Remote access VPN on ASA5520 Ping Issues.

Hi I hope someone might be able to help me. I have setup a remote access VPN on an ASA 5520. The VPN client connects ok, accepts my username and password and then I am in. I get an allocated IP address of 172.16.1.1 from the local pool. The problem is that I cannot then ping the inside LAN which is 192.168.1.1. I've got isakmp nat traversal set to default which is 20. I've been looking at this all day and I think I've gone crossed eyed, a fresh pair of eyes are definitley required, so any help would be gratefully received. My config is
Saved
ASA Version 7.0(8)
hostname Hospira-firewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 213.212.66.52 255.255.255.248
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown    
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
same-security-traffic permit intra-interface
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list Split standard permit 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool mypool 172.16.1.1-172.16.1.253 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.212.66.49 1
route outside 172.16.1.0 255.255.255.0 213.212.66.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy hospira internal
group-policy hospira attributes
vpn-simultaneous-logins 400
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
webvpn
username user password 08S9WUsiSMr3RauN encrypted
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set hospira esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 1 set transform-set hospira
crypto dynamic-map dmap 1 set security-association lifetime seconds 28800
crypto dynamic-map dmap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dmap
crypto map mymap 2 match address NONAT
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group hospira type ipsec-ra
tunnel-group hospira general-attributes
address-pool mypool
default-group-policy hospira
tunnel-group hospira ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
service-policy global_policy global
Cryptochecksum:98f85c39a5cbffe66b0f6585d5083c7c
: end
Many thanks

Hi Richard ,
- we don't need access-list with RA connection , we have the dynamic map that acts as a template , so your crypto config :
crypto map mymap 1 ipsec-isakmp dynamic dmap
crypto map mymap 2 match address NONAT
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
map with seq 1 is being binded to the dynamic map , now map 2 you are using the nonat access list as the encryption trigger for this map , so this should not be there as it encrypt traffic from the inside subnet to the pool .
please remove the second entry, then test if not working please provide a capture from the inside interface .
HTH
Mohammad.

Similar Messages

  • Remote Access VPN (ipsec) can ping LAN interface of firewall but not clients on the company network.

