Traffic bypasses VPN client

Similar Messages

• How to enable traffic between VPN clients in Windows Server 2012 R2?

  Hello, 
  I installed Remote Access role with VPN.
  IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
  VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
  One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
  VPN server uses Windows Authentication and Windows Accounting.
  With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
  For example, VPN server has ip 192.168.99.5
  VPN Client 1 - 192.168.99.6
  VPN Client 2 - 192.168.99.7
  I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
  If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets goes to server (192.168.99.5) and next hop - request timeout.
  What else should I configure to allow network traffic between VPN clients?

  Hi,
  To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• SBS2008 VPN Clients can't Remote Desktop to PCs

  Hello,
     I have a network running SBS2008, it has RRAS configured on it and clients connect to it fine.  However, while connected to the VPN, I can't connect to PC Clients via RDP.  I connect to server via RDP no problem.  And I can connect
  to PCs via RDP from the server or other PCs on the network.  I just can't connect through a VPN connection.  RRAS uses DHCP from the server to assign IPs so VPN clients are on the same subnet as the domain PCs. 
  RWW also works fine for connecting to PCs, but we would like to be able to connect via VPN as well.  And it should work, I can ping a PC I'm trying to connect to over the VPN connection, no problem.  I researched and saw something about the group
  policy, but this is a very small network and doesn't really use that.  I made the changes described in the Windows Firewall settings but it made no difference.  I also went and turned off the Windows firewall on the PC I was trying to connect to,
  but it still didn't make a difference.  Is there any other reason this wouldn't work?
  Thanks

  I found out that the issue was caused by the Symantec Endpoint Protection client installed on the server.  It was blocking traffic between VPN clients and PCs on the network.  I just reconfigured it to allow that traffic and it worked
  fine afterward.
  Hi Rayminette,
  Glad to hear that you have solved this issue and thanks for sharing your solution in the forum. Your time and efforts are highly appreciated.
  Best regards,
  Justin Gu
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Remote Access VPN Clients Cannot Access inside LAN

  I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with.  I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  Thay can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
  : Saved
  ASA Version 8.2(1)
  hostname ASA5505
  domain-name default.domain.invalid
  enable password eelnBRz68aYSzHyz encrypted
  passwd eelnBRz68aYSzHyz encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group dataDSL
  ip address 76.244.75.57 255.255.255.255 pppoe
  interface Vlan3
  nameif dmz
  security-level 50
  ip address 192.168.9.1 255.255.255.0
  interface Vlan10
  nameif outside_cable
  security-level 0
  ip address 50.84.96.178 255.255.255.240
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 10
  interface Ethernet0/2
  switchport access vlan 3
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit intra-interface
  object-group service Netbios udp
  port-object eq 139
  port-object eq 445
  port-object eq netbios-ns
  object-group service Netbios_TCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  object-group network DM_INLINE_NETWORK_1
  network-object host 192.168.100.177
  network-object host 192.168.100.249
  object-group service Web_Services tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  object-group network DM_INLINE_NETWORK_10
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_11
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_2
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_3
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_4
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_5
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_6
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_7
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_8
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network DM_INLINE_NETWORK_9
  network-object host 192.168.9.10
  network-object host 192.168.9.4
  object-group network VPN
  network-object 192.168.255.0 255.255.255.0
  access-list outside_access_in extended permit icmp any host 76.244.75.61
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
  access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
  access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
  access-list dmz_access_in remark Quickbooks
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
  access-list dmz_access_in remark Quickbooks range
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
  access-list dmz_access_in remark QB
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
  access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
  access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
  access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
  access-list dmz_access_in remark Printer
  access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
  access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
  access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
  access-list dmz_access_in remark QB probably does not need any udp
  access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark QB included in other rule range
  access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
  access-list dmz_access_in remark May be required for Quickbooks
  access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
  access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
  access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
  access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
  access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
  access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
  access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
  access-list Local_LAN_Access standard permit host 0.0.0.0
  access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
  access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered informational
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500 
  mtu outside_cable 1500
  ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
  ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 10 interface
  global (outside_cable) 10 interface
  nat (inside) 0 access-list nonat-in
  nat (inside) 10 0.0.0.0 0.0.0.0
  nat (dmz) 0 access-list dmz_nat0_outbound
  nat (dmz) 10 0.0.0.0 0.0.0.0
  static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
  static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
  static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
  static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
  static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
  access-group outside_access_in in interface outside
  access-group dmz_access_in in interface dmz
  access-group outside_cable_access_in in interface outside_cable
  route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.100.0 255.255.255.0 inside
  http 204.107.173.0 255.255.255.0 outside
  http 204.107.173.0 255.255.255.0 outside_cable
  http 0.0.0.0 0.0.0.0 outside_cable
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_cable_map interface outside_cable
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp enable outside_cable
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 192.168.100.0 255.255.255.0 inside
  telnet timeout 5
  ssh 192.168.100.0 255.255.255.0 inside
  ssh 204.107.173.0 255.255.255.0 outside
  ssh 204.107.173.0 255.255.255.0 outside_cable
  ssh 0.0.0.0 0.0.0.0 outside_cable
  ssh timeout 15
  console timeout 0
  vpdn group dataDSL request dialout pppoe
  vpdn group dataDSL localname [email protected]
  vpdn group dataDSL ppp authentication pap
  vpdn username [email protected] password *********
  dhcpd address 192.168.100.30-192.168.100.99 inside
  dhcpd dns 192.168.100.5 68.94.156.1 interface inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec l2tp-ipsec
  group-policy cad_supplies_RAVPN internal
  group-policy cad_supplies_RAVPN attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
  group-policy VPNPHONE internal
  group-policy VPNPHONE attributes
  dns-server value 192.168.100.5
  vpn-tunnel-protocol IPSec
  split-tunnel-policy excludespecified
  split-tunnel-network-list value Local_LAN_Access
  client-firewall none
  client-access-rule none
  username swinc password BlhBNWfh7XoeHcQC encrypted
  username swinc attributes
  vpn-group-policy cad_supplies_RAVPN
  username meredithp password L3lRjzwb7TnwOyZ1 encrypted
  username meredithp attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone1 attributes
  vpn-group-policy VPNPHONE
  username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone2 attributes
  vpn-group-policy VPNPHONE
  username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
  username ipphone3 attributes
  vpn-group-policy VPNPHONE
  username oethera password WKJxJq7L6wmktFNt encrypted
  username oethera attributes
  vpn-group-policy cad_supplies_RAVPN
  service-type remote-access
  username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
  username markh attributes
  vpn-group-policy cad_supplies_RAVPN
  tunnel-group DefaultRAGroup general-attributes
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cad_supplies_RAVPN type remote-access
  tunnel-group cad_supplies_RAVPN general-attributes
  address-pool VPN_IP_range
  default-group-policy cad_supplies_RAVPN
  tunnel-group cad_supplies_RAVPN ipsec-attributes
  pre-shared-key *
  tunnel-group VPNPHONE type remote-access
  tunnel-group VPNPHONE general-attributes
  address-pool VPN_Phone
  default-group-policy VPNPHONE
  tunnel-group VPNPHONE ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 1500
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
  : end

