[Resolu] net configuration ok but can't ping or pac

Similar Messages

• Cisco ASA 5505 can ping gateway but can't ping internet

  Good day to all!
  Sorry if I post this on the wrong group, I am having a bit of a problem on configuring an ASA 5505 firewall. And I scoured google but can't seem to find a specific link to my issues.
  It is on a routed mode, have successfully configured inside and outside vlans. Hosts inside vlan can ping each other. Hosts on outside vlan can also ping each other. Problem is, when I am pinging 8.8.8.8, I received ????? Please see config below.
  Any help greatly appreciated.
  TIA!
  : Saved
  ASA Version 8.4(3)
  hostname ciscoasan
  enable password bD3fGYMFeJJTATOJ encrypted
  passwd 2KF1w9ErdI.2KYOU encrypted
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   description INSIDE
   nameif inside
   security-level 100
   ip address 10.10.10.2 255.255.255.0
  interface Vlan2
   description OUTSIDE
   nameif outside
   security-level 0
   ip address 203.127.68.2 255.255.255.240
  ftp mode passive
  object network obj_any
   subnet 0.0.0.0 0.0.0.0
  access-list outside_access_in extended permit ip any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  object network obj_any
   nat (inside,outside) dynamic interface
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.10.10.0 255.255.255.0 inside
  http authentication-certificate inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny  
    inspect sunrpc
    inspect xdmcp
    inspect sip  
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:6b3e0ce99eda3d2563cf9f392f8001b7
  : end

  Hi badingdong,
  Remove these lines:
  no nat (inside,outside) after-auto source dynamic any interface
  no access-group outside_access_in in interface outside
  If you have more inside subnets need access to internet, please make sure that you have a static route in place as shown below.
  route inside 10.0.0.0 255.0.0.0 10.10.10.1
  Also make sure that you have a correct DNS server is assigned on your internal hosts.
  Thanks
  Rizwan Rafeek

• I can connect my cisco mobile vpn but can't ping & access internal IP

  Hi somebody,
  i've configured mobile vpn configuration in cisco 7200 with GNS3. i can connect VPN to my cisco router with cisco vpn client software from outside. but i can't ping to internal ip and can't access internal resources.
  My Internal IP is 192.168.1.x . And IP for mobile VPN client from outside is 172.60.1.x.
  Your advise will be appreciate.
  here is my configuration with cisco 7200 in GNS 3,
  OfficeVPN_Router#sh run
  Building configuration...
  Current configuration : 2186 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname OfficeVPN_Router
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
  aaa new-model
  aaa authentication login userlist local
  aaa authorization network grouplist local
  aaa session-id common
  ip cef
  no ip domain lookup
  username asm privilege 15 password 0 pncsadmin
  username user privilege 15 password 0 pncsadmin
  username user1 privilege 15 password 0 pncsadmin
  username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
  crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 2
  crypto isakmp client configuration group MWG
  key cisco
  dns 165.21.83.88
  pool vpnpool
  acl 101
  netmask 255.255.0.0
  crypto ipsec transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  reverse-route
  crypto map mymap client authentication list userlist
  crypto map mymap isakmp authorization list grouplist
  crypto map mymap client configuration address initiate
  crypto map mymap client configuration address respond
  crypto map mymap 10 ipsec-isakmp dynamic dynmap
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex half
  interface FastEthernet1/0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex full
  speed 100
  interface FastEthernet1/1
  ip address 200.200.200.200 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map mymap
  ip local pool vpnpool 172.60.1.10 172.60.1.100
  no ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 200.200.200.201
  no ip http server
  no ip http secure-server
  ip nat inside source list 111 interface FastEthernet1/1 overload
  access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 permit ip any any
  control-plane
  gatekeeper
  shutdown
  line con 0
  exec-timeout 0 0
  password cisco123
  logging synchronous
  stopbits 1
  line aux 0
  stopbits 1
  line vty 0 4
  password cisco123
  end
  OfficeVPN_Router#sh ver
  Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Tue 21-Apr-09 18:50 by prod_rel_team
  ROM: ROMMON Emulation Microcode
  BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
  OfficeVPN_Router uptime is 30 minutes
  System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
  System image file is "tftp://255.255.255.255/unknown"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
  Processor board ID 4279256517
  R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
  6 slot VXR midplane, Version 2.1
  Last reset from power-on
  PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
  Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
  This configuration is within the PCI bus capacity and is supported.
  PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
  Current configuration on bus mb2 has a total of 0 bandwidth points
  This configuration is within the PCI bus capacity and is supported.
  Please refer to the following document "Cisco 7200 Series Port Adaptor
  Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
  for c7200 bandwidth points oversubscription and usage guidelines.
  3 FastEthernet interfaces
  125K bytes of NVRAM.
  65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
  8192K bytes of Flash internal SIMM (Sector size 256K).
  Configuration register is 0x2102
  OfficeVPN_Router#

