is selected.Click Edit Profile and check these settings:On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP,and MS-CHAP-v2.On the Encryption tab, ensure that the option for No Encryption is selected.Click OK when you are finished.
  4.Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account.Add a user and check this profile information:On the General tab, ensure that the option for Password Never Expired is selected instead ofthe option for User Must Change Password.
  On the Dial-in tab, select the option for Allow access
  ASA configuration:
  aaa-server vpn protocol radius
  aaa-server vpn host 10.155.20.25 (RADIUS server IP )
  key cisco321
  tunnel-group vpnacc type ipsec-ra
  tunnel-group vpnacc general-attributes
  authentication-server-group vpn
  but it is not working. Please guide to resolve this issue.
  Regards,
  som

  Also, take a look at your logs on the windows server, and try debugging the asa. Try running wireshark or network monitor on the windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the asa and/or checking the logs on the server. Make sure the service is running on the windows box. Make sure that something stupid like windows firewall isnt blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword"
  Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning, running debugs on a production firewall should be done at your own risk, it is very easy to overwhelm a device to the point it stops responding by running debugs.

• Remote Access VPN Query

  Hi All,
  I'm looking to setup a Remote Access VPN via my ASA 5510. The clients will be using Cisco Anyconnect (which I assume is compatible...?) When I use the wizard it only mentions Cisco VPN Client.
  When my clients connect up to the ASA via Anyconect, can I get them to just use DHCP via my AD servers or do I need to configure a seperate independent scope specifically for VPN clients?
  Thanks

  Hi Grant,
  When you configure Remote access VPN , you need to configure a seprated pool of ip address for the vpn user.
  Regards,
  Bikas R.Pandey.

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....

• Remote access VPN with Cisco Router - Can not get the Internal Lan .

  Dear Sir ,
  I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
  I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
  Below is the IP address of the device.
  Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
  IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
  IP address:10.10.10.1
  Mask:255.255.255.0 F0/0
  IP Address :20.20.20.1
  Mask :255.255.255.0
  F0/1
  IP address :192.168.1.3
  Mask:255.255.255.0
  F0/0
  IP address :20.20.20.2
  Mask :255.255.255.0
  F0/1
  IP address :192.168.1.1
  Mask:255.255.255.0
  I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
  Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
  Need your help to fix the problem.
  Router R2 Configuration :!
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R2
  boot-start-marker
  boot-end-marker
  no aaa new-model
  memory-size iomem 5
  no ip icmp rate-limit unreachable
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  ip tcp synwait-time 5
  interface FastEthernet0/0
  ip address 20.20.20.2 255.255.255.0
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 10.10.10.1 255.255.255.0
  duplex auto
  speed auto
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  control-plane
  line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line aux 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line vty 0 4
  login
  end
  Router R1 Configuration :
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R1
  boot-start-marker
  boot-end-marker
  aaa new-model
  aaa authentication login USERAUTH local
  aaa authorization network NETAUTHORIZE local
  aaa session-id common
  memory-size iomem 5
  no ip icmp rate-limit unreachable
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  username vpnuser password 0 strongpassword
  ip tcp synwait-time 5
  crypto keyring vpnclientskey
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp client configuration group remotevpn
  key cisco123
  dns 192.168.1.2
  wins 192.168.1.2
  domain mycompany.com
  pool vpnpool
  acl VPN-ACL
  crypto isakmp profile remoteclients
  description remote access vpn clients
  keyring vpnclientskey
  match identity group remotevpn
  client authentication list USERAUTH
  isakmp authorization list NETAUTHORIZE
  client configuration address respond
  crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
  crypto dynamic-map DYNMAP 10
  set transform-set TRSET
  set isakmp-profile remoteclients
  crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
  interface FastEthernet0/0
  ip address 20.20.20.1 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map VPNMAP
  interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpnpool 192.168.50.1 192.168.50.10
  ip forward-protocol nd
  ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
  no ip http server
  no ip http secure-server
  ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
  ip access-list extended NAT-ACL
  deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 any
  ip access-list extended VPN-ACL
  permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
  control-plane
  line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line aux 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  line vty 0 4
  end

  Dear All,
  I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
  Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
  Waiting for your responce .
  --Milon

• Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

  I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
  Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
  I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

  Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
  Share the configuration if you want help with the NAT exemption part.

• Can ASA5505 forward remote-access-VPN clients to LAN

  I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
  Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
  Are these two cases possible?:
  (1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
  (2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
  Long put short, can ASA-5505 inject its remote-access-VPN clients as one of hosts on the LAN managed by 2911-router?
  Thanks.

