VPN Client 2nd Ethernet Port

I have a laptop computer running VPN Client software. I connect to a remote network and typically use Remote Desktop Connection to access one of the machines in the network 10.62.94.xxx. I want to add an Ethernet adapter in a PC Card slot or USB port on the laptop, and plug in a device that will also be part of the 10.62.94.xxx network.
Is there a way to do this?
Thanks,
Jim

Hi Jim,
I don't think you can achieve this using the VPN client.
The VPN client creates a virtual network card that is used to encrypt the traffic, then to send it to the physical LAN card.
On the VPN client virtual card you don't have the Bridging option normally present in the physical ones.
Please rate if this helped.
Regards,
Daniel

Similar Messages

I need to tell Print services to use the 2nd ethernet port

I need to tell Print services to use the 2nd ethernet port
Thanks in advance to anyone who can shed some light. My research has led me to a dead-end so far. Running 10.3.9 on my server. XServe Dual 2.3
I want to have File services and the various other duties pushed through one ethernet port, and print services on the other. I know there is probably a config file to make one simple edit, but I can not find it, or perhaps a "defaults" type command.
Also, where is this "command-line administration guide" that I keep running across on Apple's support?
Thanks in advance.
Matt

Similar issue here too. Is it the subnet? Basically, I'm having a problem printing to an AirportExpress-served printer. Our network looks like this:
(From Outside...>>>...to Inside)
(Public IP) DSL Modem
...(10.0.0.x) Airport Express -- HP DesignJet 100 USB -- Airtunes/stereo
...(10.0.0.x) NetGear Wireless Router
...(10.0.0.x nic 0) Mac OS X Server (192.168.0.x nic1)
......(192.168.0.x) Mac OS X client
......(192.168.0.x) Mac OS X client
......(192.168.0.x) Mac OS X client
The printer driver does not appear to be able to do IP printing, it assumes a direct USB connection. We can setup the OS X Server with the printer served by the Airport Express, as it is found via Bonjour, and then we share its queue via Server Admin. The problem is that the LAN clients cannot print to this server queue. The printer gets stopped at the server.
If we turn OFF the OS X Server's firewall, printing works from both the clients and obviously from the Server. I think my question is this: what ports or services need to be turned on in order for the clients to print? There is no clear checkbox for "Bonjour Printer Sharing", and I'm curious what ports this would open, and if it would be safe. I thought it would work because we're pushing the print job up through the firewall, but apparently some response needs to come back through the firewall, and that's what's not happening.
And to tack onto this, how could we also push iTunes to the Airport Express from the Clients? Assuming the music goes over different ports than the print jobs. ?
Thanks in advance for any help.

How do you make use of the 2nd Ethernet port on the Mac Pro?

My Mac Pro's ethernet port connects it to the local network and the internet.
Under what circumstances would I make use of the 2nd port?
Are there any settings I'd have to set up in system preferences to make sure one is used for some things while the other is used for different things?
I'm asking because we might be making some changes to our network. We have a printer with a Fiery RIP and I'm pretty much the only one who prints to it. I was wondering if we could/should set up a direct, dedicated connection so that network traffic won't bog down print jobs.

The main use for that port today is to create a subnetwork for Internet Sharing. Software inside the Mac can act as a Router and provides new DHCP Addresses for the subnetwork. In general, the devices on the subnetwork would be inaccessible from anywhere else, due to Network Address Translation.
If you are concerned about heavy network traffic, consider upgrading your Switches (not Routers) to Gigabit Ethernet speeds and using Jumbo frames. (Routers are not involved in peer-to-peer transfers such as Printing when no Address Translation is involved.)
If you have an Industrial Router, you can combine the two Ethernet ports into one composite link for faster-than-Gigabit effective speeds, but it requires a special Router not generally available.

Setting up 2nd Ethernet port for NAS connection

Hi
I want to split out my internet and NAS drive access across my two Ethernet ports.
Port 1 is connected to my router and connects to the internet.
Port 2 is connected to a gigabit switch and then into two NAS drives. I have set up the second ethernet port with a manual ip and it says it is connected. But when I use Command K to connect to the ip address of the NAS, it cannot connect. Previously this worked fine when everything was going out of Ethernet port 1.
I suspect I have not set up Ethernet port 2 correctly. So far I have set it up for manual configuration and given it an ip address of 192.168.1.17 (the NAS is 192.168.1.18, Ethernet 1 is 192.168.119). Nothing else has been entered.
Any advice gratefully received. Thanks

Ping the destination address 192.168.1.19 from a terminal window and see if it responds.