  Dear Javier ,
  Thanks for your info. i already tested as you say. but still i can't use & ping to my internal IP which is behind cisco VPN router. i posted my config file.
  OfficeVPN_Router(config)#ip access-list resequence 111 10 10
  OfficeVPN_Router(config)#do sh run
  Building configuration...
  Current configuration : 2201 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname OfficeVPN_Router
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
  aaa new-model
  aaa authentication login userlist local
  aaa authorization network grouplist local
  aaa session-id common
  ip cef
  no ip domain lookup
  username asm privilege 15 password 0 pncsadmin
  username user privilege 15 password 0 pncsadmin
  username user1 privilege 15 password 0 pncsadmin
  username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
  crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 2
  crypto isakmp client configuration group MWG
  key cisco
  dns 165.21.83.88
  pool vpnpool
  acl 101
  netmask 255.255.0.0
  crypto ipsec transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  reverse-route
  crypto map mymap client authentication list userlist
  crypto map mymap isakmp authorization list grouplist
  crypto map mymap client configuration address initiate
  crypto map mymap client configuration address respond
  crypto map mymap 10 ipsec-isakmp dynamic dynmap
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex half
  interface FastEthernet1/0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex full
  speed 100
  interface FastEthernet1/1
  ip address 200.200.200.200 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map mymap
  ip local pool vpnpool 172.60.1.10 172.60.1.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 200.200.200.201
  no ip http server
  no ip http secure-server
  ip nat inside source list 111 interface FastEthernet1/1 overload
  access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 permit ip 192.168.1.0 0.0.0.255 any
  control-plane
  gatekeeper
  shutdown
  line con 0
  exec-timeout 0 0
  password cisco123
  logging synchronous
  stopbits 1
  line aux 0
  stopbits 1
  line vty 0 4
  password cisco123
  end

• Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!

  Hi,
  I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
  Config
  ciscoasa# sh run
  : Saved
  ASA Version 8.0(3)
  hostname ciscoasa
  enable password 5QB4svsHoIHxXpF/ encrypted
  names
  name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
  name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
  name xxx.xxx.xxx.xxx Mail_Server
  name xxx.xxx.xxx.xxx IncomingIP
  name xxx.xxx.xxx.xxx SAP
  name xxx.xxx.xxx.xxx WebServer
  name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
  name 192.168.2.2 isa_server_outside
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address IncomingIP 255.255.255.248
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.253 255.255.255.0
  management-only
  passwd 123
  ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  object-group service TCP_8081 tcp
  port-object eq 8081
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq 3389
  port-object eq ftp
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq pop3
  port-object eq 3200
  port-object eq 3300
  port-object eq 3600
  port-object eq 3299
  port-object eq 3390
  port-object eq 50000
  port-object eq 3396
  port-object eq 3397
  port-object eq 3398
  port-object eq imap4
  port-object eq 587
  port-object eq 993
  port-object eq 8000
  port-object eq 8443
  port-object eq telnet
  port-object eq 3901
  group-object TCP_8081
  port-object eq 1433
  port-object eq 3391
  port-object eq 3399
  port-object eq 8080
  port-object eq 3128
  port-object eq 3900
  port-object eq 3902
  port-object eq 7777
  port-object eq 3392
  port-object eq 3393
  port-object eq 3394
  port-object eq 3395
  port-object eq 92
  port-object eq 91
  port-object eq 3206
  port-object eq 8001
  port-object eq 8181
  port-object eq 7778
  port-object eq 8180
  port-object eq 22222
  port-object eq 11001
  port-object eq 11002
  port-object eq 1555
  port-object eq 2223
  port-object eq 2224
  object-group service RDP tcp
  port-object eq 3389
  object-group service 3901 tcp
  description 3901
  port-object eq 3901
  object-group service 50000 tcp
  description 50000
  port-object eq 50000
  object-group service Enable_Transparent_Tunneling_UDP udp
  port-object eq 4500
  access-list inside_access_in remark connection to SAP
  access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
  access-list inside_access_in remark VPN Outgoing - PPTP
  access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
  access-list inside_access_in remark VPN Outgoing - GRE
  access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
  access-list inside_access_in remark VPN - GRE
  access-list inside_access_in extended permit gre any any
  access-list inside_access_in remark VPN Outgoing - IKE Client
  access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
  access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
  access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
  access-list inside_access_in remark DNS Outgoing
  access-list inside_access_in extended permit udp any any eq domain
  access-list inside_access_in remark DNS Outgoing
  access-list inside_access_in extended permit tcp any any eq domain
  access-list inside_access_in remark Outoing Ports
  access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
  access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
  access-list outside_access_in extended permit ip any any
  access-list outside_access_in extended permit tcp any any eq pptp
  access-list outside_access_in extended permit gre any any
  access-list outside_access_in extended permit gre any host Mail_Server
  access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
  access-list outside_access_in extended permit esp any any
  access-list outside_access_in extended permit ah any any
  access-list outside_access_in extended permit udp any any eq isakmp
  access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
  access-list VPN standard permit 192.168.2.0 255.255.255.0
  access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-603.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 2 Mail_Server netmask 255.0.0.0
  global (outside) 1 interface
  global (inside) 2 interface
  nat (inside) 0 access-list corp_vpn
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
  static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
  static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
  static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
  static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
  static (inside,outside) 192.168.2.0  access-list corp_vpn
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set transet esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10 set pfs
  crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
  crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
  crypto map cryptomap interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  no crypto isakmp nat-traversal
  telnet 192.168.2.0 255.255.255.0 inside
  telnet 192.168.1.0 255.255.255.0 management
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
  dhcpd domain domain.local interface inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  tftp-server management 192.168.1.123 /
  group-policy mypolicy internal
  group-policy mypolicy attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN
  username vpdn password 123
  username vpdn attributes
  vpn-group-policy mypolicy
  service-type remote-access
  tunnel-group mypolicy type remote-access
  tunnel-group mypolicy general-attributes
  address-pool POOL
  default-group-policy mypolicy
  tunnel-group mypolicy ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
  : end
  Thank you very much.