  I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
  You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA.

• Remote Access VPN Clients Cannot Access inside LAN

  I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with.  I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  Thay can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
  : Saved
  ASA Version 8.2(1)
  hostname ASA5505
  domain-name default.domain.invalid
  enable password eelnBRz68aYSzHyz encrypted
  passwd eelnBRz68aYSzHyz encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group dataDSL
  ip address 76.244.75.57 255.255.255.255 pppoe
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.9.1 255.255.255.0
  interface Vlan10
  nameif outside_cable
  security-level 0
  ip address 50.84.96.178 255.255.255.240
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 10
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit intra-interface
  object-group service Netbios udp
  port-object eq 139
  port-object eq 445
  port-object eq netbios-ns
  object-group service Netbios_TCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  object-group network DM_INLINE_NETWORK_1
  network-object host 192.168.100.177
  network-object host 192.168.100.249
  object-group service Web_Services tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_10
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_11
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_2
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_3
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_4
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_5
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_6
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_7
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_8
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_9
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network VPN
  network-object 192.168.255.0 255.255.255.0
  access-list outside_access_in extended permit icmp any host 76.244.75.61
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
  access-list dmz_access_in remark Quickbooks
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
  access-list dmz_access_in remark Quickbooks range
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
  access-list dmz_access_in remark QB
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
  access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
  access-list dmz_access_in remark Printer
  access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
  access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
  access-list dmz_access_in remark QB probably does not need any udp
  access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark QB included in other rule range
  access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark May be required for Quickbooks
  access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
  access-list Local_LAN_Access standard permit host 0.0.0.0
  access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
  access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered informational
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500 
  mtu outside_cable 1500
  ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
  ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 10 interface
  global (outside_cable) 10 interface
  nat (inside) 0 access-list nonat-in
  nat (inside) 10 0.0.0.0 0.0.0.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  nat (dmz) 10 0.0.0.0 0.0.0.0
  static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
  static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
  static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
  access-group outside_access_in in interface outside
  access-group dmz_access_in in interface dmz
  access-group outside_cable_access_in in interface outside_cable
  route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.100.0 255.255.255.0 inside
  http 204.107.173.0 255.255.255.0 outside
  http 204.107.173.0 255.255.255.0 outside_cable
  http 0.0.0.0 0.0.0.0 outside_cable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_cable_map interface outside_cable
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp enable outside_cable
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 192.168.100.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.100.0 255.255.255.0 inside
  ssh 204.107.173.0 255.255.255.0 outside
  ssh 204.107.173.0 255.255.255.0 outside_cable
  ssh 0.0.0.0 0.0.0.0 outside_cable
  ssh timeout 15
  console timeout 0
  vpdn group dataDSL request dialout pppoe
  vpdn group dataDSL localname [email protected]
  vpdn group dataDSL ppp authentication pap
  vpdn username [email protected] password *********
  dhcpd address 192.168.100.30-192.168.100.99 inside
  dhcpd dns 192.168.100.5 68.94.156.1 interface inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec l2tp-ipsec
  group-policy cad_supplies_RAVPN internal
  group-policy cad_supplies_RAVPN attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
  group-policy VPNPHONE internal
  group-policy VPNPHONE attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec
  split-tunnel-policy excludespecified
  split-tunnel-network-list value Local_LAN_Access
  client-firewall none
  client-access-rule none
  username swinc password BlhBNWfh7XoeHcQC encrypted
  username swinc attributes
  vpn-group-policy cad_supplies_RAVPN
  username meredithp password L3lRjzwb7TnwOyZ1 encrypted
  username meredithp attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone1 attributes
  vpn-group-policy VPNPHONE
  username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone2 attributes
  vpn-group-policy VPNPHONE
  username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone3 attributes
  vpn-group-policy VPNPHONE
  username oethera password WKJxJq7L6wmktFNt encrypted
  username oethera attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
  username markh attributes
  vpn-group-policy cad_supplies_RAVPN
  tunnel-group DefaultRAGroup general-attributes
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cad_supplies_RAVPN type remote-access
  tunnel-group cad_supplies_RAVPN general-attributes
  address-pool VPN_IP_range
  default-group-policy cad_supplies_RAVPN
  tunnel-group cad_supplies_RAVPN ipsec-attributes
  pre-shared-key *
  tunnel-group VPNPHONE type remote-access
  tunnel-group VPNPHONE general-attributes
  address-pool VPN_Phone
  default-group-policy VPNPHONE
  tunnel-group VPNPHONE ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 1500
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
  : end

