RemoteApp with host connected to VPN

Hi,
I have a question regarding RemoteApp vs regular Remote Desktop Connection spiced with a VPN connection initiated from the host.
We're in the process of moving from PCs to thin clients and we have set up an RDS farm (all servers are Windows Server 2012 R2, they are all in the same domain and same LAN) as follows:
1 x RD Connection Broker + RD Licensing + RD Web Access
3 x RD Session Host
The users/clients will connect with regular remote desktop connection software (no Citrix or anything). Two of the RD SHs will be providing the users access to their normal applications, but some users also need to use remote resources which are only available
via VPN connection, hence the third RD SH. (Currently it is solved by every user having a virtual machine on their PCs and connecting to the VPN from there.) We can't put the VPN connection to the two "regular" RD SHs, because we'll need more VPN
connections later. The idea was to install and set up the VPN on the third host and publish the needed apps by RemoteApp to the users who use it.
The problem:
Once the host connects to the VPN the users are unable to launch the RemoteApp applications. If it's not connected then they can start them. The VPN client is a Cisco AnyConnect Secure Mobility Client that can only connect if the connection is initiated
by a local user and no other user is currenty logged on (it's a remote side policy we can't change). If the users connect to the RD host with a regular remote desktop connection after the VPN is set up then it works as expected, they can launch the apps and
work with them.
The question:
What is the difference between launching a RemoteApp and connecting to the RD host via RDP? How can I debug this RemoteApp connection problem?
Please ask if something is not clear!
Thank you!
PS: If I'm not heading into the right direction and someone has a better idea, I'd be grateful to hear (read) it!

Hello Vargabes7,
You can configure a server that allows remote users to access resources on your private network over dial-up or virtual private network (VPN) connections. This type of server is called a remote access/VPN server. Remote access/VPN servers can also provide
network address translation (NAT). With NAT, the computers on your private network can share a single connection to the Internet. With VPN and NAT, your VPN clients can determine the IP addresses of the computers on your private network, but other computers
on the Internet cannot.
Before you configure your server as a remote access/VPN server, you should verify whether or not:
The operating system is configured correctly.
Your server is correctly configured for optimal security for your network needs. Because your remote access/VPN server will connect your private network, the Internet, and your remote clients, you must make sure the server is secure. The security
of your private network depends on the security of your remote access/VPN server. For more information, see
Security information for remote access.
This computer has two network interfaces, one that connects to the Internet and one that connects to the private network. The connection to the Internet must be a dedicated connection with enough bandwidth that VPN users can connect to your private network
and users on your private network can connect to the Internet. The connection to computers on your private network must be made through a hardware device, such as a network adapter.
All needed network protocols have been installed for your network interfaces. For more information, see
Network interfaces.
Windows Firewall is disabled on the server that you want to configure for remote access/VPN. You will configure the Basic Firewall feature of Routing and Remote Access during setup, which will serve in place of Windows Firewall.
Internet Connection Sharing is disabled on the server that you want to configure for remote access/VPN.
The Security Configuration Wizard is installed and enabled.
To configure a remote access/VPN server, start the Configure Your Server Wizard by doing either of the following:
From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on.
To open the Configure Your Server Wizard, click Start, click
Control Panel, double-click Administrative Tools, and then double-click
Configure Your Server Wizard.
On the Configuration Options page, click Custom configuration and click
Next. On the Server Role page, click Remote access/VPN server, and then click
Next.
Best regards,
Sophia Sun
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Similar Messages

Changing RemoteApp Session Host connection name in 2012

I am looking for a way to change the server name you connect to (on the Session Host), like you could in 2008 R2. Pictures a worth a thousand words, so I've attached a picture of exactly what I am looking for:
The servers are setup so their names are servername.domain.local, but since they will be facing outwards (with a RD Gateway between them, of course) and non-domain members will be accessing them, we need a way to change the "server name" to servername.domain.com
(.dk actually, but you get the point), so the certificate applies to it.
Currently, connecting looks like this:
We don't want our customers getting this dialog box. Any help is appreciated.