    The VPN will connect.
    I can ping and connect to the ASA 5510 on it's LAN interface.
    My problem is that I cannot ping or access anything on the LAN past the firewall. What am I doing wrong?
    Here is my config.
    Result of the command: "show config"
    : Saved
    : Written by enable_15 at 22:55:02.299 UTC Tue Jan 10 2012
    ASA Version 8.2(5)
    hostname ********
    enable password UbBnTPKwu27ohfYB encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.x x.x.x.x
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.0.4.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network BC
    network-object 10.0.3.0 255.255.255.0
    network-object 10.0.4.0 255.255.255.0
    access-list outside_access_in extended permit tcp any any eq ssh
    access-list outside_access_in extended permit tcp any any eq 50000
    access-list outside_access_in extended permit tcp any any eq 3390
    access-list outside_access_in extended permit tcp any any eq 8066
    access-list outside_access_in extended permit tcp any any eq 22225
    access-list outside_access_in extended permit tcp any any eq 1600
    access-list outside_access_in extended permit tcp any any eq 37260
    access-list outside_access_in extended permit tcp any any eq 37261
    access-list outside_access_in extended permit tcp any any eq 37262
    access-list outside_access_in extended permit tcp any any eq 37263
    access-list outside_access_in extended permit tcp any any eq 37264
    access-list outside_access_in extended permit tcp any any eq 1435
    access-list outside_access_in extended permit tcp any any eq 250
    access-list outside_access_in extended permit tcp any any eq citrix-ica
    access-list outside_access_in extended permit tcp any any eq 8080
    access-list outside_access_in extended permit tcp any any eq www
    access-list outside_access_in extended permit tcp any any eq 85
    access-list outside_access_in extended permit tcp any any eq 8069
    access-list outside_access_in extended permit tcp any any eq 3389
    access-list outside_access_in extended permit tcp any any eq 23032
    access-list outside_access_in extended permit tcp any any eq 32023
    access-list outside_access_in extended permit tcp any any eq 3399
    access-list outside_access_in extended permit udp any any eq 250
    access-list outside_access_in extended permit udp any any eq 5008
    access-list outside_access_in extended permit icmp any any
    access-list splittunn-ppso extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list splittunn-ppso extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list nonat extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 101 interface
    nat (inside) 0 access-list nonat
    nat (inside) 101 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 50000 10.0.4.58 50000 netmask 255.255.255.255
    static (inside,outside) tcp interface ssh 10.0.4.7 ssh netmask 255.255.255.255
    static (inside,outside) tcp interface 3390 10.0.3.249 3390 netmask 255.255.255.255
    static (inside,outside) tcp interface 8066 10.0.3.249 8066 netmask 255.255.255.255
    static (inside,outside) tcp interface 22225 10.0.4.58 22225 netmask 255.255.255.255
    static (inside,outside) tcp interface 1600 10.0.4.58 1600 netmask 255.255.255.255
    static (inside,outside) tcp interface 37260 10.0.4.58 37260 netmask 255.255.255.255
    static (inside,outside) tcp interface 37261 10.0.4.58 37261 netmask 255.255.255.255
    static (inside,outside) tcp interface 37262 10.0.4.58 37262 netmask 255.255.255.255
    static (inside,outside) tcp interface 37263 10.0.4.58 37263 netmask 255.255.255.255
    static (inside,outside) tcp interface 37264 10.0.4.58 37264 netmask 255.255.255.255
    static (inside,outside) tcp interface 1433 10.0.4.240 1433 netmask 255.255.255.255
    static (inside,outside) udp interface 5008 10.0.4.240 5008 netmask 255.255.255.255
    static (inside,outside) udp interface 249 10.0.4.240 249 netmask 255.255.255.255
    static (inside,outside) tcp interface 250 10.0.4.240 250 netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.0.4.15 www netmask 255.255.255.255
    static (inside,outside) tcp interface citrix-ica 10.0.4.15 citrix-ica netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 10.0.4.15 8080 netmask 255.255.255.255
    static (inside,outside) tcp interface 85 10.0.4.15 85 netmask 255.255.255.255
    static (inside,outside) tcp interface 8069 10.0.4.236 8069 netmask 255.255.255.255
    static (inside,outside) tcp interface 3399 10.0.4.236 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 23032 10.0.4.244 23032 netmask 255.255.255.255
    static (inside,outside) tcp interface 32023 10.0.4.244 32023 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 10.0.3.0 255.255.255.0 10.0.4.205 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 management
    http x.x.x.x x.x.x.x outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
        0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
        30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
        13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
        0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
        20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
        65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
        65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
        30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
        30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
        496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
        74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
        68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
        3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
        63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
        0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
        a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
        9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
        7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
        15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
        63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
        18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
        4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
        81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
        db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
        ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
        45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
        2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
        1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
        03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
        69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
        02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
        6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
        c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
        69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
        1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
        551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
        1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
        2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
        4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
        b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
        6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
        481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
        b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
        5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
        6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
        6c2527b9 deb78458 c61f381e a4c4cb66
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet x.x.x.x 255.255.255.255 outside
    telnet 0.0.0.0 0.0.0.0 inside
    telnet 0.0.0.0 0.0.0.0 management
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 management
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy ppso internal
    group-policy ppso attributes
    dns-server value 10.0.4.241 10.0.4.14
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value splittunn-ppso
    default-domain value ppso.local
    split-dns value ppso.local
    address-pools value vpn-pool
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool vpn-pool
    default-group-policy VPN
    tunnel-group VPN ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:88a9b69fc3d718c3badfa99db2c7ce4f

    Yeah, I figured out where my problem was.
    My IP Local Pool range was the problem.
    I was using 10.10.10.0 which conflicted with a point-to-point connection where the serial interfaces were numbered and using 10.10.10.1 and 10.10.10.2.
    Traffic would leave the firewall, hit the intended host, go back through my core router, then off to the other network.
    I changed my ip local pool to a different range (192.168.100.0) and my problem was solved.

