Shrew soft vpn client

I am trying to get the shrew soft vpn client to work with a cisco ipsec vpn on windows server 2012.  Has anyone done this with it or similar generic vpn clients?

I don't want to push this thread, but I've finally managed to make a PKGBUILD for it. It's now on AUR (entry 28548) and my first package there. It's necessary to add 'iked' to the DAEMONS list in /etc/rc.conf, start it up once by hand and use ikea-qt to set up and connect to your networks.
Last edited by Basic-Master (2009-07-19 04:23:10)

Similar Messages

  • RV320 and Shrew Soft vpn client - cannot get it to connect

    Hi,
    I have been trying to configure Shrew vpn client 2.2.2 to connect to the RV320 but I can't even get phase 1 to work. I would be very grateful if someone has managed this and could post the configuration (tunnel, groupvpn or easyvpn). I use:
    RV320 with fw 1.1.1.19
    Windows 8.1 Pro x64
    Shrew Soft vpn-client 2.2.2

    Okay here you go please see attached images.
    Please note the following:
    In this example NAT Traversal is enabled; if your RV320 isn't set up behind another router I think you can disable it.
    Under "Local Group Setup" enter the IP Address and Subnet Mask of the LAN your RV320 is part of.
    The preshared key you enter under IPSec setup is entered in Shrew in the "Authentication" --> "Credentials" tab.
    We use Extended Authentication (Xauth+PSK in Shrew Soft); you need to have a user + password set up under the "User Management" tab on the RV320. Once you connect with Shrew Soft it will prompt for a username + password that is set up on the RV320 under the User Management tab.
    We're using "Mode Config"; the IPSEC client will be assigned an address from the Virtual IP Address range.
    In this example neither a DNS nor a WINS server has been configured.

  • Vpn config for shrew soft vpn client

    I wonder whether I am the only one having these problems.
    I can't connect with my windows 7 home premium to Lion server vpn.
    I can connect with it through my iphone, so the server works.
    Since I am unable to change any security policy stuff I downloaded shrew soft vpn client.
    But I can't find any documentation which settings the mac vpn system uses for the connection.
    Hope someone can help me

    Here is a sample configuration for Remote access VPN using Cisco IPSec VPN Client:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

  • Shrew Soft VPN won't connect through 4G LTE - using Pantech UML290

    Hey everyone,
    I'm using Shrew Soft VPN to connect to my company's network and can't seem to connect when using the 4G broadband. I have no issues using Ethernet/wifi but for some reason I can't establish a connection when using 4G.
    I'm currently using the Pantech UML290 to connect to the 4G network. I tried to switch to 3G to see if there was some type of encryption causing the issue. That doesn't resolve it.
    Has anyone else experienced this and found a solution?

    I opened a case with Verizon and it seems the problem is on their end.  To get access to VPN again, you have to downgrade the VZAccess, downgrade the Firmware (that is "required") to an older version, and uninstall Verizon firmware updates in Add/Remove programs.  This is the email that VZ sent me:
    Thank you for contacting the Verizon Wireless Data Technical Support department through our website. We are sorry to learn that you are unable to connect to your company's VPN when using your UML290 Modem. We are pleased to assist you.
    We can certainly understand your frustration when your device does not work as expected. You should be able to connect to your company's VPN service when using the UML290. We will be providing you with steps to check your VZAccess Manager Software version.
    After updating to MR2 (Maintenance Release 2) software, the UML290 may not be able to connect to some VPNs. The MR2 software was included in the VZAccess Manager build 7.6.3 (2642j). To check the current version that you are currently running on your computer, please complete the steps provided below:
    1. Launch VZAccess Manager
    2. Click Help
    3. Select About VZAccess Manager
    If you are running VZAccess Manager 7.6.3 (2642j), please downgrade the software. To do so, please complete the steps provided below:
    1. Browse to http://www.vzam.net/download/download.aspx
    2. Select your Operating System
    3. Select the device you are using
    4. Select your hardware i.e. Pantech UML290
    5. Click Continue
    6. Click the Downgrade Utility link located under the Installation Instructions and/or Device Drivers
    You should be able to use the steps provided above to downgrade the VZAccess Manager Software. Once this has been completed, you should be able to connect to your company's VPN when using the Pantech UML290.
    Make sure you read the read_me.pdf doc packaged with the firmware downgrade utility.  There are some steps that are left out of this procedure that are in that doc.  Good luck to everyone.
    -daddy

  • Help with rv180w and shrew soft vpn

    Hi, I'm trying to establish a vpn connection using shrew soft to the router cisco rv180w.
    I looked and read all I could find but the connection drops when opening the tunnel.
    There were some tutorials here in the forum but the links are down.
    What I want to accomplish is to establish a communication and be able to access my domain on the network.
    Any help with the settings would be greatly appreciated. I'm new to vpn.
    Thanks in advance.

    Federico,
    Try to access the following link. It has good instructions for a similar model. The main difference is that the SA500 has Dual-WAN and the RV180W does not.
    https://supportforums.cisco.com/docs/DOC-9378#comment-7216
    Here is another tutorial for the RVS4000 that may help:
    https://supportforums.cisco.com/docs/DOC-18443
    Check out the last post in the following thread as well, which has instructions for the RV220W (Should be exactly the same as RV180W)
    https://supportforums.cisco.com/message/4165652#4165652
    - Marty

  • RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

    For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
    This is mostly a question, and partly "in use" observations.
    Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel" mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never work in that mode, do we know if an RV220W will work with an IPSec client in Full Tunnel Mode?
    If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
    Summary of VPN modes I've gotten to work with an RV220W:
    Client     | Split Tunnel Works? | Full Tunnel Works? | OS?     | Notes
    SSL VPN    | Yes                 | Yes                | Win7/64 | IE10 or IE11
    QuickVPN   | Yes                 | No                 | Win7/64 |
    IPSec VPN  | Yes                 | No                 | Win7/64 | Shrew Soft VPN Client

    I have to mark this as not a correct answer.
    Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
    To Michal Bruncko who posted this:
    1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
    2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

  • I cannot establish VPN connection with rv120w to shrew soft client

    1. I bought 2 rv120w routers and installed one direct to WAN and one behind a router-hub.
    2. the one behind the router is set DMZ, and each is connected Site to Site vpn
    3. I need to connect each site with my mobile devices (1 notebook, 2 Win8 tablets, 2 android devices)
    4. i use a wibro mobile router, win8 devices're behind the router, and their port is forwarded (DMZ)
    5. I'll take care of Android devices later, here now, my trouble is Win8 devices
    6. i installed cisco QuickVPN software. frankly, that software is shit. i don't know why but it even cannot reach the router, no log generated on rv120w. and i don't want a PPTP connection. sorry for the criticism but I'm sure many QuickVPN users (and people who fail to be a user) agree with me. it's 2014. not 1998.
     Cisco should be ashamed of that software. it looks like a second grade college student's 2nd semester project (many of them're better nowadays.) and doesn't work.
    the more amazing fact is that's the only software that the RV series provides officially. What the...so in conclusion, Cisco does not provide any IPSec client connection tool at all. does that make any sense?
    7. i tried 10 or more hours to make an IPSec client connection with many vpn client software packages, this is my closest shot.
    RV120W log : 
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Configuration found for 175.xxx.xxx.xxx[500].
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received request for new phase 1 negotiation: 11x.xxx.xxx.xxx[500]<=>175.xxx.xxx.xxx[500]
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Beginning Aggressive mode.
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: RFC 3947
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: DPD
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: DPD
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received Vendor ID: CISCO-UNITY
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received unknown Vendor ID
    2014-10-02 15:03:05: [rv120w][IKE] INFO:  For 175.xxx.xxx.xxx[500], Selected NAT-T version: RFC 3947
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Floating ports for NAT-T with peer 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  NAT-D payload does not match for 11x.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  NAT-D payload does not match for 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Sending Xauth request to 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  ISAKMP-SA established for 11x.xxx.xxx.xxx[4500]-175.xxx.xxx.xxx[4500] with spi:90dd9f6bf4d51d95:70f7c62456edef9e
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REPLY" from 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Login succeeded for user "fxxxxxxxxX1"
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 175.xxx.xxx.xxx[4500]
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] WARNING:  Ignored attribute 5
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] WARNING:  Ignored attribute 28678
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
    2014-10-02 15:03:06: [rv120w][IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=90dd9f6bf4d51d95:70f7c62456edef9e.
    2014-10-02 15:03:07: [rv120w][IKE] INFO:  ISAKMP-SA deleted for 11x.xxx.xxx.xxx[4500]-175.xxx.xxx.xxx[4500] with spi:90dd9f6bf4d51d95:70f7c62456edef9e
    Phase 1 Setting (Selected IKE Policy View)
    General: Policy Name: FDCStD; Direction / Type: Responder; Exchange Mode: Aggressive; Enable XAUTH Client
    Local Identification: Identifier Type: Local Wan IP; FQDN: 112.167.xxx.xxx
    Peer IKE Identification: Identifier Type: Remote Wan IP; FQDN: 175.xxx.xxx.xxx
    IKE SA Parameters: Encryption Algorithm: 3DES; Authentication Algorithm: SHA-1; Authentication Method: Pre-Shared Key; Pre-Shared Key: qpwoeiruty; Diffie-Hellman (DH) Group: Group 2 (1024 bit); SA-Lifetime: 28800 Seconds
    Phase 2 setting (Add / Edit VPN Policy Configuration form; selectable options separated by /)
    Policy Name
    Policy Type: Auto Policy / Manual Policy
    Remote Endpoint: IP Address / FQDN
    NETBIOS: Enable
    Local Traffic Selection: Local IP: Any / Single / Range / Subnet; Start Address; End Address; Subnet Mask
    Remote Traffic Selection: Remote IP: Any / Single / Range / Subnet (This field is not editable, because netbios is selected.); Start Address; End Address; Subnet Mask
    Split DNS: Enable; Domain Name Server 1; Domain Name Server 2 (Optional); Domain Name 1; Domain Name 2 (Optional)
    Manual Policy Parameters: SPI-Incoming; SPI-Outgoing; Encryption Algorithm: 3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM; Key-In; Key-Out; Integrity Algorithm: SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5; Key-In; Key-Out
    Auto Policy Parameters: SA-Lifetime: Seconds / KBytes; Encryption Algorithm: 3DES / None / DES / AES-128 / AES-192 / AES-256 / AES-CCM / AES-GCM; Integrity Algorithm: SHA-1 / SHA2-256 / SHA2-384 / SHA2-512 / MD5; PFS Key Group: Enable; DH-Group 1 (768 bit) / DH-Group 2 (1024 bit) / DH-Group 5 (1536 bit)
    Select IKE Policy: FDCStSFKS / FDCStD
    Shrew client setting
    8. in rv120w setting for advanced setup > Policy Type>
    there's two options, FQDN and IP Address
     when I'm in a non-static IP Address environment, how should I set that field?
    RV120w does not support non-static IP Address?
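Reading a responder log like the one in the post above by hand is error-prone, so here is an added example (not from the thread) that parses it: it re-splits the record that the paste fused onto one line, collects the phase 1, NAT-T, XAuth and Mode Config facts, and returns a verdict code. It assumes racoon-style message wording as seen in the post; the "Login failed" text as the counterpart of the "Login succeeded" line is an assumption.

```python
"""Triage an RV120W (racoon-style) IKE responder log to find the step at which a
Shrew Soft client's negotiation failed.  SAMPLE_LOG is built from the lines the
poster shared (addresses masked as in the post), including the two records that
the copy/paste fused onto one line."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Every record starts with a timestamp; splitting on a lookahead for it also
# repairs lines that hold two records ("... RFC 39472014-10-02 15:03:06: ...").
RECORD_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: \[)")
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"\[(?P<dev>[^\]]+)\]\[IKE\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

@dataclass
class IkeSummary:
    exchange_mode: str | None = None
    nat_detected: bool = False
    xauth_login: str | None = None          # "succeeded" or "failed"
    isakmp_sa_established: bool = False
    client_requested_modecfg: bool = False  # client sent ISAKMP_CFG_REQUEST
    modecfg_missing_errors: int = 0         # "... does not have mode config"
    isakmp_sa_purged: bool = False
    ignored_attributes: list[int] = field(default_factory=list)

# Verdict codes and what each means for whoever runs the responder.
EXPLANATIONS = {
    "PHASE1_FAILED": "no ISAKMP-SA: check PSK, identities, exchange mode and proposals",
    "XAUTH_FAILED": "ISAKMP-SA up but the XAuth login was rejected: check the user account",
    "MODECFG_MISSING": "phase 1 and XAuth completed, but the client asked for Mode Config and the IKE policy has none; SA purged before phase 2",
    "SA_PURGED": "ISAKMP-SA purged after phase 1 for another reason: read the ERROR records",
    "PHASE1_OK": "phase 1 completed; look at the IPsec-SA (phase 2) records",
}

def split_records(text: str) -> list[str]:
    """Split raw log text into records, un-fusing lines that carry two."""
    records: list[str] = []
    for line in text.splitlines():
        records.extend(p.strip() for p in RECORD_START.split(line) if p.strip())
    return records

def summarize(records: list[str]) -> IkeSummary:
    """Walk the records in order and collect the facts the verdict depends on."""
    s = IkeSummary()
    for rec in records:
        m = RECORD.match(rec)
        if not m:
            continue                                 # not an IKE record
        msg = m["msg"]
        if msg.startswith("Beginning Aggressive mode"):
            s.exchange_mode = "aggressive"
        elif msg.startswith("NAT detected"):
            s.nat_detected = True
        elif msg.startswith("Login succeeded"):
            s.xauth_login = "succeeded"
        elif msg.startswith("Login failed"):         # assumed counterpart of the line above
            s.xauth_login = "failed"
        elif msg.startswith("ISAKMP-SA established"):
            s.isakmp_sa_established = True
        elif "ISAKMP_CFG_REQUEST" in msg:
            s.client_requested_modecfg = True
        elif "does not have mode config" in msg:
            s.modecfg_missing_errors += 1
        elif msg.startswith("Purged ISAKMP-SA"):
            s.isakmp_sa_purged = True
        elif (im := re.fullmatch(r"Ignored attribute (\d+)", msg)):
            s.ignored_attributes.append(int(im[1]))
    return s

def diagnose(s: IkeSummary) -> str:
    """Return the verdict code for a summary (see EXPLANATIONS)."""
    if not s.isakmp_sa_established:
        return "PHASE1_FAILED"
    if s.xauth_login == "failed":
        return "XAUTH_FAILED"
    if s.client_requested_modecfg and s.modecfg_missing_errors:
        return "MODECFG_MISSING"
    if s.isakmp_sa_purged:
        return "SA_PURGED"
    return "PHASE1_OK"

SAMPLE_LOG = """\
2014-10-02 15:03:05: [rv120w][IKE] INFO:  Received request for new phase 1 negotiation: 11x.xxx.xxx.xxx[500]<=>175.xxx.xxx.xxx[500]
2014-10-02 15:03:05: [rv120w][IKE] INFO:  Beginning Aggressive mode.
2014-10-02 15:03:05: [rv120w][IKE] INFO:  For 175.xxx.xxx.xxx[500], Selected NAT-T version: RFC 39472014-10-02 15:03:06: [rv120w][IKE] INFO:  Floating ports for NAT-T with peer 175.xxx.xxx.xxx[4500]
2014-10-02 15:03:06: [rv120w][IKE] INFO:  NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
2014-10-02 15:03:06: [rv120w][IKE] INFO:  ISAKMP-SA established for 11x.xxx.xxx.xxx[4500]-175.xxx.xxx.xxx[4500] with spi:90dd9f6bf4d51d95:70f7c62456edef9e
2014-10-02 15:03:06: [rv120w][IKE] INFO:  Login succeeded for user "fxxxxxxxxX1"
2014-10-02 15:03:06: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 175.xxx.xxx.xxx[4500]
2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
2014-10-02 15:03:06: [rv120w][IKE] WARNING:  Ignored attribute 5
2014-10-02 15:03:06: [rv120w][IKE] ERROR:  Local configuration for 175.xxx.xxx.xxx[4500] does not have mode config
2014-10-02 15:03:06: [rv120w][IKE] WARNING:  Ignored attribute 28678
2014-10-02 15:03:06: [rv120w][IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=90dd9f6bf4d51d95:70f7c62456edef9e.
"""
```

`diagnose(summarize(split_records(SAMPLE_LOG)))` yields `MODECFG_MISSING`, which matches Mehdi's fix below: the router policy, not the client, is what has to change.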

    Hi kastwf001,
    My name is Mehdi from Cisco Technical Support, just want to inform you regarding QuickVPN: it is a light software using the IPsec service of Windows, so here it depends on Windows and the firewall ... IPsec settings on Windows, encryption ...
    anyhow for RV120W it's open for 3rd party software such as ShrewVPN, TheGreenBow ... and working as expected since those software are using their own IPsec services ..
    Please follow the configuration steps on RV120W and ShrewVPN (screenshots taken from your post):
    Please let me know if you have any question
    Please rate the post or mark as answered to help other Cisco Customers
    Regards
    Mehdi 

  • RV042 Shrew soft client NAT-t new mapping

    Hi everyone,
    Since I had a Quick VPN issue, I tried the Shrew soft client hoping to get the IPSec tunnel with router RV042 in Client2gateway mode.
    On the Shrew client, I got "Tunnel is activated" but got establish-failed errors.
    On the RV042 IPSec log, it ended with: NAT-T: x.x.x.x new mapping.
    What does it mean?
    Thanks for your answers.

    Hi Hdam,
    That's good :) 
    - Yes, you can change the FQDN from remote.com to another domain name.
    - Why don't I select IP address as remote? Because on the router, when you select Group VPN the VPN will automatically be the responder waiting for a connection; also in that case we don't need to specify the Public or LAN network of the client because they can connect from anywhere.
    Now from the client the local ID should be the same as the remote ID in the router (remember when you configure a VPN tunnel between two routers the local address from site B should be the remote local on Site A; it is the same here with shrewVPN but using FQDN)
    - Just I want to clarify: RV0xx doesn't support VLANs, it's Port based Vlan and multiple Subnet, BUT you can achieve what you need :)
    Please follow these steps:
    Step 1 : I assume that you have already added the additional subnet; if not, just add it under Setup --> Network and then add the additional subnet. For a better implementation of the subnet it is better to have something like this example: if you have the default network 192.168.1.1/24, add the second subnet 192.168.2.1/24; in this case in the VPN setup we can do subnet summarization and it will be 192.168.0.0/16 class B, and all the PCs connected to the router should have gateway 192.168.1.1 or 192.168.2.1 in my example of course
    Step 2 : Under VPN --> summary --> edit the old configuration for the VPN client and change the local network to 192.168.0.0 mask 255.255.0.0
    Step 3 : on shrew VPN also under policy --> Remote Network Resource change to 192.168.0.0 255.255.0.0
    and it should work :)
    Please rate this post to help other Cisco Customer
    Greetings
    Mehdi
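As an added example (not Mehdi's or Cisco's code), the following checks the summarized selector from the steps above against the two LANs it must cover, computes the tightest prefix that still covers both (a /22 rather than the /16), measures how much extra address space each selector admits, and flags overlap with a roaming client's own LAN. The 192.168.178.0/24 home network used for that last check is a constructed value.

```python
"""Check an IPsec traffic selector (RV042 'local network' / Shrew 'Remote
Network Resource') against the LAN subnets that must be reachable through the
tunnel.  The 192.168.1.0/24 + 192.168.2.0/24 LANs and the 192.168.0.0/16 summary
are the values from the steps above; the /22 alternative is computed here."""
from ipaddress import IPv4Network

def nets(cidrs):
    """Parse CIDR strings; strict=False accepts '192.168.1.1/24' as written in
    the post and normalises it to 192.168.1.0/24."""
    return [IPv4Network(c, strict=False) for c in cidrs]

def covers_all(selector: str, lans) -> bool:
    """True when every LAN subnet lies inside the selector."""
    sel = IPv4Network(selector, strict=False)
    return all(lan.subnet_of(sel) for lan in nets(lans))

def tightest_summary(lans) -> IPv4Network:
    """Smallest single prefix containing all the given subnets: the bits shared
    by the lowest and highest address give the prefix length (here /22)."""
    n = nets(lans)
    lo = min(int(x.network_address) for x in n)
    hi = max(int(x.broadcast_address) for x in n)
    prefix = 32 - (lo ^ hi).bit_length()
    return IPv4Network((lo, prefix), strict=False)

def excess_addresses(selector: str, lans) -> int:
    """Addresses the selector admits beyond the LANs that actually need it."""
    sel = IPv4Network(selector, strict=False)
    return sel.num_addresses - sum(x.num_addresses for x in nets(lans))

def clashes_with_client_lan(selector: str, client_lan: str) -> bool:
    """A selector that overlaps the roaming client's own LAN pulls that local
    traffic into the tunnel; 192.168.0.0/16 overlaps almost every home network."""
    return IPv4Network(selector, strict=False).overlaps(IPv4Network(client_lan, strict=False))

if __name__ == "__main__":
    lans = ["192.168.1.1/24", "192.168.2.1/24"]     # the two router subnets above
    home = "192.168.178.0/24"                       # constructed client-side LAN
    for sel in ("192.168.0.0/16", str(tightest_summary(lans))):
        print(sel, "covers both:", covers_all(sel, lans),
              "excess addresses:", excess_addresses(sel, lans),
              "overlaps client LAN:", clashes_with_client_lan(sel, home))
```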

  • Unable to install Cisco VPN Client on Windows 7

    Hello,
    After a successful uninstallation of Cisco VPN version 4, I tried to install Cisco VPN Client version 5.0.07.0290.
    But after launching vpnclient_setup.msi, the wizard starts. When I click on the Next button, I get the following message: "installation ended prematurely because of an error".
    In the attachment, I add the details of the error found in the windows logs (logError.txt) and the logs generated from the MSI installer in verbose mode (log2.txt).
    My computer is a lenovo W500 with Windows 7 64 bits and 4 GB of memory (compliant with the Cisco VPN Client requirements).
    I have administrator privileges on this computer.
    Please help me !
    I need to use it to connect to my company network.
    Thanks in advance.
    BR
    Jerome

    You should be able to install the 64 bit version of the Cisco VPN software
    Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
    Using Shrew VPN is a workaround more than a solution / answer to this issue.
    You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
    http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
    MicrosoftFixit50842.msi

  • Cisco VPN client install fails with Error 1722 on Windows 7

    Hi,
    I am having issues with laptops upgraded from Vista to Windows 7.
    Prior to the upgrade they are running Cisco VPN Client 5.0.05.0290.  These laptops also have Juniper Network Connect 6.5 and Citrix web client installed.  The windows upgrade advisor made no recommendations regarding uninstalling / reinstalling these apps.
    I have done an in-place upgrade to Windows 7 (Windows Vista Enterprise 32bit to Windows 7 Enterprise 32 bit) and after the install the Cisco client is not working.  Uninstalled the client (the uninstall was successful) then reinstalled and the installation fails at Installing Cisco Systems Virtual Adapter - error 1722 there was a problem with the windows installer package.
    I have followed the steps for a manual uninstall of the Cisco client and then tried the install again - still not successful.  Interestingly (or not) the Juniper Network Connect also fails with the error The Network Connect Virtual adapter driver is not installed properly.  This also fails to reinstall after being removed.
    I tried removing the VPN clients on another laptop and then running the upgrade but the same errors occurred when reinstalling the VPN Client.  I have tried the Winfix and DNE patch from Citrix but these fail saying there is a corruption in the application.
    On another laptop where only the Cisco VPN client was installed a reinstall was required after the upgrade, but it did install successfully.
    On a clean image these applications all install fine, however I have a large number of laptops to upgrade and don't want to do a fresh install and settings migration on all of them.
    What files / registry entries are involved with the DNE adapter so I can manually clear it all out before reinstalling?
    Anything else I can do to troubleshoot this issue?
    Cheers,
    James

    You should be able to install the 64 bit version of the Cisco VPN software
    Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
    You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
    http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
    MicrosoftFixit50842.msi
    (Using Shrew VPN is a possible workaround.)

  • Auto install VPn client via Cisco concentrator, anyone done this before?

    This is beginning to frustrate me, I must be missing something.
    I have downloaded update-5.0.01.0600-major-K9.zip and unzipped the 3 files to an internal website the VPN users can access. The 3 files are:
    binary_config.ini
    sig.dat
    vpnclient-win-msi-5.0.01.0600-k9.exe
    On the concentrator I have added http://webserver/vpn/5.0/
    users only get a manual method to update when they connect, I have also tried
    http://vogbs010/vpn/5.0/vpnclient-win-msi-5.0.01.0600-k9.exe
    Which doesn't work
    All I want is to try and get the Auto-install screen pop which tells the user the update has been downloaded. I'm testing this on VPN client version 4.8.
    Hope you can advise.

    You should be able to install the 64 bit version of the Cisco VPN software
    Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
    You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
    http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
    MicrosoftFixit50842.msi
    (Using Shrew VPN is a possible workaround.)

  • Remote Access VPN Clients Cannot Access inside LAN

    I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with.  I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  They can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
    : Saved
    ASA Version 8.2(1)
    hostname ASA5505
    domain-name default.domain.invalid
    enable password eelnBRz68aYSzHyz encrypted
    passwd eelnBRz68aYSzHyz encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group dataDSL
    ip address 76.244.75.57 255.255.255.255 pppoe
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.9.1 255.255.255.0
    interface Vlan10
    nameif outside_cable
    security-level 0
    ip address 50.84.96.178 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 10
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group service Netbios udp
    port-object eq 139
    port-object eq 445
    port-object eq netbios-ns
    object-group service Netbios_TCP tcp
    port-object eq 445
    port-object eq netbios-ssn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.100.177
    network-object host 192.168.100.249
    object-group service Web_Services tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_10
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_11
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_3
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_4
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_5
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_6
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_7
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_8
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_9
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network VPN
    network-object 192.168.255.0 255.255.255.0
    access-list outside_access_in extended permit icmp any host 76.244.75.61
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
    access-list dmz_access_in remark Quickbooks
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
    access-list dmz_access_in remark Quickbooks range
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
    access-list dmz_access_in remark QB
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
    access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
    access-list dmz_access_in remark Printer
    access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
    access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
    access-list dmz_access_in remark QB probably does not need any udp
    access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark QB included in other rule range
    access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark May be required for Quickbooks
    access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500 
    mtu outside_cable 1500
    ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
    ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    global (outside_cable) 10 interface
    nat (inside) 0 access-list nonat-in
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
    static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    access-group outside_cable_access_in in interface outside_cable
    route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    http 204.107.173.0 255.255.255.0 outside
    http 204.107.173.0 255.255.255.0 outside_cable
    http 0.0.0.0 0.0.0.0 outside_cable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_cable_map interface outside_cable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outside_cable
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh 204.107.173.0 255.255.255.0 outside
    ssh 204.107.173.0 255.255.255.0 outside_cable
    ssh 0.0.0.0 0.0.0.0 outside_cable
    ssh timeout 15
    console timeout 0
    vpdn group dataDSL request dialout pppoe
    vpdn group dataDSL localname [email protected]
    vpdn group dataDSL ppp authentication pap
    vpdn username [email protected] password *********
    dhcpd address 192.168.100.30-192.168.100.99 inside
    dhcpd dns 192.168.100.5 68.94.156.1 interface inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy cad_supplies_RAVPN internal
    group-policy cad_supplies_RAVPN attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access
    client-firewall none
    client-access-rule none
    username swinc password BlhBNWfh7XoeHcQC encrypted
    username swinc attributes
    vpn-group-policy cad_supplies_RAVPN
    username meredithp password L3lRjzwb7TnwOyZ1 encrypted
    username meredithp attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone1 attributes
    vpn-group-policy VPNPHONE
    username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone2 attributes
    vpn-group-policy VPNPHONE
    username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone3 attributes
    vpn-group-policy VPNPHONE
    username oethera password WKJxJq7L6wmktFNt encrypted
    username oethera attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
    username markh attributes
    vpn-group-policy cad_supplies_RAVPN
    tunnel-group DefaultRAGroup general-attributes
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cad_supplies_RAVPN type remote-access
    tunnel-group cad_supplies_RAVPN general-attributes
    address-pool VPN_IP_range
    default-group-policy cad_supplies_RAVPN
    tunnel-group cad_supplies_RAVPN ipsec-attributes
    pre-shared-key *
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool VPN_Phone
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1500
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
    : end

    Hi,
    You have your "group-policy" set so that you are excluding some networks from being tunneled.
    In this access-list named Local_LAN_Access you specify "0.0.0.0".
    Doesn't this mean you are excluding all networks from being tunneled? In other words, no traffic goes to your tunnel.
    This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
    - Jouni

  • ASA 5505 VPN client LAN access problem

    Hello,
    I'm not an expert in ASA and routing, so I'm asking for some support with the following case.
    There is a Cisco VPN client (running on Windows 7) and an ASA5505.
    The goals are that the client could use the remote gateway on the ASA for Skype and be able to access the devices on the ASA inside interface.
    Skype works well, but I cannot access devices on the inside interface via the VPN connection.
    Can you please check my following config and give me advice to correct the NAT or VPN settings?
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password wDnglsHo3Tm87.tM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 10.0.0.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns xx.xx.xx.xx interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server value 84.2.44.1
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem enable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy XXXXXX internal
    group-policy XXXXXX attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
    username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
    username XXXXXX attributes
    vpn-group-policy XXXXXX
    username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
    tunnel-group XXXXXX type ipsec-ra
    tunnel-group XXXXXX general-attributes
    address-pool VPNPOOL
    default-group-policy XXXXXX
    tunnel-group XXXXXX ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
    : end
    ciscoasa#
    Thanks in advance!
    fbela

    config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
    Need to add - config#same-security-traffic permit intra-interface
                  config#access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
                  config#nat (inside) 0 access-list nonat
    Please add and test it.
    Thanks
    Ajay
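
    An added example, not code from any post in this thread or from Cisco: a small lint over an ASA remote-access config that flags the two things the replies above call out, Jouni's point about an "excludespecified" split-tunnel list naming 0.0.0.0, and Ajay's point about the VPN pool needing a "nat (inside) 0 access-list" exemption. The sample config is constructed and modelled on the ones posted above, not copied from them; it also matches configs whose indentation was lost in pasting, as happened here.

```python
"""Lint an ASA remote-access VPN config for two pitfalls from this thread:
an 'excludespecified' split-tunnel list that names 0.0.0.0, and a VPN address
pool that no 'nat (iface) 0 access-list' exemption covers.

Constructed example, not code from the thread or from Cisco."""
import ipaddress
import re

# Constructed excerpt modelled on the configs posted above (not a verbatim copy).
SAMPLE_CONFIG = """\
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list nonat-in
group-policy VPNPHONE attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
group-policy RAVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_splitTunnelAcl
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
STD_ACL_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")
EXT_ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")


def to_network(spec):
    """Turn an ASA address spec ('any', 'host A', 'A MASK') into an IPv4Network."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_config(text):
    """Collect pools, ACL destinations, nat 0 bindings and split-tunnel settings.
    Sub-commands are matched by keyword, so indentation does not matter."""
    cfg = {"pools": {}, "acls": {}, "nat0": {}, "policies": {}}
    current = None  # group-policy whose attribute lines we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := STD_ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(to_network(m.group(2)))
        elif m := EXT_ACL_RE.match(line):
            # Only the destination matters for a NAT exemption toward the VPN pool.
            cfg["acls"].setdefault(m.group(1), []).append(to_network(m.group(3)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := GP_RE.match(line):
            current = cfg["policies"].setdefault(m.group(1), {})
        elif current is not None and line.startswith("split-tunnel-policy "):
            current["policy"] = line.split()[1]
        elif current is not None and line.startswith("split-tunnel-network-list value "):
            current["list"] = line.split()[-1]
    return cfg


def check_split_tunnel(cfg):
    """Flag exclude lists that name 0.0.0.0, either as a /0 or as 'host 0.0.0.0'."""
    findings = []
    for name, gp in cfg["policies"].items():
        if gp.get("policy") != "excludespecified":
            continue
        for net in cfg["acls"].get(gp.get("list"), []):
            if net.prefixlen == 0:
                findings.append(f"{name}: exclude list covers 0.0.0.0/0, so no traffic is tunneled")
            elif net.network_address == ipaddress.ip_address("0.0.0.0"):
                findings.append(f"{name}: exclude list entry host 0.0.0.0 is a client-specific "
                                "'local LAN' value; verify your client honours it or list the real local LAN")
    return findings


def check_nat_exemption(cfg):
    """A pool is covered if some nat 0 ACL destination contains every pool address."""
    findings = []
    exempt = [net for acl in cfg["nat0"].values() for net in cfg["acls"].get(acl, [])]
    for name, (first, last) in cfg["pools"].items():
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {name} ({first}-{last}) is not covered by any nat 0 access-list")
    return findings


def lint(text):
    cfg = parse_config(text)
    return check_split_tunnel(cfg) + check_nat_exemption(cfg)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

    Note that an unapplied exemption ACL (defined but never named in a nat 0 line) counts for nothing, which is exactly the trap the sample reproduces.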

  • VPN client and radius or CAR

    Hello:
    I am trying to set up remote access VPN on an IOS router with Cisco RADIUS or CAR.
    The VPN client user needs to be authenticated by group ID and password, and by user ID and password.
    How should I set up CAR? Could someone provide me an example?
    I saw this sample, but there is no relationship between user and group.
    Any suggestions?
    thx
    [ //localhost/RADIUS/UserLists/Default/joe-coke ]
    Name = joe-coke
    Description =
    Password = <encrypted>
    AllowNullPassword = FALSE
    Enabled = TRUE
    Group~ =
    BaseProfile~ =
    AuthenticationScript~ =
    AuthorizationScript~ =
    UserDefined1 =
    [ //localhost/RADIUS/UserLists/Default/group1 ]
    Name = group1
    Description =
    Password = <encrypted> (would be "cisco")
    AllowNullPassword = FALSE
    Enabled = TRUE
    Group~ =
    BaseProfile~ = group1profile
    AuthenticationScript~ =
    AuthorizationScript~ =
    UserDefined1 =
    Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco
    AV-pairs:
    [ //localhost/RADIUS/Profiles/group1profile/Attributes ]
    cisco-avpair = ipsec:key-exchange=ike
    cisco-avpair = ipsec:tunnel-password=cisco123
    cisco-avpair = ipsec:addr-pool=pool1
    Service-Type = Outbound

    You can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc.). The client's username/password can then be defined within the AAA server to allow access to the network once the tunnel has been established.
    The link below should show how to set up the group config in IOS, and you should change the AAA method to point to RADIUS instead of local to authenticate the client at your AAA server.
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

  • ASA 5505 VPN clients can't ping router or other clients on network

    I have an ASA5505 and it has a VPN set up. The VPN user connects using the Cisco VPN client. They can connect fine (they get an IP address from the ASA), but they can't ping the ASA or any clients on the network. Here is the running config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
    : end
    Any ideas what I need to add to get the VPN client to be able to ping the router and clients?
    Thanks.

    I tried that and it didn't work. As for upgrading the ASA version, I'd like to, but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
    Here is the running config again:
    Result of the command: "show startup-config"
    : Saved
    : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    asdm location Server 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:78864f4099f215f4ebdd710051bdb493