Hi,
The architecture is changed.We don't use the DNS RR or NLB to redirect the initial connection any more.We just need the RDCB database to redirect the connection.The process is simplified.In short, there is no need to change the server name like the above.All
the changeable settings are on the RDCB.To get dialog box disappeared,you need to change the cert name to match the destination computer.
Regards,
Clarence
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback on our support quality, please send your feedback
here.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

VM cannot access Internet when host is connected to VPN

Hello everyone,
I have a little problem with my Hyper-V network. I use internal switch (external seems to have problems when I want to access the host via RDP and host has Wifi only).
Now attached is my configuration as a wonderful picture. ;) My problem is this: I have a internal switch in Hyper-V which is used by the VMs. They can access the Internet because the host WiFi Adapter has Internet Sharing enabled. However, when I connect
the host to the VPN, the VMs cannot access the internet anymore. I know it is not possible to share the VPN-Connection itself, but without any Internet I cannot connect the VMs to the VPN at all. So is there any way to connect the host to VPN and also the
VMs?
Thanks! :)
Best,
Chris

Hi CBuntrock,
Please try the following setps :
Open network connection --> right click the vpn connection --> properties --> click tab Networking --> click the proper internet protocol version --> properties --> advanced --> tab ipsettings --> uncheck "use defult gateway
on remote network " --> ok
Please try to access internet again from your VMs .
Best Regards
Elton Ji
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Hosts on corporate network unable to connect to VPN client

I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.
This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.
Can anyone explain what's wrong or where I should look?

Thanks for the feedback.
The client is a Mac running OS-X. Firewalling is turned off; there's no trouble connecting to the client when it is plugged directly into the corporate network.
The "no-nat" rules on the 5505 look like this:
access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Here 10.170.30.0/24 is the IP pool dedicated to the VPN. There are no other NAT-related lines in the 5505's configuration.

Can I connect to server with Server Admin over vpn?

I succeed to connect with the server over vpn, allowing me to connect to disks e.g. but I seem not to be able to connect to the server to administer it with Server Admin. Is it a matter of openingen a port?

Thanks,
But, Iam facing another problem.
When I am trying to connect to Oracle 9i server database with Oracle 10g client, Iam facing the following problem.
On my 10g client machine for the tnsnames.org file, I added configuration of Oracle 9i service. When Iam trying to connect with username, password and host string of oracle 9i server, I am getting the following error:
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
Waiting for Reply,
Satish.

How can I Create a Client Configuration File for RemoteApp and Desktop Connection with Server 2012?

I have a working RDS RemoteApp site and looking to test out the feature in Windows 7 Control Panel\All Control Panel Items\RemoteApp and Desktop Connections
I came across this link: Create a Client Configuration File for RemoteApp and Desktop Connection and I believe this is what I need to do first, but these instructions are for
Server 2008, and I'm running 2012.
Any suggestions or tips on how I can begin testing this with Server 2012?

Hi,
You can manually enter the path to the 2012 feed and it will connect and download the RemoteApps and Desktop connections.
If you need a sample .wcx file I have posted one here a couple of times. If you want I will look for it and post a link.
-TP
I tried adding my URL's below, these are sample links that work for me right now for when I log into the web page, but neither of these work. And I'm not sure what I would need to do with or how to create a .wcx file.
When I type in my URL of: https://connect.mydomain.org/RDWeb, I get redirected to:
https://connect.mydomain.org/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx

Cannot connect to the Internet with browser when using VPN

I am experiencing an odd network problem and am hoping that someone on this list has seen something similar and can help me isolate the cause.
I have a Mac Pro running Mac OS X (10.5.8) and use Cisco's VPNClient to connect to my employer's network. Some time in the last year I started getting this odd behavior wherein that while connected via VPN, I cannot open external web pages in Safari (Version 5.0 (5533.16)). When this happens I get the following message:
+Safari can't open the page "http://www.google.com/" because your computer isn't connected to the Internet.+
Web pages on the company's internal network work fine. Firefox exhibits the same problem. However, the very odd thing (to me), is that I can get to the Internet using the browser in NetNewsWire. Other services (like twitter) also seem to work fine.
The problem is intermittent and occurs between restarts. After some restarts the problem is not there. Also, connecting and re-connecting via VPNClient does not affect the behavior. If access to the Internet is working then it will continue working, at least until the next restart. If I restart for whatever reason (software update, etc.) the next time it may or may not work.
This has been going on over several updates to Mac OS X and Safari.
Another clue is that my MacBook, also running 10.5.8 works fine when connected from the same home network so I am pretty sure the problem is with my Mac Pro.
Anyone out there have any idea what could be causing this and how to go about fixing the problem?
Thanks in advance,
KP

Earthlink can be challenging. Have a look at this
very helpful post from Eme.
This may lead you in the right direction.
World leaks relates to memory issues with Safari that
are on-going and being addressed in the developer's
community. More information can be found
here.. To
stop the warning message, go to your Debug menu and
deselect "always check for world leaks".
iMac G5 Rev C 20" 2.5gb RAM 250 gb
HD/iBook G4 1.33 ghz 1.5gb RAM 40 gb HD Mac
OS X (10.4.8) LaCie 160gb d2 HD Canon i960
printer
I couldn't fix it, and the Earthlink technician couldn't fix it...until she checked and found that the starting address: "www.my.earthlink.net" is down. In fact, it's still down, so I'll just continue using Foxfire for awhile. I can connect by typing "www.earthlink.net" in the addres bar, but it's so much easier to just click on Foxfire in my dock. This shows the value of having a spare browser.
I'm going to mark it "solved. Thanks for your help, It was a bit technical for me, but I tried. I had to, having just sent an article about the value of persistence to a friend, how could I fail to persevere?