  • Remote Access VPN and NAT inside interface

    Hi everyone,
    I have configured Remote VPN access.
    Inside interface and vpn pool is 10.0.0.0 subnet.
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Also i have ASA inside interface connected to R1 as below
    R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
    R1 has loopback int 192.168.50.1 and ASA has static route to it.
    When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
    This ping works fine.
    Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
    Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
    Need to understand how this ping works without exempting 192.168.50.0 from natiing
    or
    how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
    Regards
    Mahesh

    Hi Jouni,
    IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
    Leting you  know that i have removed the NAT below config from inside to outside interface 
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Still ping works fine from VPN client PC to IP 192.168.50.1
    Packet tracer output
    ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.1    255.255.255.255 inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any host 192.168.50.1 log
    access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can ping from PC command prompt to IP 192.168.50.1 fine.
    Here is second packet tracer
    ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 18033, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    So question is how ping from outside is working without nat exempt from inside to outside?
    So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
    Regards
    Mahesh
    Message was edited by: mahesh parmar

  • Remote access vpn issues

    Hi all, I have been having issues with my remote access vpn, I can connect but cannot ping anywhere, I have enabled ipsec over nat-t, but still does not work, I noticed that when I did an ipconfig on my machine, I get the ip address assigned by my asa, 10.120.50.2 /32
    but the default gateway is showing as 10.112.50.3, is this correct, I thought it should be the same as the interface address ?

    Hi Carl,
    Can you make sure you have the following in your config:
    isakmp nat-traversal
    Can you also ensure your internal network has routing in place to cover your VPN client pool.

  • Remote access VPN issues using Pix 501

    We have taken over a network where there was little to no documentation. I have a remote access VPN terminated on a Pix 501 that is having a connectivity issue. I can connect using Cisco VPN Client. There is a server on the inside network that is used for mail etc. It has an IP of 192.168.0.4. I cannot ping it from my VPN session but from the Pix itself, I can ping it. There are different source IP's as the IP pool for the VPN session is 172.16.x.x and the inside network is 192.168.x.x. I can ping other hosts on the same inside network that are in the ARP table of the Pix. I have attached the configuration of the Pix 501. After researching, I cannot figure out what the issue is. I was assuming it was the route inside 172.16.x.x was set incorrectly but I can ping some hosts on the 192.168.x.x network. Thanks

    Aru,
    Hi. Thanks for responding. I did try and remove that route inside command and I still could not ping the server. I also tried removing those static translations and did a clear xlate but still no luck. This one has me puzzled. Especially since I can ping other hosts on that network and also ping the server but only from the Pix. The source on the Pix would be different 192.168.0.x than when I am connected using the VPN 172.16.1.x. That is the biggest difference. If it was routing, I would assume I could not ping any host on the 192.168.0.x network from the VPN session. I did remove that route inside as all of the other config examples did not have a specific route statement for the local pool even though it is not on the inside network. I have limited knowledge of their network as we just were told to manage it. Thanks again.

  • Remote access VPN on PIX525 issues.

