Vista and VPN Client Troubles
Hello. We are evaluating Windows Vista along with the VPN Client version 5.0.01.0600. Many of our VPN users are reporting that they are experiencing problems connecting VPN to the ASA 5520 firewall. We are experiencing the same problems with error such as "Reason 418: Unable to configure the firewall software." Also in the client's log we see:
3 08:11:49.845 08/07/07 Sev=Warning/2 IKE/0xE3000086
Invalid concentrator firewall configuration.
Is anyone else experiencing this problem and is there a workaround? Thanks in advance.
Fyi - I ended up opening up a TAC case for this (SR 606571713) and received the following information from the engineer:
"Either disable the firewall check on for that group on the VPN appliance or clear a custom DLL check looking for the Microsoft Firewall DLLS or use an alternative Firewall that is supported on Vista and by the VPN appliance.
CPP pushes will not work for any other Firewalls other then ZoneLabs, if or when ZoneLabs releases ZoneAlarm for Vista customers can install this to get CPP support.
For more reference on this BUG please go to the following link :
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi26229&Submit=Search
Note:This feature is not enabled because we are still waiting for the patch from ZoneLab for Vista vpn client."
Similar Messages
-
Vista, Cisco VPN Client 5.0.01.0600 "Failed to enable Virtual Adapter"
Four times out of five when trying to connect with the VPN client on Vista Business I get a message that the Virtual adapter cannot be enabled.
When checking the logs there are two entries that always is seen together with this failure:
123 09:21:36.026 12/27/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: unable CreateUnicastIpAddressEntry, error 0
129 09:21:55.709 12/27/07 Sev=Warning/3 CVPND/0xA340001A
Failed to find VA MAC Address
Anyone else who have seen this issue on Vista?Hi Magnus
Uninstall VPN client. Restart the PC
Donwload and run the following software, then restart the PC
http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml
Reinstall VPN client
Regards -
Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA. -
Vpn configuration problems 2621xm and vpn client
hello,
I'm trying to configure my home cisco 2621xm to accept vpn connections. I've used many cisco pdf documents and they all same almost the same so I've done my configuration using these documents.
now I just can't get past this error message I'm getting and I have no idea why this is happening.
any ideas to help me get past this step, I'm really stuck here.
also, I've tried vpn client version 5 and 4.8
cisco ios version is:
Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 05:48 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
vision-router-01 uptime is 2 hours, 53 minutes
System returned to ROM by power-on
System image file is "flash:c2600-advipservicesk9-mz.124-16.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 2621XM (MPC860P) processor (revision 1.0) with 127308K/3764K bytes of memory.
Processor board ID JAD06350FM7
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
here is my the config that's vpn related
aaa authentication login MYTAC group tacacs+ local enable
aaa authorization network GROUPAUTHOR local
username someuser password 0 somepassword
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
crypto isakmp client configuration group VTELVPN
key cisco123
dns 192.168.10.5
domain xyz.com
pool VTELVPNPOOL
crypto ipsec transform-set VTELSET1 esp-aes esp-sha-hmac
crypto dynamic-map VTELDYNAMAP 10
set transform-set VTELSET1
set identity thisrouter-01
reverse-route
crypto map VTELCLIENTMAP client authentication list MYTAC
crypto map VTELCLIENTMAP isakmp authorization list GROUPAUTOHOR
crypto map VTELCLIENTMAP client configuration address respond
crypto map VTELCLIENTMAP 10 ipsec-isakmp dynamic VTELDYNAMAP
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp chap hostname xxxxxx
ppp chap password 7 hahahahohoho
ppp pap sent-username xxxxxx password 7 hahahahohoho
crypto map VTELCLIENTMAP
ip local pool VTELVPNPOOL 192.168.6.3 192.168.6.254Hi
Can you try assigning a static ip to the dialer interface and try checking out the vpn connectivity ?
regds -
Windows 8.1 pro and vpn client issue
dear support community ,
Am using windows 8.1 pro and cisco vpn client version 5.0.0.7.0410
.my issue is that am able to connect to the VPN succesfully but when connected i cant ping nodes inside the VPN
whereas when i do the same test with a windows 7 and xp PCs , am able to ping and even remote desktop nodes.
someone help please ??funniest thing is , after using my PC for two weeks and doing regular updates , am now able to ping and RDP to nodes
inside the VPN..:-) -
Windows 8.1 pro and VPN client 5.0.07.0290-k9
We are using windows 8.1 pro in our dell brand desktop. Our users access the client machine through vpn. We are using VPN client version 5.0.07.0290-k9.
That is working fine.
Issue:
I have a Cisco router RV325. I am Configured Easy vpn in my router.Then i am using the same cisco vpn client and the same OS.
Result is not getting ping. but vpn is connected good.I'm no expert, but do you have ICMP allowed in your tunnel?
