Remote site to site VPN user cannot access LAN resources

Similar Messages

• VPN client cannot access Lan

  Hi,
  I can connect via VPN to my ASA 5505 but I cannot access my asa. I do not quite understand the routing,acl and nat configs I would need.
  attached is my config

  Here is the my config

• Anyconnect VPN users cannot reach LAN

  I know this topic has been beat to death, but I've beat myself to death trying to get it to work. I had this working, but didn't save, then the FW did a reboot when the breaker flipped. I can log in with the VPN client. I can't reach any of the LAN resources. I believe I need a NAT exemption and I believe that I have that configured correctly, but it's not working. From the logs I can see the VPN IP pool going to the external IP interface, which means NAT is happening, when it shouldn't be. What am I missing?
  ip local pool vpn_pool 10.0.251.10-10.0.251.254 mask 255.255.255.0
  interface Ethernet0/0
  description OUTSIDE INTERFACE
  duplex full
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/1
  description INSIDE INTERFACE
  duplex full
  nameif inside
  security-level 100
  ip address 10.0.250.1 255.255.255.0
  boot system disk0:/asa914-k8.bin
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network vpn-pool
  subnet 10.0.251.0 255.255.255.0
  object network VPN-POOL
  subnet 10.0.251.0 255.255.255.0
  object network LAN
  subnet 10.0.250.0 255.255.255.0
  object-group network PAT-SOURCE
  network-object 10.0.250.0 255.255.255.0
  network-object 10.0.251.0 255.255.255.0
  access-list OUTSIDE_IN extended deny ip any4 any4 log debugging
  access-list INSIDE_OUT extended permit ip object-group PAT-SOURCE any4 log debugging
  ip verify reverse-path interface outside
  no arp permit-nonconnected
  nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
  nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
  nat (any,outside) after-auto source dynamic PAT-SOURCE interface
  access-group OUTSIDE_IN in interface outside
  access-group INSIDE_OUT in interface inside

  firewall(config)# logging console 7
  Jan 07 2014 14:41:49: %ASA-5-111008: User 'jshojayi' executed the 'logging console 7' command.
  Jan 07 2014 14:41:49: %ASA-5-111010: User 'jshojayi', running 'CLI' from IP 0.0.0.0, executed 'logging console 7'
  firewall(config)# Jan 07 2014 14:41:49: %ASA-6-302016: Teardown UDP connection 2097 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
  Jan 07 2014 14:41:50: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/60524 to outside:99.66.187.4/60524
  Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
  Jan 07 2014 14:41:50: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
  Jan 07 2014 14:41:50: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
  Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
  Jan 07 2014 14:41:51: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
  Jan 07 2014 14:41:51: %ASA-6-302015: Built outbound UDP connection 2101 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
  Jan 07 2014 14:41:51: %ASA-6-302016: Teardown UDP connection 2100 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:41:51: %ASA-6-305012: Teardown dynamic TCP translation from any:10.0.250.34/16140 to outside:99.66.187.4/16140 duration 0:01:01
  Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)
  Jan 07 2014 14:41:52: %ASA-6-302015: Built inbound UDP connection 2103 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
  Jan 07 2014 14:41:52: %ASA-4-410001: Dropped UDP DNS request from inside:10.0.250.22/54745 to outside:157.56.106.189/3544; label length 128 bytes exceeds protocol limit of 63 bytes
  Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/62857 to outside:99.66.187.4/62857 duration 0:00:31
  Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/61237 to outside:99.66.187.4/61237 duration 0:00:31
  Jan 07 2014 14:41:52: %ASA-6-302016: Teardown UDP connection 2103 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:41:53: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
  Jan 07 2014 14:41:53: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
  Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938
  Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:41:53: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
  Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2060 for outside:10.0.251.10/60840(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 165 (jshojayi)
  Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2106 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
  Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2061 for outside:10.0.251.10/58388(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 335 (jshojayi)
  Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)
  Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/55378(LOCAL\jshojayi) to outside:99.66.187.4/55378
  Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51560(LOCAL\jshojayi) to outside:99.66.187.4/51560
  Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2108 for outside:10.0.251.10/51560 (99.66.187.4/51560)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:41:54: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
  Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2106 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2107 for outside:10.0.251.10/55378(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 196 (jshojayi)
  Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2108 for outside:10.0.251.10/51560(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 160 (jshojayi)
  Jan 07 2014 14:41:54: %ASA-6-302015: Built inbound UDP connection 2109 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2109 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
  Jan 07 2014 14:41:55: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/54078 to outside:99.66.187.4/54078
  Jan 07 2014 14:41:55: %ASA-6-302015: Built outbound UDP connection 2110 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
  Jan 07 2014 14:41:55: %ASA-6-302015: Built inbound UDP connection 2111 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2072 for outside:10.0.251.10/58472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2080 for outside:10.0.251.10/62680(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2073 for outside:10.0.251.10/59472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2076 for outside:10.0.251.10/60425(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2096 for outside:10.0.251.10/52985(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:07 bytes 175 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2075 for outside:10.0.251.10/53507(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(53507)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2077 for outside:10.0.251.10/57569(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2078 for outside:10.0.251.10/54477(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(62680)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2079 for outside:10.0.251.10/56608(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
  Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(56608)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(54477)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(52985)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(57569)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2111 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:41:59: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
  Jan 07 2014 14:41:59: %ASA-6-302015: Built outbound UDP connection 2112 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
  Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
  Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
  Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60840)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58388)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2114 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
  Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2114 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/52140 to outside:99.66.187.4/52140 duration 0:00:31
  Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64609 to outside:99.66.187.4/64609 duration 0:02:32
  Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2092 for outside:10.0.251.10/51932(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 198 (jshojayi)
  Jan 07 2014 14:41:59: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/57116(LOCAL\jshojayi) to outside:99.66.187.4/57116
  Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2115 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
  Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
  Jan 07 2014 14:42:00: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(51932)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:42:00: %ASA-6-302016: Teardown UDP connection 2115 for outside:10.0.251.10/57116(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:01 bytes 99 (jshojayi)
  Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2117 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/58663(LOCAL\jshojayi) to outside:99.66.187.4/58663
  Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2118 for outside:10.0.251.10/58663 (99.66.187.4/58663)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/49740(LOCAL\jshojayi) to outside:99.66.187.4/49740
  Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2119 for outside:10.0.251.10/49740 (99.66.187.4/49740)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:42:00: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
  Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2098 for outside:68.94.156.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 176
  Jan 07 2014 14:42:04: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
  Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2118 for outside:10.0.251.10/58663(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 148 (jshojayi)
  Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2119 for outside:10.0.251.10/49740(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 142 (jshojayi)
  Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
  Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2101 for outside:68.94.157.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 220
  Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
  Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
  Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2122 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
  Jan 07 2014 14:42:04: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51200(LOCAL\jshojayi) to outside:99.66.187.4/51200
  Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2123 for outside:10.0.251.10/51200 (99.66.187.4/51200)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
  Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2122 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
  Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
  Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2123 for outside:10.0.251.10/51200(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 182 (jshojayi)
  Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/53977 to outside:99.66.187.4/53977 duration 0:00:30
  Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64875 to outside:99.66.187.4/64875 duration 0:00:43
  Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/58618 to outside:99.66.187.4/58618 duration 0:00:43
  Jan 07 2014 14:42:04: %ASA-6-302015: Built outbound UDP connection 2124 for outside:192.168.1.254/67 (192.168.1.254/67) to identity:99.66.187.4/68 (99.66.187.4/68)
  Jan 07 2014 14:42:05: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:42:05: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/60404 to outside:99.66.187.4/60404 duration 0:00:43
  Jan 07 2014 14:42:05: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
  Jan 07 2014 14:42:05: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
  Jan 07 2014 14:42:06: %ASA-6-302016: Teardown UDP connection 2110 for outside:68.94.156.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 132
  Jan 07 2014 14:42:07: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:42:07: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
  Jan 07 2014 14:42:07: %ASA-6-302016: Teardown UDP connection 2112 for outside:68.94.157.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 165
  +Jan 07 2014 14:42:08: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
  Jan 07 2014 14:42:08: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/14848 laddr 99.66.187.4/14848