  Here is the output:
  ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
  Phase: 1
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found no matching flow, creating a new flow
  Phase: 2
  Type: UN-NAT
  Subtype: static
  Result: ALLOW
  Config:
  static (inside,outside) 192.168.2.0  access-list corp_vpn
  nat-control
    match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
      static translation to 192.168.2.0
      translate_hits = 0, untranslate_hits = 139
  Additional Information:
  NAT divert to egress interface inside
  Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit ip any any
  Additional Information:
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: CP-PUNT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect icmp
  service-policy global_policy global
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  static (inside,outside) 192.168.2.0  access-list corp_vpn
  nat-control
    match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
      static translation to 192.168.2.0
      translate_hits = 0, untranslate_hits = 140
  Additional Information:
  Phase: 11
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

• VPN client connected to VPN but can't ping or access to server

  HI ,
  i need help urgently, had been troubleshooting for a day, but have no ideal what wrong with the config.
  Basically there is 2 set of VPN configured, one is site to site IPSEC VPN and another one is connect via VPN client software coexist in same router.
  This recently we having problem on client can't access or ping to internal server which is 192.168.6.3 from VPN client software.
  VPN client will connect to VPN ip pool as10.20.1.0 to 10.20.1.100
  Software itself shown connected but request time out when ping.
  Below is the config. Some of the command might be extra as when i did some test, but end up didn't work.
  aaa new-model
  aaa authentication login userauthen local
  aaa authorization network adminmap group VPNClient
  aaa authorization network groupauthor local
  aaa authorization network map-singapore local
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key emptyspace address 203.142.83.218 no-xauth
  crypto isakmp keepalive 15 periodic
  crypto isakmp client configuration address-pool local ippool
  crypto isakmp client configuration group map-singapore
  key cisco123
  dns 192.168.6.3
  domain cisco.com
  pool ippool
  acl 102
  crypto isakmp profile VPNclient
     match identity address 27.54.43.210 255.255.255.255
     match identity group vpnclient
     client authentication list userauthen
     client configuration address respond
  crypto ipsec security-association idle-time 86400
  crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
  crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
  crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set DYNSET
  set isakmp-profile VPNclient
  reverse-route
  crypto map VPNMAP client authentication list userauthen
  crypto map VPNMAP isakmp authorization list map-singapore
  crypto map VPNMAP client configuration address respond
  crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
  crypto map VPNMAP 11 ipsec-isakmp
  description VPN to ASA5520
  set peer 203.142.83.218
  set security-association lifetime kilobytes 14608000
  set security-association lifetime seconds 86400
  set transform-set REMSET
  match address 100
  interface GigabitEthernet0/0
  ip address 27.54.43.210 255.255.255.240
  ip nat outside
  no ip virtual-reassembly
  duplex full
  speed 100
  crypto map VPNMAP
  interface GigabitEthernet0/1
  ip address 192.168.6.1 255.255.255.0
  ip nat inside
  no ip virtual-reassembly
  duplex full
  speed 100
  interface GigabitEthernet0/2
  description $ES_LAN$
  no ip address
  shutdown
  duplex auto
  speed auto
  ip local pool ippool 10.20.1.0 10.20.1.100
  ip forward-protocol nd
  ip pim bidir-enable
  no ip http server
  ip http authentication local
  no ip http secure-server
  ip nat inside source list 1 interface GigabitEthernet0/0 overload
  ip nat inside source list 101 interface GigabitEthernet0/0 overload
  ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
  ip nat inside source static 192.168.6.3 27.54.43.212
  ip route 0.0.0.0 0.0.0.0 27.54.43.209
  ip route 192.168.1.0 255.255.255.0 27.54.43.209
  ip route 192.168.151.0 255.255.255.0 192.168.6.151
  ip route 192.168.208.0 255.255.255.0 27.54.43.209
  ip access-list extended RA_SING
  permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
  permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
  permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
  deny   ip any any log
  access-list 1 remark Local Network
  access-list 1 permit 192.168.6.0 0.0.0.255
  access-list 1 permit 192.168.102.0 0.0.0.255
  access-list 1 permit 192.168.151.0 0.0.0.255
  access-list 2 remark VPNClient-range
  access-list 2 permit 10.0.0.0 0.255.255.255
  access-list 10 permit 192.168.6.0 0.0.0.255
  access-list 10 permit 192.168.102.0 0.0.0.255
  access-list 10 permit 192.168.151.0 0.0.0.255
  access-list 10 permit 10.0.0.0 0.255.255.255
  access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
  access-list 101 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 101 permit ip 10.0.0.0 0.255.255.255 any
  access-list 101 permit ip 192.168.6.0 0.0.0.255 any
  access-list 102 permit ip 10.0.0.0 0.255.255.255 any
  access-list 120 deny   ip any any log
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  no cdp run
  route-map nonat permit 10
  match ip address 120
  control-plane
  alias isakmp-profile sh crypto isakmp sa
  alias exec ipsec sh crypto ipsec sa
  banner motd ^CC^C

  I did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.