Trying to connect 2nd printer through Ethernet Port of AEX b/g

Hello all, Hello (maybe) Duane,
I do have a 2nd Airport Express b/g on our home network, and have a normal laser printer running as a wireless bonjour printer through that 2nd AEX, which is set up as a remote base station. I do have the Ethernet port free on that AEX, and want to connect a Brother 4040cn network ready color laser printer through the Ethernet port of this base station and use it as a bonjour printer? wirelessly... The AEX is set up as a remote base station to the main base station using WDS... I read a lot that the ethernet port only works when this station is in WDS mode - it is, but I still can't get it to work...
I talked to a guy at the Apple Store and he told me it should work, and that I somehow have to configure the Ethernet port of the AEX as a bridge so that could work.... ? It is not a supported solution (as expected...) so I tried to find that, but I am not able to work it out.
I can see the printer using the brother software, it shows me the status of the printer correctly, but I cannot get any printouts. The printing windows shows the printer, even lets me pick it as a bonjour printer, sends it off to the printer, but nothing arrives at the printer... I can use the web based printer management utility, which directly connects to the using the IP address, and can send stuff that is printed out, but i cannot get it working.
Hope that makes sense - anyone out there able to help?
Ningaloo

Hello,
If you wanted to setup a wireless network, you could look at some Wireless Ethernet USB adapters (will work just like the AirPort):
http://www.afterthemac.com/
Understand that the "AirPort" is just Apple's fancy name for Standard WiFi Networking. It's not anything special. Just Apple's implementation.
So, any WiFi Ethernet Adapter is going to be compatible with Apple's Airport network.
If you want to use the standard USB to Ethernet adapters, then you could look to see if you can find a suitable driver that will either enable your adapter (the one you just purchased) to work, or perhaps find an adapter that has a 3rd-party driver and then purchase that one. The following website lists Mac OS drivers that will enable "Windows-Only" adapters to work:
http://www.sustworks.com/site/newsusbethernet.html
The problem there, is that most USB to Ethernet (not wireless) adapters come only with Windows drivers. So, this website provides information and support to make those devices with with Mac OS X.
Otherwise, I have not found a pre-packaged USB to Wired Ethernet device that comes with Mac drivers.
But, the first website lists lots of USB to Wireless Ethernet adapters that come with Mac Drivers.
I hope this helps.
Let us know if you have other questions.
P.S., if you'd like, go ahead and click the "Helpful" or "Solved" buttons on any of the posts / replies above if you feel they were helpful or adequately answered your question.

Airport Express Ethernet Port in Client Mode Please

Hi,
I am writing here as I can find anywhere to post feedback on Airport Express. I would really like to see the Ethernet port work in client mode. I am sure not the only one (a search on the net tells me so). If someone from apple could explain why this is not possible, I would be interested so that this subject can be put to rest.
Thanks.

Simple reason - Apple's engineers made a design decision not to support it. Speculation as to the reasons for that decision are not permitted in these forums. Apple won't tell us here either, since their employees don't post to these forums on matters of this nature.
As I suspect you are aware, the ethernet port is active when the Airport Express is configured as a remote base station in a wireless distribution system (WDS).

Does the ethernet port work when the using airport express in client mode?

I am considering using an airport express to extend my existing wireless network to a room where I can't get a cable to.
I will need to connect a at least 3 devices to the airport express.
The questions are:
- is an airport express the right answer to this problem?
- if so, does the ethernet port work (AE on client mode) as a passthru into the main network?
- can I plug a hub to it?
Thanks
RFSF

Hi Tesserax,
Really appreciate you taking time to respond.
I stopped by the Apple store this weekend and one of their sales people ( not one of their genius bar people) told me NO to all questions. I tend to believe more answers from people in this forum but just realize that I have not mentioned one possibly important point:
the main AP to which I will be connecting the airport express is not an Airport Extreme/Express AP.
Thanks,
Ricardo.

Which ports to open in PIX for outgoing Cisco VPN client connections ?

I have Cisco vpn clients behind the PIX and i want them to connect to a vpn 3005 which i behind another PIX . Can anybody tell me which ports i have to open on both the PIX firewalls ?