• "Site System Status Summarizer still cannot access storage object" after DB Move

  After our SCCM server was up and running, the DBAs moved the SQL Site Database to a new drive which is a supported SQL Operation according to this Support document:
  https://support.microsoft.com/en-us/kb/2709082
  Using the methods described by the above document we were able to restore functionality to SCCM but I am still seeing Informational messages in the SMS_SITE_SYSTEM_STATUS_SUMMARIZER component.
  Site System Status Summarizer still cannot access storage object "\\<SQLServer>\S$\SMS_<SQLServer>" on site system "\\<SQLServer>". The operating system reported error 67: The network name cannot be found.
  Possible cause: The site system is turned off, not connected to the network, or not functioning properly.
  Solution: Verify that the site system is turned on, connected to the network, and functioning properly.
  Possible cause: Site System Status Summarizer does not have sufficient access rights to connect to the site system and access the storage object.
  Solution: Verify that the accounts are properly configured to allow the site to connect to the site system and access the storage object.
  Possible cause: Network problems are preventing Site System Status Summarizer from connecting to the site system.
  Solution: Investigate and correct any problems on your network.
  Possible cause: You took the site system out of service and do not intend on using it as a site system any more.
  Solution: Remove the site system from the list of site systems used by this site; this list appears under Site Systems in the Configuration Manager Console.
  Possible cause: You accidentally deleted the storage object or took the storage object out of service.
  Solution: The components will eventually detect that the storage object no longer exists on the site system and will either recreate it or choose a new storage object. Monitor the status messages reported by other site components to verify that this
  occurs properly.
  The storage object has been inaccessible since "14/03/2015 1:23:20 AM". When you correct the problem and Site System Status Summarizer successfully accesses the storage object, Site System Status Summarizer will set the storage object's status
  to OK, providing that the storage object has sufficient free space.
  I have run a site reset to try and fix this but the site server still seems to be trying to access files on the old drive. Is there a method to get SCCM to start looking for these files on the NEW DB drive (H$) in my case?

  Was a site reset performed at all yet? This has to be done. 
  Torsten Meringer | http://www.mssccmfaq.de
  Yes, I tried a site reset prior to making this post. I was sure I had read that this should resolve the issue but unfortunately it seems a site reset did not resolve the issue.
  Since we are running a virtualized environment, is it possible the old drive has to still exist prior to running the site reset? If we add a small "S" drive back to the server and run the site reset again, might that help?

• VPN Client cannot access Internet

  I am currently using PIX 501 and VPN 3000. Everything is running fine except that VPN Client cannot access internet after they logged in via Cisco System VPN CLient. I can't any solution to this problem and is really lost. This is a very important task assign to me.
  Hope someone can help me asap.
  Thanks You

  You need to enable split tunneling. This link is for VPN client to router. The same equivalent config may apply to a PIX as well.
  http://www.cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bf8.pdf

• User cannot access

  hi,
  i  am new to this forum,i have one doubt,
  user cannot access one authorization field , how can i analysis this issue, i know su 53 for find the authorization field...but user have 100 roles... how can i find the which role and object...plz help me..