• 802.1X Athentication Successful but can't ping Default Router. PSK works fine

  Got an interesting scenario. I am labbing out 802.1X authentication for wireless with a Cisco 2504 WLC along with a Windows Server 2012 r2 with AD, DHCP Server, DNS Server, Certificate Services, and NPS. I was able to make the different parts communicate and was able to successfully authenticate with an account I created on AD. Under my windows server event viewer, I received confirmation message: "Network Policy Server granted access to user." I received a valid IP address from the DHCP server. Computer is on the domain. Everything looks like it is working perfectly. I even checked the debug on my WLC looking for the mac address of my device but I received the "Processing Access-Accept mobile <MAC-ADDRESS>" message. 
  Here comes the problem. I created 2 WLAN’s to test. One was PSK while the other was 802.1X. They share the same interface on the WLC, so they have the exact same configurations. On my PSK everything works fine, I can browse Internet and ping devices within the network. On the 802.1X, I am able to ping the controller, but nothing else. Can’t ping gateway nor my dhcp server. Any thoughts?
  Best Regards,
  Sean

  In your testing the device that connected with psk is the same device that connected to TLS? 

• No errors with NAT or DHCP, but can't ping server or access internet

  2 weeks ago my Xserve was positioned directly behind a modem and acted as the router to my small office - supplying DHCP, NAT, etc. Then, the Xserve lost it's connection to the internet. The Xserve was unable to pull an address from the modem (via DHCP) and troubleshooting the issue with my ISP resulted in getting my modem swapped.
  My Xserve is still unable to pull an address via DHCP directly from the modem. So, I called apple support. The tech I spoke to was extremely helpful and instructed me to place the Xserve behind a router so it could use a static ip - without having to pay my ISP for one. So, I did as he instructed.
  Regardless, since my Xserve originally lost connection to the internet I have been unable to get my Xserve to supply NAT to my internal network successfully. DHCP is working fine, the firewall isn't logging any refusals, NAT isn't returning errors. All internal network functions work, I just can't access the internet from any machine other than the server.
  Here is the network port breakdown:
  Ethernet 1 (wan)
  ip: 192.168.1.2
  sub: 255.255.255.0
  router: 192.168.1.1 (router supplying static ip)
  dns: 208.67.222.222,208.67.220.220 (opendns)
  Ethernet 2 (lan)
  ip: 192.168.1.3
  sub: 255.255.255.0
  router: 192.168.1.3
  DHCP settings:
  start ip: 192.168.1.4
  end ip: 192.168.1.254
  sub: 255.255.255.0
  interface: en1
  router: 192.168.1.3
  Firewall:
  Allow all traffic from "any"
  NAT:
  IP Forwarding and Network Address Translation
  External network interface: Ethernet 1
  NAT Port Mapping Protocol enabled.
  Other notes: I can see the Xserve from any device on the network (in Finder running OS X) but I cannot ping it via the router's ip. (example: ping 192.168.1.3) 100% packet loss.
  The Xserve does have access to the internet.
  The Xserve leases an ip to the devices on the network, but cannot ping them using their leased ip address.
  Initially, I was receiving the following error:
  "xserve subnets: create failed, Invalid/missing 'net_address' property
  So I modified bootpd.plist by adding:
  <key>net_address</key>
  <string>192.168.1.0</string>
  I no longer receive the error and DHCP works properly.
  Any help is thoroughly appreciated as this issue has set me back over a week in troubleshooting.

  Thanks again.
  I'll try to be more clear about my current setup:
  Modem
  ->
  Router
  DHCP enabled but supplying server with static ip of: 192.168.1.2 - hence my Ethernet 1 settings on my Xserve. The DHCP address the router supplies to other devices range between 192.168.1.101 - 192.168.1.150 (this is temporary). I'm using the Router as a temporary network connection for devices as I continue to setup the server. Once the server is completed, I will hook everyone up through the switch.
  ->
  Xserve
  The Xserve receives a static IP from the router above (192.168.1.2) even though the router gives DHCP addresses to other devices. The Xserve then goes out Ethernet 2 to (which has also been assigned a static internal address: 192.168.1.3) a switch.
  ->
  Switch
  The Switch definitely has DHCP disabled, and merely extends the network connection.
  Right now, the Xserve is doing nothing other than attempting to supply an internet connection to devices attached to it. I performed a clean install after a day or two of troubleshooting.
  I really want to be able to control content access as well as give certain devices priority over others using the Xserve. I want it to control... the network, in all aspects: DNS, Open Directory (Master), Firewall etc. Am I still able to control the network with the Xserve if it is hooked up side by side to the clients without reconfiguring my router to hop through the Xserve before going to the internet? If not, why not just use the Xserve as a middle man as I currently do?
  What are the benefits of using it side by side to the clients? What are the drawbacks of my current setup? (Other than it not functioning)

• ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp

  Hello all,
  I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
  MafSecASA# show run
  : Saved
  ASA Version 8.2(1)
  hostname MafSecASA
  domain-name mafsec.com
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.4.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 7.3.3.2 255.255.255.248
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 172.20.1.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  speed 100
  duplex full
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 3
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name mafsec.com
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object tcp
  protocol-object udp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object udp
  protocol-object tcp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object ip
  protocol-object icmp
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any
  access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
  access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
  ip verify reverse-path interface outside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 10.4.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 10.4.0.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd option 6 ip 8.8.8.8 8.8.4.4
  dhcpd address 10.4.0.15-10.4.0.245 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd lease 86400 interface inside
  dhcpd option 3 ip 10.4.0.1 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
  svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
  svc enable
  tunnel-group-list enable
  group-policy SSLVPN internal
  group-policy SSLVPN attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol svc
  group-lock none
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value inside_split_tunnel
  vlan none
  address-pools value SSLVPNPool2
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  username user1 password
  username user1 attributes
  service-type remote-access
  username user2 password
  tunnel-group SSLVPNGROUP type remote-access
  tunnel-group SSLVPNGROUP general-attributes
  address-pool SSLVPNPool2
  default-group-policy SSLVPN
  tunnel-group SSLVPNGROUP webvpn-attributes
  group-alias SSLVPN enable
  prompt hostname context
  Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
  : end
  Thank in advance for any help!

  Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs?  I'd try pinging a router or switch just to make sure.
  --Jason

• Connected to WRT54GsV4 but can't ping or browse

  I have a very interesting problem I am working on for a friend. They have 3 computers in the house they are a vaio laptop with Vista, a macbook, and a HP desktop with Vista. The vaio laptop connects and surfs the internet fine, so does the macbook. The desktop which is wireless like the others will connect to the router, show it has local and internet connection but can not browse the internet or ping. I also can not access the router by going to the default gateway shown by IPCONFIG. IPCONFIG also shows it connected to the DNS and has an IP but it still can't get on the internet. I have tried just about everything. We have used a USB wireless adapter and 2 different wireless NICs all to no avail. One thing that I noticed is that on the vaio laptop it shows it connected to Linksys. On the desktop it shows Linksys as the SSID but when it connects it adds _SES_### which I thought was very odd. I have ran through and reset the tcpip and flushed the DNS all to no luck. We ran a system restore back to a week before when it was working, no luck someone please help!!!!!

  I did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.

• Windows 7 desktop networking ok, but can't ping on local network

  Hi all,
  One minute, networking is working fine on my Windows 7 machine named "oscar".  Next, I have to switch oscar's ethernet cable directly to the cable modem for an unrelated test.  Switch cable back, let oscar reacquire IP address, now I
  notice I can't reach my wireless printer.
  I try to ping it by IP address, get "Request timed out".  Tried to ping my MacBook Pro, named "newt", by name.  DNS resolves name ok to 192.168.99.150, then I get same "Request timed out".
  I can ping oscar from itself just fine via 127.0.0.1 and 192.168.99.137 (its assigned IP address).
  I ping the printer, 192.168.99.232, from my MacBook Pro, works fine (as does printing from newt).  Try to ping oscar from newt, get "Request timeout for icmp_seq" messages.
  I've tried resetting networking via netsh as described at http://support.microsoft.com/kb/299357 & rebooting, no change.  Firewall is completely off.
  Oscar gets IP from DHCP on my router, 192.168.99.1, & I can still ping external IP addresses successfully by name & IP (like google.com, etc).  Web browsing from oscar works fine.  It's only on my internal network that this machine can't
  see other IP addresses.  Again, other machines can see each other just fine via ping.
  Retried all fix steps found on Internet (short of reinstalling Windows) and rebooted oscar after each one.  Still no go.
  Also reset arp cache (arp -d *) & retried, including reboot.  Still no go.
  Here's the output of ipconfig /all:
  C:\Users\Adams>ipconfig /all
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : Oscar
     Primary Dns Suffix  . . . . . . . :
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
  Ethernet adapter Local Area Connection:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
     Physical Address. . . . . . . . . : 48-5B-39-CA-E1-DD
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::99c8:2fa6:f7f6:39c9%15(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.99.137(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 11:33:01 PM
     Lease Expires . . . . . . . . . . : Wednesday, March 26, 2014 8:01:49 AM
     Default Gateway . . . . . . . . . : 192.168.99.1
     DHCP Server . . . . . . . . . . . : 192.168.99.1
     DHCPv6 IAID . . . . . . . . . . . : 340286265
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-92-02-82-48-5B-39-CA-E1-DD
     DNS Servers . . . . . . . . . . . : 8.8.8.8
                                         192.168.99.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{92171F05-3028-4029-9D9B-A3A9097680EF}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Teredo Tunneling Pseudo-Interface:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2495:2047:5253:979d(Preferred)
     Link-local IPv6 Address . . . . . : fe80::2495:2047:5253:979d%21(Preferred)
     Default Gateway . . . . . . . . . : ::
     NetBIOS over Tcpip. . . . . . . . : Disabled
  Any ideas?
  -matthew

  Hi,
  Glad to hear that you resolved this issue.
  Alex Zhao
  TechNet Community Support