    Hi I was wondering if anybody had any ideas about my remote access VPN. Its configured on a Cisco PIX525 running ver 6.3(5) (old I know!) and I am running Cisco VPN client ver 5.06.0160 on the client end. Ok so here's the thing. The client connects ok, and it gets an IP address no problem. But I cannot ping anything on the remote LAN. So the client is coming across the internet, the VPN adapter has a 192.168.1.1 address assigned by the PIX and I am trying to ping the 192.168.0.4 address assigned to a switch on the inside of the firewall but with no joy. I've attached the config, any help is gratefully appreciated!
    Many thanks
    Richard.
    show run
    : Saved
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet2 auto shutdown
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname Coeliac-firewall
    domain-name sungard.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside 213.212.66.36 255.255.255.248
    ip address inside 192.168.0.1 255.255.255.0
    no ip address intf2
    no ip address intf3
    no ip address intf4
    no ip address intf5
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool MYPOOL 192.168.1.1-192.168.1.254
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address intf5
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 101
    router ospf 1
      network 192.168.0.0 255.255.255.0 area 0
      network 192.168.1.0 255.255.255.0 area 0
      log-adj-changes
    route outside 0.0.0.0 0.0.0.0 213.212.66.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local MYPOOL outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup coeliacvpn address-pool MYPOOL
    vpngroup coeliacvpn dns-server 62.73.136.246
    vpngroup coeliacvpn wins-server 62.73.136.246
    vpngroup coeliacvpn default-domain password
    vpngroup coeliacvpn split-tunnel 101
    vpngroup coeliacvpn idle-time 1800
    vpngroup coeliacvpn password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local MYPOOL
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username user password *********
    vpdn enable outside
    terminal width 80
    Cryptochecksum:b18e9c6df0917108ff35f720f0230073
    : end

    Managed to solve the issue. Needed a isakmp nat-traversal 20 to get it to work.

  • Remote access Vpn issue

    Dear All,
    I have configured remote access vpn without using split tunnel.Everything is working fine.I can access all the inside network which is allowed in acl.
    I am facing strange issue now. I have created a pool for remote access vpn with a range 192.168.5.8/29.I can access my internal subnets 10.10.0.0/16.
    I have below acess-list for acl-in.
    access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
    object-group network vpnclients
    network-object host 10.110.100.26
    network-object host 10.106.100.15
    network-object host 10.10.10.6
    network-object host 10.10.20.82
    network-object host 10.110.100.48
    network-object host 10.10.20.53
    network-object host 10.10.20.54
    network-object host 10.60.100.1
    network-object host 10.10.10.75
    network-object host 10.10.20.100
    network-object host 10.10.130.136
    network-object host 10.106.100.16
    network-object host 10.106.100.9
    network-object host 10.170.100.1
    network-object host 10.170.100.2
    network-object host 10.170.100.21
    network-object host 10.101.100.20
    network-object host 10.170.100.25
    So whichever IPs i have called in vpnclient group is able to access via RA vpn.Issue is when i try to access internal network of 192.168.198.0/24, i am able to access it without adding in vpnclient group. Even for 192.168.197.0/24,192.168.197.0/24 the same. But for 10.10.0.0/16 we can access only after adding in vpnclient group. Any one has face this issue before. Is this because of same network i mean 192.168.0.0 something like that.There is no other staement in acl-in for 192.168.0.0
    Regards
    -Danesh Ahammad

    Hi,
    If i read correctly you made the RA vpn "without"  split tunnel, correct? if that is the case, all of the traffic will traverse the vpn connection (tunnel all) , the access-list "acl-in" is of no use to it.
    try converting it to use split tunnel, i am sure that way you can not access resources that are not mentioned in the list.
    ~Harry

  • Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

    Hii frnds,
    here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
    Below is the out put from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    hi  Maximilian Schojohann..
    First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
    In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
    so plz give me an alternate solution ....thanks in advance....

  • Remote Access VPN - Unable to Access LAN / Inside Network

    Hi,
    I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.
    I have attached running configuration for your reference. Please let me know I miss any configuartion.
    FW : ASA5510
    Version : 8.0
    Note : Site to Site VPN is working without any issues
    Thanks
    Jamal