  Hi Hassan,
  This is not the correct category. This message should be opened under security item. However, you can find the whole required authorization objects list, by using ST01 trace.
  Best regards,
  Orkun Gedik

• User cannot access redirected Documents folder, but can connect to share in Windows Explorer and access folder on server

  I am in the final stages of a cross-forest migration.  Users have Windows 7 workstations with redirected folders on a Windows Server 2012 box running in the old forest.  User accounts were not migrated.  The accounts in use have always
  been in the "new" forest.  One of our challenges was the large volume of data in redirected folders.  I made sure users in the target forest had continued to have access to their redirected folders in the old forest and robocopied
  the entire users share, copying the permissions with the files.  By doing incremental robocopies, we can get a final copy done now in about six hours.  The plan was simple: copy the files, do an incremental copy every night, on the night of the cutover
  change the folder redirection policy Documents path from
  \\oldserver\users\%USERNAME% to
  \\newserver\users\%USERNAME%. The policy is configured to NOT copy user files from the existing folder to the new redirected folder.  Everything was going well until I tested the policy change.  After the folder redirection policy is updated
  and applied, the user cannot access the private Documents folder.  For example, user Chester Tester logs on as ctester.  I open Windows Explorer and click the Documents shortcut.  I see one subfolder, which is subfolder of Public Documents. 
  So I can look at Public Documents but when I click on the Documents folder (Under the Documents library link) I get an access denied error.  Now for the kicker, if I open another Windows Explorer window and edit the address bar to
  \\newserver\users\ctester, I can navigate the Documents folder tree and see my thousands of documents. What the ....?
  I'm hoping this is something really simple to fix!
  TIA

  HI Vivian,
  Thank you for your reply.  Yes, the path in Group Policy Folder Redirection Root Path was updated to
  \\NEWSERVER\users.  I had planned to point this to the distributed file system, so the first used was actually
  \\domain\dfs\users.  To simplify things I have backed off to copying to just a normal share
  \\newserver\users. 
  We are using BASIC folder redirection and we create a folder for each user under the root path. 
  We did not want the policy to move content, as we were seeing users requiring 15-20 minute logon times  (or higher) after the policy is changed.
  Grant the User exclusive right to Documents - Disabled
  Move the contents of Documents to the new location - Disabled
  Related folder settings
  Video - Follow Documents
  Music - Follow Documents
  Pictures - Follow Documents
  Now when I change the folder redirection from old server to new server I now have TWO My Documents folders in the user's redirection folder on the server.  The redirected Documents points to an empty folder set.  The copied folders with all user
  data are there, but folder redirection refuses to recognize the original folder.
  I am looking at the full view of the folder, nothing hidden, so I'm wondering how a folder can have two subfolders with the exact same name.  For now, I just want the redirection to move from the old server to the new server properly.  I deleted
  the new My Documents folder, rebooted the user's workstation and tried again.  The behavior repeats itself, i.e., a new My Documents folder is always created when the redirection policy is changed from the old server to the new server.  The environment
  has about 1500 users with approximately 1.3TB of data in the redirected Documents folders.  OUCH!

• Non-admin user cannot access Essbase server level variables

  Version 11.1.1.3
  Essbase Substitution variables are created at server level. Users are getting error in FR report that uses the Subsitution Variable -- Essbase Error(1051085): You do not have sufficient access to get this substitution variable. Also, users cannot access Substitution variable in SmartView. However, users can access variables created at database level. Users are provisioned as "Server Access" to Essbase and filter access to ASO application "MGTRPTG", where MGTRPTG is an ASO essbase application for reporting. We tried the same provisioning in two other environments and it seems to be working fine.
  User is type "Essbase and Planning" provisioned with essbase "server access", application mgtrptg "filter", Reporting and Analysis "analyst", "dynamic viewer" and "Explorer". In addition, it is given a filter "REP_DME_GALB" which restricts 2 dimensions (Division and Geography).
  Steps taken to resolve:
  1. Existing users were deprovisioned and reprovisioned with no effect.
  2. Created brand new identically provisioned users in Prod and QA. QA user can access the server level var and Prod user cannot
  3. Created a brand new server level variable in Prod and this cannot be accessed.
  4. All services have already been restarted several times.
  5. SR has been opened.
  Temporary workaround:
  By creating a duplicate of the same set of variables at the database level, the reports work. This can only be a temporary workaround as the client cannot be expected to maintain two sets of substitution variables since there are 3 applications using these server level variables.
  Thank you for any ideas!
  Jennifer

  You have stumbled on a defect which is resolved in the Hyperion Planning 9.3.1 patch 6 and above. If you have your planning preferences set to indent members it will cause forms which have page selections to show as invalid in SmartView.
  You can either patch Planning or turn off the preference. The patches are available from http://metalink3.oracle.com and require account which has been associated with your client ID.
  P.S. Usually it's not a good practice to use the admin id.
  Regards,
  -John
  Edited by: Jbooth on Nov 3, 2008 2:12 PM

• Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows 7 64 Bit

  Users cannot access removable devices after you enable and then disable a Group Policy setting on Windows 7 64 bit machines.
  on the 32 bit machines I was able to apply this hotfix
  http://support2.microsoft.com/kb/2738898
  But it will not install on 64 bit machines. 
  Is there a hotfix for 64 bit?  If not, what is the work around?
  Thanks!
  Robert

  Select "Show hotfixes for all platforms and languages", then download x64 hotfix:
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• PIX Users Cannot Access Other Websites & Email Servers on Same-Shared T1 Co

  We are sharing a T1 connection with another business in our building. They have their own separate network environment from mine. I have a Windows 2003 Small Business Server behind a PIX-501 and the users in my network connect to the Internet via Windows Server?s DHCP and Internet sharing (NAT) services.
  All Internet and email traffic is accessible except for those hosted by the other company who we're sharing a connection with. My users cannot access that company?s web server or send email to their email server (we all get 4.4.7 SMTP errors? days later after sending the message).
  They have no firewall on their end; which is why I think there may be something wrong with my PIX configuration (see attached config file). I'm sort of a newbie with the PIX CLI, so any help I can get could be great. Thanks in advanced!