  Hi,
  You have your "group-policy" set so that you have excluding some networks from being tunneled.
  In this access-list named Local_LAN_Access you specify "0.0.0.0"
  Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
  This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
  - Jouni

• ASA 5505 VPN client LAN access problem

  Hello,
  I'm not expert in ASA and routing so I ask some support the following case.
  There is a Cisco VPN client (running on Windows 7) and an ASA5505.
  The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.
  The Skype works well but I cannot access devices in the interface inside via VPN connection.
  Can you please check my following config and give me advice to correct NAT or VPN settings?
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password wDnglsHo3Tm87.tM encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  no ip address
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
  access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
  access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 1 10.0.0.0 255.255.255.0
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (outside) 1 10.0.0.0 255.255.255.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.33 inside
  dhcpd dns xx.xx.xx.xx interface inside
  dhcpd enable inside
  group-policy DfltGrpPolicy attributes
  banner none
  wins-server none
  dns-server value 84.2.44.1
  dhcp-network-scope none
  vpn-access-hours none
  vpn-simultaneous-logins 3
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain none
  split-dns none
  intercept-dhcp 255.255.255.255 disable
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout 30
  ip-phone-bypass disable
  leap-bypass disable
  nem enable
  backup-servers keep-client-config
  msie-proxy server none
  msie-proxy method no-modify
  msie-proxy except-list none
  msie-proxy local-bypass disable
  nac disable
  nac-sq-period 300
  nac-reval-period 36000
  nac-default-acl none
  address-pools none
  smartcard-removal-disconnect enable
  client-firewall none
  client-access-rule none
  webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
  group-policy XXXXXX internal
  group-policy XXXXXX attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
  username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
  username XXXXXX attributes
  vpn-group-policy XXXXXX
  username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
  tunnel-group XXXXXX type ipsec-ra
  tunnel-group XXXXXX general-attributes
  address-pool VPNPOOL
  default-group-policy XXXXXX
  tunnel-group XXXXXX ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
  : end
  ciscoasa#
  Thanks in advance!
  fbela

  config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
  Need to add - config#same-security-traffic permit intra-interface
                                   #access-list extended nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
                                   #nat (inside) 0 access-list nonat
  Please add and test it.
  Thanks
  Ajay

• ASA 5505 VPN clients can't ping router or other clients on network

  I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
  Result of the command: "show running-config"
  : Saved
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
  : end
  Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
  Thanks.

  I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
  here is the runnign config again:
  Result of the command: "show startup-config"
  : Saved
  : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  asdm location Server 255.255.255.255 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:78864f4099f215f4ebdd710051bdb493

• Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

  Hi:
  Need your great help for my new ASA 5505 (8.4)
  I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
  ASA Version 8.4(3)
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 2
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.29.8.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 177.164.222.140 255.255.255.248
  ftp mode passive
  clock timezone GMT 0
  dns server-group DefaultDNS
  domain-name ABCtech.com
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 172.29.8.0 255.255.255.0
  object service RDP
  service tcp source eq 3389
  object network orange
  host 172.29.8.151
  object network WAN_173_164_222_138
  host 177.164.222.138
  object service SMTP
  service tcp source eq smtp
  object service PPTP
  service tcp source eq pptp
  object service JT_WWW
  service tcp source eq www
  object service JT_HTTPS
  service tcp source eq https
  object network obj_lex
  subnet 172.29.88.0 255.255.255.0
  description Lexington office network
  object network obj_HQ
  subnet 172.29.8.0 255.255.255.0
  object network guava
  host 172.29.8.3
  object service L2TP
  service udp source eq 1701
  access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
  access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended deny tcp any any eq 135
  access-list inside_access_in extended deny tcp any eq 135 any
  access-list inside_access_in extended deny udp any eq 135 any
  access-list inside_access_in extended deny udp any any eq 135
  access-list inside_access_in extended deny tcp any any eq 1591
  access-list inside_access_in extended deny tcp any eq 1591 any
  access-list inside_access_in extended deny udp any eq 1591 any
  access-list inside_access_in extended deny udp any any eq 1591
  access-list inside_access_in extended deny tcp any any eq 1214
  access-list inside_access_in extended deny tcp any eq 1214 any
  access-list inside_access_in extended deny udp any any eq 1214
  access-list inside_access_in extended deny udp any eq 1214 any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in extended permit tcp any any eq www
  access-list inside_access_in extended permit tcp any eq www any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
  89
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
  tp
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
  tp
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
  w
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
  tps
  access-list outside_access_in extended permit gre any host 177.164.222.138
  access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
  01
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit icmp any any
  access-list inside_access_out extended permit ip any any
  access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
  .88.0 255.255.255.0
  access-list inside_in extended permit icmp any any
  access-list inside_in extended permit ip any any
  access-list inside_in extended permit udp any any eq isakmp
  access-list inside_in extended permit udp any eq isakmp any
  access-list inside_in extended permit udp any any
  access-list inside_in extended permit tcp any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static orange interface service RDP RDP
  nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
  lex route-lookup
  nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
  WW
  nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
  _HTTPS
  nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
  nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
  nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
  nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group inside_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
  route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server Guava protocol nt
  aaa-server Guava (inside) host 172.29.8.3
  timeout 15
  nt-auth-domain-controller guava
  user-identity default-domain LOCAL
  http server enable
  http 172.29.8.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
  crypto dynamic-map outside_dyn_map 20 set reverse-route
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set peer 173.190.123.138
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
  ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
  P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 43200
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.1.0 255.255.255.0 inside
  telnet 172.29.8.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside vpnclient-wins-override
  dhcprelay server 172.29.8.3 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  group-policy ABCtech_VPN internal
  group-policy ABCtech_VPN attributes
  dns-server value 172.29.8.3
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN_Tunnel_User
  default-domain value ABCtech.local
  group-policy GroupPolicy_10.8.8.1 internal
  group-policy GroupPolicy_10.8.8.1 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username who password eicyrfJBrqOaxQvS encrypted
  tunnel-group 10.8.8.1 type ipsec-l2l
  tunnel-group 10.8.8.1 general-attributes
  default-group-policy GroupPolicy_10.8.8.1
  tunnel-group 10.8.8.1 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 remote-authentication certificate
  ikev2 local-authentication pre-shared-key *****
  tunnel-group ABCtech type remote-access
  tunnel-group ABCtech general-attributes
  address-pool ABC_HQVPN_DHCP
  authentication-server-group Guava
  default-group-policy ABCtech_VPN
  tunnel-group ABCtech ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 173.190.123.138 type ipsec-l2l
  tunnel-group 173.190.123.138 general-attributes
  default-group-policy GroupPolicy_10.8.8.1
  tunnel-group 173.190.123.138 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 remote-authentication certificate
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect pptp
    inspect ftp
    inspect netbios
  smtp-server 172.29.8.3
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:6a26676668b742900360f924b4bc80de
  : end

  Hello Wayne,
  Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
  I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
  Regards,
  Julio
  Security Trainer

• Server 2003 VPN clients can't verify username and password

  Hi,
  Hoping someone can help or point me in the right direction. I have a Windows Server 2003 R2 standard SP2 running RRAS. It has Dual NIC's and is configured for PPTP VPN. I am using a BT Business Hub 5 for internet access and using the BT Static IP service.
  The BT Hub assigns the static IP address chosen to the Server using DHCP. The firewall is configured to port forward PPTP traffic to the 2003 server. This all works correctly.
  The 2003 server is on a domain where the DC is a 2008 R2 server. The DC also acts as the DNS and DHCP for the network.
  The default gateway for the domain is pointed towards our WinGate proxy server which also acts as a DNS server.
  The 2003 server LAN NIC is configured manually, usually I would not configure a deafult gateway on the LAN NIC as the WAN NIC needs the default gateway for the BT Hub.
  The problem I am having is if a default gateway is configured on the LAN NIC, I can connect to the VPN and it will logon to the network. Once connected everything works ok. If the connection drops, when trying to reconnect the client can no longer verify
  the user name and password against the domain and the connection is refused.
  If I do not have a default gateway configured in the LAN NIC the VPN clients can not verify the username and password for the domain at all and I get RPC failure errors in the event viewer with the source dnsapi.
  Once this error occurs the only way I can get the clients to reconnect is to disable the WAN NIC, restart the RRAS service and enable the WAN NIC again.
  Any insight will be much appreciated.

