Transparent Tunneling and Local Lan Access via VPN Client

Remote users using Cisco VPN Client 4.2 connect successfully to a Cisco PIX 515 (version 6.3). The client is configured to allow Transparent Tunneling and Local LAN Access, but once connected to the PIX, these two options are disabled. What configuration changes are required on the PIX to enable these options? Any assistance will be greatly appreciated.
Mike Bowyer

Hi Mike,
"Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
What exactly do you mean by "disabled once the connection is made"?
You can check Local LAN Access by having a look at the route table of the VPN Client:
Right-click the yellow VPN lock icon in the system tray while the VPN connection is active and select "Statistics ...". Have a look at the second tab, "Route Details".
Are any local LAN routes displayed while you are connected?
And always remember the two important restrictions the online help of the VPN Client mentions:
1: This feature works only on one NIC card, the same NIC card as the tunnel.
2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
Carsten
PS: Removing split tunneling won't enable local LAN access, as all traffic would then be sent into the IPsec tunnel.

Similar Messages

  • Cisco ASA 5505 VPN help for local lan access.

    Hi all,
    I am very new to Cisco systems. Recently I was tasked to enable local LAN access for one of my servers. The problem is this: I have a server with 2 interfaces, one to my FTP server (192.168.2.3) and the other to the Cisco ASA (192.168.1.1). Whenever I connect the server to the Cisco AnyConnect VPN, I am unable to access the FTP server anymore.
    I googled and found out that the problem is because the metric is 1 for the Cisco AnyConnect network interface, which causes all traffic to go through the Cisco VPN interface. Another problem is that I can't change the metric of the Cisco VPN interface, as whenever I reconnect to the VPN the metric resets back to 1 again. I tried to follow some guides to configure split tunneling, but my traffic is still going through the VPN connection.
    Can anyone tell me what I am missing here? Sorry, I am very new to Cisco systems. I have spent about 5 days troubleshooting and I feel I am getting close. Can anyone guide me on what else I am supposed to do?
    What I did: Configuration >> Remote Access VPN >> Network (Client) Access >> Group Policies >> Advanced >> Split Tunneling >> uncheck Inherit and select "Exclude Network List Below" >> uncheck Network List, select Manage, and add 192.168.2.0/24 as permit.
    I would really appreciate it if anyone can tell me what else I can do to ensure my server has access to my FTP server after connecting to the VPN.
    Thanks all!
    Wen Qi

    Hi,
    Try adding the following configuration
    policy-map global_policy
    class inspection_default
      inspect pptp
    And then try again.
    I'm not 100% sure whether you would also need to allow GRE (IP protocol 47) through the firewall even after that.
    - Jouni
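The ASA-side configuration that the ASDM steps in the question above produce, written out on the CLI. This is an added example, not code from the thread or from Cisco; the group-policy name GroupPolicy_AnyConnect is a placeholder, and the 192.168.2.0/24 subnet is the one from the question.

```cisco
! Added example, not from the thread. Placeholder: group-policy name GroupPolicy_AnyConnect.
! Local LAN access on the ASA is a split-tunnel EXCLUDE policy: the listed networks stay
! off the tunnel, everything else is tunneled. The adapter metric never has to be changed.

! 1. A standard ACL (not extended) naming the networks that must bypass the tunnel
access-list Local_LAN_Access standard permit 192.168.2.0 255.255.255.0

! 2. Attach it to the group policy the AnyConnect users land in.
!    "excludespecified" = listed networks bypass the tunnel (local LAN access)
!    "tunnelspecified"  = only the listed networks enter the tunnel (classic split tunnel)
!    "tunnelall"        = everything enters the tunnel (the default, and the symptom above)
group-policy GroupPolicy_AnyConnect attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access

! 3. Check what the ASA pushes once the client reconnects
show run group-policy GroupPolicy_AnyConnect
show vpn-sessiondb anyconnect
```

The ASA side is only half of it: AnyConnect honours an exclude list only when the client profile allows local LAN access, which in the profile XML is the element `<LocalLanAccess UserControllable="true">true</LocalLanAccess>`. After a successful reconnect the excluded subnet appears under "Non-Secured Routes" in the client's Route Details tab; if it is still missing there, the profile, not the group policy, is the place to look.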

  • VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

    Hello,
    I have a problem with a VPN between an ASA5505 Easy VPN Server and an 881G router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
    The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 works as the server. The same VPN group works correctly from VPN software clients.
    When I send traffic from the 881G client side, in "show crypto session detail" I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are up.
    The VPN works correctly when I replace the ASA5505 with an ASA5510 that has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
    Can you help me, how can I debug or troubleshoot this problem?
    I am unable to update the software on the ASA5505 side.

    Hello,
    Here is what my config looks like:
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto isakmp policy 3
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    tunnel-group HW-CLIENT-GROUP type ipsec-ra
    tunnel-group HW-CLIENT-GROUP general-attributes
     address-pool HW-CLIENT-GROUP-POOL
     default-group-policy HW-CLIENT-GROUP
    tunnel-group HW-CLIENT-GROUP ipsec-attributes
     pre-shared-key *******
    group-policy HW-CLIENT-GROUP internal
    group-policy HW-CLIENT-GROUP attributes
     password-storage enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value cisco_splitTunnelAcl
     nem enable
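The ASA-side checks for the symptom described in this post (encrypts counted on the 881G, no decrypts on the ASA 5505 although both phases are up), as an added example that is not part of the thread. Commands are ASA 7.2 syntax; 203.0.113.10 is a placeholder for the public address of the NAT device in front of the 881G, and outside_dyn_map is the name from the posted config.

```cisco
! Added example, not from the thread. 203.0.113.10 = placeholder for the 881G's public
! (post-NAT) address. Object names are the ones in the config above.

! Phase 1/2 up, encrypts on the 881G but no decrypts on the ASA means the ESP packets never
! reach the ASA's crypto engine. First suspect with a client behind NAT: NAT traversal.
! It is off by default on 7.x; without it ESP (IP protocol 50) has to survive the NAT
! device on its own instead of riding inside UDP/4500.
crypto isakmp nat-traversal 20

! After the 881G reconnects, confirm the SA really is NAT-T encapsulated: the peer should
! be shown with port 4500 and "in use settings" should contain NAT-T-Encaps.
show crypto ipsec sa peer 203.0.113.10

! Per-SA counters on the ASA side. "#pkts decaps" staying at 0 while the 881G's encaps
! counter grows means the packets are lost in transit (NAT device, upstream filter) or
! arrive with an SPI the ASA no longer has (stale SA). Rebuild and watch the counters.
clear crypto ipsec sa peer 203.0.113.10
show crypto ipsec sa peer 203.0.113.10 | include pkts

! Once decrypts do appear, network-extension mode also needs the ASA to know the route
! back to the LAN behind the 881G. None of the dynamic-map entries above sets RRI, so
! replies would follow the default route instead of the tunnel. Add it to whichever
! sequence the 881G actually matches (20 shown here).
crypto dynamic-map outside_dyn_map 20 set reverse-route

! Verbose negotiation log if the counters still do not move
debug crypto isakmp 7
debug crypto ipsec 7
```

The order matters: fix encapsulation first (NAT-T), then the SA counters, then routing. The 8.4.6 ASA 5510 that works in the post's comparison has NAT-T enabled by default, which is consistent with the first check being the likely one.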

  • Server Admin not connecting to Leopard Server when accessing via VPN

    Hi everyone,
    Recently, as the title suggests, Server Admin (or Server Preferences, for that matter) would not connect to my remote server via VPN. I'm quite sure that the server is working nicely, as the users (both of them lovely young ladies with considerable charms, which makes on-site support quite interesting, if distracting) didn't call me to complain, and I can login via SSH with no problems.
    The server is a Mac Mini, connected to an Airport Extreme (gigabit N), which in turn connects to our ADSL modem, if that helps any.
    Now, I did tinker around a bit with the settings before this happened, so I think it's probably my fault (well, I started my "career" of administering this server a week ago, what do you expect), so I suppose I may have inadvertently limited access to a service required for Server Admin and Server Preferences to function.
    If anyone could tell me which services are absolutely necessary for Server Admin to function, or at least where to start looking, I'd be immensely grateful. I didn't yet go on site to try and wrestle the whole thing from there, as the travel costs are non-trivial, so I'd rather do it remotely, if at all possible.

    This is exactly the difficulty I am having with a 10.5.4 Intel Xserve. I have established a VPN connection that connects me to my business LAN, and I know it has carried out the connection because there are a number of things I can access properly that are not available on the public Internet. For instance, my LOM ports are restricted to my business LAN, and when I connect to the server via VPN I can access the LOM ports and use Server Monitor. However, when I try to use Server Admin, nothing works. It won't connect. I too am confused. All traffic to the Xserve is allowed via the business LAN. I thought all traffic was supposed to be routed to the VPN server when connected via a VPN. If this is the case, shouldn't Server Admin work? When I go on site and connect my computer directly to the business LAN, I have no difficulty using Server Admin.

  • Bridging two LAN's via VPN

    Recently I became interested in bridging two (or more) LAN's via a VPN in order to boost gaming practicalities. Although I could simply run Hamachi on all the computers, I'd rather have no special software installed on any of the gaming PC's, but simply have one linux machine running on each network with the appropriate VPN software installed to form the bridge.
    Each household's LAN setup would be pretty identical; router -> hub/switch -> PC's. That said, there may also be random singular machines also wanting to connect to the VPN, but I'd rather focus on simply bridging the two LAN's to begin with.
    I'm guessing such a setup is possible.
    What software would I need to achieve this? I've read about FreeS/WAN and OpenVPN, but am not sure what kind of configuration I'm looking for. I've seen the page in ArchWiki, but similarly, don't know if that'll give me what I'm after.
    Any help, links, suggestions would be appreciated.
    EDIT: I think I've found what I'm after. Will this achieve my goal?

    Abecedarian wrote: EDIT: I think I've found what I'm after. Will this achieve my goal?
    OpenVPN should work fine.  Other alternatives include CIPE or OpenSWAN.

  • E4200v2: Local Management Access via Wireless *ALWAYS* Enabled

    I just found a slightly unsettling bug in the E4200v2 (running the latest firmware 2.0.36 build 126507).
    Administration > Local Management Access > Access via Wireless ... set to DISABLED.  
    HOWEVER, when I attempted to access the web interface on a handy iPad I had absolutely no problem getting through to the web interface (after providing username and password).
    Limiting access to wired clients seems like a simple and prudent measure ... which is why this option is there for the paranoid among us.
    This seems like a black-and-white bug.  Comments welcome.  A fix in the next firmware revision even more welcome.

    It was mentioned in another thread that disabling wireless management does indeed disable HTTP access over port 80. However, if you're using HTTPS access, which uses port 443, that access is not blocked. So for anyone who wants to disable wireless management access, you need to enable management access via HTTP only, and then disable the wireless access. That combination will indeed work.
    I have confirmed this on my own router and can now only manage via wired connections over http.
    Strange bug/oversight!

  • Local bean access via JNDI returns a proxy object?

    Hi,
    I am using JBoss, and trying to access a local bean from another bean. One would think it simple enough, no, with the following code being adequate:
    Context initialContext = new InitialContext();
    CartHome cartHome = (CartHome) initialContext.lookup("java:comp/env/ejb/cart");
    Which returns the home interface, right? But no, in fact a $Proxy77 is returned. Can anyone tell me why this is? Or a solution please.
    Thanks in advance.
    Mike

    Thanks, it works. But do you think calling the executeQuery from a backing bean is against any ADF related coding standards? Should that call be only in Application Module? Please comment.

  • Custom class loader and local class accessing local variable

    I have written my own class loader to solve a specific problem. It
    seemed to work very well, but then I started noticing strange errors in
    the log output. Here is an example. Some of the names are in Norwegian,
    but they are not important to this discussion. JavaNotis.Oppstart is the
    name of my class loader class.
    java.lang.ClassFormatError: JavaNotis/SendMeldingDialog$1 (Illegal variable name " val$indeks")
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:502)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:431)
    at JavaNotis.Oppstart.findClass(Oppstart.java:193)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:255)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:315)
    at JavaNotis.SendMeldingDialog.init(SendMeldingDialog.java:78)
    at JavaNotis.SendMeldingDialog.<init>(SendMeldingDialog.java:54)
    at JavaNotis.Notistavle.sendMelding(Notistavle.java:542)
    at JavaNotis.Notistavle.access$900(Notistavle.java:59)
    at JavaNotis.Notistavle$27.actionPerformed(Notistavle.java:427)
    JavaNotis/SendMeldingDialog$1 is a local class in the method
    JavaNotis.SendMeldingDialog.init, and it's accessing a final local
    variable named indeks. The compiler automatically turns this into a
    variable in the inner class called val$indeks. But look at the error
    message, there is an extra space in front of the variable name.
    This error doesn't occur when I don't use my custom class loader and
    instead load the classes through the default class loader in the JVM.
    Here is my class loading code. Is there something wrong with it?
    Again some Norwegian words, but it should still be understandable I hope.
    protected Class findClass(String name) throws ClassNotFoundException {
        byte[] b = loadClassData(name);
        return defineClass(name, b, 0, b.length);
    }

    private byte[] loadClassData(String name) throws ClassNotFoundException {
        ByteArrayOutputStream ut = null;
        InputStream inn = null;
        try {
            // "arkiv" is the JarFile this loader reads from (a field of the loader)
            JarEntry klasse = arkiv.getJarEntry(name.replace('.', '/') + ".class");
            if (klasse == null) {
                throw new ClassNotFoundException("Finner ikke klassen " + name);
            }
            inn = arkiv.getInputStream(klasse);
            ut = new ByteArrayOutputStream(inn.available());
            byte[] kode = new byte[4096];
            int antall = inn.read(kode);
            while (antall > 0) {
                ut.write(kode, 0, antall);
                antall = inn.read(kode);
            }
            return ut.toByteArray();
        } catch (IOException ioe) {
            throw new RuntimeException(ioe.getMessage(), ioe);
        } finally {
            try {
                if (inn != null) {
                    inn.close();
                }
                if (ut != null) {
                    ut.close();
                }
            } catch (IOException ioe) {
                // nothing sensible to do if closing fails
            }
        }
    }
    I hope somebody can help. :-)
    Regards,
    Knut Støre

    I'm not quite sure how Java handles local classes defined within a method, but from this example it seems as if the local class isn't loaded until it is actually needed, that is when the method is called, which seems like a good thing to me.
    The parent class is already loaded as you can see. It is the loading of the inner class that fails.
    But maybe there is something I've forgotten in my loading code? I know in the "early days" you had to do a lot more to load a class, but I think all that is taken care of by the superclass of my classloader now. All I have to do is provide the raw data of the class. Isn't it so?

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello at all,
    Is it possible to tell a FlexConnect AP whether the client on a single SSID should get locally switched or centrally switched, and if centrally switched, which VLAN it should use?
    All I got so far was either central switching with dynamic VLAN assignment or local switching with a static VLAN (because it falls back to the default static VLAN configured at the AP if the RADIUS-assigned VLAN doesn't exist), but I need a FlexConnect AP that puts client A into the locally switched VLAN A and client B into the centrally switched VLAN B, both on the same SSID. Is there a RADIUS attribute to tell a FlexConnect AP how to handle this while non-FlexConnect APs ignore it?
    To be more detailed:
    At the central location all APs are running in local mode; RADIUS assigns different VLANs to the clients (different departments), let's say client A = VLAN 100, client B = VLAN 200, and this works fine. At the remote locations the APs are running in FlexConnect mode with default VLAN 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At these locations RADIUS also says client A = VLAN 100, but client A should be forwarded to local VLAN 10 (which already works because there is no VLAN 100 configured at the AP, so the default static configuration with VLAN 10 is used), while client B should stay in VLAN 200 and should be centrally switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another SSID isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
    This is what the 7.3 mobility design document says about "FlexConnect VLAN Based Central Switching", which is listed in the above slide.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode is as follows:
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode is as follows:
    •If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    •If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Help For Remote Access Via VPN

    Need Help
    What Cisco product, router specification or model can we use for a VPN connection to our remote site via an Internet connection?
    Thanks, God bless

    There are several options here, but more information is probably needed to give a good recommendation.
    1.  What type of VPN?  A site-to-site VPN that stays up, or a remote-access VPN that is more on demand?
    2.  What type of Internet access do you have at your remote site?
    3.  Are you also going to use this as a gateway to the Internet, or will this device sit to the side of or behind your gateway?
    My first inclination is that if you just need occasional remote access to your remote site for support issues, check out the ASA 5505.  Depending on where you will place it and what amount of user traffic will flow through it, you may be able to get by with just a base license and use IPsec remote-access VPN.
    If this post answers your question or is helpful, please consider rating it and/or marking it as answered.

  • ISE with CWA and wired guest access via WLC Anchor

    Can an anchor WLC (WLCa) provide a wired guest LAN service if the WLAN guest access is using CWA?
    We are deploying a WLAN-only ISE solution (it is a full-license ISE though), but they just want a few wired guest ports.  I was hoping to add an L2 switch to the DMZ where the WLCa is, and that the L2 switch wouldn't need any other config as the WLCa just bridges the wired ports to the WLAN VLAN.  This I'm sure I have done before.
    So now I have set up wired guest the same as I have done before ISE, and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesn't work.
    It comes out as:
    https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
    So does my simple L2-only switch need an ISE config on it, or should the WLCa be handling the redirection just as it would for a WLAN device?

    The ISE never receives an auth entry, so I don't believe the redirect is working for the wired client.  So even though the client's browser gets a redirect URL which fails to connect, the client info in the WLCa doesn't have a redirect ACL listed like a WLAN client would.

  • Cipher- and TLS configurations for SSTP VPN Client

    Hi!
    We use TMG to terminate our SSTP VPNs.
    TMG is configured to use TLS 1.0 and 1.2 and ECDHE SHA-256/384 based ciphers.
    If I connect to some of our published web services from my Win7/8/8.1, the web browser uses TLS 1.2 and the latest ciphers.
    If I connect to the same TMG with SSTP VPN (and capture data to get these results), the Windows VPN uses TLS 1.0 and a basic SHA handshake (naturally, since TLS 1.2 isn't kicking in).
    Can someone tell me, does SSTP VPN use Schannel, or is there some other place where I should enable TLS 1.2 to get the latest protection levels for our VPN solution as well?
    .. Or is this a TMG thing? :)
    Antti
    Antti Laatikainen IT Security Manager Santen Europe

    Hi,
    To enable TLS 1.2 in TMG, please refer to this article:
    TMG 2010 and enabling TLS 1.2
    http://gnawgnu.blogspot.com/2011/09/tmg-2010-and-enabling-tls-12.html
    In addition, Antti, I can only help you this far, since I am not a professional on TMG and TLS.
    To better help you, I suggest contacting the TMG support:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=Forefrontedgegeneral
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. 
    Thank you for your understanding.
    Kate Li
    TechNet Community Support

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, the 5505 will be able to establish the site-to-site tunnel, and he can use the IPsec VPN client and SSL VPN (it comes with 2 default SSL VPN licenses).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is the site-to-site VPN between the Site A and Site Z LANs, and the Internet traffic will be routed via Site A's Internet, assuming you have all the NAT statements configured for that.
    Last question:
    This needs to be configured; it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On Site A configure: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
    Message was edited by: Jennifer Halim
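The four steps in the answer above written out as a complete Site A configuration, as an added example that is not part of the thread. Every address is a hypothetical placeholder (Site A LAN 10.1.1.0/24, Site Z LAN 10.2.2.0/24, VPN client pool 10.9.9.0/24, Site Z peer 203.0.113.2), as are the object names; pre-8.3 NAT syntax is assumed, matching the "NAT exemption" wording of the answer. IKE policy, tunnel-groups and the dynamic map body for the remote-access clients are left out.

```cisco
! Added example, not from the thread. Placeholders:
!   Site A LAN       10.1.1.0/24     Site Z LAN    10.2.2.0/24
!   VPN client pool  10.9.9.0/24     Site Z peer   203.0.113.2
! Pre-8.3 NAT syntax (nat 0 access-list) is assumed.

! Step 2: a client session arrives on "outside" and its Site Z packets must leave on
! "outside" again (into the L2L tunnel); the ASA refuses that by default.
same-security-traffic permit intra-interface

! Step 1: the client's split-tunnel list must name BOTH LANs, otherwise the client sends
! Site Z traffic to its own default gateway and the ASA never sees it.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 3: the L2L crypto ACL carries the pool as a second source, and Site Z must mirror
! it (10.2.2.0/24 -> 10.9.9.0/24). Without the extra line Phase 2 has no proxy identity
! for pool-sourced packets and they are dropped before encryption.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list L2L_TO_Z extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_TO_Z extended permit ip 10.9.9.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_Z
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
! the dynamic entry for the VPN clients keeps the highest sequence number so the static
! L2L entry above is evaluated first
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map OUTSIDE_MAP interface outside

! Step 4: NAT exemption. nat 0 with an ACL is bidirectional, so the LAN<->pool entry also
! covers connections the client opens toward the LAN. Pool->Site Z traffic enters on
! "outside"; with nat-control disabled (the default) it matches no NAT rule and passes
! untranslated, which is what the Site Z crypto ACL expects.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Site Z side, for completeness: its exemption must list the pool as well, e.g.
!   access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.9.9.0 255.255.255.0

! Check from a connected client: Route Details must show both LANs as secured routes, and
! the L2L SA on Site A must show a second local identity for 10.9.9.0/24.
show crypto ipsec sa peer 203.0.113.2
```

The part most often forgotten is the mirror on Site Z (crypto ACL and NAT exemption both naming the pool); if only Site A is changed, Phase 2 for the pool-to-Site-Z selector fails with a proxy identity mismatch even though the LAN-to-LAN selector keeps working.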

  • VPN client unable to access Internert via split tunneling.

    I have split tunneling configured on a PIX 515. The remote VPN client connects to the PIX fine and can ping hosts on the internal LAN, but cannot access the Internet. Am I missing something? My config is as per below.
    Also, I don't see any secured routes on the VPN client via Statistics (screen shot below).
    Any advice is much appreciated.
    Rob
    PIX Version 8.0(3)
    hostname PIX-A-250
    enable password xxxxx encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    ip address x.x.x.250 255.255.255.240
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.9.1 255.255.255.0
    passwd xxxxx encrypted
    ftp mode passive
    dns domain-lookup outside
    dns server-group Ext_DNS
    name-server 194.72.6.57
    name-server 194.73.82.242
    object-group network LOCAL_LAN
    network-object 192.168.9.0 255.255.255.0
    network-object 192.168.88.0 255.255.255.0
    object-group service Internet_Services tcp
    port-object eq www
    port-object eq domain
    port-object eq https
    port-object eq ftp
    port-object eq 8080
    port-object eq telnet
    object-group network WAN_Network
    network-object 192.168.200.0 255.255.255.0
    access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log
    access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log
    access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log
    access-list ACLIN extended permit icmp any any echo-reply log
    access-list ACLIN extended permit icmp any any unreachable log
    access-list ACLIN extended permit icmp any any time-exceeded log
    access-list split_tunnel_list remark Local LAN
    access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
    access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    mtu outside 1500
    mtu inside 1500
    ip local pool testvpn 192.168.100.1-192.168.100.99
    no failover  
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ACLIN in interface outside
    access-group ACLOUT in interface inside
    route outside 0.0.0.0 0.0.0.0 195.171.252.45 1
    route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
    route inside 192.168.199.0 255.255.255.0 192.168.199.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set Set_1
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha    
    group 2     
    lifetime 43200
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha    
    group 2     
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    group-policy testvpn internal
    group-policy testvpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    username testuser password xxxxxx encrypted
    tunnel-group testvpn type remote-access
    tunnel-group testvpn general-attributes
    address-pool testvpn
    default-group-policy testvpn
    tunnel-group testvpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e
    : end
    PIX-A-250#

    Hello Jennifer,
    I can ping the 192.168.88.0/24 (host 88.3) from my PIX fine. The 88 subnet hangs off a 2950 switch. This is my diagram.
    My configs are as follows. Please note I have left out the suggested lines of config from above as they had no effect.
    Very much appreciate your time and effort with my issue.
    Many thanks,
    Rob
    PIX A
    PIX Version 8.0(3)
    hostname PIX-A-250
    enable password NBhgOL6eDYkO4RHk encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    ip address x.x.x.250 255.255.255.240
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.9.1 255.255.255.0
    passwd k85be8tPM1XyMs encrypted
    ftp mode passive
    dns domain-lookup outside
    dns server-group Ext_DNS
    name-server 194.72.6.57
    name-server 194.73.82.242
    object-group network LOCAL_LAN
    network-object 192.168.9.0 255.255.255.0
    network-object 192.168.88.0 255.255.255.0
    object-group service Internet_Services tcp
    port-object eq www
    port-object eq domain
    port-object eq https
    port-object eq ftp
    port-object eq 8080
    port-object eq telnet
    object-group network WAN_Network
    network-object 192.168.200.0 255.255.255.0
    access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log
    access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log
    access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log
    access-list ACLIN extended permit icmp any any echo-reply log
    access-list ACLIN extended permit icmp any any unreachable log
    access-list ACLIN extended permit icmp any any time-exceeded log
    access-list split_tunnel_list remark Local LAN
    access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
    access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0
    access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0
    access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    mtu outside 1500
    mtu inside 1500
    ip local pool testvpn 192.168.100.1-192.168.100.99
    no failover  
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ACLIN in interface outside
    access-group ACLOUT in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.252.45 1
    route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
    route inside 192.168.199.0 255.255.255.0 192.168.199.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set Set_1
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha    
    group 2     
    lifetime 43200
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha    
    group 2     
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    group-policy testvpn internal
    group-policy testvpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel_list
    username robbie password mbztSskhuas90P encrypted
    tunnel-group testvpn type remote-access
    tunnel-group testvpn general-attributes
    address-pool testvpn
    default-group-policy testvpn
    tunnel-group testvpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e
    : end
    3560_GW Gateway
    test_gw01#sh run
    Building configuration...
    Current configuration : 2221 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname test_gw01
    enable secret 5 $1$cOB4$UDjkhs&$FjQBe8/rc30
    no aaa new-model
    system mtu routing 1500
    ip subnet-zero
    ip routing
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface GigabitEthernet0/1
    interface GigabitEthernet0/2
    description uplink to Cisco_PIX
    switchport access vlan 9
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    interface GigabitEthernet0/5
    interface GigabitEthernet0/6
    interface GigabitEthernet0/7
    interface GigabitEthernet0/8
    interface GigabitEthernet0/9
    interface GigabitEthernet0/10
    interface GigabitEthernet0/11
    interface GigabitEthernet0/12
    interface GigabitEthernet0/13
    interface GigabitEthernet0/14
    interface GigabitEthernet0/15
    interface GigabitEthernet0/16
    interface GigabitEthernet0/17
    interface GigabitEthernet0/18
    interface GigabitEthernet0/19
    interface GigabitEthernet0/20
    interface GigabitEthernet0/21
    interface GigabitEthernet0/22
    interface GigabitEthernet0/23
    switchport access vlan 88
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet0/24
    switchport access vlan 9
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet0/25
    description trunk to 2950_SW_A port 1
    switchport trunk encapsulation dot1q
    interface GigabitEthernet0/26
    interface GigabitEthernet0/27
    description trunk to A_2950_112 port 1
    switchport trunk encapsulation dot1q
    shutdown
    interface GigabitEthernet0/28
    interface Vlan1
    no ip address
    shutdown
    interface Vlan9
      ip address 192.168.9.2 255.255.255.0
    interface Vlan88
    ip address 192.168.88.254 255.255.255.0
    interface Vlan199
    ip address 192.168.199.254 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.9.1
    ip route 192.168.88.0 255.255.255.0 192.168.9.1
    ip route 192.168.100.0 255.255.255.0 192.168.9.1
    ip route 192.168.200.0 255.255.255.0 192.168.9.1
    ip http server
    control-plane
    banner motd ^C This is a private network.^C
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login   
    end      

  • Accessing a subnet via VPN session

    Hi everybody.
    I do not have too much experience configuring and managing VPNs, and at this moment I am facing a bit of an issue. I've got a remote site which is connected to the headquarters via a VPN site-to-site IPsec tunnel. When I am in my office I have no problem reaching the remote network, but when I try to connect to the remote network via VPN client, I can't reach it.
    In the remote office I've got a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)); in the headquarters I've got an ASA 5520 Version 8.0(3). I've checked access-lists and network objects and everything seems OK.
    local network: 10.30.0.0 0.0.0.0
    remote network 10.31.0.0 0.0.0.0
    ASA
    object-group network remote-network
    network-object 172.16.27.0 255.255.255.0
    network-object 10.31.0.0 255.255.0.0
    object-group network network-local
    network-object 0.0.0.0 0.0.0.0
    access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
    Router 3800
    ip access-list extended vpn
      permit ip 10.31.0.0 0.0.255.255 any
    Can someone guide me on what is missing in the config? No problem if you need more "sho run" lines.
    Regards and thanks very much!!

    Hi Ankur, thanks very much for your reply!
    This is the "sho run" on my remote router:
    I do not understand your first question well, but if it is useful, I log in to headquarters at "headquerters public ip address".
    This is a simple diagram of where I want to connect to:
    REMOTE_SITE ----------( vpn site to site IPsec tunnel )---------- HEADQUARTERS
    (10.31.0.0/24 network)                                         (10.30.0.0/16 network)
                                                                            |
                                                                            |
                                                                       REMOTE USER
                                                                     (10.30.23.130/25)
    REMOTESITE#sho run
    Building configuration...
    Current configuration : 10834 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname PYASU1ROU01
    boot-start-marker
    boot-end-marker
    logging buffered 64000 debugging
    no logging console
    aaa new-model
    aaa authentication login default group tac-auth local
    aaa authentication enable default group tac-auth enable
    aaa authorization console
    aaa authorization exec default group tac-auth local if-authenticated
    aaa authorization network default local
    aaa accounting exec default start-stop group tac-auth
    aaa session-id common
    clock timezone PR -3
    ip cef
    voice-card 0
    no dspfarm
    crypto pki trustpoint TP-self-signed-4112391703
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4112391703
    revocation-check none
    rsakeypair TP-self-signed-4112391703
    crypto pki certificate chain TP-self-signed-4112391703
    certificate self-signed 01
      quit
    username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
    username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    crypto keyring apex
      pre-shared-key address "headquerters public ip address"
    key apex
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp profile companyname
       keyring apex
       match identity address "headquerters public ip address"
    crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    crypto map outside 10 ipsec-isakmp
    set peer "headquerters public ip address"
    set transform-set 3DES
    set isakmp-profile companyname
    match address vpn-companyname
    interface Loopback1
    description monitoreo
    ip address 10.31.21.255 255.255.255.255
    interface GigabitEthernet0/0
    description Teysa
    ip address public ip address
    ip nat outside
    no ip virtual-reassembly
    load-interval 30
    duplex auto
    speed auto
    media-type rj45
    crypto map outside
    interface GigabitEthernet0/1
    description TO CORE-SW
    ip address 192.168.255.249 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    media-type rj45
    interface FastEthernet0/0/0
    switchport access vlan 2
    duplex full
    speed 100
    interface FastEthernet0/0/1
    switchport access vlan 10
    shutdown
    duplex full
    speed 100
    interface FastEthernet0/0/2
    switchport mode trunk
    shutdown
    interface FastEthernet0/0/3
    switchport access vlan 10
    shutdown
    duplex full
    speed 100
    interface Vlan1
    no ip address
    no ip http server
    ip http authentication aaa login-authentication default
    ip http authentication aaa exec-authorization default
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map nat interface GigabitEthernet0/0 overload
    ip access-list extended nat
    deny   ip host 172.16.27.236 10.0.0.0 0.255.255.255
    deny   ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    deny   ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.31.11.0 0.0.0.255 any
    permit ip 10.31.13.0 0.0.0.255 any
    permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
    permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
    permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
    permit ip 172.16.27.224 0.0.0.31 any
    ip access-list extended vpn-apex
    permit ip 10.50.20.0 0.0.1.255 any
    permit ip 172.16.27.0 0.0.0.255 any
    permit ip 10.31.0.0 0.0.255.255 any
    permit ip 10.30.0.0 0.0.255.255 any
    route-map nat permit 10
    match ip address nat
    control-plane
    line con 0
    password 7 xxxxxxxxxx
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    password 7 xxxxxxxxxx
    scheduler allocate 20000 1000
    ntp server 10.30.5.38
    end
    REMOTESITE#
    Regards!
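Both threads above come down to whether a given flow is covered by the ACLs on each end: the ASA/PIX split-tunnel list (subnet-mask form, as in split_tunnel_list and VPN_Remote_Access_splitTunnelAcl) and the IOS crypto ACL on the remote router (wildcard-mask form, as in vpn-apex). The following is an added example, not code from either poster or from Cisco, that parses both dialects and tests a flow against them; the ACL text is constructed for the example and modelled on the lists in the posts.

```python
import ipaddress
# Constructed sample ACL text in the two dialects seen in the posts above:
# ASA/PIX standard ACLs carry a subnet mask, IOS extended ACLs a wildcard mask.
ASA_ACLS = """\
access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0
access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
"""
IOS_ACLS = """\
ip access-list extended vpn-apex
 permit ip 10.31.0.0 0.0.255.255 any
 permit ip 10.30.0.0 0.0.255.255 any
"""
def net_from_wildcard(addr, wildcard):
    """IOS form: the wildcard is the complement of the subnet mask (non-contiguous -> ValueError)."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa_standard(text):
    """Map ACL name -> permitted networks from 'access-list NAME standard permit A MASK'."""
    acls = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 6 and parts[0] == "access-list" and parts[2:4] == ["standard", "permit"]:
            net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)  # ASA: subnet mask
            acls.setdefault(parts[1], []).append(net)
    return acls

def _ios_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return net_from_wildcard(tokens[0], tokens[1]), tokens[2:]

def parse_ios_extended(text):
    """Map named extended ACL -> [(src_net, dst_net), ...] for its 'permit ip' entries."""
    acls, name = {}, None
    for parts in (line.split() for line in text.splitlines()):
        if parts[:3] == ["ip", "access-list", "extended"]:
            name = parts[3]
            acls[name] = []
        elif name and parts[:2] == ["permit", "ip"]:
            src, rest = _ios_addr(parts[2:])
            acls[name].append((src, _ios_addr(rest)[0]))
    return acls

def split_tunnel_includes(acls, name, dst):
    """True if the split-tunnel list sends traffic for dst into the tunnel."""
    return any(ipaddress.ip_address(dst) in net for net in acls[name])

def crypto_acl_matches(acls, name, src, dst):
    """True if a src->dst flow is interesting traffic under the router's crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acls[name])
```

For the second thread, check the client's flow in both directions: the client address must be a destination the router's crypto ACL matches on the return path, and the remote subnet must be in the ASA split-tunnel list.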