  The problem is not with PIX. This is a common problem when sharing a T1 link as it creates a routing problem since routing cannot be done based on shared T1 channels. Your PIX config is fine and has nothing to do with this issue.

• BOX31 - Users cannot access InfoView

  After upgrading BOXIR2 to BOX31 the users cannot access InfoView. The following message is shown:
  Account Information Not Recognized: Enterprise authentication could not log you on ...
  As administrator I can access OK.
  What has changed between BOXIR2 and BOX31 in terms of user authentication?
  Thank you in advance.

  The structure of the users is as follow:
  Management (at the top)
  - Accounting
  - Marketing
  - Sales, etc
  Users can then access one of the above, only one.
  Universe restrictions has been applied to allow users to see information related to their department only.
  We do not use any Windows AD authentication, it is just Business Objects.
  Thank you.

• Computer clock that user cannot access

  I have made a game that i published on Kongregate using C# language with Unity.
  I have a serious issue though. If the player stays offline, he gets some bonus in game when he returns. The more he is offline the bigger bonus. The issue is that if someone while he is offline changes the clock of his computer to 1 day or 10 years in the
  future he gets so much bonus that he ruins the game.
  Is there any way to avoid that without having a server to get time?
  In the webplayer i cannot use NTP due to security limitations, so i am trying to find a clock that the user cannot access.
  Thanks in advance for any possible answers!

  The software house where I'm working as a phone app which uses a timestamp on data it sends to a server.
  There are frequent issues with users messing with the time on their devices for games like candy crush.
  This causes no end of problems since you get data which is sent as if it happened like yesterday or some such and bad stuff happens.
  You definitely don't want to rely on the time on the users computer.
  Get the time when you start up or support bonus for save to server only and apply it retrospectively.
  Use a timer to see how long they play between saves if necessary.
  Or change the game and ditch the bonus mechanism.
  Hope that helps.
  Technet articles: Uneventful MVVM;
  All my Technet Articles

• Cannot access local resource file

  When I run my application on browser these error comes, I have found to change right click on project>properties>flex build path>libary path> framework linkage to "Merge into code"not working,
  I have also changed right click on project> properties>Flex compiler> Additional compiler arguments - -locale en_US to some -network false still its not working
  and undid whatever change i made,
  Help!
  SecurityError: Error #2148: SWF file http://localhost/aamshare-debug/aamshare.swf cannot access local resource file:///C|/wamp/www/aamshare-debug/media/bse.png. Only local-with-filesystem and trusted local SWF files may access local resources.
      at flash.display::Loader/_load()
      at flash.display::Loader/load()
      at mx.controls::SWFLoader/loadContent()[C:\autobuild\3.2.0\frameworks\projects\framework\src \mx\controls\SWFLoader.as:1611]
      at mx.controls::SWFLoader/load()[C:\autobuild\3.2.0\frameworks\projects\framework\src\mx\con trols\SWFLoader.as:1380]
      at mx.controls::SWFLoader/initializeHandler()[C:\autobuild\3.2.0\frameworks\projects\framewo rk\src\mx\controls\SWFLoader.as:1971]
      at flash.events::EventDispatcher/dispatchEventFunction()
      at flash.events::EventDispatcher/dispatchEvent()
      at mx.core::UIComponent/dispatchEvent()[C:\autobuild\3.2.0\frameworks\projects\framework\src \mx\core\UIComponent.as:9298]
      at mx.core::UIComponent/set processedDescriptors()[C:\autobuild\3.2.0\frameworks\projects\framework\src\mx\core\UICom ponent.as:1217]
      at mx.core::UIComponent/initializationComplete()[C:\autobuild\3.2.0\frameworks\projects\fram ework\src\mx\core\UIComponent.as:5395]
      at mx.core::UIComponent/initialize()[C:\autobuild\3.2.0\frameworks\projects\framework\src\mx \core\UIComponent.as:5379]
      at mx.core::UIComponent/http://www.adobe.com/2006/flex/mx/internal::childAdded()[C:\autobuild\3.2.0\frameworks\pro jects\framework\src\mx\core\UIComponent.as:5267]
      at mx.core::Container/http://www.adobe.com/2006/flex/mx/internal::childAdded()[C:\autobuild\3.2.0\frameworks\pro jects\framework\src\mx\core\Container.as:3305]
      at mx.core::Container/addChildAt()[C:\autobuild\3.2.0\frameworks\projects\framework\src\mx\c ore\Container.as:2217]
      at mx.core::Container/addChild()[C:\autobuild\3.2.0\frameworks\projects\framework\src\mx\cor e\Container.as:2140]
      at mx.core::Container/createComponentFromDescriptor()[C:\autobuild\3.2.0\frameworks\projects \framework\src\mx\core\Container.as:3681]
      at mx.core::Container/createComponentsFromDescriptors()[C:\autobuild\3.2.0\frameworks\projec ts\framework\src\mx\core\Container.as:3493]
      at mx.containers::ViewStack/instantiateSelectedChild()[C:\autobuild\3.2.0\frameworks\project s\framework\src\mx\containers\ViewStack.as:1140]
      at mx.containers::ViewStack/commitProperties()[C:\autobuild\3.2.0\frameworks\projects\framew ork\src\mx\containers\ViewStack.as:664]
      at mx.core::UIComponent/validateProperties()[C:\autobuild\3.2.0\frameworks\projects\framewor k\src\mx\core\UIComponent.as:5807]
      at mx.managers::LayoutManager/validateProperties()[C:\autobuild\3.2.0\frameworks\projects\fr amework\src\mx\managers\LayoutManager.as:539]
      at mx.managers::LayoutManager/doPhasedInstantiation()[C:\autobuild\3.2.0\frameworks\projects \framework\src\mx\managers\LayoutManager.as:659]
      at Function/http://adobe.com/AS3/2006/builtin::apply()
      at mx.core::UIComponent/callLaterDispatcher2()[C:\autobuild\3.2.0\frameworks\projects\framew ork\src\mx\core\UIComponent.as:8628]
      at mx.core::UIComponent/callLaterDispatcher()[C:\autobuild\3.2.0\frameworks\projects\framewo rk\src\mx\core\UIComponent.as:8568]