  Hi,
  You have your "group-policy" set so that you have excluding some networks from being tunneled.
  In this access-list named Local_LAN_Access you specify "0.0.0.0"
  Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
  This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
  - Jouni

• ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

  Hi community,
  I configured IPSec remote Access VPN in ASA, and remote client use Cisco VPN client to connect to the HQ. The VPN is working now, VPN clients can connect to Servers inside and IT's subnet, but from my PC or Servers inside LAN cannot ping or initial a RDP to connected VPN clients. Below is my configuration:
  object-group network RemoteVPN_LocalNet
   network-object 172.29.168.0 255.255.255.0
   network-object 172.29.169.0 255.255.255.0
   network-object 172.29.173.0 255.255.255.128
   network-object 172.29.172.0 255.255.255.0
  access-list Split_Tunnel remark The Corporation network behind ASA
  access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
  ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
  nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dyn1 1 set ikev1 transform-set myset
  crypto map mymap 65000 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  tunnel-group remotevpngroup type remote-access
  tunnel-group remotevpngroup general-attributes
   address-pool remotevpnpool
   authentication-server-group MS_LDAP LOCAL
   default-group-policy Split_Tunnel_Policy
  I don't know what I miss in order to have internal LANs initial connection to connected vpn clients. Please guide me.
  Thanks in advanced.

  Hi tranminhc,
  Step 1: Create an object.
  object network vpn_clients
   subnet 10.88.61.0 mask 255.255.255.0
  Step 2: Create a standard ACL.
  access-list my-split standard permit ip object RemoteVPN_LocalNet
  Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
  no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
  Step 4: Create new nat exemption.
  nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
  Step 5: Apply ACL on the tunnel.
  group-policy Split_Tunnel_Policy attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value my-split
  Step 6:
  I assume you have a default route on your inside L3 switch point back to ASA's inside address.  If you don't have one.
  Please add a default or add static route as shown below.
  route 10.88.61.0 mask 255.255.255.0 xxx.xxx.xxx.xxx 
  xxx.xxx.xxx.xxx = equal to ASA's inside interface address.
  Hope this helps.
  Thanks
  Rizwan Rafeek

• Remote access VPN client gets connected fails on hosts in LAN

  Hi,
  VPN client gets connected fine, I have a inter VLAN routing happening on the switch in the LAN so all the LAN hosts have gateway IP on the switch, I have the defult route pointing to ASA inside interface on the switch, the switch I can reach after Remote Access VPN is connected how ever I cannot ping/connect to other hosts in the LAN and if I make the gateway point to the ASA then that host is accessible, any suggestions? I really want to have gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing)

  Hi Mashal,
  Thanks for your time,
  VPN Pool(Client) 192.168.100.0/24
  Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
  =============
  On the Switch
  =============
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route
  Gateway of last resort is 192.168.2.5 to network 0.0.0.0
       172.32.0.0/24 is subnetted, 1 subnets
  C       172.32.0.0 is directly connected, Vlan101
  C    192.168.200.0/24 is directly connected, Vlan2000
  C    192.9.200.0/24 is directly connected, Vlan4000
  S    192.168.250.0/24 [1/0] via 192.9.200.125
  S    192.168.1.0/24 [1/0] via 192.9.200.125
  C    192.168.2.0/24 is directly connected, Vlan1000
  S    192.168.252.0/24 [1/0] via 192.9.200.125
  S*   0.0.0.0/0 [1/0] via 192.168.2.5
  ===============
  On ASA
  ===============
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
         * - candidate default, U - per-user static route, o - ODR
         P - periodic downloaded static route
  Gateway of last resort is 172.32.0.2 to network 0.0.0.0
  C    172.32.0.0 255.255.255.0 is directly connected, outside
  C    192.9.200.0 255.255.255.0 is directly connected, inside
  C    192.168.168.0 255.255.255.0 is directly connected, failover
  C    192.168.2.0 255.255.255.0 is directly connected, MGMT
  S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
  S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
  S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
  We don't need route print on the PC for now as I can explain what is happening I can get complete access to the 192.168.2.0/24 (VLAN 1000) but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IP's on the switches/pair but cannot have any tcp connections, which explains the default route being pointed on the switch is on VLAN 1000, now my issue is How do I get access to VLAN 4000 as you can see these two are on different Interfaces/zones on the ASA and please note with default gateway pointing to ASA I will have access to both the VLAN's it is only when I move the gateway pointing to Switch I loose tcp connections to one VLAN depending on the default route  on the being pointing to on the switch.
  So we are left to do with how to on the switch with default route.