  Hello,
  for Networking configuration questions better ask in
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home#forum=winserverNIS&filter=alltypes&sort=lastpostdesc&content=Search
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• IPSEC VPN clients can't reach internal nor external resources

  Hi!
  At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
  Im pretty sure it's not ACL's, although I might be wrong.
  The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
  # Issue 1.
  IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
  When trying to access an external resource, the "translate_hits" below are changed:
  Auto NAT Policies (Section 2)
  1 (outside) to (outside) source dynamic vpn_nat interface
     translate_hits = 37, untranslate_hits = 11
  When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
  5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
      translate_hits = 31, untranslate_hits = 32
  Most NAT, some sensitive data cut:
  Manual NAT Policies (Section 1)
  <snip>
  3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
      translate_hits = 0, untranslate_hits = 0
  4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
      translate_hits = 0, untranslate_hits = 0
  5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
      translate_hits = 22, untranslate_hits = 23
  Auto NAT Policies (Section 2)
  1 (outside) to (outside) source dynamic vpn_nat interface
      translate_hits = 37, untranslate_hits = 6
  Manual NAT Policies (Section 3)
  1 (something_free) to (something_outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  2 (something_something) to (something_outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  3 (inside) to (outside) source dynamic any interface
      translate_hits = 5402387, untranslate_hits = 1519419
  ##  Issue 2, vpn user cannot access anything on internet
  asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  Relevant configuration snippet:
  interface Vlan2
  nameif outside
  security-level 0
  ip address 1.2.3.2 255.255.255.248
  interface Vlan3
  nameif inside
  security-level 100
  ip address 10.0.0.5 255.255.255.0
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network anywhere
  subnet 0.0.0.0 0.0.0.0
  object network something_free
  subnet 10.0.100.0 255.255.255.0
  object network something_member
  subnet 10.0.101.0 255.255.255.0
  object network obj-ipsecvpn
  subnet 172.16.31.0 255.255.255.0
  object network allvpnnet
  subnet 172.16.32.0 255.255.255.0
  object network OFFICE-NET
  subnet 10.0.0.0 255.255.255.0
  object network vpn_nat
  subnet 172.16.32.0 255.255.255.0
  object-group network the_office
  network-object 10.0.0.0 255.255.255.0
  access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
  ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
  ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
  nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
  nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
  nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
  object network vpn_nat
  nat (outside,outside) dynamic interface
  nat (some_free,some_outside) after-auto source dynamic any interface
  nat (some_member,some_outside) after-auto source dynamic any interface
  nat (inside,outside) after-auto source dynamic any interface
  group-policy companyusers attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol IPSec
  default-domain value company.net
  tunnel-group companyusers type remote-access
  tunnel-group companyusers general-attributes
  address-pool ipsecvpnpool
  default-group-policy companyusers
  tunnel-group companyusers ipsec-attributes
  pre-shared-key *****

  Hi,
  I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
  asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  asa# show capture capo
  12 packets captured
     1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
    10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
    11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
    12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
  asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
  asa# show capture capi
  8 packets captured
     1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
  Packet-capture.
  Phase: 1
  Type: CAPTURE
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   172.16.32.1     255.255.255.255 outside
  Phase: 4
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group inside_access_in in interface inside
  access-list inside_access_in extended permit ip any any log
  Additional Information:
  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7     
  Type: DEBUG-ICMP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
  Additional Information:
  Static translate 10.0.0.72/0 to 10.0.0.72/0
  Phase: 9
  Type: HOST-LIMIT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: VPN    
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 11
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_out out interface outside
  access-list outside_access_out extended permit ip any any log
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 5725528, packet dispatched to next module
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: allow

• VPN Clients can't access DMZ Network

  Hello,
  I will try to describe my problem as best as possible. The title says VPN clients cannot access DMZ network, but that is not exactly the problem, the situation is this, a group of users are using an actual 10.x network where they have their servers and pretty much everything. The users must be relocated into a new network, the 172.16.x.  In a point in time they will not have to use 10.x anymore, but meanwhile, they need access to that network.
  I have an ASA 5510 as default gateway for the new network (172.16.x.x), one interface e0/0 connected to the outside (internet), interface e0/1 to the inside and other interface connected to the actual 10.x (which I call DMZ), so basically I am using the ASA as a bridge using NAT to grant access to the users in the network 172.16.x to the resources in the 10.x network while the migration is completed.
  All the users must use the path to the internet thru the ASA using the NAT overload to the outside interface and I put in place a NAT policy to 10.x to allow access to the 10.x network only when the internal users 172.16.x try to reach that path and so far, everything is working just fine for the internal users.
  Now for some reason, when I do VPN, the VPN clients cannot reach the 10.x network, even when they are supposed to be in the internal network (because they are doing VPN right?) .
  I have enabled split tunneling with NAT exempt the 172.16 network and I am not sure if that is causing the problem, because when I trace from my PC the 172.16.16.1 address using the VPN I get the proper route path, but when I try to reach 10.x, my PC is using its default gateway and not the VPN gateway which has a route to 10.x.
  I’m not even sure if what I am trying to do is possible, I want VPN users to be able to access a 10.x network using NAT overload with the Interface of the ASA plugged to the 10.x network, just like the internal users are doing right now.
  Any help or advice will be highly appreciated.

  Allow clients to access DMZ, add exempt NAT rule, add both the "same-security-traffic" thru cli. Please give it a try.
  Sent from Cisco Technical Support iPad App

• Intermittent Internet Connection and VPN clients can't ping internal LAN but connected after installating cisco ASA5512x