• Wireless nearly working, but can't ping

  I've been trying to get wireless to work on my laptop using wpa_supplicant. I seem I be connected to the network, but I'm unable to ping google. Here's some info:
  bash-3.2# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf
  Trying to associate with 00:1a:1e:8d:1d:20 (SSID='Northwestern' freq=2462 MHz)
  Associated with 00:1a:1e:8d:1d:20
  CTRL-EVENT-EAP-STARTED EAP authentication started
  CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
  OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
  EAP-MSCHAPV2: Authentication succeeded
  EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
  CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
  WPA: Key negotiation completed with 00:1a:1e:8d:1d:20 [PTK=CCMP GTK=CCMP]
  CTRL-EVENT-CONNECTED - Connection to 00:1a:1e:8d:1d:20 completed (auth) [id=0 id_str=]
  bash-3.2# dhcpcd wlan0
  wlan0: dhcpcd 4.0.12 starting
  wlan0: broadcasting for a lease
  wlan0: offered 165.124.136.34 from 129.105.49.10
  wlan0: acknowledged 165.124.136.34 from 129.105.49.10
  wlan0: checking 165.124.136.34 is available on attached networks
  wlan0: leased 165.124.136.34 for 1800 seconds
  bash-3.2# ifconfig wlan0
  wlan0 Link encap:Ethernet HWaddr 00:1F:3B:27:C4:15
  inet addr:165.124.136.34 Bcast:165.124.136.255 Mask:255.255.255.0
  inet6 addr: fe80::21f:3bff:fe27:c415/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:21 errors:0 dropped:0 overruns:0 frame:0
  TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:3977 (3.8 Kb) TX bytes:2952 (2.8 Kb)

  Hi, the wireless link seems to be done successfully because you can obtain an IP on the network.
  What error message does the ping google.com command give ?
  Also can you ping 129.105.49.10, the dhcp server which gives you an ip ?
  After the dhcp setup, what default gateway shows the route command ?

• Podcast removed by iTunes, but can still ping it so can't add a new one

  Hi all,
  I submitted 3 requests for 3 podcasts to be removed, all 3 were done, but i can still ping 2 of them.
  This is one of them:
  http://www.elmwoodchurch.org.uk/rss/podcast/sundayreplaypm
  (Ping: https://phobos.apple.com/WebObjects/MZFinance.woa/wa/pingPodcast?id=367457524)
  This it seems that I cannot now add a similar podcast as it keeps telling me that it has already been submitted. I am using feedburner and have changed as much of the detail as possible, including title, description etc in feedburner and in my rss feed, but i still get the error.
  I have created a test podcast and run it through feedburner before trying to add it to iTunes and it seems fine
  Thanks for your help!

  Although the ping receives a response, the podcast with that ID number has definitely been removed. The feed you link to is empty, containing only the channel tags without content.
  If you are submitting a new version you should make sure that the feed URL is changed - just changing the filename would do - as well as making a change to the title; there seems to be a bug in the Store whereby resubmitting a feed for a podcast which has been removed (or rejected) gets this unhelpful response.

