VPN CLIENT PROBLEM
Hi
I have a problem with ping in VPN Client,
In this scenario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A), but it cannot.
The router is able to ping Z.Z.Z.0/24.
The Tunnel and VPN client are working.
1. PC-1 can connect to ASA-1 and ping network 20.20.0.0/16 and 10.10.10.0/24 but cannot ping PC-4.
2. PC-2 can ping PC-1 and PC-3 but cannot ping PC-4.
3. If PC-3's gateway is 10.10.10.1, it can ping Z.Z.Z.2.
4. If PC-3's gateway is 10.10.10.20, it cannot ping Z.Z.Z.2.
5. ASA-1 can ping ASA-2 and 10.10.10.1/24 but cannot ping Z.Z.Z.2.
6. ASA-2 can ping ASA-1 and Z.Z.Z.2.
This is my config on ASA-1 and ASA-2:
hostname ASA-1
interface G0/0
nameif Outside
security-level 0
ip address x.x.x.1 255.255.255.224
NO SHUT
interface G0/3
nameif Inside
security-level 100
ip address 20.20.0.1 255.255.0.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1
object-group network DM_INLINE_NETWORK_1
network-object 10.10.10.0 255.255.255.0
network-object 20.20.0.0 255.255.0.0
network-object z.z.z.0 255.255.255.0
ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp enable Outside
tunnel-group y.y.y.1 type ipsec-l2l
tunnel-group y.y.y.1 ipsec-attributes
pre-shared-key 1234
group-policy ATA internal
group-policy ATA attributes
vpn-tunnel-protocol IPSec
username TEST password TEST privilege 0
username TEST attributes
vpn-group-policy ATA
tunnel-group ATA type remote-access
tunnel-group ATA general-attributes
address-pool ATA
default-group-policy ATA
tunnel-group ATA ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer y.y.y.200
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
hostname ASA-2
interface E0/0
nameif Outside
security-level 0
ip address y.y.y.1 255.255.255.192
NO SHUT
interface E0/3
nameif Inside
security-level 100
ip address 10.10.10.20 255.255.255.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
route Inside z.z.z.0 255.255.255.0 10.10.10.1 1
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp enable Outside
tunnel-group x.x.x.1 type ipsec-l2l
tunnel-group x.x.x.1 ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer x.x.x.1
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
Regards
Hi,
My suggestion for your puzzle is to load the ASDM real-time log and observe the logs while one host tries to ping the other, and take notes on the log; this should provide you with information and some clues on what the issue could be. You may also try a packet capture on ASA-2. Either way, I would start with the easiest one, which is the real-time log in ASDM.
Could you provide the following:
1 - Post output of c:\ipconfig /all from PC-4 z.z.z.2/24
2 - Post output of show ip route from Router where PC-4 subnet is routed from
Regards
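An added example, not part of the thread: a small Python checker that runs the symmetry tests a reviewer does by hand on the two configs above (mirror-image crypto ACLs, nat 0 exemptions, ASA-2's route to the far subnet, and the far router's return route, which the reply asks to see). It assumes 192.0.2.0/24 in place of the masked z.z.z.0/24, a constructed inside host 20.20.0.50, and a hypothetical route table for the router at 10.10.10.1, since the thread does not show it.

```python
"""Config-symmetry checker for the ASA-1 / ASA-2 pair posted above (added
example). Constructed data: the ACL and route lines are copied from the post,
with 192.0.2.0/24 standing in for the masked z.z.z.0/24; the router table is
hypothetical, because the thread does not include it."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
ROUTE_RE = re.compile(r"route\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)")

ASA1 = """
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
"""
ASA2 = """
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip 192.0.2.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Inside_nat0_Outside extended permit ip 192.0.2.0 255.255.255.0 20.20.0.0 255.255.0.0
route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
route Inside 192.0.2.0 255.255.255.0 10.10.10.1 1
"""
ASA2_INSIDE = "10.10.10.20"
# Hypothetical table for the router at 10.10.10.1, in ASA route syntax so one
# parser serves both: its connected LANs plus a default route to its ISP.
ROUTER = """
route lan 10.10.10.0 255.255.255.0 connected 0
route lan 192.0.2.0 255.255.255.0 connected 0
route wan 0.0.0.0 0.0.0.0 198.51.100.1 1
"""
# The same table with a return route for the 20.20.0.0/16 side via ASA-2.
ROUTER_WITH_RETURN = ROUTER + "route lan 20.20.0.0 255.255.0.0 10.10.10.20 1\n"

def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(text):
    """Map ACL name -> [(src_net, dst_net)]; object-group entries are skipped."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        if "object-group" in tokens:
            continue
        acls.setdefault(m.group(1), []).append((_endpoint(tokens), _endpoint(tokens)))
    return acls

def acl_permits(entries, src_ip, dst_ip):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in entries)

def parse_routes(text):
    return [(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3))
            for m in (ROUTE_RE.match(l.strip()) for l in text.splitlines()) if m]

def next_hop(routes, dst_ip):
    """Longest-prefix match; None when no route covers the destination."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(net.prefixlen, hop) for net, hop in routes if dst in net]
    return max(hits)[1] if hits else None

def check_flow(src_ip, dst_ip, router_text):
    """src is a host on ASA-1's 20.20.0.0/16 side, dst a host behind 10.10.10.1."""
    a1, a2 = parse_acls(ASA1), parse_acls(ASA2)
    return {
        "asa1_crypto": acl_permits(a1["Outside_1_Cryptomap"], src_ip, dst_ip),
        "asa1_nat0": acl_permits(a1["Inside_nat0_Outside"], src_ip, dst_ip),
        # ASA-2 must hold the mirror image: its local side is the source.
        "asa2_crypto": acl_permits(a2["Outside_1_Cryptomap"], dst_ip, src_ip),
        "asa2_nat0": acl_permits(a2["Inside_nat0_Outside"], dst_ip, src_ip),
        "asa2_forward_hop": next_hop(parse_routes(ASA2), dst_ip),
        "router_return_hop": next_hop(parse_routes(router_text), src_ip),
    }

def missing_pieces(src_ip, dst_ip, router_text):
    """Names of the checks that fail for this flow; empty means fully symmetric."""
    r = check_flow(src_ip, dst_ip, router_text)
    problems = [k for k in ("asa1_crypto", "asa1_nat0", "asa2_crypto", "asa2_nat0") if not r[k]]
    if r["asa2_forward_hop"] is None:
        problems.append("asa2_forward_hop")
    if r["router_return_hop"] != ASA2_INSIDE:   # replies would bypass the tunnel
        problems.append("router_return_via_asa2")
    return problems

if __name__ == "__main__":
    for table in (ROUTER, ROUTER_WITH_RETURN):
        print(missing_pieces("20.20.0.50", "192.0.2.2", table))
```

With the hypothetical router table every ACL and NAT check passes and only the return route is flagged; adding one route toward ASA-2's inside address clears the list.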
Similar Messages
- Mac Lion and Cisco VPN client problems
I just installed Lion 10.7 on my iMac and can no longer use the downloaded Cisco VPN client to connect to Microsoft Remote Desktop and access the PC in my company's office. When I try to launch the VPN client I get Error 51. I used to be able to enter a command in the Terminal as a workaround to use the VPN client when that happened, but that no longer works. I have tried booting into 32-bit mode; doesn't work. I tried to use the Cisco client built into Lion using settings provided by my company. When I try to connect I get the following message: "The negotiation with the VPN server failed. Verify the server address and try reconnecting."
I have searched the web looking for a solution. My company's tech department is stumped; the Apple Geniuses haven't been able to help. Does anyone have any ideas how I can use either the downloaded Cisco VPN client or the client built into Lion?
Here is the link you can use to configure the built-in VPN client in Mac Lion.
http://glazenbakje.wordpress.com/2011/07/28/how-to-create-a-cisco-vpn-connection-in-apple-mac-os-x-lion/
Make sure you configure the attributes correctly.
Secondly, the built-in VPN client code in Lion was made in collaboration with Cisco, so there will not be any compatibility issues.
Cheers,
Rohan
- Problem with VPN client on Cisco 1801
Hi,
I have configured a new router for a customer.
Everything works fine, but I have a strange issue with the VPN client.
When I start the VPN, the client doesn't close the connection; it asks for the password, starts to negotiate the security policy, then shows the "not connected" status.
This is the log from the VPN client:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 14:37:59.133 04/08/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 14:38:01.321 04/08/13 Sev=Info/4 CM/0x63100002
Begin connection process
3 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100004
Establish secure connection
4 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "asgardvpn.dyndns.info"
5 14:38:02.380 04/08/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 79.52.36.120.
6 14:38:02.384 04/08/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 14:38:02.388 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
8 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
11 14:38:02.460 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
12 14:38:02.506 04/08/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
13 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
16 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
18 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
19 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
20 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
21 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xCEFD, Remote Port = 0x1194
22 14:38:02.465 04/08/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
23 14:38:02.465 04/08/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
24 14:38:02.502 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
25 14:38:02.502 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
26 14:38:02.502 04/08/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 14:38:07.623 04/08/13 Sev=Info/4 CM/0x63100017
xAuth application returned
28 14:38:07.623 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
29 14:38:12.656 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
30 14:38:22.808 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
31 14:38:32.949 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 14:38:43.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 14:38:53.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 14:39:03.371 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 14:39:13.514 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
36 14:39:23.652 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
37 14:39:33.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
38 14:39:43.948 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
39 14:39:54.088 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 14:40:04.233 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
41 14:40:14.384 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
42 14:40:24.510 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 14:40:34.666 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 14:40:44.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
45 14:40:54.947 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
46 14:41:05.090 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 14:41:15.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 14:41:25.370 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
49 14:41:35.524 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 14:41:45.665 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 14:41:55.805 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
52 14:42:05.951 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
53 14:42:16.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 14:42:26.228 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
55 14:42:36.383 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
56 14:42:46.523 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 14:42:56.664 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
59 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
60 14:43:03.248 04/08/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
61 14:43:03.248 04/08/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
62 14:43:03.248 04/08/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
63 14:43:03.262 04/08/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
64 14:43:03.262 04/08/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
65 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
67 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
68 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
And this is the conf from the 1801:
hostname xxx
boot-start-marker
boot-end-marker
enable secret 5 xxx
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.1.60 10.0.1.200
ip dhcp excluded-address 10.0.1.225
ip dhcp excluded-address 10.0.1.250
ip dhcp pool LAN
network 10.0.1.0 255.255.255.0
default-router 10.0.1.10
dns-server 10.0.1.200 8.8.8.8
domain-name xxx
lease infinite
ip name-server 10.0.1.200
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall vdolive
ip inspect name Firewall udp
ip inspect name Firewall tcp
ip inspect name Firewall https
ip inspect name Firewall http
multilink bundle-name authenticated
username xxx password 0 xxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxx
key xxx
dns 10.0.1.200
wins 10.0.1.200
domain xxx
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode adsl2+
hold-queue 224 in
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
ip address 10.0.1.10 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 0 aliceadsl
crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 10.0.1.2
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source list 101 interface Dialer0 overload
access-list 101 remark *** ACL nonat ***
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxx
scheduler max-task-time 5000
end
Can anyone help me?
Sometimes the VPN can be created using the iPhone or iPad VPN client...
I am having a similar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP?
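An added example (not from the thread): a reference checker for the IOS config posted above. It confirms that every AAA list, pool, ACL, transform set and dynamic map the crypto map or the client-configuration group names is actually defined, and lists definitions nothing uses; when XAUTH ends in DEL_REASON_CANNOT_AUTH as in the log above, whether the authentication list the crypto map names exists is one of the first things to check. The CONFIG sample is an excerpt of the posted 1801 config.

```python
"""Dangling-reference checker for an IOS crypto-map config (added example,
not part of the thread). CONFIG is an excerpt of the 1801 config posted above."""
import re

CONFIG = """
aaa authentication login xauthlist local
aaa authorization network groupauthor local
crypto isakmp client configuration group xxx
 key xxx
 pool ippool
 acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 10.16.20.1 10.16.20.200
access-list 101 remark *** ACL nonat ***
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
"""

# (kind, regex capturing the name) for lines that define something ...
DEFINES = [
    ("authen-list", r"aaa authentication login (\S+)"),
    ("author-list", r"aaa authorization network (\S+)"),
    ("pool", r"ip local pool (\S+)"),
    ("acl", r"access-list (\S+)"),
    ("transform-set", r"crypto ipsec transform-set (\S+)"),
    ("dynamic-map", r"crypto dynamic-map (\S+)"),
]
# ... and for lines that refer to one of those things by name.
REFERS = [
    ("authen-list", r"crypto map \S+ client authentication list (\S+)"),
    ("author-list", r"crypto map \S+ isakmp authorization list (\S+)"),
    ("pool", r"pool (\S+)"),
    ("acl", r"acl (\S+)"),
    ("transform-set", r"set transform-set (\S+)"),
    ("dynamic-map", r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
]

def _collect(config, patterns):
    """Set of (kind, name) pairs matched by the given patterns, one line at a time."""
    found = set()
    for line in config.splitlines():
        line = line.strip()          # sub-mode lines are indented in IOS output
        for kind, pat in patterns:
            m = re.match(pat, line)
            if m:
                found.add((kind, m.group(1)))
    return found

def dangling_references(config=CONFIG):
    """(kind, name) pairs that are referenced but defined nowhere in the config."""
    return sorted(_collect(config, REFERS) - _collect(config, DEFINES))

def unused_definitions(config=CONFIG):
    """(kind, name) pairs that are defined but never referenced; usually harmless."""
    return sorted(_collect(config, DEFINES) - _collect(config, REFERS))

if __name__ == "__main__":
    print("dangling:", dangling_references())
    print("unused:  ", unused_definitions())
```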
- Problem with Cisco VPN client and HP EliteBook 2530p, Windows 7 64-bit
Hi there
I have an HP EliteBook 2530p which I upgraded to Windows 7 64-bit. I installed the Cisco VPN client application (ver. 5.0.07.0290, also 64-bit) and the HP Connection Manager to connect to the internet through a Qualcomm Gobi 1000 modem (which is inside the laptop). When I connect to the VPN, it connects (I enter the username and password), but there is no traffic inside the virtual adapter to my servers. When I connect to the internet through wired or wireless internet, I connect the VPN client and there is no problem establishing communication with my servers.
I tried everything, including changing the driver and an earlier version of the HP Connection Manager application. I also talked to HP and they told me that there was a report of this kind of problem and it was delivered to Cisco. I don't know where the problem is.
Could anyone help me?
Thanks to all.
You can try updating the Deterministic Network Enhancer to the release listed below, which supports WWAN drivers.
http://www.citrix.com/lang/English/lp/lp_1680845.asp.
DNE now supports WWAN devices in Win7. Before downloading the latest version of DNEUpdate from the links below, be sure you have the latest drivers for your network adapters by downloading them from the vendors' websites.
For 64-bit: ftp://files.citrix.com/dneupdate64.msi
Hope that helps.
- Problem with VPN Client and PIX 7.0(5)
Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX
following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
and I can establish a VPN using the Cisco VPN Client, but I can't reach any resource on my inside network or any network defined in the PIX.
I think it could be a missing NAT or an ACL; I have done a lot of research but I can't figure out the solution.
This is the configuration I applied:
access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit ip any any
access-list acl-vpn-sap-remoto extended permit icmp any any
ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
group-policy VPN_SAP_PED internal
group-policy VPN_SAP_PED attributes
vpn-filter value acl-vpn-sap-remoto
vpn-tunnel-protocol IPSec
username vpnuser password **** encrypted
username vpnuser attributes
vpn-group-policy VPN_SAP_PED
crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 43200
tunnel-group VPN_SAP_PED type ipsec-ra
tunnel-group VPN_SAP_PED general-attributes
address-pool pool_vpn_sap
default-group-policy VPN_SAP_PED
tunnel-group VPN_SAP_PED ipsec-attributes
pre-shared-key clavevpnsap
Thanks in advance.
Hi, thanks for your response. If I remove the ACL from the vpn-filter, I get the same problem (I can't reach any host). This is the output from the command that you asked for.
PIX-Principal(config)# show running-config nat
nat (inside) 0 access-list cryptomap-scada
nat (inside) 9 JOsorioPC 255.255.255.255
nat (inside) 9 GColinaPC 255.255.255.255
nat (inside) 9 AlfonsoPC 255.255.255.255
nat (inside) 9 AngelPC 255.255.255.255
nat (inside) 9 JerryPC 255.255.255.255
nat (inside) 9 EstebanPC 255.255.255.255
nat (inside) 9 GiancarloPC 255.255.255.255
nat (inside) 9 WilliamsPC 255.255.255.255
nat (inside) 9 PerniaPC 255.255.255.255
nat (inside) 9 ElvisDomPC 255.255.255.255
nat (inside) 8 LBermudezPC 255.255.255.255
nat (inside) 9 HelpDeskPC 255.255.255.255
nat (inside) 9 OscarOPC 255.255.255.255
nat (inside) 9 AnaPC 255.255.255.255
nat (inside) 9 RobertoPC 255.255.255.255
nat (inside) 9 MarthaPC 255.255.255.255
nat (inside) 9 NOCPc5-I 255.255.255.255
nat (inside) 9 NOCPc6-I 255.255.255.255
nat (inside) 9 CiraPC 255.255.255.255
nat (inside) 9 JaimePC 255.255.255.255
nat (inside) 9 EugemarPC 255.255.255.255
nat (inside) 9 JosePC 255.255.255.255
nat (inside) 9 RixioPC 255.255.255.255
nat (inside) 9 DaniellePC 255.255.255.255
nat (inside) 9 NorimarPC 255.255.255.255
nat (inside) 9 NNavaPC 255.255.255.255
nat (inside) 8 ManriquePC 255.255.255.255
nat (inside) 8 MarcialPC 255.255.255.255
nat (inside) 8 JAlbornozPC 255.255.255.255
nat (inside) 9 GUrdanetaPC 255.255.255.255
nat (inside) 9 RVegaPC 255.255.255.255
nat (inside) 9 LLabarcaPC 255.255.255.255
nat (inside) 9 Torondoy-I 255.255.255.255
nat (inside) 9 Escuque-I 255.255.255.255
nat (inside) 9 Turbio-I 255.255.255.255
nat (inside) 9 JoseMora 255.255.255.255
nat (inside) 8 San-Juan-I 255.255.255.255
nat (inside) 8 Router7507 255.255.255.255
nat (inside) 8 NOCPc4-I 255.255.255.255
nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255
- Problem with IKE ASA 5510 VPN client
We are experiencing a problem getting the VPN clients to connect to the ASA. The log shows this error:
"12 12:14:08.413 05/15/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.10.101.2
Our config is attached. Any thoughts?
Thanks
john
Try removing, under:
tunnel-group * general-attributes
remove
"authorization-server-group TEST2"
Test again?
HTH.
- Problem with VPN Client passthrough on ASA 5505
I am having a problem with passing through a VPN client connection on an ASA 5505. The ASA is running version 8 and terminates an anyconnect VPN. The ASA is using PAT. When the inside user connects with the VPN client, it connects but no traffic passes through the tunnel. I see the error
305006 regular translation creation failed for protocol 50 src INSIDE:y.y.y.y dst OUTSIDE:x.x.x.x
UDP 500, 4500 and ESP are allowed into the ASA. IPsec inspection has also been set up on a global policy, but the user still cannot pass traffic to the remote VPN he is connected through.
At the Main Office we have an ASA 5510 that terminates a site-to-site VPN, allows remote connections with PAT and allows passthrough with no problems. Any ideas?
I am having a similar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP?
- Problem with VPN Client and network access
We are running VPN client 4.0.1 on our laptops, and there are a number of users who are getting documents they are using on the internal network (off VPN) corrupted. The initial cause seemed to be the stateful firewall, but I have that turned off, and we are still getting it.
It only seems to be on the machines with VPN client installed, and it is only happening when the user is working on a file direct from the network drive. They are not connecting via the VPN client when the problem occurs.
Any suggestions?
William.
Did you get any joy with this? We seem to be having the same issue.
Thanks
- Problems with VPN Client 5.0 installed on Windows Vista over an ADSL connection
Hi, I have several clients that use Windows Vista and connect through their LAN over the VPN Client. The clients that have an ADSL connection in their house have disconnect problems. Do you know why? Do you know of some workaround? Thanks.
Regards.
Make sure that you have the right cable pinout and that your ISP has turned on the DSL service. Troubleshoot the DSL connection by watching the modem state of the ADSL interface as the line retrains.
To use the VPN Client, you need
- Direct network connection (cable or DSL modem and network adapter/interface card), or
- Internal or external modem
For further troubleshooting, click this link:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/release/notes/51client.html#wp1550392
- Problem accessing company resources remotely using Cisco VPN Client
I connect to my company's network remotely using the Cisco VPN client both from a PC (v 4.0.1) and from a MacBook Pro (v 4.9.00) (same configs), and use Remote Desktop to connect to my work computer, and now I'm able to use Citrix to run applications on the company server.
The problem occurs on the Mac when I'm connecting from a location that uses the same private domain IP as our company's private domain. Our company's private domain is 192.168.1.x, so when I'm using the Mac on a WiFi router that happens to be set to 192.168.1.1, the Mac can connect using VPN but the remote desktop cannot connect to my work computer. Presumably, the Mac doesn't "know" that I'm trying to go through the VPN for the connection and not connect to something locally.
This problem seems to be unique to the Mac. Every Windows machine with the same client installed has no problems no matter what WiFi I've tried. The Mac works fine on any WiFi that is not 192.168.1.x.
However, since 192.168.1.x is very common (hotels, airports, etc.), it's a major problem with the Mac.
Suggestions are greatly appreciated!
Also, now that we're moving to Citrix, our administrator has created a webpage on the intranet that we launch applications from, but the Mac cannot find that page when connected to VPN from 192.168.1.x. Same problem.
Thanks in advance.
Hi,
I presume you have split-tunneling activated.
1. Make sure 192.168.1.x is in the protected networks and, on the MacBook client, disable "Allow local LAN access".
2. Create a separate group for the Mac users and assign them a different pool (192.168.100.x) and advertise it in your company to point to the VPN Concentrator.
3. Use the NAT feature on your VPN concentrator.
If this helped, please rate.
Regards,
Daniel
- Problems Installing VPN Client on Intel iMac Core Duo
We tried installing the VPN Client software (v.4.9.00.0050) on an Intel Core Duo iMac by dragging the application into the Applications folder on the hard drive. When trying to start VPN Client, it gave a message referring to "architecture not supported" and wouldn't start up. We have installed this successfully on other Macs outside our office without problems. Does anyone have any suggestions?
For such an application to work on a platform you need to install the application using the standard installer supplied with the application.
For more information, refer to the URL given below:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a00806ecf3b.html
- Watchguard SSL VPN client on OSX 10.7 Lion TUN/TAP Kernel Problem
I upgraded to OSX 10.7 Lion and lost the use of the Watchguard VPN client.
I eventually found a solution at http://lesmond.net/2011/07/watchguard-ssl-vpn-client-on-osx-10-7-lion/
I had already uninstalled the Watchguard VPN and tried to reinstall it to see if that worked (poor advice from another forum).
I hadn't manually removed the Watchguard icon from the dock.
When you try to reinstall, the dialog tells you to run a post-upgrade script on the TUN/TAP kernel extension and then quits with a failure.
If you install OpenVPN in this scenario you get an OpenVPN app and menu item, both of which do nothing.
Click on the Watchguard dock icon and connect.
I was then asked to upgrade and ended up with the run post upgrade script dialog and quit with a fail.
I then clicked on the Watchguard dock icon again and connected.
This time it connected with no problem.
Hope this helps!
WG has new firmware that will fix the problem; once flashed, download the new VPN client (11.5.1) and you should be good to go.
I had to contact WG to get the patch, as it was not in the portal (version 11.3.4 CSP6 for my device). Hope this helps someone.
- ASA 5505 VPN client LAN access problem
Hello,
I'm not an expert in ASA and routing, so I'm asking for some support on the following case.
There is a Cisco VPN client (running on Windows 7) and an ASA5505.
The goals are that the client can use the remote gateway on the ASA for Skype and can access the devices on the ASA inside interface.
Skype works well, but I cannot access devices on the inside interface via the VPN connection.
Can you please check my following config and give me advice to correct NAT or VPN settings?
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password wDnglsHo3Tm87.tM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 10.0.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns xx.xx.xx.xx interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 84.2.44.1
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy XXXXXX internal
group-policy XXXXXX attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list none
username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
username XXXXXX attributes
vpn-group-policy XXXXXX
username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
tunnel-group XXXXXX type ipsec-ra
tunnel-group XXXXXX general-attributes
address-pool VPNPOOL
default-group-policy XXXXXX
tunnel-group XXXXXX ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
: end
ciscoasa#
Thanks in advance!
fbela
config#no nat (inside) 1 10.0.0.0 255.255.255.0 < This is not required.
Need to add - config#same-security-traffic permit intra-interface
#access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
#nat (inside) 0 access-list nonat
Please add and test it.
Thanks
Ajay -
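To make the reply's point checkable, here is an added example (not the poster's config and not a Cisco tool) that reads the NAT-relevant lines of a pre-8.3 ASA config and reports whether LAN-to-pool traffic is exempt from NAT (a `nat (inside) 0 access-list` entry covering the inside subnet to the VPN pool), whether intra-interface traffic is permitted for tunnelall clients, and whether a stray dynamic NAT rule exists for the pool subnet. The two sample configs are constructed from the posted running config, once as posted and once with the reply's changes applied. The posted config already carries the `same-security-traffic permit intra-interface` line, so that check passes in both.

```python
"""Added example: check a pre-8.3 ASA config for the settings a remote-access
VPN with a tunnelall policy needs so clients can reach the inside LAN.
Not the poster's code or Cisco's; the sample configs are constructed."""

import ipaddress
import re

# Constructed sample: the lines from the posted running config that decide
# the result (interfaces, pool, NAT); the rest of the config does not matter here.
BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 10.0.0.0 255.255.255.0
"""

# The same sample with the reply's changes applied: the inside NAT rule for the
# pool removed, and a nat 0 (NAT exemption) ACL from the LAN to the pool added.
AFTER = BEFORE.replace("nat (inside) 1 10.0.0.0 255.255.255.0\n", "") + """\
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def interface_networks(cfg):
    """Map each nameif to the IPv4 network configured on that interface.
    Interfaces without a static address (e.g. 'ip address dhcp') are skipped."""
    nets, name = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        tok = line.split()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = tok[1]
        elif line.startswith("ip address ") and name and len(tok) >= 4:
            try:
                nets[name] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}").network
            except ValueError:
                pass  # 'ip address dhcp setroute' and similar
    return nets


def pool_network(cfg):
    """Return (name, network) of the first 'ip local pool' statement, or (None, None)."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M)
    if not m:
        return None, None
    name, start, _end, mask = m.groups()
    return name, ipaddress.IPv4Interface(f"{start}/{mask}").network


def acl_permits(cfg, acl, src, dst):
    """True if a 'permit ip' entry of ACL `acl` covers src -> dst entirely."""
    pat = re.compile(rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    for s, sm, d, dm in pat.findall(cfg):
        if src.subnet_of(ipaddress.IPv4Network(f"{s}/{sm}")) and \
           dst.subnet_of(ipaddress.IPv4Network(f"{d}/{dm}")):
            return True
    return False


def check_vpn_to_inside(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    inside = interface_networks(cfg).get("inside")
    pool_name, pool = pool_network(cfg)
    if inside is None or pool is None:
        return ["inside interface address or VPN pool not found"]

    # 1. NAT exemption: with nat-control and 'nat (inside) 1', replies from the
    #    LAN to the pool are translated to the outside address unless a nat 0
    #    ACL exempts them, so the VPN client never gets the answer back.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if m is None:
        findings.append(f"no 'nat (inside) 0 access-list': {inside} -> pool {pool_name} {pool} is not exempt from NAT")
    elif not acl_permits(cfg, m.group(1), inside, pool):
        findings.append(f"nat 0 ACL {m.group(1)} does not permit {inside} -> {pool}")

    # 2. Hairpinning: tunnelall clients reach the Internet back out the outside
    #    interface, which needs intra-interface traffic permitted.
    if re.search(r"^same-security-traffic permit intra-interface", cfg, re.M) is None:
        findings.append("missing 'same-security-traffic permit intra-interface' (needed for tunnelall clients)")

    # 3. A dynamic NAT rule on inside for the pool subnet does nothing useful:
    #    the pool is not behind the inside interface.
    if re.search(rf"^nat \(inside\) [1-9]\d* {re.escape(str(pool.network_address))} {re.escape(str(pool.netmask))}", cfg, re.M):
        findings.append(f"'nat (inside) <id> {pool.network_address} {pool.netmask}' is unnecessary for a VPN pool")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vpn_to_inside(cfg) or ["OK"])
```

Run as-is it prints two findings for the posted config (no NAT exemption, stray `nat (inside) 1` rule for the pool) and none once the reply's lines are in place. The check is generic over pre-8.3 NAT syntax, so the same script can be pointed at another config by replacing the sample strings.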
Vpn configuration problems 2621xm and vpn client
hello,
I'm trying to configure my home Cisco 2621XM to accept VPN connections. I've used many Cisco PDF documents, and they all say almost the same thing, so I've done my configuration using these documents.
Now I just can't get past this error message I'm getting, and I have no idea why this is happening.
Any ideas to help me get past this step? I'm really stuck here.
Also, I've tried VPN client versions 5 and 4.8.
Cisco IOS version is:
Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 05:48 by prod_rel_team
ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
vision-router-01 uptime is 2 hours, 53 minutes
System returned to ROM by power-on
System image file is "flash:c2600-advipservicesk9-mz.124-16.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 2621XM (MPC860P) processor (revision 1.0) with 127308K/3764K bytes of memory.
Processor board ID JAD06350FM7
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Here is the VPN-related part of my config:
aaa authentication login MYTAC group tacacs+ local enable
aaa authorization network GROUPAUTHOR local
username someuser password 0 somepassword
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
crypto isakmp client configuration group VTELVPN
key cisco123
dns 192.168.10.5
domain xyz.com
pool VTELVPNPOOL
crypto ipsec transform-set VTELSET1 esp-aes esp-sha-hmac
crypto dynamic-map VTELDYNAMAP 10
set transform-set VTELSET1
set identity thisrouter-01
reverse-route
crypto map VTELCLIENTMAP client authentication list MYTAC
crypto map VTELCLIENTMAP isakmp authorization list GROUPAUTOHOR
crypto map VTELCLIENTMAP client configuration address respond
crypto map VTELCLIENTMAP 10 ipsec-isakmp dynamic VTELDYNAMAP
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp chap hostname xxxxxx
ppp chap password 7 hahahahohoho
ppp pap sent-username xxxxxx password 7 hahahahohoho
crypto map VTELCLIENTMAP
ip local pool VTELVPNPOOL 192.168.6.3 192.168.6.254
Hi
Can you try assigning a static IP to the dialer interface and then check the VPN connectivity?
regds -
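When a remote-access VPN on IOS fails at authentication or authorization, one of the first things to verify is that every name a `crypto map` line references is actually defined elsewhere in the config. The following added example (not the poster's code and not a Cisco tool) does that cross-check over a config text: it collects the names defined by `aaa authentication login`, `aaa authorization network`, `ip local pool`, `crypto ipsec transform-set`, `crypto dynamic-map` and `crypto map <name> <seq> ipsec-isakmp`, then reports every reference whose target is missing. Run over a sample constructed from the posted config, it flags that the crypto map references an authorization list `GROUPAUTOHOR` while the list defined is `GROUPAUTHOR`. Whether that explains the error message the poster sees cannot be told from the post, since the message itself is not quoted.

```python
"""Added example: find dangling name references in an IOS crypto/VPN config.
Not the poster's code or Cisco's; the sample config is constructed."""

import re

# Constructed sample: the VPN-related lines from the posted 2621XM config,
# with the indentation IOS uses for sub-mode commands.
IOS_CONFIG = """\
aaa authentication login MYTAC group tacacs+ local enable
aaa authorization network GROUPAUTHOR local
crypto isakmp client configuration group VTELVPN
 key cisco123
 pool VTELVPNPOOL
crypto ipsec transform-set VTELSET1 esp-aes esp-sha-hmac
crypto dynamic-map VTELDYNAMAP 10
 set transform-set VTELSET1
 reverse-route
crypto map VTELCLIENTMAP client authentication list MYTAC
crypto map VTELCLIENTMAP isakmp authorization list GROUPAUTOHOR
crypto map VTELCLIENTMAP client configuration address respond
crypto map VTELCLIENTMAP 10 ipsec-isakmp dynamic VTELDYNAMAP
interface Dialer1
 ip address negotiated
 dialer pool 1
 crypto map VTELCLIENTMAP
ip local pool VTELVPNPOOL 192.168.6.3 192.168.6.254
"""

# Where each kind of object is defined (regex captures the name).
DEFINITIONS = {
    "aaa-login-list":   re.compile(r"^aaa authentication login (\S+)", re.M),
    "aaa-network-list": re.compile(r"^aaa authorization network (\S+)", re.M),
    "ip-pool":          re.compile(r"^ip local pool (\S+)", re.M),
    "transform-set":    re.compile(r"^crypto ipsec transform-set (\S+)", re.M),
    "dynamic-map":      re.compile(r"^crypto dynamic-map (\S+)", re.M),
    "crypto-map":       re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp", re.M),
}

# Where each kind of object is referenced by name (regex captures the name).
REFERENCES = {
    "aaa-login-list":   re.compile(r"^crypto map \S+ client authentication list (\S+)", re.M),
    "aaa-network-list": re.compile(r"^crypto map \S+ isakmp authorization list (\S+)", re.M),
    "ip-pool":          re.compile(r"^\s+pool (\S+)", re.M),
    "transform-set":    re.compile(r"^\s+set transform-set (\S+)", re.M),
    "dynamic-map":      re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", re.M),
    "crypto-map":       re.compile(r"^\s+crypto map (\S+)\s*$", re.M),
}


def dangling_references(cfg):
    """Return (kind, name) for every reference whose target is never defined."""
    missing = []
    for kind, ref_re in REFERENCES.items():
        defined = set(DEFINITIONS[kind].findall(cfg))
        for name in ref_re.findall(cfg):
            if name not in defined:
                missing.append((kind, name))
    return missing


if __name__ == "__main__":
    for kind, name in dangling_references(IOS_CONFIG) or [("none", "-")]:
        print(f"{kind}: '{name}' is referenced but never defined")
```

The table-driven layout means adding another object type (for example `crypto isakmp profile` or a `client configuration group` name) is one line in each dictionary. Correcting the sample so both names agree makes the function return an empty list.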
WRV200 - Problems with VPN Client and Internal network access
I have a WRV200 router and want to access the internal (private) network connected on the inside. I have successfully connected to the router with the Linksys VPN Client, but it does not appear to allow access to the internal network.
How do I enable NAT Traversal or Passthrough? I have already selected all of the PPTP, L2TP and IPSEC Pass Through options.
Has anyone gotten this to work?
I have actually gotten this to work. Issues surrounding this include the ability to get to the VPN if the main DNS is down (it does not fail over to the next DNS in the list).
If you unselect all of the boxes in the firewall General configuration, you can connect, but if you need to have all of this unchecked, what's the sense of having it?
Anyway, you can use the DoS Prevention, this is not interfering.
HTH.