  Hi!
  I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
  ISP ->  Firewall -> Core switch -> Internal LAN
  after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
  here's my configuration from my firewall.
  ASA Version 8.6(1)2
  hostname ciscofirewall
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.x.x.x 255.255.255.0
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.152.11.15 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 4.2.2.2 -------> public DNS
  name-server 8.8.8.8 -------> public
  name-server 203.x.x.x   ----> Clients DNS
  name-server 203.x.x.x  -----> Clients DNS
  same-security-traffic permit intra-interface
  object network net_access
  subnet 10.0.0.0 255.0.0.0
  object network citrix_server
  host 10.152.11.21
  object network NETWORK_OBJ_10.10.10.0_28
  subnet 10.10.10.0 255.255.255.240
  object network NETWORK_OBJ_10.0.0.0_8
  subnet 10.0.0.0 255.0.0.0
  object network InterconHotel
  subnet 10.152.11.0 255.255.255.0
  access-list net_surf extended permit ip any any
  access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
  access-list outside_access extended permit tcp any object citrix_server eq www
  access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
  access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
  access-list LAN_Users remark LAN_clients
  access-list LAN_Users standard permit any
  access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu outside 1500
  mtu inside 1500
  ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
  object network net_access
  nat (inside,outside) dynamic interface
  object network citrix_server
  nat (inside,outside) static 203.177.18.234 service tcp www www
  object network NETWORK_OBJ_10.10.10.0_28
  nat (any,outside) dynamic interface
  object network InterconHotel
  nat (inside,outside) dynamic interface dns
  access-group outside_access in interface outside
  access-group net_surf out interface outside
  route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
  route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 10.0.0.100 255.255.255.255 inside
  http 10.10.10.0 255.255.255.240 outside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  client-update enable
  telnet 10.152.11.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  enable outside
  anyconnect-essentials
  group-policy outsidevpn internal
  group-policy outsidevpn attributes
  dns-server value 203.x.x.x 203.x.x.x
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
  split-tunnel-policy tunnelall
  split-tunnel-network-list value outsidevpn_splitTunnelAcl
  default-domain value interconti.com
  address-pools value vpnpool
  username test1 password i1lji/GiOWB67bAs encrypted privilege 5
  username test1 attributes
  vpn-group-policy outsidevpn
  username mnlha password WlzjmENGEEZmT9LA encrypted
  username mnlha attributes
  vpn-group-policy outsidevpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group outsidevpn type remote-access
  tunnel-group outsidevpn general-attributes
  address-pool (inside) vpnpool
  address-pool vpnpool
  authentication-server-group (outside) LOCAL
  default-group-policy outsidevpn
  tunnel-group outsidevpn ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect http
    inspect ipsec-pass-thru
  class class-default
    user-statistics accounting
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  hpm topN enable
  Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
  : end
  thanks. please help.

  I think you should change your nat-exemption rule to smth more general, like
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
  'cause your inside networks are not the same as your vpn-pool subnet.
  Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA.

• VPN Client can't reach router or hosts, but can reach other connected sites.

  We have a VPN client configuration on a 2901 router. The client passes authentication and connects fine. When connected, cannot reach the 2901 or any devices directly behind it, BUT can reach routers and hosts that are connected to the same 2901 through site to site connections.
  Few notes:
  I have added some lines excluding NAT in a few different ways, but does not resolve.
  I have switched the RAP rool from 10.96.20.x to 172.21.20.x and can then connect to the local host. Appears to be a routing issue to the 10.x network, but I can't seem to find the solution.
  Any help would be greatly appreciated. Here is the config:
  boot-start-marker
  boot system flash
  boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
  no ip domain lookup
  ip inspect log drop-pkt
  ip inspect name FIREWALL tcp
  ip inspect name FIREWALL udp
  ip inspect name FIREWALL ftp
  ip inspect name FIREWALL fragment maximum 256 timeout 1
  ip inspect name FIREWALL ntp
  ip inspect name FIREWALL pptp
  ip inspect name FIREWALL dns
  ip inspect name FIREWALL l2tp
  ip inspect name FIREWALL pop3
  ip inspect name FIREWALL icmp router-traffic
  no ipv6 cef
  crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  crypto isakmp policy 5
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp policy 95
  authentication pre-share
  group 2
  crypto isakmp policy 99
  hash md5
  authentication pre-share
  group 2
  crypto isakmp policy 110
  hash md5
  authentication pre-share
  crypto isakmp client configuration group VPN-RAS
  key *********
  dns 10.96.17.2 10.1.200.50
  wins 10.96.17.2 10.1.200.50
  domain mine.com
  pool RAPOOL
  acl SPLIT
  save-password
  split-dns mind.com
  netmask 255.255.255.0
  crypto isakmp profile USERS
     match identity group VPN-RAS
     client authentication list DOMAIN
     isakmp authorization list VPN-RAS
     client configuration address respond
     keepalive 300 retry 5
  crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set DES esp-des esp-md5-hmac
  mode tunnel
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  mode tunnel
  crypto ipsec transform-set DES-SHA esp-des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set myset esp-3des esp-sha-hmac
  mode tunnel
  crypto dynamic-map dynmap 1
  set transform-set AES128
  set isakmp-profile USERS
  crypto map COMPANY_VPN 10 ipsec-isakmp
  set peer *******
  set transform-set 3DES-MD5
  match address PA-VPN
  qos pre-classify
  crypto map COMPANY_VPN 50 ipsec-isakmp
  set peer ******
  set transform-set AES128
  match address VPN
  qos pre-classify
  crypto map COMPANY_VPN 999 ipsec-isakmp dynamic dynmap
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 37.222.111.224 255.255.255.248
  ip access-group INBOUND in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip verify unicast reverse-path
  ip flow ingress
  ip flow egress
  ip nat outside
  ip inspect FIREWALL out
  ip virtual-reassembly in
  duplex auto
  speed auto
  no cdp enable
  no mop enabled
  crypto map COMPANY_VPN
  interface GigabitEthernet0/1
  no ip address
  ip flow ingress
  duplex auto
  speed auto
  interface GigabitEthernet0/1.17
  description LAN
  encapsulation dot1Q 17
  ip address 10.96.17.253 255.255.255.0
  ip access-group OUTBOUND in
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  standby 0 ip 10.96.17.254
  standby 0 priority 110
  standby 0 preempt
  standby 0 track 1 decrement 20
  interface GigabitEthernet0/1.27
  description VOICE
  encapsulation dot1Q 27
  ip address 192.168.17.254 255.255.255.0
  ip access-group OUTBOUND in
  ip helper-address 10.96.17.2
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  h323-gateway voip bind srcaddr 192.168.17.254
  ip local pool RAPOOL 10.96.20.50 10.96.20.150
  ip forward-protocol nd
  ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
  ip route 0.0.0.0 0.0.0.0 37.222.111.223
  ip route 10.96.16.0 255.255.255.0 10.96.17.250
  ip route 172.22.1.0 255.255.255.0 10.96.17.250
  ip route 172.22.2.0 255.255.255.0 10.96.17.250
  ip route 172.22.3.0 255.255.255.0 10.96.17.250
  ip route 192.168.16.0 255.255.255.0 10.96.17.250
  ip access-list extended DMZ
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any
  ip access-list extended GUEST
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any
  ip access-list extended INBOUND
  deny   ip 80.25.124.0 0.0.0.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  permit udp host 173.239.147.114 any eq isakmp
  permit esp host 173.239.147.114 any
  deny   ip 192.168.0.0 0.0.255.255 any
  permit udp any host 37.222.111.224 eq isakmp
  permit udp any host 37.222.111.224 eq non500-isakmp
  permit esp any host 37.222.111.224
  ip access-list extended NAT
  deny   ip 10.96.20.0 0.0.0.255 any
  deny   ip any 10.96.20.0 0.0.0.255
  permit ip 192.168.0.0 0.0.255.255 any
  permit ip 10.0.0.0 0.255.255.255 any
  ip access-list extended NONAT
  permit ip any 192.168.0.0 0.0.255.255
  permit ip any 10.0.0.0 0.255.255.255
  ip access-list extended OUTBOUND
  deny   udp any host 22.55.77.106 eq isakmp
  deny   udp any host 22.55.77.106 eq non500-isakmp
  deny   esp any host 22.55.77.106
  permit ip any any
  ip access-list extended PA-VPN
  permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
  permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
  permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
  permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
  ip access-list extended SPLIT
  permit ip 10.0.0.0 0.255.255.255 any
  permit ip 192.168.0.0 0.0.255.255 any
  ip access-list extended VPN
  permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
  permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
  permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  route-map NAT-POOL deny 5
  match ip address NONAT
  route-map NAT-POOL permit 10
  match ip address NAT