It depends on how you have deployed your VPN Remote Access users.
By default, if you enable IPSec-Over-TCP or IPSec-over-UDP, then port 10000 is used for both, these methods are Cisco Proprietary and can be changed.
If you use NAT-T (NAT Traversal), the Standards-based implementation, then it uses UDP-4500).
either way, the operation of the VPN depends on:
1) Whether these service have been enable on the VPN Concentrator
2) Enabling the relevant transport settings on the VPN Client connection Properties.
Regarding the PIX infront of the VPNC3005, you will need to allow these above ports inbound to your VPNC3005 Public interface.
Locally, it depends if you filter outbound connections through your PIX. If you don't, then the PIX will allow the connection for the VPN Client attempting to access the remote VPNC3005

Unable to activate ethernet port to bridge airport network to wired clients

Hi,
I have two AE setup in a WDS arrangement. The WDS is working fine. My problem is that I want to connect wired clients to the remote station; but everytime I select "Enable ethernet port" and restart the AE, the option is unchecked and the ethernet port is disabled.
Can you help?
Many thanks,
David.

... everytime I
select "Enable ethernet port" and restart the AE, the
option is unchecked and the ethernet port is
disabled.
I saw similar behavior in my setup. I seem to have gotten it working now.
Finally, I actually attached an ethernet cable and wired client to the AE Ethernet port (instead of just trying to configure it without an actual client connected, which I tried several times). After that, when I checked the box for Enable and restarted the AE, it worked.
Did you get yours working?

What TCP/UDP ports need to be open for VPN Client version 4.8?

What TCP/UDP ports need to be open for Cisco VPN Client version 4.8 to work?
Thanks,

Normally, you need the following ports and protocol :
UDP 500
UDP 4500
ESP
In case, you are using IPSec over TCP you have to open, TCP port 10000 or any other port you want to use for IPSec connections (Its configurable).
-Kanishka

Using 2nd Built-In Ethernet port for internet access?

Hello,
I have a Quad-G5 running 10.4.8. In its current configuration, all its network communications, including web access, go over the active ethernet port (Built-in 1).
Does anyone know how I could use the second built-in port for internet access only? I'd like to route local traffic over the first port, but go "out" over the second.
The machine is on a corporate network, and proxy access is slowwww. I have the ability to use a direct connect to the internet, but still need to be connected locally. Any thoughts? Many thanks . . . JD

Easy. Go to System Preferences > Network > Network Port Configurations and drag the port connected to the internet to the top, so that it has priority over the port connected to your LAN. This prevents DNS time-out when loading a website, but still allows LAN traffic over the other port because that traffic is most likely going to use ARP rather than DNS. For good measure, you can add your company's domain (such as "my_company.lan") to System Preferences > Network > Internal_Ethernet > TCP/IP > Search Domains.

Remote Access VPN Clients Cannot Access inside LAN

I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable.
: Saved
ASA Version 8.2(1)
hostname ASA5505
domain-name default.domain.invalid
enable password eelnBRz68aYSzHyz encrypted
passwd eelnBRz68aYSzHyz encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group dataDSL
ip address 76.244.75.57 255.255.255.255 pppoe
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.9.1 255.255.255.0
interface Vlan10
nameif outside_cable
security-level 0
ip address 50.84.96.178 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Netbios udp
port-object eq 139
port-object eq 445
port-object eq netbios-ns
object-group service Netbios_TCP tcp
port-object eq 445
port-object eq netbios-ssn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.100.177
network-object host 192.168.100.249
object-group service Web_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_10
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_11
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_3
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_5
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_6
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_7
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_8
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_9
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network VPN
network-object 192.168.255.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 76.244.75.61
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
access-list dmz_access_in remark Quickbooks
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
access-list dmz_access_in remark Quickbooks range
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
access-list dmz_access_in remark QB
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
access-list dmz_access_in remark Printer
access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
access-list dmz_access_in remark QB probably does not need any udp
access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark QB included in other rule range
access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark May be required for Quickbooks
access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu outside_cable 1500
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside_cable) 10 interface
nat (inside) 0 access-list nonat-in
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group outside_cable_access_in in interface outside_cable
route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 204.107.173.0 255.255.255.0 outside_cable
http 0.0.0.0 0.0.0.0 outside_cable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cable_map interface outside_cable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outside_cable
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 204.107.173.0 255.255.255.0 outside
ssh 204.107.173.0 255.255.255.0 outside_cable
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
console timeout 0
vpdn group dataDSL request dialout pppoe
vpdn group dataDSL localname [email protected]
vpdn group dataDSL ppp authentication pap
vpdn username [email protected] password *********
dhcpd address 192.168.100.30-192.168.100.99 inside
dhcpd dns 192.168.100.5 68.94.156.1 interface inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN internal
group-policy cad_supplies_RAVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
client-firewall none
client-access-rule none
username swinc password BlhBNWfh7XoeHcQC encrypted
username swinc attributes
vpn-group-policy cad_supplies_RAVPN
username meredithp password L3lRjzwb7TnwOyZ1 encrypted
username meredithp attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone1 attributes
vpn-group-policy VPNPHONE
username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone2 attributes
vpn-group-policy VPNPHONE
username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone3 attributes
vpn-group-policy VPNPHONE
username oethera password WKJxJq7L6wmktFNt encrypted
username oethera attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
username markh attributes
vpn-group-policy cad_supplies_RAVPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cad_supplies_RAVPN type remote-access
tunnel-group cad_supplies_RAVPN general-attributes
address-pool VPN_IP_range
default-group-policy cad_supplies_RAVPN
tunnel-group cad_supplies_RAVPN ipsec-attributes
pre-shared-key *
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool VPN_Phone
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
: end

