Remote access vpn not working, VPNC client
Hi,
I have configured a remote access VPN client on a Cisco ASA 5520 with the following configuration. We are using the Cisco VPN client.
tunnel-group consultant type remote-access
tunnel-group consultant general-attributes
address-pool VPN
authentication-server-group RSA-AAA LOCAL
default-group-policy consultant
tunnel-group consultant ipsec-attributes
pre-shared-key *
group-policy consultant internal
group-policy consultant attributes
vpn-idle-timeout 120
vpn-session-timeout 720
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value access-spilt
access-list access-spilt standard permit host 10.101.50.60
One of the Linux users is using vpnc. Once the user connects to the VPN and adds a static route on the machine with the destination pointing to the VPN interface, for example 10.101.50.0/24, the user is able to reach all the hosts in the subnet even though the access list on the firewall is configured for one host, 10.101.50.60.
I did the same test on a Windows machine, but was only able to reach the specific host allowed through the VPN. Why is the network filter not working for vpnc? Please advise.
Thanks
Similar Messages
-
Hi all
I am bad at configuring the Remote Access VPN, please help me on this. I use 3DES & AES; we don't have the license.
I have tried using "sysopt connection permit-vpn".
I have tried using both "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface", no luck. Please help me on this.
VPN configuration - configured using IPsec-Wizard
access-list omsir_splitTunnelAcl standard permit 10.xxx.xxx.0 255.255.255.0
access-list Inside_nat0_outbound_1 line 1 extended permit ip 10.xxx.xxx.0 255.255.255.0 10.xxx.xxx.0 255.255.255.0
sysopt connection permit-vpn
ip local pool ip-pool 10.xxx.xxx.1-10.xxx.xxx.1 mask 255.255.255.0
group-policy omsir internal
group-policy omsir attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value omsir_splitTunnelAcl
dns-server value 10.xxx.xxx.x
default-domain value domain.in
tunnel-group omsir type remote-access
tunnel-group omsir general-attributes
default-group-policy omsir
address-pool ip-pool
tunnel-group omsir ipsec-attributes
pre-shared-key **********
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
nat (Inside) 0 access-list Inside_nat0_outbound_1 tcp 0 0 udp 0
ASA logs - I have attached them.
Cisco VPN client log:
Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 18:37:37.296 02/13/13 Sev=Info/4 CM/0x63100002
Begin connection process
2 18:37:37.301 02/13/13 Sev=Info/4 CM/0x63100004
Establish secure connection
3 18:37:37.302 02/13/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "1xx.xxx.xx2"
4 18:37:37.307 02/13/13 Sev=Info/6 CM/0x6310002F
Allocated local TCP port 49661 for TCP connection.
5 18:37:39.465 02/13/13 Sev=Info/4 CM/0x63100029
TCP connection established on port 21000 with server "1xx.xxx.xx2"
6 18:37:39.979 02/13/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "1xxx.xxx..2"
7 18:37:39.985 02/13/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 1.xxx.xxx.2.
8 18:37:40.000 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 1xx.xxx.xx2
9 18:37:40.234 02/13/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1xx.xxx.xx2
10 18:37:40.234 02/13/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 1xx.xxx.xx2
11 18:37:40.237 02/13/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1xx.xxx.xx2
12 18:37:40.237 02/13/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 1xx.xxx.xx2
13 18:37:40.237 02/13/13 Sev=Info/5 IKE/0x63000073
All fragments received.
14 18:37:40.237 02/13/13 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
15 18:37:40.237 02/13/13 Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
16 18:37:40.237 02/13/13 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
17 18:37:45.050 02/13/13 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
18 18:37:45.050 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
19 18:37:50.119 02/13/13 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
20 18:37:50.119 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
21 18:37:55.189 02/13/13 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
22 18:37:55.189 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
23 18:38:00.260 02/13/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=BC4CAF815963A8E4 R_Cookie=FBAF8068234A4675) reason = DEL_REASON_PEER_NOT_RESPONDING
24 18:38:00.777 02/13/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=BC4CAF815963A8E4 R_Cookie=FBAF8068234A4675) reason = DEL_REASON_PEER_NOT_RESPONDING
25 18:38:00.778 02/13/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "1xx.xxx.xx2" because of "DEL_REASON_PEER_NOT_RESPONDING"
26 18:38:00.778 02/13/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
27 18:38:00.779 02/13/13 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 21000
28 18:38:00.779 02/13/13 Sev=Info/6 CM/0x63100030
Removed local TCP port 49661 for TCP connection.
29 18:38:00.782 02/13/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
30 18:38:00.783 02/13/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
ASA running config:
interface GigabitEthernet0/0
speed 1000
duplex full
nameif Inside
security-level 100
interface GigabitEthernet0/2
nameif Outside
security-level 0
object-group service VPN-Protocols
service-object esp
service-object tcp eq 21000
service-object udp eq 4500
service-object udp eq 62515
service-object udp eq isakmp
** outside Interface Access List for allowing the VPN Traffic**
access-list Ajira_all_traffic extended permit object-group VPN-Protocols any host 1xx.xxx.xxx
access-list omsir_splitTunnelAcl standard permit Server-Segment 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip Server-Segment 255.255.255.0 1xx.xxx.xxx 255.255.255.0
ip local pool ip-pool 1xx.xxx.xx1-1xx.xxx.254 mask 255.255.255.0
nat-control
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (DMZ) 0 access-list DMZ_nat0_outbound outside
access-group Inside_user_access_outside in interface Inside
access-group Ajira_all_traffic in interface Outside
route Outside 0.0.0.0 0.0.0.0 1xx.xxx.xx1
route Inside 10.xxx.xxx.0 255.255.255.0 1xx.xxx.xx1
no sysopt connection reclassify-vpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 21000
group-policy omsir internal
group-policy omsir attributes
dns-server value 1xx.xxx.xxx
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value omsir_splitTunnelAcl
default-domain value agilitylogistics.in
username omsir password DfOF7Lvb0gImB1nE encrypted
tunnel-group omsir type remote-access
tunnel-group omsir general-attributes
address-pool ip-pool
default-group-policy omsir
tunnel-group omsir ipsec-attributes
pre-shared-key omsir@123
class-map Application_Traffic
match access-list Application
class-map Application
match access-list Application
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map Allplication_all_traffic
class Ajira_traffic
inspect http
policy-map type inspect http application_inspect
parameters
spoof-server "private"
protocol-violation action drop-connection
match req-resp content-type mismatch
drop-connection log
service-policy global_policy global
service-policy Ajira_all_traffic interface Outside
prompt hostname context
Cryptochecksum:217e09da15ede39a7a759eca8c84268f
: end
Hi, I have solved the issue. Enabling the demo 3DES & AES, now my VPN is connecting.
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
Thanks to friend "Jennifer Halim" -
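The running config in this thread carries only a DES ISAKMP policy and DES transform sets, and the poster reports that the client connected once the 3DES/AES demo license was enabled. The block below is an added example, not the poster's configuration: it shows how to confirm the license is active and what phase 1 and phase 2 look like once the clients can negotiate AES. The policy number 5 and the transform-set names are assumed; the dynamic-map name and policy 10 are from the posted config. DES is not acceptable for anything that matters and 3DES is deprecated, so AES is listed first, and a demo license is time-limited, so it should be replaced with a permanent activation key before it expires.

```cisco
! Added example (not from the thread). Verify the strong-crypto license first:
! the "VPN-3DES-AES" line of show version must read Enabled.
show version | include 3DES
show activation-key

! Phase 1: an AES-256 policy with a lower sequence number than the DES policy 10,
! so it is offered first
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2: AES and 3DES transform sets; this "set transform-set" line replaces
! the DES-only list on the existing dynamic map (names assumed)
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-3DES-SHA

! Once the clients connect with AES, retire DES entirely
no crypto isakmp policy 10
no crypto ipsec transform-set ESP-DES-SHA
no crypto ipsec transform-set ESP-DES-MD5

! Confirm what was actually negotiated
show crypto isakmp sa
show crypto ipsec sa | include transform
```

The `show crypto ipsec sa | include transform` line should read `esp-aes-256 esp-sha-hmac` for a connected client; if it still shows `esp-des`, the client picked the DES set because the new transform sets were not listed first or the license is not active.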
Remote access anywhere - not working
I am new to servers and found SBS/Essentials 2012 very fascinating. I have been trying to configure this thing for the past two days to get remote anywhere access working. I am running it on VirtualBox using a netpro boeing 300 router.
Things I have done:
1. Configured TCP ports 443, 3389 for RDP, 1723 for VPN and 80 for HTTP. Should I configure something else on the router?
2. Am I missing an interface between my router and the internet, the machine (server) and the internet, or the server and the router?
3. I was able to set up the domain name by creating a certificate (self-signed).
However, when I try to configure the application it keeps jamming/stalling/cycling at the VPN option.
I would love to have this area of my life normalized, so I seek some help: a step-by-step process to set up the access.
When I click the configure option it takes me to a screen that allows me to manually configure, as the domain was already done. However, I get the option to do VPN and remote desktop, and no matter what I try the page just keeps running.
HELP in configuring and getting this to WORK.
Hi,
Please check whether your server has a pending reboot. If so, could you please reboot the server and try again?
If it still happens, would you mind uploading the logs (c:\programdata\microsoft\windows server\logs) somewhere so we can investigate? -
Remote Access Media Not Working correctly
I just installed the newly released Media Plugin for Essentials Server 2012 R2. I was really hoping this would solve the problems I had with the first version of Essentials 2012. The media worked fine on Windows Home Server 2011, but I've never been able to access the folders successfully since installing the new version last year.
I get the above error when I try to access my Pictures folder and an empty Video folder. This was the same error I had in the previous version. There are raw-format pictures in this folder that I'm just archiving, but I'm not sure whether that would cause the issue or not.
This is the error I receive when I try to access my Music. I only put in four folders with music, and I can see the folders if I access them via the shared folders interface, but I was hoping to stream the music and not download the files. I then simply put some mp3 files in the folder, but those were not seen either.
I know others had issues with the last version, and at one time the "marked answer" was weird files in the folders, but no clarification was given. Are there any ideas out there on how to set this up properly? I'd really love to have this feature work. It's probably the feature I miss most from Windows Home Server 2011.
I didn't notice any errors in the log. I will post it below. I restarted the service and it is running.
I'd love to get this working:
Setup.exe Information: 0 : Launching GUI...
ThreadId=1
DateTime=2013-10-23T02:03:16.8596601Z
Setup.exe Information: 0 : GetVersionEx returns 6.3.9600 (SP 0.0).
ThreadId=3
DateTime=2013-10-23T02:03:19.4417397Z
Setup.exe Information: 0 : RtlGetVersion returns 6.3.9600 (SP 0.0).
ThreadId=3
DateTime=2013-10-23T02:03:19.4447410Z
Setup.exe Information: 0 : GetProductInfo returns 50(0x32).
ThreadId=3
DateTime=2013-10-23T02:03:19.4457406Z
Setup.exe Information: 0 : The operating system is Windows Server 2012 R2 Essentials.
ThreadId=3
DateTime=2013-10-23T02:03:19.4467401Z
Setup.exe Information: 0 : PS> Get-WindowsFeature -Name:ServerEssentialsRole | Select-Object -ExpandProperty:Installed
ThreadId=3
DateTime=2013-10-23T02:03:19.9957563Z
Setup.exe Information: 0 : Windows Server Essentials Experience role is installed.
ThreadId=3
DateTime=2013-10-23T02:03:29.6280511Z
Setup.exe Information: 0 : PS> Import-Module -Name:WssSetupCmdlets -Cmdlet:Get-WssConfigurationStatus
ThreadId=3
DateTime=2013-10-23T02:03:29.6440517Z
Setup.exe Information: 0 : PS> Get-WssConfigurationStatus | Select-Object -ExpandProperty:Status
ThreadId=3
DateTime=2013-10-23T02:03:29.8080570Z
Setup.exe Information: 0 : Get-WssConfigurationStatus returns 'Finished'
ThreadId=3
DateTime=2013-10-23T02:03:29.9290592Z
Setup.exe Information: 0 : Windows Server Essentials Experience role is configured.
ThreadId=3
DateTime=2013-10-23T02:03:29.9290592Z
Setup.exe Information: 0 : Pausing automatic updating...
ThreadId=3
DateTime=2013-10-23T02:03:43.5934789Z
Setup.exe Information: 0 : Installing C:\Users\Steve\AppData\Local\Temp\2\IXP000.TMP\Windows8.1-KB2877939-x64.msu...
ThreadId=3
DateTime=2013-10-23T02:03:44.4985065Z
Setup.exe Information: 0 : wusa.exe exits with code 0.
ThreadId=3
DateTime=2013-10-23T02:07:29.2593836Z
Setup.exe Information: 0 : Resuming automatic updating...
ThreadId=3
DateTime=2013-10-23T02:07:29.2593836Z
Setup.exe Information: 0 : Starting to search update...
ThreadId=3
DateTime=2013-10-23T02:07:29.3043848Z
Setup.exe Information: 0 : PS> Install-WindowsFeature -Name:Desktop-Experience -Confirm:False | Select-Object -ExpandProperty:Success
ThreadId=3
DateTime=2013-10-23T02:07:29.3343851Z
Setup.exe Warning: 0 : PS: You must restart this server to finish the installation process.
ThreadId=9
DateTime=2013-10-23T02:13:33.9205387Z
Setup.exe Information: 0 : Windows Desktop Experience role is installed.
ThreadId=3
DateTime=2013-10-23T02:13:33.9215395Z
Setup.exe Information: 0 : PS> Enable-WindowsOptionalFeature -Online:True -FeatureName:SearchEngine-Server-Package -NoRestart:True | Select-Object -ExpandProperty:Online
ThreadId=3
DateTime=2013-10-23T02:13:33.9275389Z
Setup.exe Warning: 0 : PS: Restart is suppressed because NoRestart is specified.
ThreadId=5
DateTime=2013-10-23T02:13:39.3497048Z
Setup.exe Information: 0 : Windows Search optional feature is enabled.
ThreadId=3
DateTime=2013-10-23T02:13:39.3507050Z
Setup.exe Information: 0 : Turning on media feature auto-enabler...
ThreadId=3
DateTime=2013-10-23T02:13:39.3617041Z
Setup.exe Information: 0 : Setting registry [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] '{61A7F297-9438-4920-9026-893ABD18F741}' = '"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NonInteractive -Command "C:\Windows\system32\Microsoft.Windows.ServerEssentials.MediaStreamingEnabler.exe"'...
ThreadId=3
DateTime=2013-10-23T02:13:39.3617041Z
Setup.exe Information: 0 : Media feature auto-enabler is turned on/off.
ThreadId=3
DateTime=2013-10-23T02:13:39.3627043Z
Setup.exe Information: 0 : PS> Restart-Computer -Force:True -Confirm:False
ThreadId=1
DateTime=2013-10-23T02:13:48.5809850Z -
Remote Access VPN, how to specify on which interface clients will be placed on?
Hi,
I have a general understanding problem with remote access VPN and Cisco ASA.
If I have an ASA with multiple interfaces and I want to make sure that a Remote Access VPN Client is placed onto a specific interface, how do I do this?
example:
ASA has 4 interfaces: outside, inside-clients, inside-workers, inside-lab.
I want to allow multiple Remote Access VPN configurations that put clients coming from "outside" to "inside-lab" and "inside-clients", with two different profiles and two different IP pools, as the IP addresses for each of the interfaces is different.
How do I do that?
If possible be as explanatory as possible for me to really grasp the concept.
Many thanks
Pat
Hi,
The ASA will view the hosts in its routing table behind the ASA interface which forms the VPN connection with the VPN Client. This is most of the time the interface called "outside".
By default the ASA allows all traffic coming from a VPN connection to bypass the interface ACL of the ASA. The thought process behind this is, I guess, the fact that the VPN devices/clients have already proven they have the right to connect to the network, so all traffic is allowed.
The configuration that controls this setting globally on the ASA is
sysopt connection permit-vpn
The above is the default setting of the command and it WON'T show up in the CLI-format configurations because it's a default setting.
If you were to issue the following command
no sysopt connection permit-vpn
Then this would mean that the ASA would require an ACL statement on its VPN terminating interface (outside) to permit the traffic from the VPN Pool to the LAN networks.
Naturally you would also have to take into consideration that if you have existing VPNs and insert the above global command, they would also need ACL statements in the "outside" interface ACL or the inbound traffic from the VPN will start to get blocked.
The other option (without touching the above setting) would be to configure a VPN Filter ACL, which is a separate ACL that is only attached to a certain user or group of users.
I personally prefer the method of using the above global setting and using the "outside" interface ACL to control traffic.
Naturally it still leaves the question of how you are going to configure the Tunnel Groups, Group Policies and Usernames. To be honest, I have gotten a bit distracted from VPN client setups and have forgotten a lot of stuff since I don't work with them on a day-to-day basis. I mostly handle L2L VPN nowadays among normal firewall configurations.
If I had to suggest something simple at this point it would be this
Configure separate Tunnel Groups
Configure separate VPN Pools for the above Tunnel Groups
Configure separate Group Policies for the above Tunnel Groups
Configure the above mentioned Global setting to limit inbound traffic from VPN
Configure the "outside" interface ACL so that you only permit traffic from a certain VPN Tunnel Group users only to certain LAN networks
Configure the required NAT0 configurations for traffic between these networks
As Marcin said, there are multiple different ways to achieve the same thing as above.
And as I said, I have gotten a bit rusty with the VPN Client side on the ASA, so I am not sure if at the moment I can even consider all the possible options, but surely the simple ones.
PS. The link that Marcin posted seems to point to a Group Policy setting that would let you lock that VPN connection to use only a certain local VLAN (subinterface) on the ASA and therefore limit traffic from going to networks behind other interfaces.
Hope this helps
- Jouni -
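The first post on this page (the vpnc user who adds his own route and then reaches the whole 10.101.50.0/24) and Jouni's reply above describe the same trap. The split-tunnel-network-list is only pushed to the client, which decides what to send into the tunnel; the ASA never checks it, and with the default `sysopt connection permit-vpn` decrypted traffic also skips the outside interface ACL. So a client that ignores the pushed list, or a user who adds a route, can send anything through the tunnel. The block below is an added example, not configuration from either thread: it enforces the one-host restriction on the ASA with a vpn-filter in the group policy from the first post. The pool subnet 10.101.250.0/24 and the ACL name CONSULTANT-FILTER are assumptions; the group-policy name, the split-tunnel ACL and the host 10.101.50.60 come from that post.

```cisco
! Added example (not from the threads). Assumed: address pool "VPN" is 10.101.250.0/24.
! A vpn-filter ACE is written with the VPN client (pool) as source and the local
! network as destination. The ASA applies it to decrypted traffic from the client
! and, with source and destination reversed, to traffic going back to the client.
! Like any ACL it ends in an implicit deny; the explicit deny here only adds logging.
ip local pool VPN 10.101.250.1-10.101.250.100 mask 255.255.255.0

access-list CONSULTANT-FILTER extended permit ip 10.101.250.0 255.255.255.0 host 10.101.50.60
access-list CONSULTANT-FILTER extended deny ip any any log

group-policy consultant attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value access-spilt
 vpn-filter value CONSULTANT-FILTER

! sysopt connection permit-vpn stays at its default (it is not shown in the
! running config); the vpn-filter, not the outside interface ACL, now decides
! what a connected client may reach.

! Verification: after a vpnc user adds a route for 10.101.50.0/24 over the tunnel,
! packets to any host other than 10.101.50.60 hit the deny ACE and are logged.
show access-list CONSULTANT-FILTER
show vpn-sessiondb detail remote
```

Two caveats. Because the filter is evaluated in both directions, a `permit ip` ACE also lets 10.101.50.60 open connections towards the clients; narrow it to the needed protocol and ports if that matters. And the split-tunnel list should still stay in place: it keeps well-behaved clients from sending unrelated traffic into the tunnel in the first place, while the vpn-filter is what holds when the client misbehaves. The alternative Jouni describes, `no sysopt connection permit-vpn` plus entries in the outside interface ACL, gives the same enforcement but applies to every VPN terminating on that interface at once.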
Hi friends,
Here is the configuration in my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but thereafter I can only reach up to the inside interfaces of the router, not the LAN devices.
Below is the output from the router
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1 172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 117.239.xx.xx
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.2.2.2/32 is directly connected, Loopback0
C 10.10.7.0/24 is directly connected, FastEthernet0/1
L 10.10.7.1/32 is directly connected, FastEthernet0/1
C 10.10.8.0/22 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 117.239.xx.xx/28 is directly connected, FastEthernet0/0
L 117.239.xx.xx/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/22 is directly connected, FastEthernet0/1
L 172.16.0.1/32 is directly connected, FastEthernet0/1
172.18.0.0/32 is subnetted, 1 subnets
S 172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
117.239.xx.xx 49.206.59.86 QM_IDLE 1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1 #sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: giet-vpn, local addr 117.239.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
current_peer 49.206.59.86 port 50083
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x550E70F9(1427009785)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5668C75(90606709)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550169/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x550E70F9(1427009785)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550170/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Hi Maximilian Schojohann,
First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "ip cef" will solve the issue. When I disable it I am able to communicate successfully with the router LAN. But when I disable "ip cef" the router CPU goes to 99% and hangs.
In the output of "sh process cpu" it shows 65% utilization from "IP Input".
So please give me an alternate solution. Thanks in advance. -
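The posted router config has a NAT and crypto ordering problem that the poster's CEF workaround hides rather than fixes. ACL 100, which drives the overload NAT on FastEthernet0/0, permits every LAN subnet to any destination, so it also matches replies from LAN hosts to the VPN pool 172.18.1.0/24. On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so those replies leave with the router's public address as their source; the client then receives answers from the wrong address and TCP connections never complete. Traffic the router sends from its own interface addresses does not pass through inside NAT, which fits "I can reach the router's inside interfaces but not the LAN devices". That this is the poster's root cause is my reading of the config, not something the thread confirms. The block below is an added example, not the poster's configuration: it keeps pool-bound traffic out of NAT and puts CEF back. The ACL name NAT-INSIDE is assumed; the subnets are copied from ACL 100 and the pool name from the config.

```cisco
! Added example (not from the thread). Deny LAN -> VPN-pool traffic ahead of the
! permits so it is never translated; everything else is still overloaded.
ip access-list extended NAT-INSIDE
 deny   ip 10.10.7.0 0.0.0.255 172.18.1.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.1.255 172.18.1.0 0.0.0.255
 deny   ip 172.16.0.0 0.0.3.255 172.18.1.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
 permit ip 10.10.7.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.1.255 any
 permit ip 172.16.0.0 0.0.3.255 any
 permit ip 192.168.10.0 0.0.0.255 any
!
! Swap the NAT rule. Active translations must be cleared first or IOS refuses
! to remove the mapping ("%Dynamic mapping in use").
clear ip nat translation *
no ip nat inside source list 100 pool INTERNETPOOL overload
ip nat inside source list NAT-INSIDE pool INTERNETPOOL overload
!
! Put CEF back; process switching is what drives "IP Input" to 65% CPU.
ip cef
!
! Checks: no translations for pool addresses, and the encaps counter now rises
! when a LAN host answers the client.
show ip nat translations | include 172.18.1
show crypto ipsec sa | include pkts encaps
```

If the encaps counter still stays at zero after a LAN host is pinged from the client, the remaining suspect is the LAN host itself: it must route 172.18.1.0/24 back to this router (the reverse-route entry only tells the router where the client is, not the hosts behind it).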
Remote Access VPN Clients Cannot Access inside LAN
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with. I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. They can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable.
: Saved
ASA Version 8.2(1)
hostname ASA5505
domain-name default.domain.invalid
enable password eelnBRz68aYSzHyz encrypted
passwd eelnBRz68aYSzHyz encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group dataDSL
ip address 76.244.75.57 255.255.255.255 pppoe
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.9.1 255.255.255.0
interface Vlan10
nameif outside_cable
security-level 0
ip address 50.84.96.178 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Netbios udp
port-object eq 139
port-object eq 445
port-object eq netbios-ns
object-group service Netbios_TCP tcp
port-object eq 445
port-object eq netbios-ssn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.100.177
network-object host 192.168.100.249
object-group service Web_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_10
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_11
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_3
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_5
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_6
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_7
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_8
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_9
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network VPN
network-object 192.168.255.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 76.244.75.61
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
access-list dmz_access_in remark Quickbooks
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
access-list dmz_access_in remark Quickbooks range
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
access-list dmz_access_in remark QB
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
access-list dmz_access_in remark Printer
access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
access-list dmz_access_in remark QB probably does not need any udp
access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark QB included in other rule range
access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark May be required for Quickbooks
access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu outside_cable 1500
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside_cable) 10 interface
nat (inside) 0 access-list nonat-in
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group outside_cable_access_in in interface outside_cable
route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 204.107.173.0 255.255.255.0 outside_cable
http 0.0.0.0 0.0.0.0 outside_cable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cable_map interface outside_cable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outside_cable
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 204.107.173.0 255.255.255.0 outside
ssh 204.107.173.0 255.255.255.0 outside_cable
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
console timeout 0
vpdn group dataDSL request dialout pppoe
vpdn group dataDSL localname [email protected]
vpdn group dataDSL ppp authentication pap
vpdn username [email protected] password *********
dhcpd address 192.168.100.30-192.168.100.99 inside
dhcpd dns 192.168.100.5 68.94.156.1 interface inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN internal
group-policy cad_supplies_RAVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
client-firewall none
client-access-rule none
username swinc password BlhBNWfh7XoeHcQC encrypted
username swinc attributes
vpn-group-policy cad_supplies_RAVPN
username meredithp password L3lRjzwb7TnwOyZ1 encrypted
username meredithp attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone1 attributes
vpn-group-policy VPNPHONE
username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone2 attributes
vpn-group-policy VPNPHONE
username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone3 attributes
vpn-group-policy VPNPHONE
username oethera password WKJxJq7L6wmktFNt encrypted
username oethera attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
username markh attributes
vpn-group-policy cad_supplies_RAVPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cad_supplies_RAVPN type remote-access
tunnel-group cad_supplies_RAVPN general-attributes
address-pool VPN_IP_range
default-group-policy cad_supplies_RAVPN
tunnel-group cad_supplies_RAVPN ipsec-attributes
pre-shared-key *
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool VPN_Phone
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
: end
Hi,
You have your "group-policy" set so that you are excluding some networks from being tunneled.
In this access-list named Local_LAN_Access you specify "0.0.0.0".
Doesn't this mean you are excluding all networks from being tunneled? In other words, no traffic goes to your tunnel.
This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
- Jouni -
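The split-tunnel list is one thing to look at; another setting that commonly breaks client-to-LAN traffic in a pre-8.3 config like the one above is NAT exemption, i.e. which access-list each "nat (ifc) 0" statement points at and whether that list covers the VPN pools. The following is an added example, not code from this thread or from Cisco: a small Python checker that parses the "ip local pool", "access-list ... extended permit ip" and "nat (ifc) 0 access-list" lines and reports, per interface, which pools are not exempted from NAT, plus NAT-exemption lists that are defined but never bound. The sample lines are copied from the config posted above; the checker only understands that pre-8.3 syntax and skips object-group entries.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines copied from the ASA config above
# (pre-8.3 NAT syntax, which is what that config uses).
CONFIG_LINES = """
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
nat (inside) 0 access-list nonat-in
nat (dmz) 0 access-list dmz_nat0_outbound
""".strip().splitlines()


def _take_net(tokens):
    """Consume one address spec of an ACE: any | host A | A MASK | object-group NAME.
    Returns (ip_network, remaining tokens); the network is None for object-groups."""
    if not tokens:
        return None, []
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] in ("object-group", "object"):
        return None, tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(lines):
    """Return (pools, acls, bindings): pool name -> (first, last) address,
    ACL name -> [(src_net, dst_net)], interface -> name of its nat0 ACL."""
    pools, acls, bindings = {}, {}, {}
    for line in lines:
        line = line.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            src, rest = _take_net(m[2].split())
            dst, _ = _take_net(rest)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            bindings[m[1]] = m[2]
    return pools, acls, bindings


def _covers(aces, first, last):
    """True if one ACE's destination network contains the whole pool range."""
    return any(dst is not None and first in dst and last in dst for _, dst in aces)


def nat_exemption_gaps(lines):
    """interface -> names of VPN pools that its nat0 ACL does not exempt."""
    pools, acls, bindings = parse_config(lines)
    gaps = {}
    for ifc, acl_name in bindings.items():
        missing = [name for name, (lo, hi) in pools.items()
                   if not _covers(acls.get(acl_name, []), lo, hi)]
        if missing:
            gaps[ifc] = missing
    return gaps


def unbound_acls(lines):
    """Parsed extended ACLs that no 'nat (ifc) 0 access-list' statement refers to."""
    _, acls, bindings = parse_config(lines)
    return sorted(name for name in acls if name not in bindings.values())


if __name__ == "__main__":
    print("pools without NAT exemption:", nat_exemption_gaps(CONFIG_LINES))
    print("nat0 ACLs never bound:", unbound_acls(CONFIG_LINES))
```

Run over those lines it reports that "nat (inside) 0" references nonat-in, which exempts the VPN_Phone pool but not VPN_IP_range, while inside_nat0_outbound (which does list 192.168.255.0/24) is defined but bound to no interface; on dmz the VPN_Phone pool is the one without an exemption, which only matters if dmz hosts need to reach the phones.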
ASA Remote Access VPN Clients - Multiple DNS Suffixes?
Hi community!
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X running OS 8.6.1(5).
We require to provide each client multiple DNS suffixes, but are only able to provide a single DNS suffix in the group policy.
I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clients may ignore this option anyway.
Other than manually configuring the clients, does anybody have any other suggestions on how we may get this to work?
Full marks for helpful posts!
Kind regards, Ash.
Hi
I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
I have a remote access requirement for users from separate AD's to authenticate through an ASA.
I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
Regards -
ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients
Hi community,
I configured IPSec remote access VPN on the ASA, and remote clients use the Cisco VPN client to connect to HQ. The VPN is working now: VPN clients can connect to servers inside and to IT's subnet, but from my PC or servers inside the LAN I cannot ping or initiate RDP to connected VPN clients. Below is my configuration:
object-group network RemoteVPN_LocalNet
network-object 172.29.168.0 255.255.255.0
network-object 172.29.169.0 255.255.255.0
network-object 172.29.173.0 255.255.255.128
network-object 172.29.172.0 255.255.255.0
access-list Split_Tunnel remark The Corporation network behind ASA
access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set myset
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
tunnel-group remotevpngroup type remote-access
tunnel-group remotevpngroup general-attributes
address-pool remotevpnpool
authentication-server-group MS_LDAP LOCAL
default-group-policy Split_Tunnel_Policy
I don't know what I am missing in order to have the internal LANs initiate connections to connected VPN clients. Please guide me.
Thanks in advance.
Hi tranminhc,
Step 1: Create an object.
object network vpn_clients
subnet 10.88.61.0 255.255.255.0
Step 2: Create a standard ACL (a standard ACL takes networks rather than an object-group, so the RemoteVPN_LocalNet members are listed).
access-list my-split standard permit 172.29.168.0 255.255.255.0
access-list my-split standard permit 172.29.169.0 255.255.255.0
access-list my-split standard permit 172.29.173.0 255.255.255.128
access-list my-split standard permit 172.29.172.0 255.255.255.0
Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" included for nat-exemption.
no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
Step 4: Create new nat exemption.
nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients
Step 5: Apply ACL on the tunnel.
group-policy Split_Tunnel_Policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value my-split
Step 6:
I assume you have a default route on your inside L3 switch pointing back to the ASA's inside address. If you don't have one,
please add a default route or add a static route as shown below.
ip route 10.88.61.0 255.255.255.0 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx = the ASA's inside interface address.
Hope this helps.
Thanks
Rizwan Rafeek -
Remote access VPN with Cisco Router - Can not get the Internal Lan .
Dear Sir ,
I am doing Remote Access VPN through a Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. Need your help to solve the issue.
Below is the IP address of the device.
Local PC, connected to Router-2 through MS Loopback: IP address 10.10.10.2, mask 255.255.255.0
Router-2: F0/1 IP address 10.10.10.1, mask 255.255.255.0; F0/0 IP address 20.20.20.2, mask 255.255.255.0
Router-1: F0/0 IP address 20.20.20.1, mask 255.255.255.0; F0/1 IP address 192.168.1.1, mask 255.255.255.0
PC-01: IP address 192.168.1.3, mask 255.255.255.0
I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is OK from my local PC to remote Routers 1 and 2.
Through the Cisco remote VPN client, I can get connected to the VPN Router R1 (please see the VPN Client pic), but cannot ping the network 192.168.1.0.
Need your help to fix the problem.
Router R2 Configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through a Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. Need your help to solve the issue.
Waiting for your response.
--Milon -
Remote access VPN client gets connected fails on hosts in LAN
Hi,
The VPN client gets connected fine. I have inter-VLAN routing happening on the switch in the LAN, so all the LAN hosts have their gateway IP on the switch, and I have the default route on the switch pointing to the ASA inside interface. The switch I can reach after the Remote Access VPN is connected; however, I cannot ping/connect to other hosts in the LAN, and if I make a host's gateway point to the ASA then that host is accessible. Any suggestions? I really want the gateway to be the switch as I have other networks reachable through the switch (Intranet routing).
Hi Mashal,
Thanks for your time,
VPN Pool(Client) 192.168.100.0/24
Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
=============
On the Switch
=============
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.2.5 to network 0.0.0.0
172.32.0.0/24 is subnetted, 1 subnets
C 172.32.0.0 is directly connected, Vlan101
C 192.168.200.0/24 is directly connected, Vlan2000
C 192.9.200.0/24 is directly connected, Vlan4000
S 192.168.250.0/24 [1/0] via 192.9.200.125
S 192.168.1.0/24 [1/0] via 192.9.200.125
C 192.168.2.0/24 is directly connected, Vlan1000
S 192.168.252.0/24 [1/0] via 192.9.200.125
S* 0.0.0.0/0 [1/0] via 192.168.2.5
===============
On ASA
===============
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.32.0.2 to network 0.0.0.0
C 172.32.0.0 255.255.255.0 is directly connected, outside
C 192.9.200.0 255.255.255.0 is directly connected, inside
C 192.168.168.0 255.255.255.0 is directly connected, failover
C 192.168.2.0 255.255.255.0 is directly connected, MGMT
S 192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
S 192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
We don't need the route print on the PC for now, as I can explain what is happening. I can get complete access to 192.168.2.0/24 (VLAN 1000), but for 192.9.200.0/24 (VLAN 4000) above on the switch I can only ping IPs on the switches/pair and cannot have any TCP connections, which is explained by the default route on the switch pointing out of VLAN 1000. Now my issue is how do I get access to VLAN 4000, as you can see these two are on different interfaces/zones on the ASA. Please note that with the default gateway pointing to the ASA I will have access to both VLANs; it is only when I move the gateway to point to the switch that I lose TCP connections to one VLAN, depending on which one the default route on the switch points to.
So we are left with how to do this on the switch with a default route. -
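The symptom described above (ping works, TCP does not, for the VLAN whose gateway is the switch) is what an asymmetric path through a stateful firewall looks like: the ASA forwards the client's SYN out one interface, the switch's default route sends the server's SYN-ACK to an ASA address on a different interface, and the ASA drops a TCP reply that arrives on an interface other than the one holding the connection. A ping can still succeed because, without ICMP inspection, the ASA does not track ICMP as a connection. The following is an added example, not code from this thread: it does a longest-prefix match over the two route tables posted above to show which ASA interface each direction uses for a server in VLAN 4000 and one in VLAN 1000, and then repeats the check with an extra static route for the VPN pool on the switch. It assumes that 192.168.2.5 (the switch's gateway of last resort) is the ASA's own address on its MGMT interface, as the posted tables suggest; the ASA inside address used by the added route (192.9.200.1) is a placeholder, since the thread does not give it.

```python
import ipaddress

# Constructed from the two "show ip route" outputs posted above; only the
# routes needed for the VPN pool and the two VLANs are kept.
# Each entry: (prefix, next hop or None when directly connected, interface)
SWITCH_ROUTES = [
    ("192.9.200.0/24", None, "Vlan4000"),
    ("192.168.2.0/24", None, "Vlan1000"),
    ("0.0.0.0/0", "192.168.2.5", "Vlan1000"),  # gateway of last resort
]
ASA_ROUTES = [
    ("172.32.0.0/24", None, "outside"),
    ("192.9.200.0/24", None, "inside"),
    ("192.168.2.0/24", None, "MGMT"),
    ("192.168.100.2/32", "172.32.0.2", "outside"),  # reverse route for a connected client
    ("0.0.0.0/0", "172.32.0.2", "outside"),
]

# Placeholder: the ASA inside address is not given in the thread.
ASA_INSIDE_ADDR = "192.9.200.1"
# Candidate fix: route the VPN pool from the switch to the ASA inside interface.
FIXED_SWITCH_ROUTES = SWITCH_ROUTES + [("192.168.100.0/24", ASA_INSIDE_ADDR, "Vlan4000")]


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, interface) for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifc)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def asa_path(client, server, switch_routes=SWITCH_ROUTES):
    """ASA interfaces used for client->server (forward) and server->client (return).

    Forward: the ASA routes the decrypted packet toward the server.
    Return: the server's gateway is the L3 switch, whose route for the client
    decides which ASA address, and so which ASA interface, receives the reply.
    Assumes every next hop the switch uses is an address on the ASA itself.
    """
    _, forward_ifc = lookup(ASA_ROUTES, server)
    next_hop, _ = lookup(switch_routes, client)
    if next_hop is None:
        return forward_ifc, None  # switch would deliver directly; reply never reaches the ASA
    _, return_ifc = lookup(ASA_ROUTES, next_hop)
    return forward_ifc, return_ifc


def is_symmetric(client, server, switch_routes=SWITCH_ROUTES):
    """True when both directions cross the same ASA interface, so TCP state matches."""
    forward_ifc, return_ifc = asa_path(client, server, switch_routes)
    return forward_ifc == return_ifc


if __name__ == "__main__":
    for server, vlan in (("192.9.200.10", "VLAN 4000"), ("192.168.2.10", "VLAN 1000")):
        print(vlan, "as posted:", asa_path("192.168.100.2", server))
        print(vlan, "with pool route on switch:",
              asa_path("192.168.100.2", server, FIXED_SWITCH_ROUTES))
```

As posted, a VLAN 4000 server is reached via inside but its replies come back through MGMT, while VLAN 1000 is symmetric on MGMT, matching what was observed. With the pool route added on the switch, VLAN 4000 becomes symmetric but VLAN 1000 now returns via inside while the ASA still delivers to it directly on MGMT: with two ASA interfaces feeding the same L3 switch, no single route for the pool makes both paths symmetric, which is the design point behind the question.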
NAT for remote access VPN clients
Hello,
I have a simple remote access VPN setup on a 2811 router. The remote subnet of the connecting clients has access to the local LAN subnet, but I am wondering if it is possible to somehow NAT those remote access users, so that they can go beyond the local LAN and through the VPN router's outside connection, giving them access to other resources.
The remote subnet would need to be added to the NAT overload pool that the local LAN is on somehow, but since no interface is created, I am unsure where I would need to put "ip nat inside" if it even needs to be done, or if I am just missing something.
I guess really what I want to do is tunnel all traffic, and have that remote client IP translate to the NAT pool on the router for internet access.
Thanks.
Have a look here for a solution
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml
Regards -
Can ASA5505 forward remote-access-VPN clients to LAN
I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
Are these two cases possible?:
(1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
(2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
Long put short, can ASA-5505 inject its remote-access-VPN clients as one of hosts on the LAN managed by 2911-router?
Thanks.
I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA. -
Remote access vpn clients, access to Internet resources
Hello, we currently have a remote access VPN set up terminating on an ASA 5520. Remote access users connect into this ASA and are able to access resources inside of the firewall; the public IP of the ASA is 1.1.1.135. We need these users to be able to access resources NATed behind another ASA firewall on the same public IP segment, at IP address 1.1.1.165.
I have gotten to the point where I believe I have all of my Nat/global statements in place, along with my ACLs on both firewalls, but I am not able to make the connection to the server behind the second ASA.
Running packet tracer on the second ASA (hosting the 1.1.1.165 server) shows that the packet will be allowed. Running packet tracer on the Remote Access VPN ASA shows that the packet is dropped due to:
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
To me, this should be a simple setup, very similar to a company that tunnels all traffic (including Internet traffic) for remote access VPN users. It just doesn't seem like my traffic is getting to the second ASA with the remote host.
Anyone have any ideas?
I figured out the answer: I had to add a NAT statement for my VPN user subnet to be NATed to the outside global IP:
nat (outside) 1 10.2.2.0 255.255.255.0 (this is my vpn subnet)
global (outside) 1 interface -
Remote Access VPN connecting but not passing traffic
I have a remote access VPN configured on a device here. I'm able to connect a device and it assigns me an IP address out of the pool, and injects the routes to its local network, but I'm not able to pass any traffic through the VPN and none of the IPSec SA counters increment for the dial-in connection. I've compared the config here to the samples from documentation and I don't know what I'm missing. Config is below.
3118-FWL001(config)# sho run
: Saved
ASA Version 7.2(3)
hostname 3118-FWL001
domain-name rr-rentals.com
enable password hEgvNHfNHV8zypPu encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 199.X.X.162 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec
banner exec
banner exec
banner exec Any attempted or unauthorized access, use, or modification is prohibited.
banner exec Unauthorized users may face criminal and/or civil penalties.
banner exec The use of this system may be monitored and recorded.
banner exec If the monitoring reveals possible evidence of criminal activity, Adhost can
banner exec provide the records to law enforcement.
banner exec Be safe! Do not share your access information with anyone!
banner exec
banner exec
banner exec
banner asdm
banner asdm
banner asdm
banner asdm Any attempted or unauthorized access, use, or modification is prohibited.
banner asdm Unauthorized users may face criminal and/or civil penalties.
banner asdm The use of this system may be monitored and recorded.
banner asdm If the monitoring reveals possible evidence of criminal activity, Adhost can
banner asdm provide the records to law enforcement.
banner asdm Be safe! Do not share your access information with anyone!
banner asdm
banner asdm
banner asdm
ftp mode passive
dns server-group DefaultDNS
domain-name rr-rentals.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_acl extended permit ip any host 199.X.X.163
access-list outside_acl extended permit icmp any any echo
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit tcp 216.X.X.64 255.255.255.192 any
access-list outside_acl extended permit tcp host 76.X.X.166 any eq 3389
access-list outside_acl extended permit tcp 67.X.X.192 255.255.255.224 any eq 3389
access-list outside_acl extended permit tcp any any eq ftp
access-list outside_acl extended permit tcp any any eq ftp-data
access-list outside_acl extended permit tcp host 72.X.X.71 any eq 3389
access-list outside_acl extended permit tcp host 26.X.X.155 any eq 3389
access-list outside_acl extended permit tcp host 24.X.X.155 any eq 3389
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit tcp host 71.X.X.170 any eq 3389
access-list outside_acl extended permit tcp host 24.X.X.200 any eq 3389
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list rr-vpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list rr-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 199.X.X.163 192.168.10.2 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 199.X.X.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 216.X.X.64 255.255.255.192 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 50.X.X.58
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 75.X.X.253
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 173.X.X.69
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 70.X.X.194
crypto map outside_map 4 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.2 255.255.255.255 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 216.X.X.64 255.255.255.192 outside
ssh 50.X.X.58 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
service-policy global_policy global
tftp-server outside 216.X.X.116 3118-FWL001.config
group-policy rr-vpn internal
group-policy rr-vpn attributes
dns-server value 216.X.X.12 66.X.X.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value rr-vpn_splitTunnelAcl
username rrlee password B6rKS8LmKC50oIXK encrypted privilege 0
username rrlee attributes
vpn-group-policy rr-vpn
username cschirado password QYICGrOFAZ9iPWpp encrypted privilege 0
username cschirado attributes
vpn-group-policy rr-vpn
username daniel password SZsXZCSuVXcFn9NB encrypted privilege 15
username adhostadm password 7P2Y2Ow1o0.VSjvh encrypted privilege 15
username troy password amZKsxVU.8N9kKPb encrypted privilege 0
username troy attributes
vpn-group-policy rr-vpn
username troyr password Hek9zbMrM6wEDSfi encrypted privilege 15
username druiz password 33oau7XOcvhJ3DMv encrypted privilege 0
username druiz attributes
vpn-group-policy rr-vpn
username theresa password qWsPnR.vfjXzlunC encrypted privilege 0
username theresa attributes
vpn-group-policy rr-vpn
username kevin password R5DPfUVhzGCEg6pu encrypted privilege 0
username kevin attributes
vpn-group-policy rr-vpn
username andrea password MyhIPdH6UJQDon77 encrypted privilege 0
username andrea attributes
vpn-group-policy rr-vpn
tunnel-group 50.X.X.58 type ipsec-l2l
tunnel-group 50.X.X.58 ipsec-attributes
pre-shared-key *
tunnel-group 75.X.X.253 type ipsec-l2l
tunnel-group 75.X.X.253 ipsec-attributes
pre-shared-key *
tunnel-group 72.X.X.71 type ipsec-l2l
tunnel-group 72.X.X.71 ipsec-attributes
pre-shared-key *
tunnel-group 173.X.X.69 type ipsec-l2l
tunnel-group 173.X.X.69 ipsec-attributes
pre-shared-key *
tunnel-group rr-vpn type ipsec-ra
tunnel-group rr-vpn general-attributes
address-pool vpnpool
default-group-policy rr-vpn
tunnel-group rr-vpn ipsec-attributes
pre-shared-key *
tunnel-group 70.X.X.194 type ipsec-l2l
tunnel-group 70.X.X.194 ipsec-attributes
pre-shared-key *
prompt hostname context
Here are the results of the commands you requested. I'm not able to ping either direction.
Thanks,
James
3118-FWL001# sho cry isa sa
Active SA: 5
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5
1 IKE Peer: 50.34.254.58
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 173.10.71.69
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
3 IKE Peer: 75.151.109.253
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
4 IKE Peer: 70.99.88.194
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
5 IKE Peer: 216.211.143.85
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3118-FWL001# sho cry ips sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
current_peer: 216.211.143.85, username: kevin
dynamic allocated peer ip: 192.168.20.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: CBF94621
inbound esp sas:
spi: 0x8D8279CA (2374138314)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 200, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28715
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xCBF94621 (3422111265)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 200, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28715
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162
access-list outside_1_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 50.34.254.58
#pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
#pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15356573, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 50.34.254.58
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: FE16571B
inbound esp sas:
spi: 0x78BD7E4F (2025684559)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 86, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4263158/5788)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xFE16571B (4262876955)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 86, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4064653/5788)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 4, local addr: 199.21.66.162
access-list outside_4_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 70.99.88.194
#pkts encaps: 491814, #pkts encrypt: 491814, #pkts digest: 491814
#pkts decaps: 416810, #pkts decrypt: 416810, #pkts verify: 416810
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 491814, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 70.99.88.194
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 533F55E1
inbound esp sas:
spi: 0xE2F461AD (3807666605)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 194, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4273818/27167)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x533F55E1 (1396659681)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 194, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4266133/27167)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 2, local addr: 199.21.66.162
access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 75.151.109.253
#pkts encaps: 207718, #pkts encrypt: 207718, #pkts digest: 207718
#pkts decaps: 142739, #pkts decrypt: 142739, #pkts verify: 142739
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 207722, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 75.151.109.253
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 8D74AC18
inbound esp sas:
spi: 0x0CF7F70B (217577227)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 195, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274490/23242)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8D74AC18 (2373233688)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 195, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4270718/23242)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 3, local addr: 199.21.66.162
access-list outside_3_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 173.10.71.69
#pkts encaps: 3427935, #pkts encrypt: 3427935, #pkts digest: 3427935
#pkts decaps: 2006044, #pkts decrypt: 2006044, #pkts verify: 2006044
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3427935, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 199.21.66.162, remote crypto endpt.: 173.10.71.69
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 2E8A6147
inbound esp sas:
spi: 0x467968AB (1182361771)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 154, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4270213/18597)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x2E8A6147 (780820807)
transform: esp-aes esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 154, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4162093/18597)
IV size: 16 bytes
replay detection support: Y
3118-FWL001# sho run route
route outside 0.0.0.0 0.0.0.0 199.21.66.161 1
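When reading a paste like the one above, the first thing worth checking is whether each SA has carried any packets at all and whether the decaps and decrypt counters agree. The following is an added example, not code from the post or from Cisco: it splits ASA "show crypto ipsec sa" output into one record per SA and reports SAs with zero traffic in both directions or with a decaps/decrypt mismatch. The sample text is constructed in the format of the output above (two of its SAs, with the same counters).

```python
import re
# Constructed sample in the format of ASA "show crypto ipsec sa" output,
# abridged from the paste above (two of its SAs, same counters).
SAMPLE = """\
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162
remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
current_peer: 216.211.143.85, username: kevin
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 50.34.254.58
#pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
#pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
"""
SA_START = re.compile(r"^Crypto map tag: (\S+), seq num: (\d+)", re.M)
TEXT_FIELDS = {
    "peer": re.compile(r"current_peer: ([\d.]+)"),
    "remote": re.compile(r"remote ident .*?: \(([^)]+)\)"),
}
COUNTERS = {n: re.compile(rf"#pkts {n}: (\d+)") for n in ("encaps", "decaps", "decrypt")}

def parse_ipsec_sa(text):
    """Split the output at each 'Crypto map tag' line; one dict per SA."""
    starts = list(SA_START.finditer(text))
    sas = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[m.start():end]
        sa = {"map": m.group(1), "seq": int(m.group(2))}
        for name, rx in TEXT_FIELDS.items():
            f = rx.search(block)
            sa[name] = f.group(1) if f else None
        for name, rx in COUNTERS.items():
            f = rx.search(block)
            sa[name] = int(f.group(1)) if f else None  # None = counter line missing
        sas.append(sa)
    return sas

def triage(sas):
    """Return (map, seq, finding) for each SA whose counters look wrong."""
    findings = []
    for sa in sas:
        key = (sa["map"], sa["seq"])
        if sa["encaps"] == 0 and sa["decaps"] == 0:
            findings.append(key + ("no packet has ever been encrypted or decrypted on this SA",))
        elif None not in (sa["decaps"], sa["decrypt"]) and sa["decaps"] != sa["decrypt"]:
            findings.append(key + (f"{sa['decaps'] - sa['decrypt']} decapsulated packet(s) not decrypted/verified",))
    return findings
```

Run against the full paste above, the remote-access SA for 192.168.20.2 (user kevin) is the one reported with zero traffic in both directions, which tells you the pings never reached the tunnel rather than failing inside it.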