  We have a VPN client configuration on a 2901 router. The client passes authentication and connects fine. When connected, cannot reach the 2901 or any devices directly behind it, BUT can reach routers and hosts that are connected to the same 2901 through site to site connections.
  Few notes:
  I have added some lines excluding NAT in a few different ways, but does not resolve.
  I have switched the RAP rool from 10.96.20.x to 172.21.20.x and can then connect to the local host. Appears to be a routing issue to the 10.x network, but I can't seem to find the solution.
  Any help would be greatly appreciated. Here is the config:
  boot-start-marker
  boot system flash
  boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
  no ip domain lookup
  ip inspect log drop-pkt
  ip inspect name FIREWALL tcp
  ip inspect name FIREWALL udp
  ip inspect name FIREWALL ftp
  ip inspect name FIREWALL fragment maximum 256 timeout 1
  ip inspect name FIREWALL ntp
  ip inspect name FIREWALL pptp
  ip inspect name FIREWALL dns
  ip inspect name FIREWALL l2tp
  ip inspect name FIREWALL pop3
  ip inspect name FIREWALL icmp router-traffic
  no ipv6 cef
  crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  crypto isakmp policy 5
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp policy 95
  authentication pre-share
  group 2
  crypto isakmp policy 99
  hash md5
  authentication pre-share
  group 2
  crypto isakmp policy 110
  hash md5
  authentication pre-share
  crypto isakmp client configuration group VPN-RAS
  key *********
  dns 10.96.17.2 10.1.200.50
  wins 10.96.17.2 10.1.200.50
  domain mine.com
  pool RAPOOL
  acl SPLIT
  save-password
  split-dns mind.com
  netmask 255.255.255.0
  crypto isakmp profile USERS
     match identity group VPN-RAS
     client authentication list DOMAIN
     isakmp authorization list VPN-RAS
     client configuration address respond
     keepalive 300 retry 5
  crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set DES esp-des esp-md5-hmac
  mode tunnel
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  mode tunnel
  crypto ipsec transform-set DES-SHA esp-des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set myset esp-3des esp-sha-hmac
  mode tunnel
  crypto dynamic-map dynmap 1
  set transform-set AES128
  set isakmp-profile USERS
  crypto map COMPANY_VPN 10 ipsec-isakmp
  set peer *******
  set transform-set 3DES-MD5
  match address PA-VPN
  qos pre-classify
  crypto map COMPANY_VPN 50 ipsec-isakmp
  set peer ******
  set transform-set AES128
  match address VPN
  qos pre-classify
  crypto map COMPANY_VPN 999 ipsec-isakmp dynamic dynmap
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 37.222.111.224 255.255.255.248
  ip access-group INBOUND in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip verify unicast reverse-path
  ip flow ingress
  ip flow egress
  ip nat outside
  ip inspect FIREWALL out
  ip virtual-reassembly in
  duplex auto
  speed auto
  no cdp enable
  no mop enabled
  crypto map COMPANY_VPN
  interface GigabitEthernet0/1
  no ip address
  ip flow ingress
  duplex auto
  speed auto
  interface GigabitEthernet0/1.17
  description LAN
  encapsulation dot1Q 17
  ip address 10.96.17.253 255.255.255.0
  ip access-group OUTBOUND in
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  standby 0 ip 10.96.17.254
  standby 0 priority 110
  standby 0 preempt
  standby 0 track 1 decrement 20
  interface GigabitEthernet0/1.27
  description VOICE
  encapsulation dot1Q 27
  ip address 192.168.17.254 255.255.255.0
  ip access-group OUTBOUND in
  ip helper-address 10.96.17.2
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  h323-gateway voip bind srcaddr 192.168.17.254
  ip local pool RAPOOL 10.96.20.50 10.96.20.150
  ip forward-protocol nd
  ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
  ip route 0.0.0.0 0.0.0.0 37.222.111.223
  ip route 10.96.16.0 255.255.255.0 10.96.17.250
  ip route 172.22.1.0 255.255.255.0 10.96.17.250
  ip route 172.22.2.0 255.255.255.0 10.96.17.250
  ip route 172.22.3.0 255.255.255.0 10.96.17.250
  ip route 192.168.16.0 255.255.255.0 10.96.17.250
  ip access-list extended DMZ
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any
  ip access-list extended GUEST
  deny   ip any 10.0.0.0 0.255.255.255
  deny   ip any 192.168.0.0 0.0.255.255
  permit ip any any
  ip access-list extended INBOUND
  deny   ip 80.25.124.0 0.0.0.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  permit udp host 173.239.147.114 any eq isakmp
  permit esp host 173.239.147.114 any
  deny   ip 192.168.0.0 0.0.255.255 any
  permit udp any host 37.222.111.224 eq isakmp
  permit udp any host 37.222.111.224 eq non500-isakmp
  permit esp any host 37.222.111.224
  ip access-list extended NAT
  deny   ip 10.96.20.0 0.0.0.255 any
  deny   ip any 10.96.20.0 0.0.0.255
  permit ip 192.168.0.0 0.0.255.255 any
  permit ip 10.0.0.0 0.255.255.255 any
  ip access-list extended NONAT
  permit ip any 192.168.0.0 0.0.255.255
  permit ip any 10.0.0.0 0.255.255.255
  ip access-list extended OUTBOUND
  deny   udp any host 22.55.77.106 eq isakmp
  deny   udp any host 22.55.77.106 eq non500-isakmp
  deny   esp any host 22.55.77.106
  permit ip any any
  ip access-list extended PA-VPN
  permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
  permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
  permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
  permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
  ip access-list extended SPLIT
  permit ip 10.0.0.0 0.255.255.255 any
  permit ip 192.168.0.0 0.0.255.255 any
  ip access-list extended VPN
  permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
  permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
  permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  route-map NAT-POOL deny 5
  match ip address NONAT
  route-map NAT-POOL permit 10
  match ip address NAT