• Connect to VPN but can't ping past inside interface

  Hello,
  I've been working on this issue for a few days with no success. We're setting  up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec  VPN setup on it for remote access. After some initial problems, we've gotten it  to where the VPN tunnel authenticates the user and connects as it should,  however we cannot ping into our LAN. We are able to ping as far as the  firewall's inside interface. I've tried other types of traffic too and nothing  gets through. I've checked the routes listed on the VPN client while we're  connected and they look correct - the client also shows both sent and received  bytes when we connect using TCP port 10000, but no Received bytes when we  connect using UDP 4500. We are trying to do split tunneling, and that seems to  be setup correctly because I can still surf while the VPN is connected.
  Below is our running config. Please excuse any messyness in the config as  there are a couple of us working on it and we've been trying a whole bunch of  different settings throughout the troubleshooting process. I will also note that  we're using ASDM as our primary method of configuring the unit, so any  suggestions that could be made with that in mind would be most helpful.  Thanks!
  ASA-01# sh run
  : Saved
  ASA Version 8.6(1)2
  hostname ASA-01
  domain-name domain.org
  enable password **** encrypted
  passwd **** encrypted
  names
  interface GigabitEthernet0/0
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.0.0
  interface GigabitEthernet0/1
  description Primary WAN Interface
  nameif outside
  security-level 0
  ip address 76.232.211.169 255.255.255.192
  interface GigabitEthernet0/2
  shutdown
  <--- More --->
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  speed 100
  <--- More --->
  duplex full
  shutdown
  nameif management
  security-level 100
  ip address 10.4.0.1 255.255.0.0
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.2.11.6
  domain-name domain.org
  dns server-group sub
  name-server 10.2.11.121
  name-server 10.2.11.138
  domain-name sub.domain.net
  same-security-traffic permit intra-interface
  object network 76.232.211.132
  host 76.232.211.132
  object network 10.2.11.138
  host 10.2.11.138
  object network 10.2.11.11
  host 10.2.11.11
  <--- More --->
  object service DB91955443
  service tcp destination eq 55443
  object service 113309
  service tcp destination range 3309 8088
  object service 11443
  service tcp destination eq https
  object service 1160001
  service tcp destination range 60001 60008
  object network LAN
  subnet 10.2.0.0 255.255.0.0
  object network WAN_PAT
  host 76.232.211.170
  object network Test
  host 76.232.211.169
  description test
  object network NETWORK_OBJ_10.2.0.0_16
  subnet 10.2.0.0 255.255.0.0
  object network NETWORK_OBJ_10.2.250.0_24
  subnet 10.2.250.0 255.255.255.0
  object network VPN_In
  subnet 10.3.0.0 255.255.0.0
  description VPN User Network
  object-group service 11
  service-object object 113309
  <--- More --->
  service-object object 11443
  service-object object 1160001
  object-group service IPSEC_VPN udp
  port-object eq 4500
  port-object eq isakmp
  access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
  access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
  access-list outside_access_in extended permit object DB91955443 any interface outside
  access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any
  access-list inside_access_in extended permit ip any any log disable
  access-list inside_access_in extended permit icmp any any echo-reply log disable
  access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
  access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
  access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
  access-list vpn_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
  <--- More --->
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any management
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source dynamic any WAN_PAT inactive
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
  nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
  nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  <--- More --->
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ActiveDirectory protocol nt
  aaa-server ActiveDirectory (inside) host 10.2.11.121
  nt-auth-domain-controller sub.domain.net
  aaa-server ActiveDirectory (inside) host 10.2.11.138
  nt-auth-domain-controller sub.domain.net
  user-identity default-domain LOCAL
  eou allow none
  http server enable
  http 10.4.0.0 255.255.255.0 management
  http 10.2.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  no sysopt connection permit-vpn
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  <--- More --->
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  <--- More --->
  subject-name CN=ASA-01
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate a6c98751
      308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
      0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
      092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
      67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
      5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
      2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
      acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
      fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
      140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
      61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
      0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
      acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
      288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
      92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
      1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
    quit
  crypto isakmp identity address
  crypto isakmp nat-traversal 30
  crypto ikev2 policy 1
  <--- More --->
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  <--- More --->
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  crypto ikev1 ipsec-over-tcp port 10000
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  <--- More --->
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  <--- More --->
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  <--- More --->
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  <--- More --->
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd dns 10.2.11.121 10.2.11.138
  dhcpd lease 36000
  dhcpd ping_timeout 30
  dhcpd domain sub.domain.net
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  <--- More --->
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy domain internal
  group-policy domain attributes
  banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
  wins-server value 10.2.11.121 10.2.11.138
  dns-server value 10.2.11.121 10.2.11.138
  vpn-idle-timeout none
  vpn-filter value vpn_access_in
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  group-policy DfltGrpPolicy attributes
  dns-server value 10.2.11.121 10.2.11.138
  vpn-filter value outside_access_in
  vpn-tunnel-protocol l2tp-ipsec
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  address-pools value VPNUsers
  username **** password **** encrypted privilege 15
  <--- More --->
  username **** password **** encrypted privilege 15
  username **** attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect dtls compression lzs
    anyconnect ssl dtls enable
    anyconnect profiles value VPN_client_profile type user
  tunnel-group DefaultL2LGroup general-attributes
  default-group-policy domain
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPNUsers
  authentication-server-group ActiveDirectory
  default-group-policy domain
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  ikev1 trust-point ASDM_TrustPoint0
  tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy domain
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool (inside) VPNUsers
  address-pool VPNUsers
  authentication-server-group ActiveDirectory LOCAL
  authentication-server-group (inside) ActiveDirectory LOCAL
  <--- More --->
  default-group-policy domain
  dhcp-server link-selection 10.2.11.121
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
  <--- More --->
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 21
    subscribe-to-alert-group configuration periodic monthly 21
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
  : end