-
Mapping Drives using a PIX501 and vpn client
We have a 501 and are using cisco vpn client. We have a Windows 2000 and a windows 2003 server on the network we are connecting to. We use windows authentication when we logon the vpn. We are mapping drives on both servers onto the client. The mapped drives on the 2000 server are visable to the client. The mapped drives on the 2003 server are not even when we try to remap. We have Routing and Remote Access enabled on the 2003 server but still fail to map the drives (or ping the 2003 server). Can anyone out there shed any light on our problem. Thanks
Start with this link which gives a number of examples on how to configure a VPN client with the VPN 3000 -
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor22
Jon -
Web based VPN issue wheras anyconnect and VPN client working fine
Experts,
We have Cisco ASA 5540 and im running into issues with accessing the webbased VPN(https://X.X.x.x).there are about 8 VPN profiles configured and im unable to login using any of the profiles whereas VPN client and Cisco Any connect are working fine. on accessing web based VPN after providing the login credentials and hit enter the page is getting refreshed and it throws me back to the same login page again. This is the Production ASA and i cannot run debug.
Kindly, provide me your valuable inputs.
Thank you!Your problem is the NAT-config. First, the following line is not needed as RDP doesn't work ober UDP:
ip nat inside source static udp 192.168.10.136 3389 interface Dialer0 3389
Then, the following command causes the problems:
ip nat inside source static tcp 192.168.10.136 3389 interface Dialer0 3389
With that the router assumes that the server 192.168.10.136 should always be reached through the IP of dialer0 and does a translation.
There are a couple of ways to resolve the problem, but they all have some drawbacks ...
1) Only access the server through VPN. For that you just delete the NAT-statement above (the one with tcp) and you should be able to reach the server through the VPN.
2) Restrict the NAT to don't do a translation if a VPN-peer is accessing the server.
For that you need to attach a route-map to the NAT-statement. But that won't work with the "interface"-keyword in the NAT-Statement. But you can use this if you get a fixed IP from your provider.
3) Assign a second IP to the RDP-server. The original IP which is used in the NAT-statement is used for accessing the server without the VPN, the second IP is used for accessing the server through VPN.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
PIX version 6.3 and VPN Client
I have an old PIX, running version 6.3. Its version cannot be upgraded due to hardware limitation.
I am setting up IPSEC VPN, with split-tunnel disabled.
However, the client was not able to connect to Internet.
Below is part of the configuration.
ip local pool internetvpn1 10.30.11.1-10.30.11.7
vpngroup internetvpn1address-pool internetvpn1
vpngroup internetpub1 dns-server 123.4.5.6
vpngroup internetpub1 idle-time 86400
vpngroup internetpub1 password *********
I can login to VPN Client, but when I do nslookup, PIX will show log as below
110001: No route to 123.4.5.6 from 10.30.11.1
110001: No route to 123.4.5.6 from 10.30.11.1
Anybody have any idea?I just found out that in version 6.x, traffic cannot pass through when the security level are the same.
For VPN Client, user traffic came from outside interface.
If split-tunneling is disabled and user want to access Internet, it has to go out from outside interface as well.
As "same-security-traffic permit inter-interface" is not available in 6.x, it become impossilbe for VPN client to access Internet, when split-tunneling is disabled.
Am I correct? -
I have received the bad news of one of my users had purchased a new machine w/o consulting me! :^(
It's Vista Home Prem. 64 bit. Having been able to avoid the vista thing, I have not done any installs to this point. Does the VPN Vista client work on the 64 bit OS?
Thanks in advanceAny other alternatives?
Originally Posted by Mysterious
shesser wrote:
> I have received the bad news of one of my users had purchased a new
> machine w/o consulting me! :^(
> It's Vista Home Prem. 64 bit. Having been able to avoid the vista
> thing, I have not done any installs to this point. Does the VPN Vista
> client work on the 64 bit OS?
>
> Thanks in advance
>
>
no -
VPN client no access, two ip addresses
Hello,
Vista and VPN client v5.0 with 3000 concentrator. After logging in an ipconfig shows Ipv4/subnet mask twice, giving two different IP addresses in the same pool and subnet. The gateway is blank, thus no access to LAN or Internet.
No unusual changes since problem started happening a week ago, flushed DNS cache, any ideas out there? Much thanks!Thank you for your response.
If I did "ipconfig /all" it would show that the "Local Area Connection 2:" is Cisco Systems VPN Adapter.
Before connecting to VPN, the TCP/IPv4 properties of the VPN adapter showed 0.0.0.0 as the IP. After connecting, the same window showed the first IP address of two in the same subnet. The DNS and DHCP IPs are correct.
DHCP is configured at user's home. The log in admin page of the VPN showed it issued the first of the two IPs, no record of the second one. Correction: he gets internet but not LAN. Pings to LAN resources map to the correct IP...
Again, if all else fails, I'll try to get him to reinstall the client but if any of this info rings a bell with you, please advise. Thank you! -
VPN Client and Clientless users not authenticating with AD
Web clients are receiving login failed messages and VPN clients are getting disconnected by host messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.
CPHi,
Are you using LDAP for user authentication, is this a new setup or was this working at one point?
If using LDAP please use "debug ldap 255" and reproduce, If you are using radius what are you using?
Thanks,
Sent from Cisco Technical Support iPad App -
Hi
I have a problem with ping in VPN Client,
In this senario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A)but it could not.