    Hi,
    Very nice network diagram
    Are you saying that originally the VPN Client user is behind the Jeddah ASA?
    If this is true wouldnt it be wiser to just use the already existing L2L VPN between these sites?
    In real situation I think the VPN Client would only be needed when you are outside either Head Quarter or Jeddah Network. And since you tested it infront of the ASA and it worked there shouldnt be any problem.
    Now to the reason why the VPN Client isnt working from behind the Jeddah ASA.
    Can you check that the following configuration is found on the Jeddah ASA (Depending on the software level of the ASA the format of the command might change. I'm not 100% sure)
    isakmp nat-traversal To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
    isakmp nat-traversal natkeepalive
    no isakmp nat-traversal natkeepalive
    Syntax Description
    natkeepalive
    Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
    Defaults
    By default, NAT traversal (isakmp nat-traversal) is disabled.
    Command Modes
    The following table shows the modes in which you can enter the command:
    Command Mode
    Firewall Mode
    Security Context
    Routed
    Transparent
    Single
    Multiple
    Context
    System
    Global configuration
    Command History
    Release
    Modification
    Preexisting
    This command was preexisting.
    7.2(1)
    This command was deprecated. The crypto isakmp nat-traversal command replaces it.
    Usage Guidelines Network Address Translation (NAT), including Port Address Translation  (PAT), is used in many networks where IPSec is also used, but there are a  number of incompatibilities that prevent IPSec packets from  successfully traversing NAT devices. NAT traversal enables ESP packets  to pass through one or more NAT devices.
    The security appliance supports NAT traversal as described by Version 2  and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft,  available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
    This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
    Examples
    The following example, entered in global configuration mode, enables  ISAKMP and then enables NAT traversal with an interval of 30 seconds:
    hostname(config)# isakmp enable
    hostname(config)# isakmp nat-traversal 30
    - Jouni

  • Remote access VPN-unable to connect inside-URGENT

    Hi,
    I have configured Remote access VPN in cisco ASA 5520.Whenever I am trying to connect from outside it's connecting fine.It aslo getting IP from pool but prob is i am unable to connect/ping inside nw.
    Pls help me...how to resolve this issue.

    I had the same problem on an IOS router (871). My solution was one of two things. I downloaded the most up-to-date version of the VPN client (5.0.02.90) as opposed to the version I had or it was a software firewall (Norton 360). I have two different computers. One works just fine...the other connects but no traffic passes through. Here is what I have:
    Computer 1 (working)- VPN Client v5.0.02.0090 and Network Associates Enterprise VirusScan.
    Computer 2 (not working) - VPN Client v5.0.00.0340 and Norton 360.
    I highly doubt it is the VPN Client, but sometimes you never know. Check your software firewall and try disabling it. Let me know how this works.

  • Remote access VPN with Cisco Router - Can not get the Internal Lan .

    Dear Sir ,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
    I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
    Below is the IP address of the device.
    Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
    IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
    IP address:10.10.10.1
    Mask:255.255.255.0 F0/0
    IP Address :20.20.20.1
    Mask :255.255.255.0
    F0/1
    IP address :192.168.1.3
    Mask:255.255.255.0
    F0/0
    IP address :20.20.20.2
    Mask :255.255.255.0
    F0/1
    IP address :192.168.1.1
    Mask:255.255.255.0
    I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
    Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
    Need your help to fix the problem.
    Router R2 Configuration :!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip tcp synwait-time 5
    interface FastEthernet0/0
    ip address 20.20.20.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 10.10.10.1 255.255.255.0
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    end
    Router R1 Configuration :
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login USERAUTH local
    aaa authorization network NETAUTHORIZE local
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    username vpnuser password 0 strongpassword
    ip tcp synwait-time 5
    crypto keyring vpnclientskey
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group remotevpn
    key cisco123
    dns 192.168.1.2
    wins 192.168.1.2
    domain mycompany.com
    pool vpnpool
    acl VPN-ACL
    crypto isakmp profile remoteclients
    description remote access vpn clients
    keyring vpnclientskey
    match identity group remotevpn
    client authentication list USERAUTH
    isakmp authorization list NETAUTHORIZE
    client configuration address respond
    crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
    crypto dynamic-map DYNMAP 10
    set transform-set TRSET
    set isakmp-profile remoteclients
    crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
    interface FastEthernet0/0
    ip address 20.20.20.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPNMAP
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpnpool 192.168.50.1 192.168.50.10
    ip forward-protocol nd
    ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
    ip access-list extended NAT-ACL
    deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended VPN-ACL
    permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    end