• Cisco ASA 8.3(1) with VPN Client and IP Communicator - one way communication

  Hi Community.
  I have a strange problem with my setup and I'm pretty sure it's either some type of routing (or NAT) or just a missing rule allowing the traffic. But I'm now at a point where I'd like to request your help.
  I have some remote access users who have the Cisco IP Communicator (CIPC) installed on their notebooks. So:
  VPN user with CIPC <> ASA Firewall <> Voice Router <> CCM <> IP Phone
  The VPN works fine for any other traffic. Also the basic connection for the IP Communicator works fine. It get's connected to the CallManager, is shown as registered and you even can call an internal phone and also external phones. BUT: while you can hear the called party (so the internal phone) it doesn't work for the other way. There is no sound coming from the remote/caller.
  I already figured out that it's also not possible to ping from the VPN phone to the internal IP Phone subnet. While the VPN user can ping any other device in the internal network, he can't do it to the Cisco IP Phones. But if the VPN phone calls a none-internal phone (mobiles...) - it works!
  My thought is that the call can't be build up correctly between the VPN phone and the internal phone.
  I found similiar situations with google but they are all for the other way around: call to internal works, but not to VPN.
  What do you think?

  Hi,
  Typically ASA lists specific networks to the VPN Client when Split Tunnel is used.
  This would mean that there is a Split Tunnel ACL used in the ASA configurations for this VPN connection which needs to have the missing network added for the traffic to be tunneled to the VPN connection.
  - Jouni