  Since you are loading your swf over http, it will be placed in a remote sandbox and will not be able to access the local filesystem. You should load your png in the same way as your swf (ie. over http), or embed it into your application.

• VPN Clients cannot access remote site

  Hey there,
  I am pretty new in configuring Cisco devices and now I need some help.
  I have 2 site here:
  site A
  Cisco 891
  external IP: 195.xxx.yyy.zzz
  VPN Gateway for Remote users
  local IP: VLAN10 10.133.10.0 /23
  site B
  Cisco 891
  external IP: 62.xxx.yyy.zzz
  local IP VLAN10 10.133.34.0 /23
  Those two sites are linked together with a Site-to-Site VPN. Accessing files or ressources from one site to the other is working fine while connected to the local LAN.
  I configured VPN connection with Radius auth. VPN clients can connect to Site A, get an IP adress from VPN Pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access ressources on site B. I already added the site B network to the ACL and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN Tunnels to ERP system.
  What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
  Here is the config of site A
  Building configuration...
  Current configuration : 24257 bytes
  version 15.2
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname Englerstrasse
  boot-start-marker
  boot config usbflash0:CVO-BOOT.CFG
  boot-end-marker
  aaa new-model
  aaa group server radius Radius-AD
  server 10.133.10.5 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  clock timezone Berlin 1 0
  clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
  crypto pki trustpoint TP-self-signed-27361994
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-27361994
  revocation-check none
  rsakeypair TP-self-signed-27361994
  crypto pki trustpoint test_trustpoint_config_created_for_sdm
  subject-name [email protected]
  revocation-check crl
  crypto pki certificate chain TP-self-signed-27361994
  certificate self-signed 01
    30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 32373336 31393934 301E170D 31323038 32373038 30343238
    5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
    2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D323733 36313939
    3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B709
    64CE1874 BF812A9F 0B761522 892373B9 10F0BB52 6263DCDB F9877AA3 7BD34E53
    BCFDA45C 2A991777 4DDC7E6B 1FCEE36C B6E35679 C4A18771 9C0F871F 38310234
    2D89A4FF 37B616D8 362B3103 A8A319F2 10A72DC7 490A04AC 7955DF68 32EF9615
    9E1A3B31 2A1AB243 B3ED3E35 F4AAD029 CDB1F941 5E794300 5C5EF8AE 5C890203
    010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
    18301680 14D0F5E7 D3A9311D 1675AA8F 38F064FC 4D04465E F5301D06 03551D0E
    04160414 D0F5E7D3 A9311D16 75AA8F38 F064FC4D 04465EF5 300D0609 2A864886
    F70D0101 05050003 818100AB 2CD4363A E5ADBFB0 943A38CB AC820801 117B52CC
    20216093 79D1F777 2B3C0062 4301CF73 094B9CA5 805F585E 04CF3301 9B839DEB
    14A334A2 F5A5316F C65EEF21 0B0DF3B5 F4322440 F28B984B E769876D 6EF94895
    C3D5048A A4E2A180 12DF6652 176942F8 58187D7B D37B1F1A 4DDD7AE9 5189F9AF
    AF3EF676 26AD3F31 D368F5
        quit
  crypto pki certificate chain test_trustpoint_config_created_for_sdm
  no ip source-route
  ip auth-proxy max-login-attempts 5
  ip admission max-login-attempts 5
  no ip bootp server
  no ip domain lookup
  ip domain name yourdomain.com
  ip inspect log drop-pkt
  ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
  ip inspect name CCP_MEDIUM ftp
  ip inspect name CCP_MEDIUM h323
  ip inspect name CCP_MEDIUM sip
  ip inspect name CCP_MEDIUM https
  ip inspect name CCP_MEDIUM icmp
  ip inspect name CCP_MEDIUM netshow
  ip inspect name CCP_MEDIUM rcmd
  ip inspect name CCP_MEDIUM realaudio
  ip inspect name CCP_MEDIUM rtsp
  ip inspect name CCP_MEDIUM sqlnet
  ip inspect name CCP_MEDIUM streamworks
  ip inspect name CCP_MEDIUM tftp
  ip inspect name CCP_MEDIUM udp
  ip inspect name CCP_MEDIUM vdolive
  ip inspect name CCP_MEDIUM imap reset
  ip inspect name CCP_MEDIUM smtp
  ip cef
  no ipv6 cef
  appfw policy-name CCP_MEDIUM
    application im aol
      service default action allow alarm
      service text-chat action allow alarm
      server permit name login.oscar.aol.com
      server permit name toc.oscar.aol.com
      server permit name oam-d09a.blue.aol.com
      audit-trail on
    application im msn
      service default action allow alarm
      service text-chat action allow alarm
      server permit name messenger.hotmail.com
      server permit name gateway.messenger.hotmail.com
      server permit name webmessenger.msn.com
      audit-trail on
    application http
      strict-http action allow alarm
      port-misuse im action reset alarm
      port-misuse p2p action reset alarm
      port-misuse tunneling action allow alarm
    application im yahoo
      service default action allow alarm
      service text-chat action allow alarm
      server permit name scs.msg.yahoo.com
      server permit name scsa.msg.yahoo.com
      server permit name scsb.msg.yahoo.com
      server permit name scsc.msg.yahoo.com
      server permit name scsd.msg.yahoo.com
      server permit name cs16.msg.dcn.yahoo.com
      server permit name cs19.msg.dcn.yahoo.com
      server permit name cs42.msg.dcn.yahoo.com
      server permit name cs53.msg.dcn.yahoo.com
      server permit name cs54.msg.dcn.yahoo.com
      server permit name ads1.vip.scd.yahoo.com
      server permit name radio1.launch.vip.dal.yahoo.com
      server permit name in1.msg.vip.re2.yahoo.com
      server permit name data1.my.vip.sc5.yahoo.com
      server permit name address1.pim.vip.mud.yahoo.com
      server permit name edit.messenger.yahoo.com
      server permit name messenger.yahoo.com
      server permit name http.pager.yahoo.com
      server permit name privacy.yahoo.com
      server permit name csa.yahoo.com
      server permit name csb.yahoo.com
      server permit name csc.yahoo.com
      audit-trail on
  parameter-map type inspect global
  log dropped-packets enable
  multilink bundle-name authenticated
  redundancy
  ip tcp synwait-time 10
  class-map match-any CCP-Transactional-1
  match dscp af21
  match dscp af22
  match dscp af23
  class-map match-any CCP-Voice-1
  match dscp ef
  class-map match-any sdm_p2p_kazaa
  match protocol fasttrack
  match protocol kazaa2
  class-map match-any CCP-Routing-1
  match dscp cs6
  class-map match-any sdm_p2p_edonkey
  match protocol edonkey
  class-map match-any CCP-Signaling-1
  match dscp cs3
  match dscp af31
  class-map match-any sdm_p2p_gnutella
  match protocol gnutella
  class-map match-any CCP-Management-1