    Dear All,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
    Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
    Waiting for your responce .
    --Milon

  • Remote access VPN client gets connected fails on hosts in LAN

    Hi,
    VPN client gets connected fine, I have a inter VLAN routing happening on the switch in the LAN so all the LAN hosts have gateway IP on the switch, I have the defult route pointing to ASA inside interface on the switch, the switch I can reach after Remote Access VPN is connected how ever I cannot ping/connect to other hosts in the LAN and if I make the gateway point to the ASA then that host is accessible, any suggestions? I really want to have gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing)

    Hi Mashal,
    Thanks for your time,
    VPN Pool(Client) 192.168.100.0/24
    Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
    =============
    On the Switch
    =============
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.2.5 to network 0.0.0.0
         172.32.0.0/24 is subnetted, 1 subnets
    C       172.32.0.0 is directly connected, Vlan101
    C    192.168.200.0/24 is directly connected, Vlan2000
    C    192.9.200.0/24 is directly connected, Vlan4000
    S    192.168.250.0/24 [1/0] via 192.9.200.125
    S    192.168.1.0/24 [1/0] via 192.9.200.125
    C    192.168.2.0/24 is directly connected, Vlan1000
    S    192.168.252.0/24 [1/0] via 192.9.200.125
    S*   0.0.0.0/0 [1/0] via 192.168.2.5
    ===============
    On ASA
    ===============
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 172.32.0.2 to network 0.0.0.0
    C    172.32.0.0 255.255.255.0 is directly connected, outside
    C    192.9.200.0 255.255.255.0 is directly connected, inside
    C    192.168.168.0 255.255.255.0 is directly connected, failover
    C    192.168.2.0 255.255.255.0 is directly connected, MGMT
    S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
    S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
    We don't need route print on the PC for now as I can explain what is happening I can get complete access to the 192.168.2.0/24 (VLAN 1000) but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IP's on the switches/pair but cannot have any tcp connections, which explains the default route being pointed on the switch is on VLAN 1000, now my issue is How do I get access to VLAN 4000 as you can see these two are on different Interfaces/zones on the ASA and please note with default gateway pointing to ASA I will have access to both the VLAN's it is only when I move the gateway pointing to Switch I loose tcp connections to one VLAN depending on the default route  on the being pointing to on the switch.
    So we are left to do with how to on the switch with default route.