Do we need to create two zones for Two HBA for a host connected with SAN ?

Hi,While creating Zone , Do we need to create two zones for Two HBA for a host connected with SAN ? Or a zone is enough for
a host which having Two HBAs...We have two 9124s for our SAN fabric...
As I found like one zone below, I little bit confused that , if a host having two HBA connected with SAN, should I expect two zones for every Host?
from the zone set, I gave the command show zoneset
zone name SQLSVR-X-NNN_CX4 vsan 1
    pwwn 50:06:NN:NN:NN:NN:NN:NN
    pwwn 50:06:NN:NN:NN:NN:NN:NN
          pwwn 10:00:NN:NN:NN:NN:NN:NN
But I found only one zone for the server's HBA2:by the same time in the fabric I found switches A & B showing the WWNs of those HBAs on its
connected N port...Its not only for this server alone, but for all hosts..Can you help me to clarify on this please..that should we need to create one zone for
one HBA?

if u have two independent fabrics between hosts and storage, i think the below confs are recommended.
Scenario 1: 2 HBAs single port each ( redundancy across HBA / Storage port )
HBA1 - port 0 ---------> Fabric A ----------> Storage port ( FAx/CLx )
HBA2 - port 0 ---------> Fabirc B ----------> Storage port ( FAy/CLy )
Scenario 2: 2 HBAs of dual port each
HBA1 - port 0 -------> Fabric A ---------> Storage port ( FAx/CLx )
HBA2 - port0 ---------> Fabric A ---------> Storage port ( FAs/CLs )
HBA1 - port 1 --------> Fabric A --------> Storage port ( FAy/CLy )
HBA2 - port 1 ---------> Fabric B --------> Storage port ( FAt/CLt )
the zone which is in your output is VSAN 1. if its a production VSAN, Cisco doesn't recomends to use VSAN 1 ( default vsan ) for production.

Help with 10.4.5 VPN connection using PPTP to Windows 2003 Server

Hi,
I've looked on the discussions for an answer to this but have had no luck so far, can anyone help?
I'm trying to connect my 10.4.5 PB to my Wn2k3 server (with RRAS) using PPTP VPN, however I keep getting stuck at the Negotiating phase of the connection and finally get this error in OSX Internet Connect:
Could not negotiate a connection with the remote PPP server. Please verify your settings and try again.
I can connect from my Win XP laptop so no issues with the router etc, do I need to make any changes to the server config?
Thanks,
Sahajesh.
12" PB (G4) Mac OS X (10.4.5)

Resolved elsewhere.

I am having trouble with exchange account connection .the vpn connects fine but the exchange account is still showing the yellow light .can anyone help?

i am having trouble with exchange account connection .the vpn connects fine but the exchange account is still showing the yellow light .can anyone help?

I had a similar problem. Here is how I resolved the issue.
1. Remove Network Connect
2. Run Terminal and remove /usr/local/juniper and everything within the juniper directory.
3. Reboot the machine and reinstall Network Connect
4. Test if you can now connect.
During removal, you may encounter permission denied error, you will need to change the permission to 777. For example "sudo chmod 777 nc".

Automatic update of RemoteApp and Desktop Connections does not work (while manual updates with "update now" is working)

Hello,
on several Windows 7 Clients the update/refresh of the RemoteApp and Desktop Connections stopped not working automatically. There is a Update failed error. When we do an "Update Now" manually, it gets synchronized without problems.
I am asking me if there is an issue with a stored Password as we Need to Change the Passwords regularily. The error is occuring for Connections to all RDS Servers (we have severals).
Does Windows store the user Password in the Task Scheduler? If yes, does the schedule Task Password Change automatically after the Domain Password Change?
Or what else could be the issue? The RDS Server and the certificate (Name the same as the URL) seems to be fine as not all Clients have this issue.
Thank you for your help

Hi,
Thank you for posting in Windows Server Forum.
By default it will automatically update the RemoteApp and Desktop Connections but if in any particular case it’s not happening then for a try you can restart the server and check the result again. In addition you can try running below command and check
the result.
Start-Process rundll32 -ArgumentList "tsworkspace,TaskUpdateWorkspaces2
More information:
Powershell to update "RemoteApp and Desktop Connections"
If a task is registered using the Administrators group for the security context of the task, then you must also make sure the Run with highest privileges check box is checked if you want to run the task. Please check “Task
Security Context” for more details.
Hope it helps!
Thanks,
Dharmesh