  match dscp cs2
  class-map match-any sdm_p2p_bittorrent
  match protocol bittorrent
  policy-map sdm-qos-test-123
  class class-default
  policy-map sdmappfwp2p_CCP_MEDIUM
  class sdm_p2p_edonkey
  class sdm_p2p_gnutella
  class sdm_p2p_kazaa
  class sdm_p2p_bittorrent
  policy-map CCP-QoS-Policy-1
  class sdm_p2p_edonkey
  class sdm_p2p_gnutella
  class sdm_p2p_kazaa
  class sdm_p2p_bittorrent
  class CCP-Voice-1
    priority percent 33
  class CCP-Signaling-1
    bandwidth percent 5
  class CCP-Routing-1
    bandwidth percent 5
  class CCP-Management-1
    bandwidth percent 5
  class CCP-Transactional-1
    bandwidth percent 5
  class class-default
    fair-queue
    random-detect
  crypto ctcp port 10000
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key REMOVED address 62.20.xxx.yyy 
  crypto isakmp key REMOVED address 195.243.xxx.yyy
  crypto isakmp key REMOVED address 195.243.xxx.yyy
  crypto isakmp key REMOVED address 83.140.xxx.yyy  
  crypto isakmp client configuration group VPN_local
  key REMOVED
  dns 10.133.10.5 10.133.10.7
  wins 10.133.10.7
  domain domain.de
  pool SDM_POOL_2
  acl 115
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group VPN_local
     client authentication list ciscocp_vpn_xauth_ml_2
     isakmp authorization list ciscocp_vpn_group_ml_2
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA11
  set isakmp-profile ciscocp-ike-profile-1
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to62.20.xxx.xxx
  set peer 62.20.xxx.xxx
  set transform-set ESP-3DES-SHA
  match address 105
  crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to195.243.xxx.xxx
  set peer 195.243.xxx.xxx
  set transform-set ESP-3DES-SHA4
  match address 107
  crypto map SDM_CMAP_1 3 ipsec-isakmp
  description Tunnel to83.140.xxx.xxx
  set peer 83.140.xxx.xxx
  set transform-set ESP-DES-SHA1
  match address 118
  interface Loopback2
  ip address 192.168.10.1 255.255.254.0
  interface Null0
  no ip unreachables
  interface FastEthernet0
  switchport mode trunk
  no ip address
  spanning-tree portfast
  interface FastEthernet1
  no ip address
  spanning-tree portfast
  interface FastEthernet2
  no ip address
  spanning-tree portfast
  interface FastEthernet3
  no ip address
  spanning-tree portfast
  interface FastEthernet4
  description Internal LAN
  switchport access vlan 10
  switchport trunk native vlan 10
  no ip address
  spanning-tree portfast
  interface FastEthernet5
  no ip address
  spanning-tree portfast
  interface FastEthernet6
  no ip address
  spanning-tree portfast
  interface FastEthernet7
  no ip address
  spanning-tree portfast
  interface FastEthernet8
  description $FW_OUTSIDE$$ETH-WAN$
  ip address 62.153.xxx.xxx 255.255.255.248
  ip access-group 113 in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip inspect CCP_MEDIUM out
  no ip virtual-reassembly in
  ip verify unicast reverse-path
  duplex auto
  speed auto
  crypto map SDM_CMAP_1
  service-policy input sdmappfwp2p_CCP_MEDIUM
  service-policy output CCP-QoS-Policy-1
  interface Virtual-Template1 type tunnel
  ip unnumbered FastEthernet8
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface GigabitEthernet0
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Vlan1
  no ip address
  interface Vlan10
  description $FW_INSIDE$
  ip address 10.133.10.1 255.255.254.0
  ip access-group 112 in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  interface Async1
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  encapsulation slip
  ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
  ip local pool VPN_Pool 192.168.20.2 192.168.20.100
  ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip forward-protocol nd
  ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
  ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
  ip access-list extended VPN1
  remark VPN_Haberstrasse
  remark CCP_ACL Category=4
  permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  ip radius source-interface Vlan10
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 10.10.10.0 0.0.0.7
  access-list 23 remark CCP_ACL Category=17
  access-list 23 permit 195.243.xxx.xxx
  access-list 23 permit 10.133.10.0 0.0.1.255
  access-list 23 permit 10.10.10.0 0.0.0.7
  access-list 100 remark CCP_ACL Category=4
  access-list 100 permit ip 10.133.10.0 0.0.1.255 any
  access-list 101 remark CCP_ACL Category=16
  access-list 101 permit udp any eq bootps any eq bootpc
  access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
  access-list 101 permit icmp any any echo-reply
  access-list 101 permit icmp any any time-exceeded
  access-list 101 permit icmp any any unreachable
  access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 101 deny   ip host 255.255.255.255 any
  access-list 101 deny   ip any any
  access-list 102 remark auto generated by CCP firewall configuration
  access-list 102 remark CCP_ACL Category=1
  access-list 102 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
  access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
  access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
  access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 102 deny   ip host 255.255.255.255 any
  access-list 102 deny   ip host 0.0.0.0 any
  access-list 102 deny   ip any any log
  access-list 103 remark auto generated by CCP firewall configuration
  access-list 103 remark CCP_ACL Category=1
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
  access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
  access-list 103 remark IPSec Rule
  access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
  access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
  access-list 103 permit esp any host 62.153.xxx.xxx
  access-list 103 permit ahp any host 62.153.xxx.xxx
  access-list 103 permit udp host 194.25.0.60 eq domain any
  access-list 103 permit udp host 194.25.0.68 eq domain any
  access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
  access-list 103 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
  access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
  access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
  access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 103 deny   ip host 255.255.255.255 any
  access-list 103 deny   ip host 0.0.0.0 any
  access-list 103 deny   ip any any log
  access-list 104 remark CCP_ACL Category=4
  access-list 104 permit ip 10.133.10.0 0.0.1.255 any
  access-list 105 remark CCP_ACL Category=4
  access-list 105 remark IPSec Rule
  access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
  access-list 106 remark CCP_ACL Category=2