The router is able to ping Z.Z.Z.0/24.
The Tunnel and VPN client are working.
1. PC-1 can connect to ASA-1 and ping Network 20.20.0.0/16 and 10.10.10.0/24 but cannot ping PC-4.
2. PC-2 can ping PC-1 and PC-3 but cannot ping PC-4.
3. If PC-3 gateway be 10.10.10.1 , It can ping Z.Z.Z.2.
4. If PC-3 gateway be 10.10.10.20 , It cannot ping Z.Z.Z.2.
5. ASA-1 can ping ASA-2 and 10.10.10.1/24 but cannot ping Z.Z.Z.2.
6. ASA-2 can ping ASA-1 and Z.Z.Z.2.
This is my config on ASA-1 and ASA-2:
hostname ASA-1
interface G0/0
nameif Outside
security-level 0
ip address x.x.x.1 255.255.255.224
NO SHUT
interface G0/3
nameif Inside
security-level 100
ip address 20.20.0.1 255.255.0.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1
object-group network DM_INLINE_NETWORK_1
network-object 10.10.10.0 255.255.255.0
network-object 20.20.0.0 255.255.0.0
network-object z.z.z.0 255.255.255.0
ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp enable Outside
tunnel-group y.y.y.1 type ipsec-l2l
tunnel-group y.y.y.1 ipsec-attributes
pre-shared-key 1234
group-policy ATA internal
group-policy ATA attributes
vpn-tunnel-protocol IPSec
username TEST password TEST privilege 0
username TEST attributes
vpn-group-policy ATA
tunnel-group ATA type remote-access
tunnel-group ATA general-attributes
address-pool ATA
default-group-policy ATA
tunnel-group ATA ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer y.y.y.200
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
hostname ASA-2
interface E0/0
nameif Outside
security-level 0
ip address y.y.y.1 255.255.255.192
NO SHUT
interface E0/3
nameif Inside
security-level 100
ip address 10.10.10.20 255.255.255.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
route Inside z.z.z.0 255.255.255.0 10.10.10.1 1
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp enable Outside
tunnel-group x.x.x.1 type ipsec-l2l
tunnel-group x.x.x.1 ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer x.x.x.1
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
RegardsHi,
My suggestion to your puzzle is to either load your ASDM real time log and observe the logs while one host tries to ping each other and take notes on the log , this should provide you with information and some clues on what the issue could be. You may also try to packet capture in ASA-2 , either way, I would start with easiest one which is realtime log on ASDM.
Could you provide the folloing:
1 - Post output of c:\ipconfig /all from PC-4 z.z.z.2/24
2 - Post output of show ip route from Router where PC-4 subnet is routed from
Regards -
Connecting Cisco VPN client v5 to asa 5505
I am having problem configuring remote vpn between ASA5505 and Cisco VPN client v5. I can successfully establish connection between ASA and Vpn client and receive IP address from ASA. VPN client statistics windows shows that packets are send and encrypted but none of the packets is Received/Decrypted.
Can not ping asa 5505
Any ideas on what I have missed?Your NAT configuration is incomplete, enter the following commands to your configuration:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
This tells the ASA that the traffic destined for the VPN Client should not be NATted and should be sent directly to the client via the VPN Tunnel!
Please rate if the post helps!
Regards,
Michael -
Seen some interesting behavior with Windows Vista and FME.
When watching the connection status of a live broadcast I get lots
of empty full buffer dumps.
#NSManager# (doLiveOnStatus:NetStream.Buffer.Full)
#NSManager# (doLiveOnStatus:NetStream.Buffer.Empty)
I have seen this happen when using the On2 Flix encoder with
2.0.479 but not typically with FME. The only different variable is
Vista and the client is running it on his laptop.Thanks for the reply. I actually got first hand use with it
on the clients machine. The problem is that FME gets cranky when
you drop packets and the client is using a wireless card to
transmit the data.
James
Maybe you are looking for
-
Blue screen of death during start-up
Hey Adobe-Community, I am having troubles with After Effects CC again. Every time I want to open After-Effects i get a BSOD. The last thing I can see is the opening-loading-thing (talking about that thing just the after effects version of it, logical
-
Is it possible to purchase songs from UK iTunes if I live in the US?
I wanted to purchase some songs listed only in the UK iTunes store...is it possible to authorize my account to do so?
-
Getting destination queue name
Hi! I was wondering if it is possible somehow to retrieve queue destination name (the queue name the message will be sent to) in a JCD? So far I have been able to retrieve only the queue name the message is coming from: String sFromQueue = input.getM
-
How 2 define alias for WD Component / Application
Hi all, There are methods in IWDDeployableObject to get WD Component / Application (WDDeploableObjectPart) by alias. But how to define alias for them? Where should definition be placed and what is the format? Could anyone share working example or poi
-
X-Fi XtremeMusic + Win7 64bit + Dolby Digital Live?
I have Windows 7 Ultimate x64 and X-Fi XtremeMusic. I was wondering if it is possible to enable Dolby Digital Li've on my setup? I have the digital I/O module and use an optical cable to connect the PC to my receiver. I found this but I don't know if