Hi,
You have your "group-policy" set so that you have excluding some networks from being tunneled.
In this access-list named Local_LAN_Access you specify "0.0.0.0"
Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
- Jouni

ASA 5505 VPN client LAN access problem

Hello,
I'm not expert in ASA and routing so I ask some support the following case.
There is a Cisco VPN client (running on Windows 7) and an ASA5505.
The goals are client could use remote gateway on ASA for Skype and able to access the devices in ASA inside interface.
The Skype works well but I cannot access devices in the interface inside via VPN connection.
Can you please check my following config and give me advice to correct NAT or VPN settings?
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password wDnglsHo3Tm87.tM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 10.0.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns xx.xx.xx.xx interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 84.2.44.1
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy XXXXXX internal
group-policy XXXXXX attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list none
username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
username XXXXXX attributes
vpn-group-policy XXXXXX
username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
tunnel-group XXXXXX type ipsec-ra
tunnel-group XXXXXX general-attributes
address-pool VPNPOOL
default-group-policy XXXXXX
tunnel-group XXXXXX ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
: end
ciscoasa#
Thanks in advance!
fbela

config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
Need to add - config#same-security-traffic permit intra-interface
#access-list extended nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
#nat (inside) 0 access-list nonat
Please add and test it.
Thanks
Ajay

VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

Hi
my scenario is as follows
SERVER1 on lan (192.168.1.4)
|
|
CISCO-887 (192.168.1.254)
|
|
INTERNET
|
|
VPN Cisco client on windows 7 machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Perhaps ACL problem?
Building configuration...
Current configuration : 4921 bytes
! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TestLab
boot-start-marker
boot-end-marker
enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3013130599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3013130599
revocation-check none
rsakeypair TP-self-signed-3013130599
crypto pki certificate chain TP-self-signed-3013130599
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
CBB28E7A E91A090D 53DAD1A0 3F66A3
quit
no ip domain lookup
ip cef
no ipv6 cef
license udi pid CISCO887VA-K9 sn ***********
username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key NetasTest
dns 8.8.4.4
pool VPN-Pool
acl 120
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip address 192.168.2.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ****
ppp chap password 0 *********
ppp pap sent-username ****** password 0 *******
no cdp enable
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 remark
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 remark
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
line con 0
exec-timeout 5 30
password ******
no modem enable
line aux 0
line vty 0 4
password ******
transport input all
end
Best Regards,

I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
router#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.100
Desc: (none)
IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active
Capabilities:(none) connid:2001 lifetime:07:19:22
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
Active SAs: 4, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