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 106 remark IPSec Rule
  access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
  access-list 106 permit ip 10.10.10.0 0.0.0.7 any
  access-list 106 permit ip 10.133.10.0 0.0.1.255 any
  access-list 107 remark CCP_ACL Category=4
  access-list 107 remark IPSec Rule
  access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 107 remark IPSec Rule
  access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  access-list 108 remark Auto generated by SDM Management Access feature
  access-list 108 remark CCP_ACL Category=1
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
  access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
  access-list 108 deny   tcp any host 10.133.10.1 eq telnet
  access-list 108 deny   tcp any host 10.133.10.1 eq 22
  access-list 108 deny   tcp any host 10.133.10.1 eq www
  access-list 108 deny   tcp any host 10.133.10.1 eq 443
  access-list 108 deny   tcp any host 10.133.10.1 eq cmd
  access-list 108 deny   udp any host 10.133.10.1 eq snmp
  access-list 108 permit ip any any
  access-list 109 remark CCP_ACL Category=1
  access-list 109 permit ip 10.133.10.0 0.0.1.255 any
  access-list 109 permit ip 10.10.10.0 0.0.0.7 any
  access-list 109 permit ip 192.168.10.0 0.0.1.255 any
  access-list 110 remark CCP_ACL Category=1
  access-list 110 permit ip host 195.243.xxx.xxx any
  access-list 110 permit ip host 84.44.xxx.xxx any
  access-list 110 permit ip 10.133.10.0 0.0.1.255 any
  access-list 110 permit ip 10.10.10.0 0.0.0.7 any
  access-list 110 permit ip 192.168.10.0 0.0.1.255 any
  access-list 111 remark CCP_ACL Category=4
  access-list 111 permit ip 10.133.10.0 0.0.1.255 any
  access-list 112 remark CCP_ACL Category=1
  access-list 112 permit udp host 10.133.10.5 eq 1812 any
  access-list 112 permit udp host 10.133.10.5 eq 1813 any
  access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
  access-list 112 permit udp any host 10.133.10.1 eq isakmp
  access-list 112 permit esp any host 10.133.10.1
  access-list 112 permit ahp any host 10.133.10.1
  access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
  access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
  access-list 112 remark auto generated by CCP firewall configuration
  access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
  access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
  access-list 112 permit udp host 10.133.10.7 eq domain any
  access-list 112 permit udp host 10.133.10.5 eq domain any
  access-list 112 deny   ip 62.153.xxx.xxx 0.0.0.7 any
  access-list 112 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 112 deny   ip host 255.255.255.255 any
  access-list 112 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 112 permit ip any any
  access-list 113 remark CCP_ACL Category=1
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
  access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
  access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
  access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
  access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
  access-list 113 remark auto generated by CCP firewall configuration
  access-list 113 permit udp host 194.25.0.60 eq domain any
  access-list 113 permit udp host 194.25.0.68 eq domain any
  access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
  access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
  access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
  access-list 113 permit esp any host 62.153.xxx.xxx
  access-list 113 permit ahp any host 62.153.xxx.xxx
  access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
  access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
  access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
  access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
  access-list 113 remark IPSec Rule
  access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
  access-list 113 remark Pop3
  access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
  access-list 113 remark Pop3
  access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
  access-list 113 remark SMTP
  access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
  access-list 113 remark IMAP
  access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
  access-list 113 deny   ip 10.133.10.0 0.0.1.255 any
  access-list 113 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
  access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
  access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
  access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 113 deny   ip host 255.255.255.255 any
  access-list 113 deny   ip host 0.0.0.0 any
  access-list 113 deny   ip any any log
  access-list 114 remark auto generated by CCP firewall configuration
  access-list 114 remark CCP_ACL Category=1
  access-list 114 deny   ip 10.133.10.0 0.0.1.255 any
  access-list 114 deny   ip 10.10.10.0 0.0.0.7 any
  access-list 114 permit icmp any any echo-reply
  access-list 114 permit icmp any any time-exceeded
  access-list 114 permit icmp any any unreachable
  access-list 114 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 114 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 114 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 114 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 114 deny   ip host 255.255.255.255 any
  access-list 114 deny   ip host 0.0.0.0 any
  access-list 114 deny   ip any any log
  access-list 115 remark VPN_Sub
  access-list 115 remark CCP_ACL Category=5
  access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
  access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
  access-list 115 permit ip 10.133.20.0 0.0.0.255 any
  access-list 116 remark CCP_ACL Category=4
  access-list 116 remark IPSec Rule
  access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 117 remark CCP_ACL Category=4
  access-list 117 remark IPSec Rule
  access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 118 remark CCP_ACL Category=4
  access-list 118 remark IPSec Rule
  access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  access-list 118 remark IPSec Rule
  access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
  no cdp run
  route-map SDM_RMAP_1 permit 1
  match ip address 106
  control-plane
  mgcp profile default
  line con 0
  transport output telnet
  line 1
  modem InOut
  speed 115200
  flowcontrol hardware
  line aux 0
  transport output telnet
  line vty 0 4
  session-timeout 45
  access-class 110 in
  transport input telnet ssh
  line vty 5 15
  access-class 109 in
  transport input telnet ssh
  scheduler interval 500
  end