Storage 3320 single raid controller connecting with 02 Host Connection

Dear ALL,
I have 3320 with single raid controller, 5x HDD. I started to install it in a single-bus configuration to meet up with Host & External tape due to the following diagram:
1) using a correct SCSI jumper cable to connect between the SCSI port "CH0" and the SNGL BUS CONF together
2) Connecting the SCSI port labeled "CH1" with SCSI LVD Sun Server running Solaris 9 by SCSI cable
3) Connecting the SCSI port labeled "CH3" with the external tape device by the SCSI cable.
As a result, the Host Server can see the only Logical Drives and i could make the approciate partitions.
But the problem is that the Server could not see the SCSI Tape device on this case (Tape device & cable are fine, tested ok before). I am wondering that if all connection above with connecting to Server & Tape device are ok here, then why is the tape device not being recongised under the Solaris ?? and even it's not being known under the OK prompt when i tried to run probe-scsi...
regards
Scott

Please bypass all questions above, i would like to brief what i need to get helps as the below.
Pls advice me how to get the external SCSI LVD tape device connected with SE 3320 raid Controller WHILE the Array 3320 was connected with Sun Server through the SCSI Port labeled "CH 1", the SCSI jumper cable connected between "CH 0" and the SNGL BUS CONF port in a single-bus configuration (By the way, Se 3320 raid is working well with Server).
Thanks for any comments
Scott

Connection to VPN doesn't work with exclamation mark on Network symbol

Hello everyone,
I'm new to this forum and not really professional in VPN stuff, though I'm an experienced computer user and programmer. I'm using Cisco VPN
5.0.07.0440-k9-x64 from the Paul Scherrer Institute on Windows 8 64-bit. The program was working previously fine, but at some point, whenever I connect to VPN and login, I lose connection to the internet, and nothing related to my internet connection work, and I see an exclamation mark on the wireless network symbol. And when I disconnect the VPN, I get everything back to normal.
I got almost the same problem when I installed Kaspersky Internet Security due to some suspicion on security, but then I removed it and everything was back to normal. After that, the VPN worked for some time, and again didn't work anymore at some point. First thing I tried is disabling the Windows Firewall, and it didn't help.
My network adapter is: Qualcomm Atheros AR9002WB-1NG Wireless Network Adapter
In my network adapter, I can't change the TCP/IP v4 Configuration. When I double click, it says something like: "For the configuration of TCP/IP, there must be a network device installed and activated" (The sentence is translated from German, my Windows is German).
Is there like a "global reset" that would get the VPN to work again? What should I do?
Please advise, and if you require any piece of information, let me know.
Thank you.

I'm using now VPNC on linux. No more cisco! Crappy program and crappy support!

Cant ping inside hosts from client vpn. Think its a NAT issue

Hello all, I am running into what I think is a NAT/nat exclusion issue with an IOS IPSEC VPN. I can connect to the VPN with the cisco IPSEC VPN client, and I am able to authenticate. Once I authenticate, I am not able to reach any of the inside hosts. My relevant config is below. Any help would be greatly appreciated.
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor local
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group businessVPN
key xxxxxx
dns 192.168.10.2
domain business.local
pool vpnpool
acl 108
crypto isakmp profile VPNclient
match identity group businessVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.1.10.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
interface Null0
no ip unreachables
interface FastEthernet0/0
ip address 111.111.111.138 255.255.255.252
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect outbound out
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface BVI1
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
ip nat inside source route-map nat interface FastEthernet0/0 overload
ip access-list extended nat
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended nonat
permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
ip access-list extended outside_in
permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
permit tcp any any eq 443
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
permit esp any host 111.111.111.138
permit udp any host 111.111.111.138 eq isakmp
permit udp any host 111.111.111.138 eq non500-isakmp
permit ahp any host 111.111.111.138
permit gre any host 111.111.111.138
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
route-map nat permit 10
match ip address nat
bridge 1 route ip

I believe the acl applied to the client group is backwards. It should permit traffic from the internal network to the clients pool.
To confirm you can open the Cisco VPN client statistics(after connecting) then go to the route details tab. You should see there the networks that you should be able to reach from the client. Make sure the correct ones are in there.
Regards,

Connect to VPN but can't ping past inside interface

Hello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
    308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
    0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
    092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
    67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
    5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
    2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
    acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
    fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
    140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
    61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
    0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
    acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
    288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
    92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
    1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: end

Hello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
    308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
    0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
    092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
    67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
    5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
    2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
    acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
    fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
    140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
    61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
    0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
    acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
    288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
    92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
    1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: end

RemoteApp with host connected to VPN

Similar Messages

Maybe you are looking for