Problem with VPN client on Cisco 1801

Hi,
I have configured a new router for a customer.
All works fine but i have a strange issue with the VPN client.
When i start the VPN the client don't close the connection, ask for password, start to negotiate security policy the show the not connected status.
This is the log form the VPN client:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1      14:37:59.133 04/08/13 Sev=Info/6          GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2      14:38:01.321 04/08/13 Sev=Info/4          CM/0x63100002
Begin connection process
3      14:38:01.335 04/08/13 Sev=Info/4          CM/0x63100004
Establish secure connection
4      14:38:01.335 04/08/13 Sev=Info/4          CM/0x63100024
Attempt connection with server "asgardvpn.dyndns.info"
5      14:38:02.380 04/08/13 Sev=Info/6          IKE/0x6300003B
Attempting to establish a connection with 79.52.36.120.
6      14:38:02.384 04/08/13 Sev=Info/4          IKE/0x63000001
Starting IKE Phase 1 Negotiation
7      14:38:02.388 04/08/13 Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
8      14:38:02.396 04/08/13 Sev=Info/4          IPSEC/0x63700008
IPSec driver successfully started
9      14:38:02.396 04/08/13 Sev=Info/4          IPSEC/0x63700014
Deleted all keys
10     14:38:02.460 04/08/13 Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
11     14:38:02.460 04/08/13 Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
12     14:38:02.506 04/08/13 Sev=Info/6          GUI/0x63B00012
Authentication request attributes is 6h.
13     14:38:02.460 04/08/13 Sev=Info/5          IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14     14:38:02.460 04/08/13 Sev=Info/5          IKE/0x63000001
Peer supports DPD
15     14:38:02.460 04/08/13 Sev=Info/5          IKE/0x63000001
Peer supports DWR Code and DWR Text
16     14:38:02.460 04/08/13 Sev=Info/5          IKE/0x63000001
Peer supports XAUTH
17     14:38:02.460 04/08/13 Sev=Info/5          IKE/0x63000001
Peer supports NAT-T
18     14:38:02.465 04/08/13 Sev=Info/6          IKE/0x63000001
IOS Vendor ID Contruction successful
19     14:38:02.465 04/08/13 Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
20     14:38:02.465 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
21     14:38:02.465 04/08/13 Sev=Info/4          IKE/0x63000083
IKE Port in use - Local Port = 0xCEFD, Remote Port = 0x1194
22     14:38:02.465 04/08/13 Sev=Info/5          IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
23     14:38:02.465 04/08/13 Sev=Info/4          CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
24     14:38:02.502 04/08/13 Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
25     14:38:02.502 04/08/13 Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
26     14:38:02.502 04/08/13 Sev=Info/4          CM/0x63100015
Launch xAuth application
27     14:38:07.623 04/08/13 Sev=Info/4          CM/0x63100017
xAuth application returned
28     14:38:07.623 04/08/13 Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
29     14:38:12.656 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
30     14:38:22.808 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
31     14:38:32.949 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
32     14:38:43.089 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
33     14:38:53.230 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
34     14:39:03.371 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
35     14:39:13.514 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
36     14:39:23.652 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
37     14:39:33.807 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
38     14:39:43.948 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
39     14:39:54.088 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
40     14:40:04.233 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
41     14:40:14.384 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
42     14:40:24.510 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
43     14:40:34.666 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
44     14:40:44.807 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
45     14:40:54.947 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
46     14:41:05.090 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
47     14:41:15.230 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
48     14:41:25.370 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
49     14:41:35.524 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
50     14:41:45.665 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
51     14:41:55.805 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
52     14:42:05.951 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
53     14:42:16.089 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
54     14:42:26.228 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
55     14:42:36.383 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
56     14:42:46.523 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
57     14:42:56.664 04/08/13 Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
58     14:43:02.748 04/08/13 Sev=Info/4          IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
59     14:43:02.748 04/08/13 Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
60     14:43:03.248 04/08/13 Sev=Info/4          IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
61     14:43:03.248 04/08/13 Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
62     14:43:03.248 04/08/13 Sev=Info/5          CM/0x63100025
Initializing CVPNDrv
63     14:43:03.262 04/08/13 Sev=Info/6          CM/0x63100046
Set tunnel established flag in registry to 0.
64     14:43:03.262 04/08/13 Sev=Info/4          IKE/0x63000001
IKE received signal to terminate VPN connection
65     14:43:03.265 04/08/13 Sev=Info/4          IPSEC/0x63700014
Deleted all keys
66     14:43:03.265 04/08/13 Sev=Info/4          IPSEC/0x63700014
Deleted all keys
67     14:43:03.265 04/08/13 Sev=Info/4          IPSEC/0x63700014
Deleted all keys
68     14:43:03.265 04/08/13 Sev=Info/4          IPSEC/0x6370000A
IPSec driver successfully stopped
And this is the conf from the 1801:
hostname xxx
boot-start-marker
boot-end-marker
enable secret 5 xxx
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.1.60 10.0.1.200
ip dhcp excluded-address 10.0.1.225
ip dhcp excluded-address 10.0.1.250
ip dhcp pool LAN
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.10
   dns-server 10.0.1.200 8.8.8.8
   domain-name xxx
   lease infinite
ip name-server 10.0.1.200
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall vdolive
ip inspect name Firewall udp
ip inspect name Firewall tcp
ip inspect name Firewall https
ip inspect name Firewall http
multilink bundle-name authenticated
username xxx password 0 xxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxx
key xxx
dns 10.0.1.200
wins 10.0.1.200
domain xxx
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode adsl2+
hold-queue 224 in
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
ip address 10.0.1.10 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 0 aliceadsl
crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 10.0.1.2
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source list 101 interface Dialer0 overload
access-list 101 remark *** ACL nonat ***
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxx
scheduler max-task-time 5000
end
Anyone can help me ?
Sometimes the vpn can be vreated using the iPhone or iPad vpn client...

I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP?

VPN Client 2nd Ethernet Port

Similar Messages

Maybe you are looking for