  Hello,
  I've been working on this issue for a few days with no success. We're setting  up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec  VPN setup on it for remote access. After some initial problems, we've gotten it  to where the VPN tunnel authenticates the user and connects as it should,  however we cannot ping into our LAN. We are able to ping as far as the  firewall's inside interface. I've tried other types of traffic too and nothing  gets through. I've checked the routes listed on the VPN client while we're  connected and they look correct - the client also shows both sent and received  bytes when we connect using TCP port 10000, but no Received bytes when we  connect using UDP 4500. We are trying to do split tunneling, and that seems to  be setup correctly because I can still surf while the VPN is connected.
  Below is our running config. Please excuse any messyness in the config as  there are a couple of us working on it and we've been trying a whole bunch of  different settings throughout the troubleshooting process. I will also note that  we're using ASDM as our primary method of configuring the unit, so any  suggestions that could be made with that in mind would be most helpful.  Thanks!
  ASA-01# sh run
  : Saved
  ASA Version 8.6(1)2
  hostname ASA-01
  domain-name domain.org
  enable password **** encrypted
  passwd **** encrypted
  names
  interface GigabitEthernet0/0
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.0.0
  interface GigabitEthernet0/1
  description Primary WAN Interface
  nameif outside
  security-level 0
  ip address 76.232.211.169 255.255.255.192
  interface GigabitEthernet0/2
  shutdown
  <--- More --->
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  speed 100
  <--- More --->
  duplex full
  shutdown
  nameif management
  security-level 100
  ip address 10.4.0.1 255.255.0.0
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.2.11.6
  domain-name domain.org
  dns server-group sub
  name-server 10.2.11.121
  name-server 10.2.11.138
  domain-name sub.domain.net
  same-security-traffic permit intra-interface
  object network 76.232.211.132
  host 76.232.211.132
  object network 10.2.11.138
  host 10.2.11.138
  object network 10.2.11.11
  host 10.2.11.11
  <--- More --->
  object service DB91955443
  service tcp destination eq 55443
  object service 113309
  service tcp destination range 3309 8088
  object service 11443
  service tcp destination eq https
  object service 1160001
  service tcp destination range 60001 60008
  object network LAN
  subnet 10.2.0.0 255.255.0.0
  object network WAN_PAT
  host 76.232.211.170
  object network Test
  host 76.232.211.169
  description test
  object network NETWORK_OBJ_10.2.0.0_16
  subnet 10.2.0.0 255.255.0.0
  object network NETWORK_OBJ_10.2.250.0_24
  subnet 10.2.250.0 255.255.255.0
  object network VPN_In
  subnet 10.3.0.0 255.255.0.0
  description VPN User Network
  object-group service 11
  service-object object 113309
  <--- More --->
  service-object object 11443
  service-object object 1160001
  object-group service IPSEC_VPN udp
  port-object eq 4500
  port-object eq isakmp
  access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
  access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
  access-list outside_access_in extended permit object DB91955443 any interface outside
  access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any
  access-list inside_access_in extended permit ip any any log disable
  access-list inside_access_in extended permit icmp any any echo-reply log disable
  access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
  access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
  access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
  access-list vpn_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
  <--- More --->
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any management
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source dynamic any WAN_PAT inactive
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
  nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
  nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  <--- More --->
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ActiveDirectory protocol nt
  aaa-server ActiveDirectory (inside) host 10.2.11.121
  nt-auth-domain-controller sub.domain.net
  aaa-server ActiveDirectory (inside) host 10.2.11.138
  nt-auth-domain-controller sub.domain.net
  user-identity default-domain LOCAL
  eou allow none
  http server enable
  http 10.4.0.0 255.255.255.0 management
  http 10.2.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  no sysopt connection permit-vpn
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  <--- More --->
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  <--- More --->
  subject-name CN=ASA-01
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate a6c98751
      308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
      0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
      092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
      67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
      5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
      2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
      acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
      fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
      140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
      61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
      0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
      acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
      288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
      92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
      1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
    quit
  crypto isakmp identity address
  crypto isakmp nat-traversal 30
  crypto ikev2 policy 1
  <--- More --->
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  <--- More --->
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  crypto ikev1 ipsec-over-tcp port 10000
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  <--- More --->
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  <--- More --->
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  <--- More --->
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  <--- More --->
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd dns 10.2.11.121 10.2.11.138
  dhcpd lease 36000
  dhcpd ping_timeout 30
  dhcpd domain sub.domain.net
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  <--- More --->
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy domain internal
  group-policy domain attributes
  banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
  wins-server value 10.2.11.121 10.2.11.138
  dns-server value 10.2.11.121 10.2.11.138
  vpn-idle-timeout none
  vpn-filter value vpn_access_in
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  group-policy DfltGrpPolicy attributes
  dns-server value 10.2.11.121 10.2.11.138
  vpn-filter value outside_access_in
  vpn-tunnel-protocol l2tp-ipsec
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  address-pools value VPNUsers
  username **** password **** encrypted privilege 15
  <--- More --->
  username **** password **** encrypted privilege 15
  username **** attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect dtls compression lzs
    anyconnect ssl dtls enable
    anyconnect profiles value VPN_client_profile type user
  tunnel-group DefaultL2LGroup general-attributes
  default-group-policy domain
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPNUsers
  authentication-server-group ActiveDirectory
  default-group-policy domain
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  ikev1 trust-point ASDM_TrustPoint0
  tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy domain
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool (inside) VPNUsers
  address-pool VPNUsers
  authentication-server-group ActiveDirectory LOCAL
  authentication-server-group (inside) ActiveDirectory LOCAL
  <--- More --->
  default-group-policy domain
  dhcp-server link-selection 10.2.11.121
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
  <--- More --->
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 21
    subscribe-to-alert-group configuration periodic monthly 21
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
  : end

• VPN connection works, but can't ping or access any other device on remote network

  I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
  The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
  My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
  Both routers are using subnet mask of 255.255.255.0
  The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
  Example:
  At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
  In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
  I'm not sure how to fix this, or whether I need to change settings on either router or the server.
  Would greatly appreciate any insight or help on this. Thanks.

  danimalapple wrote:
  I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
  The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
  My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
  Both routers are using subnet mask of 255.255.255.0
  The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
  Example:
  At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
  In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
  I'm not sure how to fix this, or whether I need to change settings on either router or the server.
  Would greatly appreciate any insight or help on this. Thanks.
  Check the DNS settings on the server (see my earlier post in this thread).

• Compliant user provisioning configuration done but can't create new request

  Hi All,
  We have upgraded our system from GRC 5.2 to GRC 5.3.
  Then we have done all the configuration for Risk analysis (CC) and then we have completed the configuration for Compliant user provisioning(Access enforcer) but now when we are going to create the request it is saying the request canniot be created.
  THe request passes through all the steps it is successful at Risk anlysis step also.
  But at the last step when we go to submit the Request this error comes.
  I have looked at the logs present in : Monitoring :--> System log.    I could not find anything.
  Am i looking at wrong place for logs. ?
  Is there any issue with the configuration.. Because the requests was successfully created when in GRC 5.2.
  Can anybody help me. ?

  Rajesh-
  Since 5.3 is in the ramp-up phase, you can contact SAP directly and they will resolve your problem very quickly, since they will be releasing it to all clients in October.
  And I am assuming you are working with SAP directly right now, since you have upgraded to 5.3, right?...
  Ankur
  GRC Consultant