  The crypto ACL for the site to site vpn should also include the vpn client pool, otherwise, traffic from the vpn client does not match the interesting traffic for the site to site vpn.
  On Site A:
  should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
  You should also remove the following line as the pool is incorrect:
  access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
  On Site B:
  should include: permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
  NAT exemption on site B should also be configured with deny on the above ACL.

• VPN Client Cannot Access Anything at Main Site

  I am sure this problem has been solved a million times over but I can't get this to work.  Can someone take a look at this config quick and tell me what is wrong?
  The Cisco VPN client connects no problem but I can't access anything.
  ASA Version 8.4(4)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 15
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.43.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address a.a.a.a 255.255.255.248
  interface Vlan15
  no forward interface Vlan1
  nameif IPOffice
  security-level 100
  ip address 192.168.42.254 255.255.255.0
  boot system disk0:/asa844-k8.bin
  ftp mode passive
  object network obj-192.168.43.0
  subnet 192.168.43.0 255.255.255.0
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_10.11.12.0_24
  subnet 10.11.12.0 255.255.255.0
  object network NETWORK_OBJ_192.168.43.160_28
  subnet 192.168.43.160 255.255.255.240
  object network IPOffice
  subnet 0.0.0.0 0.0.0.0
  access-list outside_access_in extended permit icmp any 192.168.42.0 255.255.255.0
  access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
  access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
  access-list AnyConnect_Client_Local_Print extended deny ip any any
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu IPOffice 1500
  ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-649.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
  nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  object network IPOffice
  nat (IPOffice,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication http console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  http 192.168.43.0 255.255.255.0 inside
  http 192.168.42.0 255.255.255.0 IPOffice
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set encrypt-method-1 esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map dynmap 30 set pfs group1
  crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map rpVPN 65535 ipsec-isakmp dynamic dynmap
  crypto map rpVPN interface outside
  crypto isakmp identity address
  crypto ikev1 enable outside
  crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 2
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.43.5-192.168.43.36 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy RPVPN internal
  group-policy RPVPN attributes
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ikev1
  username admin password gP3lHsTOEfvj7Z3g encrypted privilege 15
  username mark password blPoPZBKFYhjYewF encrypted privilege 0
  tunnel-group RPVPN type remote-access
  tunnel-group RPVPN general-attributes
  address-pool newvpnpool
  default-group-policy RPVPN
  tunnel-group RPVPN ipsec-attributes
  ikev1 pre-shared-key *****
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
  : end

  Yup, you are totally correct, spot on!!
  Asymmetric routing is not supported on the firewall, as traffic in and out must be through the same interfaces, otherwise, it thinks it is an attack and drop the packet.
  Default gateway on the devices in IPOffice subnet should be the ASA IPOffice interface (192.168.42.254), not the switch if it is a shared switch with your inside network. And likewise for devices in the inside subnet, the default gateway should be the ASA 192.168.43.254.
  With regards to the switch, you can pick a default gateway either the ASA inside or the ASA IPOffice interface IP, and the return traffic needs to route via the same path