• Strange issue with 3.6.3 VPN Client and IOS firewall

  I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
  Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
  Router is running 12.2(13)T.
  Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
  You Cisco gurus have any thoughts?
  Thanks,
  Jamey
  Config below:
  jamey#wr t
  Building configuration...
  Current configuration : 3947 bytes
  ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
  ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
  version 12.2
  service timestamps debug datetime msec
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname "jamey"
  no logging buffered
  no logging console
  username XXXX password 7 XXXXX
  clock timezone GMT 0
  aaa new-model
  aaa authentication login tac local
  aaa session-id common
  ip subnet-zero
  no ip domain lookup
  ip inspect name myfw ftp
  ip inspect name myfw realaudio
  ip inspect name myfw smtp
  ip inspect name myfw streamworks
  ip inspect name myfw vdolive
  ip inspect name myfw tftp
  ip inspect name myfw rcmd
  ip inspect name myfw tcp
  ip inspect name myfw udp
  ip inspect name firewall http java-list 3
  ip audit notify log
  ip audit po max-events 100
  crypto isakmp policy 3
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp nat keepalive 20
  crypto isakmp client configuration group XXXX
  key XXXXXXX
  dns x.x.x.x
  domain xxx.com
  pool ipsec-pool
  acl 191
  crypto ipsec security-association lifetime kilobytes 536870911
  crypto ipsec security-association lifetime seconds 86400
  crypto ipsec transform-set foxset esp-3des esp-md5-hmac
  crypto dynamic-map dynmap 10
  set transform-set foxset
  crypto map clientmap client authentication list tac
  crypto map clientmap isakmp authorization list XXXXX
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  interface Loopback10
  description just for test purposes
  ip address 172.16.45.1 255.255.255.0
  interface Ethernet0/0
  description "Internet"
  ip address x.x.x.x 255.255.255.224
  ip access-group 103 in
  ip inspect myfw out
  no ip route-cache
  no ip mroute-cache
  half-duplex
  crypto map clientmap
  interface Ethernet0/1
  description "LAN"
  ip address 192.168.45.89 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  half-duplex
  ip local pool ipsec-pool 192.168.100.1 192.168.100.254
  ip classless
  ip route 0.0.0.0 0.0.0.0 Ethernet0/0
  no logging trap
  access-list 3 permit any
  access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
  access-list 103 permit icmp any any log
  access-list 103 permit udp any eq isakmp any log
  access-list 103 permit esp any any log
  access-list 103 permit ahp any any log
  access-list 103 permit udp any any eq non500-isakmp log
  access-list 103 permit tcp any any eq 1723 log
  access-list 103 permit udp any any eq 1723 log
  access-list 103 deny tcp any any log
  access-list 103 deny udp any any log
  access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
  radius-server authorization permit missing Service-Type
  call rsvp-sync
  line con 0
  line aux 0
  line vty 0 4
  exec-timeout 0 0
  password XXXXXX
  line vty 5 15
  end
  Some debugging info:
  At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
  .Jan 22 01:27:38.284: ICMP type=8, code=0
  .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
  et0/0), g=192.168.100.2, len 60, forward
  .Jan 22 01:27:38.288: ICMP type=0, code=0
  .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len
  40, access denied
  .Jan 22 01:27:38.637: UDP src=2301, dst=2301
  .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len
  40, rcvd 2
  .Jan 22 01:27:38.641: UDP src=2301, dst=2301
  .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
  rcvd 4
  .Jan 22 01:27:38.765: ICMP type=8, code=0
  .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
  len 60, sending
  .Jan 22 01:27:38.765: ICMP type=0, code=0
  .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
  et0/1), g=192.168.45.67, len 60, forward
  .Jan 22 01:27:39.286: ICMP type=8, code=0
  .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
  et0/0), g=192.168.100.2, len 60, forward
  .Jan 22 01:27:39.290: ICMP type=0, code=0
  .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
  rcvd 4
  .Jan 22 01:27:39.767: ICMP type=8, code=0
  .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
  len 60, sending
  .Jan 22 01:27:39.767: ICMP type=0, code=0
  .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
  et0/1), g=192.168.45.67, len 60, forward
  .Jan 22 01:27:40.287: ICMP type=8, code=0
  .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
  et0/0), g=192.168.100.2, len 60, forward
  .Jan 22 01:27:40.291: ICMP type=0, code=0
  .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193
  .52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
  .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193
  .52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
  here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet")
  from a host on the internal side (LAN) (192.168.45.1)
  .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0),
  g=2.2.2.2, len 44, forward
  .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128
  SYN
  .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  here is where by VPN connection breaks
  .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check
  .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check
  .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check
  .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
  et0/0), len 112, rcvd 3, proto=50
  .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity
  check

  Ok..I found the bug ID for this:
  CSCdz46552
  the workaround says to configure an ACL on the dynamic ACL.
  I don't understand what that means.
  I found this link:
  http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
  and they talk about it, but I'm having a hard time decoding what this means:
  "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

• Problem with Cisco VPN client and HP elitebook 2530p windows 7 64-bit

  Hi there
  I have a HP Elitebook 2530p which i upgraded to windows 7 64-bit. I installed the Cisco VPN client application (ver. 5.0.07.0290 and also 64-bit) and the HP connection manager to connect to the internet through a modem Qualcomm gobi 1000 (that is inside the laptop). When I connect to the VPN, it connects (I write the username and password) but there is no traffic inside de virtual adapter for my servers. When I connect to the internet through wire or wireless internet, I connect de VPN client and there is no problem to establish communication to my servers.
  I tried everything, also change the driver and an earlier version of the HP connection manager application. I also talked to HP and they told me that there was a report with this kind of problem and it was delivered to Cisco. I don’t know where is the problem.
  Could anyone help me?
  Thanks to all.

  You can try to update Deterministic Network Enhancer to the below listed release which supports
  WWAN Drivers.
  http://www.citrix.com/lang/English/lp/lp_1680845.asp.
  DNE now supports WWAN devices in Win7.  Before downloading the latest version of DNEUpdate from the links below,  be sure you have the latest
  drivers for your network adapters by downloading them from the vendors’ websites.
  For 64-bit: ftp://files.citrix.com/dneupdate64.msi
  Hope that helps.