  • Remote Access VPN Clients Cannot Access inside LAN

    I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with.  I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  Thay can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
    : Saved
    ASA Version 8.2(1)
    hostname ASA5505
    domain-name default.domain.invalid
    enable password eelnBRz68aYSzHyz encrypted
    passwd eelnBRz68aYSzHyz encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group dataDSL
    ip address 76.244.75.57 255.255.255.255 pppoe
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.9.1 255.255.255.0
    interface Vlan10
    nameif outside_cable
    security-level 0
    ip address 50.84.96.178 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 10
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group service Netbios udp
    port-object eq 139
    port-object eq 445
    port-object eq netbios-ns
    object-group service Netbios_TCP tcp
    port-object eq 445
    port-object eq netbios-ssn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.100.177
    network-object host 192.168.100.249
    object-group service Web_Services tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_10
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_11
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_3
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_4
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_5
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_6
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_7
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_8
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_9
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network VPN
    network-object 192.168.255.0 255.255.255.0
    access-list outside_access_in extended permit icmp any host 76.244.75.61
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
    access-list dmz_access_in remark Quickbooks
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
    access-list dmz_access_in remark Quickbooks range
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
    access-list dmz_access_in remark QB
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
    access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
    access-list dmz_access_in remark Printer
    access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
    access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
    access-list dmz_access_in remark QB probably does not need any udp
    access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark QB included in other rule range
    access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark May be required for Quickbooks
    access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500 
    mtu outside_cable 1500
    ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
    ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    global (outside_cable) 10 interface
    nat (inside) 0 access-list nonat-in
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
    static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    access-group outside_cable_access_in in interface outside_cable
    route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    http 204.107.173.0 255.255.255.0 outside
    http 204.107.173.0 255.255.255.0 outside_cable
    http 0.0.0.0 0.0.0.0 outside_cable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_cable_map interface outside_cable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outside_cable
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh 204.107.173.0 255.255.255.0 outside
    ssh 204.107.173.0 255.255.255.0 outside_cable
    ssh 0.0.0.0 0.0.0.0 outside_cable
    ssh timeout 15
    console timeout 0
    vpdn group dataDSL request dialout pppoe
    vpdn group dataDSL localname [email protected]
    vpdn group dataDSL ppp authentication pap
    vpdn username [email protected] password *********
    dhcpd address 192.168.100.30-192.168.100.99 inside
    dhcpd dns 192.168.100.5 68.94.156.1 interface inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy cad_supplies_RAVPN internal
    group-policy cad_supplies_RAVPN attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access
    client-firewall none
    client-access-rule none
    username swinc password BlhBNWfh7XoeHcQC encrypted
    username swinc attributes
    vpn-group-policy cad_supplies_RAVPN
    username meredithp password L3lRjzwb7TnwOyZ1 encrypted
    username meredithp attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone1 attributes
    vpn-group-policy VPNPHONE
    username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone2 attributes
    vpn-group-policy VPNPHONE
    username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone3 attributes
    vpn-group-policy VPNPHONE
    username oethera password WKJxJq7L6wmktFNt encrypted
    username oethera attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
    username markh attributes
    vpn-group-policy cad_supplies_RAVPN
    tunnel-group DefaultRAGroup general-attributes
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cad_supplies_RAVPN type remote-access
    tunnel-group cad_supplies_RAVPN general-attributes
    address-pool VPN_IP_range
    default-group-policy cad_supplies_RAVPN
    tunnel-group cad_supplies_RAVPN ipsec-attributes
    pre-shared-key *
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool VPN_Phone
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1500
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
    : end

    Hi,
    You have your "group-policy" set so that you have excluding some networks from being tunneled.
    In this access-list named Local_LAN_Access you specify "0.0.0.0"
    Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
    This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
    - Jouni

  • Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

    I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
    Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
    I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

    Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
    Share the configuration if you want help with the NAT exemption part.

  • ASA Remote Access VPN Clients - Multiple DNS Suffixes?

    Hi community!
    I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
    We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
    I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
    Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
    Full marks for helpful posts!
    Kind regards, Ash.

    Hi
    I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
    I have a remote access requirement for users from separate AD's to authenticate through an ASA.
    I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
    Regards

Maybe you are looking for

  • How do I transfer all notes from iPad to my macbook

    How could I transfer all notes from iPad 4th generation to my MacBook?

  • Screensaver in Apple DVD Player - what does this mean?

    Hello, I am building a dvd based kiosk using a MacPro and Apple DVD player running to a large plasma monitor. The setup works great except for the fact that when the kiosk is not being used, the menu screen will cause a burn-in on the monitor (this m

  • SAPUI5 : How to set the date value format for DateTimeInput?

    Hi SAPUI5 experts: I'd like ask 2 things regarding the control: sap.m.DateTimeInput 1: Here is I want to do: show the current date (May 1, 2014) in the control in format as "01-05-2014". But by default the following code shows "May 1 2014". How can I

  • USB Drive and new Macbook Pro Retina

    I have an early 2006 MBP.  When I use my optical drive, I have to pump my smcFanControl up to 6000 plus point a table fan at the computer so I can load cd software without the computer overheating and shutting off.  I've had both fans replaced, but i

  • Email bounce back - HELP

    I require some help if possible as i am going round in circles: My client has two email addresses, address1 @domainname.com and address2 @domainname.com - There is a rule on address1 which when an email is sent it automatically is forwarded onto addr