VPN Clients cannot access remote site

Hey there,
I am pretty new in configuring Cisco devices and now I need some help.
I have 2 sites here:
site A
Cisco 891
external IP: 195.xxx.yyy.zzz
VPN Gateway for Remote users
local IP: VLAN10 10.133.10.0 /23
site B
Cisco 891
external IP: 62.xxx.yyy.zzz
local IP VLAN10 10.133.34.0 /23
Those two sites are linked together with a Site-to-Site VPN. Accessing files or resources from one site to the other is working fine while connected to the local LAN.
I configured VPN connection with Radius auth. VPN clients can connect to Site A, get an IP address from VPN Pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access resources on site B. I already added the site B network to the ACL and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN Tunnels to ERP system.
What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
Here is the config of site A
Building configuration...
Current configuration : 24257 bytes
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Englerstrasse
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
aaa new-model
aaa group server radius Radius-AD
server 10.133.10.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone Berlin 1 0
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki trustpoint TP-self-signed-27361994
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-27361994
revocation-check none
rsakeypair TP-self-signed-27361994
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-27361994
certificate self-signed 01
      quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM smtp
ip cef
no ipv6 cef
appfw policy-name CCP_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
parameter-map type inspect global
log dropped-packets enable
multilink bundle-name authenticated
redundancy
ip tcp synwait-time 10
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any CCP-Management-1
match dscp cs2
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
policy-map sdm-qos-test-123
class class-default
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
policy-map CCP-QoS-Policy-1
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
class CCP-Voice-1
  priority percent 33
class CCP-Signaling-1
  bandwidth percent 5
class CCP-Routing-1
  bandwidth percent 5
class CCP-Management-1
  bandwidth percent 5
class CCP-Transactional-1
  bandwidth percent 5
class class-default
  fair-queue
  random-detect
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key REMOVED address 62.20.xxx.yyy 
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 83.140.xxx.yyy  
crypto isakmp client configuration group VPN_local
key REMOVED
dns 10.133.10.5 10.133.10.7
wins 10.133.10.7
domain domain.de
pool SDM_POOL_2
acl 115
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_local
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA11
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to62.20.xxx.xxx
set peer 62.20.xxx.xxx
set transform-set ESP-3DES-SHA
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to195.243.xxx.xxx
set peer 195.243.xxx.xxx
set transform-set ESP-3DES-SHA4
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to83.140.xxx.xxx
set peer 83.140.xxx.xxx
set transform-set ESP-DES-SHA1
match address 118
interface Loopback2
ip address 192.168.10.1 255.255.254.0
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
spanning-tree portfast
interface FastEthernet4
description Internal LAN
switchport access vlan 10
switchport trunk native vlan 10
no ip address
spanning-tree portfast
interface FastEthernet5
no ip address
spanning-tree portfast
interface FastEthernet6
no ip address
spanning-tree portfast
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
description $FW_OUTSIDE$$ETH-WAN$
ip address 62.153.xxx.xxx 255.255.255.248
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CCP_MEDIUM out
no ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output CCP-QoS-Policy-1
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet8
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
no ip address
interface Vlan10
description $FW_INSIDE$
ip address 10.133.10.1 255.255.254.0
ip access-group 112 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
ip local pool VPN_Pool 192.168.20.2 192.168.20.100
ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip forward-protocol nd
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
ip access-list extended VPN1
remark VPN_Haberstrasse
remark CCP_ACL Category=4
permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
ip radius source-interface Vlan10
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 195.243.xxx.xxx
access-list 23 permit 10.133.10.0 0.0.1.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.133.10.0 0.0.1.255 any
access-list 101 remark CCP_ACL Category=16
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 deny   ip 10.10.10.0 0.0.0.7 any
access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp any host 62.153.xxx.xxx
access-list 103 permit ahp any host 62.153.xxx.xxx
access-list 103 permit udp host 194.25.0.60 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 103 deny   ip 10.10.10.0 0.0.0.7 any
access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 remark CCP_ACL Category=4
access-list 104 permit ip 10.133.10.0 0.0.1.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 permit ip 10.10.10.0 0.0.0.7 any
access-list 106 permit ip 10.133.10.0 0.0.1.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
access-list 108 deny   tcp any host 10.133.10.1 eq telnet
access-list 108 deny   tcp any host 10.133.10.1 eq 22
access-list 108 deny   tcp any host 10.133.10.1 eq www
access-list 108 deny   tcp any host 10.133.10.1 eq 443
access-list 108 deny   tcp any host 10.133.10.1 eq cmd
access-list 108 deny   udp any host 10.133.10.1 eq snmp
access-list 108 permit ip any any
access-list 109 remark CCP_ACL Category=1
access-list 109 permit ip 10.133.10.0 0.0.1.255 any
access-list 109 permit ip 10.10.10.0 0.0.0.7 any
access-list 109 permit ip 192.168.10.0 0.0.1.255 any
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip host 195.243.xxx.xxx any
access-list 110 permit ip host 84.44.xxx.xxx any
access-list 110 permit ip 10.133.10.0 0.0.1.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.7 any
access-list 110 permit ip 192.168.10.0 0.0.1.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.133.10.0 0.0.1.255 any
access-list 112 remark CCP_ACL Category=1
access-list 112 permit udp host 10.133.10.5 eq 1812 any
access-list 112 permit udp host 10.133.10.5 eq 1813 any
access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
access-list 112 permit udp any host 10.133.10.1 eq isakmp
access-list 112 permit esp any host 10.133.10.1
access-list 112 permit ahp any host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
access-list 112 remark auto generated by CCP firewall configuration
access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
access-list 112 permit udp host 10.133.10.7 eq domain any
access-list 112 permit udp host 10.133.10.5 eq domain any
access-list 112 deny   ip 62.153.xxx.xxx 0.0.0.7 any
access-list 112 deny   ip 10.10.10.0 0.0.0.7 any
access-list 112 deny   ip host 255.255.255.255 any
access-list 112 deny   ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
access-list 113 remark CCP_ACL Category=1
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark auto generated by CCP firewall configuration
access-list 113 permit udp host 194.25.0.60 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp any host 62.153.xxx.xxx
access-list 113 permit ahp any host 62.153.xxx.xxx
access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 remark Pop3
access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
access-list 113 remark Pop3
access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
access-list 113 remark SMTP
access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
access-list 113 remark IMAP
access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
access-list 113 deny   ip 10.133.10.0 0.0.1.255 any
access-list 113 deny   ip 10.10.10.0 0.0.0.7 any
access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 deny   ip host 255.255.255.255 any
access-list 113 deny   ip host 0.0.0.0 any
access-list 113 deny   ip any any log
access-list 114 remark auto generated by CCP firewall configuration
access-list 114 remark CCP_ACL Category=1
access-list 114 deny   ip 10.133.10.0 0.0.1.255 any
access-list 114 deny   ip 10.10.10.0 0.0.0.7 any
access-list 114 permit icmp any any echo-reply
access-list 114 permit icmp any any time-exceeded
access-list 114 permit icmp any any unreachable
access-list 114 deny   ip 10.0.0.0 0.255.255.255 any
access-list 114 deny   ip 172.16.0.0 0.15.255.255 any
access-list 114 deny   ip 192.168.0.0 0.0.255.255 any
access-list 114 deny   ip 127.0.0.0 0.255.255.255 any
access-list 114 deny   ip host 255.255.255.255 any
access-list 114 deny   ip host 0.0.0.0 any
access-list 114 deny   ip any any log
access-list 115 remark VPN_Sub
access-list 115 remark CCP_ACL Category=5
access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.20.0 0.0.0.255 any
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 117 remark CCP_ACL Category=4
access-list 117 remark IPSec Rule
access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark CCP_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
mgcp profile default
line con 0
transport output telnet
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
session-timeout 45
access-class 110 in
transport input telnet ssh
line vty 5 15
access-class 109 in
transport input telnet ssh
scheduler interval 500
end

The crypto ACL for the site to site vpn should also include the vpn client pool, otherwise, traffic from the vpn client does not match the interesting traffic for the site to site vpn.
On Site A:
should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
You should also remove the following line as the pool is incorrect:
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
On Site B:
should include: "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
NAT exemption on site B should also be configured with deny on the above ACL.
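
The reply above can be checked offline. The following is an added example, not part of the original thread and not Cisco tooling: a small Python evaluator that applies IOS wildcard-mask, first-match logic to ACL 107 from the posted config, before and after the proposed change, and derives the mirrored entries site B needs. The host addresses used for the checks are constructed samples.

```python
"""Evaluate IOS extended ACL entries the way a crypto map selects interesting traffic."""
import ipaddress
import re

# ACL 107 (crypto ACL for the tunnel to site B), copied from the site A config above.
ACL_107_BEFORE = """\
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
"""

# The same ACL after the change proposed in the reply:
# client pool entry added, 192.168.10.0 entry removed.
ACL_107_AFTER = """\
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255
"""

ENTRY = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Pop one address spec (any | host A | A WILDCARD) and return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))


def parse_acl(text, number):
    """Return the ordered (action, src, dst) entries of one numbered ACL; remarks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(1) == str(number):
            tokens = m.group(3).split()
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            entries.append((m.group(2), src, dst))
    return entries


def _hits(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0


def first_match(entries, src, dst):
    """First-match evaluation, ending in the implicit deny every ACL carries."""
    s, d = _ip(src), _ip(dst)
    for action, src_spec, dst_spec in entries:
        if _hits(s, src_spec) and _hits(d, dst_spec):
            return action
    return "deny"


def _fmt(spec):
    base, wildcard = spec
    if wildcard == 0xFFFFFFFF:
        return "any"
    if wildcard == 0:
        return f"host {ipaddress.IPv4Address(base)}"
    return f"{ipaddress.IPv4Address(base)} {ipaddress.IPv4Address(wildcard)}"


def peer_requirements(entries):
    """Mirror each permit for the remote peer: crypto ACL permits and NAT-exemption denies."""
    crypto, no_nat = [], []
    for action, src_spec, dst_spec in entries:
        if action == "permit":
            flow = f"ip {_fmt(dst_spec)} {_fmt(src_spec)}"
            crypto.append(f"permit {flow}")
            no_nat.append(f"deny {flow}")
    return crypto, no_nat


if __name__ == "__main__":
    client, server_b = "172.16.100.2", "10.133.34.10"  # constructed sample hosts
    for label, text in (("before", ACL_107_BEFORE), ("after", ACL_107_AFTER)):
        print(label, first_match(parse_acl(text, 107), client, server_b))
    crypto, no_nat = peer_requirements(parse_acl(ACL_107_AFTER, 107))
    print("\n".join(crypto + no_nat))
```

A "deny" from `first_match` on a crypto ACL means the packet is not selected for the tunnel, which is why the client pool reaches site A but not site B with the original ACL 107.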

Similar Messages

  • VPN Client cannot access Internet

    I am currently using PIX 501 and VPN 3000. Everything is running fine except that VPN Client cannot access internet after they logged in via Cisco System VPN Client. I can't find any solution to this problem and am really lost. This is a very important task assigned to me.
    Hope someone can help me asap.
    Thanks You

    You need to enable split tunneling. This link is for VPN client to router. The same equivalent config may apply to a PIX as well.
    http://www.cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bf8.pdf

  • VPN clients cannot access inside LAN

    I have a vpn setup.  I can vpn in from either the outside (internet) or from inside my network.  Once I do that I can no longer ping or remote into the server I have setup on the 192.168.1.0/24 subnet.  I can ping from the 192.168.1.0 subnet to any other subnet but I cannot ping from the vpn subnet to any other subnet.  I know that I have some permits on Outside-IN and Inside-IN, this is only to make it easier to troubleshoot.  Thank you in advance.
    The VPN subnet is 192.168.2.0
    The Server subnet is 192.168.1.0
    the Internal client subnet is 10.0.0.0 /24
    Here is the config and the packet-tracer output
    RUNNING-CONFIG
    =====================
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network Axon
    network-object host 192.168.1.6
    object-group network VPN-Clients
    network-object 192.168.2.0 255.255.255.0
    object-group service HTTP-HTTPS tcp
    port-object eq www
    port-object eq https
    object-group service RDP tcp
    port-object eq 3389
    access-list Outside-IN extended permit ip any any
    access-list Inside-IN extended permit ip any any
    access-list Axon-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNPool 192.168.2.2-192.168.2.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
    access-group Inside-IN in interface inside
    access-group Outside-IN in interface outside
    route outside 192.168.2.0 255.255.255.0 192.168.1.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    group-policy VPNPolicy internal
    group-policy VPNPolicy attributes
    vpn-tunnel-protocol svc webvpn
    address-pools value VPNPool
    webvpn
      url-list none
      svc ask enable
    username test2 password sLyNkwX4lP/BSsCW encrypted privilege 0
    username test2 attributes
    vpn-group-policy VPNPolicy
    username fwaarmac password 5rABwjFzDBYcp0nJ encrypted privilege 15
    username fwaarmac attributes
    vpn-group-policy VPNPolicy
    username test1 password sLyNkwX4lP/BSsCW encrypted privilege 0
    username test1 attributes
    vpn-group-policy VPNPolicy
    username dan password vFpifCksRBgKm.0Q encrypted privilege 15
    username dan attributes
    vpn-group-policy VPNPolicy
    tunnel-group DefaultWEBVPNGroup general-attributes
    default-group-policy VPNPolicy
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool VPNPool
    default-group-policy VPNPolicy
    tunnel-group VPN webvpn-attributes
    group-alias vpn enable
    group-url https://10.0.0.10/vpn enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b8d7144e7d51265fa9a5f38e29f40269
    : end
    NAT / PACKET-TRACER
    ========================
    packet-tracer input outside tcp 192.168.2.1 3389 192.168.1.6 3389 detailed
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group Outside-IN in interface outside
    access-list Outside-IN extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc95ea0e0, priority=12, domain=permit, deny=false
            hits=5247, user_data=0xc793c350, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 3
    Type: IP-OPTIONS
    Subtype:     
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc95e6d48, priority=0, domain=inspect-ip-options, deny=true
            hits=10050, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 4
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc959fab8, priority=0, domain=host-limit, deny=false
            hits=5248, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 1 0.0.0.0 0.0.0.0
      match ip inside any outside any
        dynamic translation to pool 1 (10.0.0.10 [Interface PAT])
        translate_hits = 88, untranslate_hits = 7
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xc962a5f8, priority=1, domain=nat-reverse, deny=false
            hits=415, user_data=0xc962a388, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    You would need to configure NAT exemption for the VPN client to access the internal host:
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    nat (inside) 0 access-list nonat
    route inside 10.0.0.0 255.255.255.0 192.168.1.x
    access-list splitacl permit 192.168.1.0 255.255.255.0
    access-list splitacl permit 10.0.0.0 255.255.255.0
    group-policy VPNPolicy attributes
       split-tunnel-policy tunnelspecified
       split-tunnel-network-list value splitacl
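
An added example, not part of the original reply: a Python check that reads pre-8.3 ASA configuration text and reports, for each `ip local pool`, which real-side networks the ACL bound with `nat (inside) 0` exempts from NAT toward the whole pool. The pool name `VPNPOOL` and its range are constructed (the packet-tracer above uses source 192.168.2.1); the `nonat` lines are the ones from the reply, and object-groups are assumed out of scope.

```python
import ipaddress
import re

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse(config):
    """Return (pools, acls, nat0) parsed from pre-8.3 ASA configuration text."""
    pools, acls, nat0 = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)  # interface -> exemption ACL name
            continue
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or "inactive" in tokens:
            continue
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            continue  # remarks, deny lines, standard ACLs, per-port rules
        try:
            src, rest = _take_addr(rest[2:])
            dst, _ = _take_addr(rest)
        except (ValueError, IndexError):
            continue  # object-groups and names are not resolved here
        acls.setdefault(name, []).append((src, dst))
    return pools, acls, nat0


def audit(config, interface="inside"):
    """Map each VPN pool to the networks exempt from NAT toward the whole pool.

    An empty list means replies from that interface to pool addresses still
    match the dynamic NAT rule, which is the rpf-check DROP in the trace above.
    """
    pools, acls, nat0 = parse(config)
    bound = acls.get(nat0.get(interface), [])  # only the ACL actually bound
    return {
        name: [str(src) for src, dst in bound if first in dst and last in dst]
        for name, (first, last) in pools.items()
    }


# Constructed sample: pool name and range are assumptions for illustration.
BEFORE = """\
ip local pool VPNPOOL 192.168.2.1-192.168.2.10 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same config with the exemption lines from the reply added.
AFTER = BEFORE + """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for pool, sources in audit(cfg).items():
            status = ", ".join(sources) if sources else "NO NAT EXEMPTION"
            print(f"{label}: {pool}: {status}")
```

An ACL that is defined but never referenced by a `nat (interface) 0 access-list` line counts as no exemption, as does an entry whose destination covers only part of the pool range.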

  • Remote Access VPN Clients Cannot Access inside LAN

    I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with.  I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  They can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
    : Saved
    ASA Version 8.2(1)
    hostname ASA5505
    domain-name default.domain.invalid
    enable password eelnBRz68aYSzHyz encrypted
    passwd eelnBRz68aYSzHyz encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group dataDSL
    ip address 76.244.75.57 255.255.255.255 pppoe
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.9.1 255.255.255.0
    interface Vlan10
    nameif outside_cable
    security-level 0
    ip address 50.84.96.178 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 10
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group service Netbios udp
    port-object eq 139
    port-object eq 445
    port-object eq netbios-ns
    object-group service Netbios_TCP tcp
    port-object eq 445
    port-object eq netbios-ssn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.100.177
    network-object host 192.168.100.249
    object-group service Web_Services tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_10
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_11
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_3
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_4
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_5
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_6
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_7
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_8
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_9
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network VPN
    network-object 192.168.255.0 255.255.255.0
    access-list outside_access_in extended permit icmp any host 76.244.75.61
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
    access-list dmz_access_in remark Quickbooks
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
    access-list dmz_access_in remark Quickbooks range
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
    access-list dmz_access_in remark QB
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
    access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
    access-list dmz_access_in remark Printer
    access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
    access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
    access-list dmz_access_in remark QB probably does not need any udp
    access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark QB included in other rule range
    access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark May be required for Quickbooks
    access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500 
    mtu outside_cable 1500
    ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
    ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    global (outside_cable) 10 interface
    nat (inside) 0 access-list nonat-in
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
    static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    access-group outside_cable_access_in in interface outside_cable
    route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    http 204.107.173.0 255.255.255.0 outside
    http 204.107.173.0 255.255.255.0 outside_cable
    http 0.0.0.0 0.0.0.0 outside_cable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_cable_map interface outside_cable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outside_cable
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh 204.107.173.0 255.255.255.0 outside
    ssh 204.107.173.0 255.255.255.0 outside_cable
    ssh 0.0.0.0 0.0.0.0 outside_cable
    ssh timeout 15
    console timeout 0
    vpdn group dataDSL request dialout pppoe
    vpdn group dataDSL localname [email protected]
    vpdn group dataDSL ppp authentication pap
    vpdn username [email protected] password *********
    dhcpd address 192.168.100.30-192.168.100.99 inside
    dhcpd dns 192.168.100.5 68.94.156.1 interface inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy cad_supplies_RAVPN internal
    group-policy cad_supplies_RAVPN attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access
    client-firewall none
    client-access-rule none
    username swinc password BlhBNWfh7XoeHcQC encrypted
    username swinc attributes
    vpn-group-policy cad_supplies_RAVPN
    username meredithp password L3lRjzwb7TnwOyZ1 encrypted
    username meredithp attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone1 attributes
    vpn-group-policy VPNPHONE
    username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone2 attributes
    vpn-group-policy VPNPHONE
    username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone3 attributes
    vpn-group-policy VPNPHONE
    username oethera password WKJxJq7L6wmktFNt encrypted
    username oethera attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
    username markh attributes
    vpn-group-policy cad_supplies_RAVPN
    tunnel-group DefaultRAGroup general-attributes
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cad_supplies_RAVPN type remote-access
    tunnel-group cad_supplies_RAVPN general-attributes
    address-pool VPN_IP_range
    default-group-policy cad_supplies_RAVPN
    tunnel-group cad_supplies_RAVPN ipsec-attributes
    pre-shared-key *
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool VPN_Phone
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1500
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
    : end

    Hi,
    You have your "group-policy" set so that you are excluding some networks from being tunneled.
    In this access-list named Local_LAN_Access you specify "0.0.0.0".
    Doesn't this mean you are excluding all networks from being tunneled? In other words, no traffic goes to your tunnel.
    This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
    - Jouni

  • VPN Client Cannot Access Anything at Main Site

    I am sure this problem has been solved a million times over but I can't get this to work.  Can someone take a look at this config quick and tell me what is wrong?
    The Cisco VPN client connects no problem but I can't access anything.
    ASA Version 8.4(4)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 15
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.43.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address a.a.a.a 255.255.255.248
    interface Vlan15
    no forward interface Vlan1
    nameif IPOffice
    security-level 100
    ip address 192.168.42.254 255.255.255.0
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    object network obj-192.168.43.0
    subnet 192.168.43.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.11.12.0_24
    subnet 10.11.12.0 255.255.255.0
    object network NETWORK_OBJ_192.168.43.160_28
    subnet 192.168.43.160 255.255.255.240
    object network IPOffice
    subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit icmp any 192.168.42.0 255.255.255.0
    access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
    access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu IPOffice 1500
    ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
    nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network IPOffice
    nat (IPOffice,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.43.0 255.255.255.0 inside
    http 192.168.42.0 255.255.255.0 IPOffice
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set encrypt-method-1 esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dynmap 30 set pfs group1
    crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map rpVPN 65535 ipsec-isakmp dynamic dynmap
    crypto map rpVPN interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 2
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.43.5-192.168.43.36 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy RPVPN internal
    group-policy RPVPN attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ikev1
    username admin password gP3lHsTOEfvj7Z3g encrypted privilege 15
    username mark password blPoPZBKFYhjYewF encrypted privilege 0
    tunnel-group RPVPN type remote-access
    tunnel-group RPVPN general-attributes
    address-pool newvpnpool
    default-group-policy RPVPN
    tunnel-group RPVPN ipsec-attributes
    ikev1 pre-shared-key *****
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
    : end

    Yup, you are totally correct, spot on!!
    Asymmetric routing is not supported on the firewall, as traffic in and out must be through the same interfaces; otherwise, it thinks it is an attack and drops the packet.
    Default gateway on the devices in IPOffice subnet should be the ASA IPOffice interface (192.168.42.254), not the switch if it is a shared switch with your inside network. And likewise for devices in the inside subnet, the default gateway should be the ASA 192.168.43.254.
    With regards to the switch, you can pick as default gateway either the ASA inside or the ASA IPOffice interface IP, and the return traffic needs to route via the same path.

  • VPN clients cannot access to Remote location

    I have set up VPN remote access to an ASA 5520. The login is working. The users can access the local network, but they can't access the remote network through the tunnel. Does a NAT setting need to be set for the tunnel or the VPN client to allow the VPN client to access the remote network?
    Thanks

    Hi Chieu,
    There are a couple of questions I have for you that might help me to help you too!
    First, what software code are you using?
    Can you post a decent config of your device?
    Do you have multiple vlans in your network?
    Did you implement routing for your remote vpn subnet to access the lan?
    What is your topology like?
    Once I get a good grasp of these we might be able to resolve your problem together.
    Thanks
    Teddy

  • VPN client cannot access inside hosts

    Hello,
    I have an ASA 5505 device with the attached configuration and my VPN clients can connect to it fine.  However, once a VPN client is connected, they cannot RDP, ping, or telnet to any internal hosts.  The goal is for a connected VPN client to have all access rights as anyone sitting on the internal network.  Any assistance is greatly appreciated.
    : Saved
    ASA Version 7.2(3)
    hostname Kappa-GW01
    domain-name Kappa.com
    enable password xxxxxxxxx encrypted
    names
    name 172.20.42.42 UMEFTP2 description UMAP FTP2
    name 172.20.40.246 UMEMAIL1 description Exchange Server
    name 172.20.41.3 UMERPS
    name x.x.81.81 Wilkes
    name x.x.84.41 KappaPittston
    dns-guard
    interface Ethernet0/0
    shutdown
    nameif outside
    security-level 0
    ip address x.x.148.194 255.255.255.248
    interface Ethernet0/1
    nameif Outside_Windstream
    security-level 0
    ip address x.x.205.210 255.255.255.240
    interface Ethernet0/2
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd 7Tpgc2AiWGxbNjkj encrypted
    boot system disk0:/asa723-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name Kappa.com
    object-group network Blue_Bell_Internal_Networks
    description Blue Bell internal network Group
    network-object 192.168.100.0 255.255.255.0
    network-object 10.0.0.0 255.255.255.0
    network-object 10.0.1.0 255.255.255.0
    network-object 10.0.2.0 255.255.255.0
    object-group network VPN-Sites
    network-object host Wilkes
    network-object host KappaPittston
    object-group network Michigan_VPN_GRP
    network-object 172.20.40.0 255.255.252.0
    object-group network ASA_OutSide_Vendors
    description ASA OutSide Vendor Access
    access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 extended permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
    access-list KappaVPN_splitTunnelAcl remark Blue Bell Office
    access-list KappaVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
    access-list KappaVPN_splitTunnelAcl remark Williamston Office
    access-list KappaVPN_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
    access-list KappaVPN_splitTunnelAcl remark Pittston Office
    access-list KappaVPN_splitTunnelAcl standard permit 10.0.10.0 255.255.255.0
    access-list KappaVPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.20.40.0 255.255.252.0 inactive
    access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.30.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
    access-list umeemp_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
    access-list umeemp_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
    access-list umeemp_splitTunnelAcl standard permit 10.0.30.0 255.255.255.0
    access-list umeemp_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
    access-list outside_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list 102 extended permit tcp any any eq 2000
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq smtp
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq pop3 inactive
    access-list Outside_Winstream_access_in extended permit udp object-group VPN-Sites interface Outside_Windstream eq isakmp
    access-list Outside_Winstream_access_in extended permit tcp object-group ASA_OutSide_Vendors host x.x.205.217 eq 4080
    access-list Outside_Winstream_access_in remark SMTP Access
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq smtp
    access-list Outside_Winstream_access_in remark POP access
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq pop3
    access-list Outside_Winstream_access_in remark OWA Access
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq https
    access-list Outside_Winstream_access_in extended permit tcp host x.x.87.65 host x.x.205.218 eq 3389
    access-list Outside_Winstream_access_in extended permit udp host x.x.56.111 eq ntp host x.x.205.216 eq ntp
    access-list Outside_Winstream_access_in remark OWA UMAP
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq https
    access-list Outside_Winstream_access_in remark JLAN
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.215 eq https
    access-list Outside_Winstream_access_in remark UMERPS
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq https
    access-list Outside_Winstream_access_in remark UMERPS
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq ssh
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq https
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq 5494
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.214 eq www
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq 8081
    access-list Outside_Winstream_access_in extended permit icmp any any echo
    access-list outside_6_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list outside_6_cryptomap extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_11 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_10 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_5 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_12 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
    access-list nonat extended permit ip any any inactive
    pager lines 24
    logging enable
    logging asdm debugging
    logging flash-bufferwrap
    mtu outside 1500
    mtu Outside_Windstream 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn-pool 192.168.100.100-192.168.100.200
    no failover
    monitor-interface outside
    monitor-interface Outside_Windstream
    monitor-interface inside
    monitor-interface management
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (Outside_Windstream) 1 x.x.205.216 netmask 255.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 172.20.40.0 255.255.252.0
    nat (inside) 1 10.0.0.0 255.255.0.0
    static (inside,Outside_Windstream) x.x.205.217 10.0.0.20 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.220 10.0.0.21 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.218 10.0.0.15 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.215 172.20.40.145 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.211 UMEMAIL1 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.212 UMERPS netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.213 172.20.40.243 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.214 172.20.40.146 netmask 255.255.255.255
    access-group acl_inbound in interface outside
    access-group Outside_Winstream_access_in in interface Outside_Windstream
    route Outside_Windstream 0.0.0.0 0.0.0.0 x.x.205.209 1
    route inside 172.20.40.0 255.255.252.0 10.0.0.3 1
    route inside 10.0.30.0 255.255.255.0 10.0.0.254 1
    route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server BBPA-SRV-DC01 protocol radius
    aaa-server BBPA-SRV-DC01 host 10.0.0.15
    timeout 5
    key G6G7#02bj!
    aaa-server UMAP protocol radius
    aaa-server UMAP host 172.20.40.245
    timeout 5
    key gfrt1a
    aaa-server UMAP host 172.20.40.244
    timeout 5
    key gfrt1a
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    http 10.0.0.15 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 management
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map Outside_Windstream_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map Outside_Windstream_dyn_map 40 set pfs
    crypto dynamic-map Outside_Windstream_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 5 match address outside_5_cryptomap
    crypto map outside_map 5 set peer Wilkes
    crypto map outside_map 5 set transform-set ESP-3DES-SHA
    crypto map outside_map 10 match address outside_6_cryptomap
    crypto map outside_map 10 set peer KappaPittston
    crypto map outside_map 10 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map Outside_Windstream_map 5 match address Outside_Windstream_cryptomap_5
    crypto map Outside_Windstream_map 5 set peer Wilkes
    crypto map Outside_Windstream_map 5 set transform-set ESP-3DES-SHA
    crypto map Outside_Windstream_map 10 match address Outside_Windstream_cryptomap_10
    crypto map Outside_Windstream_map 10 set peer KappaPittston
    crypto map Outside_Windstream_map 10 set transform-set ESP-3DES-SHA
    crypto map Outside_Windstream_map 65535 ipsec-isakmp dynamic Outside_Windstream_dyn_map
    crypto map Outside_Windstream_map interface Outside_Windstream
    crypto isakmp enable Outside_Windstream
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 3600
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 10.0.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 10.0.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ftp
      inspect skinny
      inspect pptp
    service-policy global_policy global
    webvpn
    enable Outside_Windstream
    svc image disk0:/sslclient-win-1.1.4.177.pkg 1
    svc enable
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc required
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy umeemp internal
    group-policy umeemp attributes
    dns-server value 172.20.40.245
    vpn-filter none
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value KappaVPN_splitTunnelAcl
    default-domain value umapinc.com
    group-policy KappaVPN internal
    group-policy KappaVPN attributes
    wins-server value 10.0.0.15
    dns-server value 10.0.0.15
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value umeemp_splitTunnelAcl
    default-domain value kappa.loc
    username gwadmin password AVjtEPq7nvtiAAk0 encrypted
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool vpn-pool
    authentication-server-group BBPA-SRV-DC01
    authorization-required
    tunnel-group KappaVPN type ipsec-ra
    tunnel-group KappaVPN general-attributes
    address-pool vpn-pool
    authentication-server-group BBPA-SRV-DC01
    default-group-policy KappaVPN
    tunnel-group KappaVPN ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.131.62 type ipsec-l2l
    tunnel-group x.x.131.62 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.232.2 type ipsec-l2l
    tunnel-group x.x.232.2 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.49.114 type ipsec-l2l
    tunnel-group x.x.49.114 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.226.218 type ipsec-l2l
    tunnel-group x.x.226.218 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.116.133 type ipsec-l2l
    tunnel-group x.x.116.133 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.21.36 type ipsec-l2l
    tunnel-group x.x.21.36 ipsec-attributes
    pre-shared-key *
    tunnel-group umeemp type ipsec-ra
    tunnel-group umeemp general-attributes
    address-pool vpn-pool
    authentication-server-group UMAP
    default-group-policy umeemp
    tunnel-group umeemp ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.81.81 type ipsec-l2l
    tunnel-group x.x.81.81 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.84.41 type ipsec-l2l
    tunnel-group x.x.84.41 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
    : end
    asdm image disk0:/asdm-523.bin
    no asdm history enable

    I'm sorry, I misunderstood what you were asking. Yes, those three networks are on the inside of our ASA. We have 2 outside of the ASA (10.0.2.x, 10.0.10.x). When our clients VPN in, they connect to the x.x.205.210 IP address, which maps them, depending on the preshared key, to either the kappaVPN or the umeempVPN. (I am kind of new to configuring the ASA.) When the Cisco VPN client connects to the network, I checked the statistics and it lists all of our LAN networks under secure routes. I cannot ping anything inside the LAN, nor can I connect with RDP, telnet or anything.
    Hope this answers your questions, just let me know if you need any more information.
    -Rudy

  • VPN clients cannot access inside network

    I have an ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. An 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.

    I realized after I posted that I should have a connection active when running this command. Here are the results:
    Result of the command: "show crypto ipsec sa"
    interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
    current_peer: 169.130.14.253, username: kenz
    dynamic allocated peer ip: 10.27.2.2
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0
    local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253
    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 208F45F5
    inbound esp sas:
    spi: 0x2026D973 (539416947)
    transform: esp-3des esp-sha-hmac none
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
    sa timing: remaining key lifetime (sec): 28406
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0x208F45F5 (546260469)
    transform: esp-3des esp-sha-hmac none
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
    sa timing: remaining key lifetime (sec): 28406
    IV size: 8 bytes
    replay detection support: Y
    So it looks like there are encrypts but no decrypts. What should I do now?
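The symptom described at the end of this post (encaps counters rising while decaps stay at 0) can be checked across every SA at once. The following is an added example, not part of the original post: a Python parser run over constructed `show crypto ipsec sa`-style text. The sample addresses, usernames, counters and the state names (`tx-only`, `rx-only`) are assumptions of this example, and the hints are starting points, not a diagnosis of the poster's network.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the layout of the output quoted in the post.
# Addresses, usernames and counters are invented for illustration.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 198.51.100.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
      current_peer: 203.0.113.25, username: alice
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 198.51.100.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.27.2.3/255.255.255.255/0/0)
      current_peer: 203.0.113.40, username: bob
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_map, seq num: 5, local addr: 198.51.100.10
      local ident (addr/mask/prot/port): (10.27.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.40.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.77
      #pkts encaps: 910, #pkts encrypt: 910, #pkts digest: 910
      #pkts decaps: 877, #pkts decrypt: 877, #pkts verify: 877
      #send errors: 0, #recv errors: 3
"""

# Where to look first for each one-way state (general guidance, an assumption
# of this example rather than something stated in the thread).
HINTS = {
    "tx-only": "device encrypts toward the peer but decrypts nothing: check "
               "that the peer's ESP or NAT-T traffic reaches this interface",
    "rx-only": "peer traffic is decrypted but nothing is sent back: check "
               "inside routing to the client pool and NAT exemption",
}


@dataclass
class SaCounters:
    peer: Optional[str]
    remote_ident: Optional[str]  # "addr/mask" of the remote proxy identity
    encaps: Optional[int]
    decaps: Optional[int]
    recv_errors: Optional[int]


def _first(pattern: str, text: str) -> Optional[str]:
    match = re.search(pattern, text)
    return match.group(1) if match else None


def _count(pattern: str, text: str) -> Optional[int]:
    value = _first(pattern, text)
    return int(value) if value is not None else None


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Split the output at each 'local ident' line and read one SA per chunk."""
    chunks = re.split(r"^[ \t]*local ident ", text, flags=re.MULTILINE)[1:]
    return [
        SaCounters(
            peer=_first(r"current_peer:\s*([^,\s]+)", chunk),
            remote_ident=_first(
                r"remote ident \(addr/mask/prot/port\):\s*\(([^/]+/[^/]+)/", chunk),
            encaps=_count(r"#pkts encaps:\s*(\d+)", chunk),
            decaps=_count(r"#pkts decaps:\s*(\d+)", chunk),
            recv_errors=_count(r"#recv errors:\s*(\d+)", chunk),
        )
        for chunk in chunks
    ]


def classify(sa: SaCounters) -> str:
    """Name the traffic direction seen on one SA."""
    if sa.encaps is None or sa.decaps is None:
        return "incomplete"  # truncated paste: counters missing
    if sa.encaps > 0 and sa.decaps == 0:
        return "tx-only"
    if sa.decaps > 0 and sa.encaps == 0:
        return "rx-only"
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    return "two-way"


def one_way(text: str) -> List[Tuple[Optional[str], Optional[str], str]]:
    """Return (peer, remote_ident, state) for every SA passing traffic one way."""
    flagged = []
    for sa in parse_ipsec_sa(text):
        state = classify(sa)
        if state in HINTS:
            flagged.append((sa.peer, sa.remote_ident, state))
    return flagged


if __name__ == "__main__":
    for peer, ident, state in one_way(SAMPLE):
        print(f"{peer} ({ident}): {state} -> {HINTS[state]}")
```

Counters are cumulative, so run the capture twice while a client is generating traffic and compare: a state that stays `tx-only` or `rx-only` between captures is the one worth chasing.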

  • VPN client cannot access Lan

    Hi,
    I can connect via VPN to my ASA 5505 but I cannot access my ASA. I do not quite understand the routing, ACL and NAT configs I would need.
    Attached is my config.

    Here is my config

  • Vpn client can access internet but cannot access internal network

    I am using a PIX 501 to set up a VPN. At first the VPN clients could not access the internet once they logged in via the Cisco Systems VPN client, so I enabled split tunneling. Now the VPN clients can access the internet but they can't access the internal network. Because of the limit on the number of characters that can be posted here, only the necessary IOS code is posted in the next message. Who knows how to solve this problem? Please help.

    enable password ********** encrypted
    passwd ********** encrypted
    hostname Firewall
    domain-name aqswdefrgt.com.sg
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list nat permit tcp any host 65.165.123.142 eq smtp
    access-list nat permit tcp any host 65.165.123.142 eq pop3
    access-list nat permit tcp any host 65.165.123.143 eq smtp
    access-list nat permit tcp any host 65.165.123.143 eq pop3
    access-list nat permit tcp any host 65.165.123.143 eq www
    access-list nat permit tcp any host 65.165.123.152 eq smtp
    access-list nat permit tcp any host 65.165.123.152 eq pop3
    access-list nat permit tcp any host 65.165.123.152 eq www
    access-list nat permit tcp any host 65.165.123.143 eq https
    access-list nat permit icmp any any
    ip address outside 65.165.123.4 255.255.255.240
    ip address inside 192.168.1.2 255.255.255.0
    ip verify reverse-path interface outside
    ip local pool clientpool 192.168.50.1-192.168.50.50
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255.255.255 0 0
    access-group nat in interface outside
    route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server plexus protocol radius
    aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set myset
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map client authentication plexus
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    vpngroup vpn3000 address-pool clientpool
    vpngroup vpn3000 dns-server 192.168.1.55
    vpngroup vpn3000 wins-server 192.168.1.55
    vpngroup vpn3000 default-domain aqswdefrgt.com.sg
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80

  • Windows 7 pro client cannot access folders on server 2003 domain server

    I added a windows 7 64 bit client to a server 2003 32 bit domain 3 weeks ago and file sharing was working fine until today, 5/4/12. Now, when trying to access shared folders that reside on the server, I get the following "access denied" message:
    […folder…] is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
    The user name could not be found.
    Strangely enough...
    The windows 7 client can open shared folders that reside on the XP clients in the domain
    All the XP clients in the domain can access the server 2003 folders
    All the XP clients and the server 2003 machine can access shared folders and printers on the windows 7 client.
    The windows 7 client can ping the server 2003 machine and vice versa
    I can “see” the server in my network list, but when I click on it, I get the same “access denied” message listed above.
    So... the only problem is that the windows 7 client cannot access folders that reside on the windows server 2003 machine. There must be some sharing setting that got changed by a recent windows update.
    Here is what I have done/verified so far on the windows 7 client:
    In advanced sharing settings for Home/Work, Public and Domain profiles:
    network discovery is enabled
    file and print sharing is enabled
    use user accounts and passwords to connect to other computers is selected (I also tried allowing windows to manage homegroup connections instead, but the problem remained.)
    40 -56 bit encryption is enabled
    In “gpedit.msc” Local Policies/Security Settings:
    enabled the following policies:
    Network access: Allow anonymous SID/name translation
    Network access: Let Everyone permissions apply to anonymous users
    disabled the following policies:
    Network access: Restrict anonymous access to Named Pipes and Shares
    Network access: Do not allow anonymous enumeration of SAM accounts
    Network access: Do not allow anonymous enumeration of SAM accounts and shares
    What am I missing? Are there policies on the server that need to be adjusted?
    Please help! My business is crippled if I cannot access server files from this workstation. Thank you in advance.

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.
    If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
    In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
    Thanks!
    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • I cannot access a site I use often as a 403 error occurs. How do I resolve

    I cannot access a site I use often as a 403 error occurs. How do I resolve?

    You need to contact the website and tell them to upgrade their security protocols. Especially the following:
    * The site uses SSLv3, meaning it's vulnerable to the well known POODLE attack. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
    * The site uses RC4, which is insecure.
    * The site does not support TLS 1.2, which is recommended.
    You can see a full list of all the problems with the website at https://www.ssllabs.com/ssltest/analyze.html?d=secure.crbonline.gov.uk
    It very soon will not work in Google Chrome either, so it's in the website's best interest to update ASAP (besides protecting their users from having all their data and information stolen)

  • Remote site to site VPN user cannot access LAN resources

    Users in remote site can get ping response but no http service from local web server where the local web server also has NAT rule allowing access from WAN. In the below config, users in remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned.
    What do I need to do to fix this?
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SFGallery
    boot-start-marker
    boot-end-marker
    no logging buffered
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    clock timezone PCTime -7 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 172.16.0.1 172.16.3.99
    ip dhcp excluded-address 172.16.3.200 172.16.3.254
    ip dhcp pool SFGallery172
    import all
    network 172.16.0.0 255.255.252.0
    domain-name xxxxxxxxxxxx
    dns-server 10.10.10.10
    default-router 10.10.10.94
    netbios-name-server 10.10.10.10
    ip domain name gpgallery.com
    ip name-server 10.10.10.10
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 10.10.10.80
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
    subject-name [email protected]
    revocation-check crl
    crypto pki trustpoint SFGallery_Certificate
    enrollment selfsigned
    serial-number none
    ip-address none
    revocation-check crl
    rsakeypair SFGallery_Certificate_RSAKey 512
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    crypto pki certificate chain SFGallery_Certificate
    certificate self-signed 01
    xxxxxx
    quit
    license udi pid CISCO2911/K9 sn FTX1542AKJ3
    license boot module c2900 technology-package securityk9
    license boot module c2900 technology-package datak9
    hw-module sm 1
    object-group network Corp
    172.16.4.0 255.255.252.0
    10.10.10.128 255.255.255.224
    object-group network SFGallery
    172.16.0.0 255.255.252.0
    10.10.10.0 255.255.255.128
    object-group network NY
    10.10.10.160 255.255.255.224
    172.16.16.0 255.255.252.0
    object-group network GPAll
    group-object SFGallery
    group-object NY
    group-object Corp
    username xxx
    username xxx
    username xxx
    username xxx
    redundancy
    no ip ftp passive
    ip ssh version 1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
    pass
    zone security sslvpn-zone
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key TempVPN1# address xx.xx.xx.xx
    crypto isakmp client configuration group SFGallery
    key Peters2011
    dns 10.10.10.10 10.10.10.80
    wins 10.10.10.10 10.10.10.80
    domain gpgallery.com
    pool SDM_POOL_1
    acl 111
    save-password
    split-dns gpgallery.com
    max-users 25
    max-logins 3
    netmask 255.255.252.0
    banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
    crypto isakmp profile ciscocp-ike-profile-1
    match identity group SFGallery
    client authentication list ciscocp_vpn_xauth_ml_3
    isakmp authorization list ciscocp_vpn_group_ml_2
    client configuration address respond
    virtual-template 3
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set security-association idle-time 43200
    set transform-set ESP-3DES-SHA3
    set isakmp-profile ciscocp-ike-profile-1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel toxx.xx.xx.xx
    set peer xx.xx.xx.xx
    set transform-set ESP-3DES-SHA1
    match address 107
    reverse-route
    interface Loopback1
    ip address 192.168.5.1 255.255.255.0
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description T1 Cybermesa$ETH-WAN$
    ip address xx.xx.xx.xx 255.255.255.240
    ip access-group 105 in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface GigabitEthernet0/1
    description LANOverloadNet$ETH-WAN$
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description LAN$ETH-LAN$
    ip address 10.10.10.2 255.255.255.128
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    ip address 192.168.100.1 255.255.255.0
    ip access-group ReplicationIN out
    duplex auto
    speed auto
    interface GigabitEthernet1/0
    description $ETH-LAN$
    ip address 172.16.0.1 255.255.252.0
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet1/1
    description Internal switch interface connected to EtherSwitch Service Module
    no ip address
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1
    interface Virtual-Template2
    ip unnumbered Loopback1
    zone-member security sslvpn-zone
    interface Virtual-Template3 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    no ip address
    ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
    ip forward-protocol nd
    ip http server
    ip http access-class 1
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 10
    sort-by bytes
    cache-timeout 60000
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
    ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
    ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
    ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
    ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
    ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
    ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
    ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
    ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
    ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
    ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
    ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
    ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
    ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
    ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended ReplicationIN
    remark CCP_ACL Category=1
    permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    deny   ip any any
    ip access-list extended ReplicationOUT
    remark CCP_ACL Category=1
    deny   ip any any
    no logging trap
    logging 10.10.10.107
    access-list 1 permit 192.168.1.2
    access-list 1 remark CCP_ACL Category=1
    access-list 1 permit 72.216.51.56 0.0.0.7
    access-list 1 permit 172.16.0.0 0.0.3.255
    access-list 1 permit 172.16.4.0 0.0.3.255
    access-list 1 permit 10.10.10.128 0.0.0.31
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 permit xx.xx.xx.xx 0.0.0.15
    access-list 1 permit 10.10.10.0 0.0.0.127
    access-list 100 remark Auto generated by SDM Management Access feature
    access-list 100 remark CCP_ACL Category=1
    access-list 100 permit tcp object-group GPAll object-group NY eq www
    access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
    access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
    access-list 100 permit ip any host 10.10.10.2
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
    access-list 100 deny   tcp any host 10.10.10.2 eq telnet
    access-list 100 deny   tcp any host 10.10.10.2 eq 22
    access-list 100 deny   tcp any host 10.10.10.2 eq www
    access-list 100 deny   tcp any host 10.10.10.2 eq 443
    access-list 100 deny   tcp any host 10.10.10.2 eq cmd
    access-list 100 deny   udp any host 10.10.10.2 eq snmp
    access-list 100 permit udp any eq domain host 10.10.10.2
    access-list 100 permit udp host 10.10.10.80 eq domain any
    access-list 100 permit udp host 10.10.10.10 eq domain any
    access-list 100 permit ip any any
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark CCP_ACL Category=1
    access-list 101 permit ip 72.216.51.56 0.0.0.7 any
    access-list 101 permit ip 172.16.0.0 0.0.3.255 any
    access-list 101 permit ip 172.16.4.0 0.0.3.255 any
    access-list 101 permit ip 10.10.10.128 0.0.0.31 any
    access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
    access-list 101 permit ip host 192.168.1.2 any
    access-list 101 permit ip 10.10.10.0 0.0.0.127 any
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 remark CCP_ACL Category=1
    access-list 102 permit ip 72.216.51.56 0.0.0.7 any
    access-list 102 permit ip 172.16.0.0 0.0.3.255 any
    access-list 102 permit ip 172.16.4.0 0.0.3.255 any
    access-list 102 permit ip 10.10.10.128 0.0.0.31 any
    access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
    access-list 102 permit ip host 192.168.1.2 any
    access-list 102 permit ip 10.10.10.0 0.0.0.127 any
    access-list 103 remark Auto generated by SDM Management Access feature
    access-list 103 remark CCP_ACL Category=1
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
    access-list 103 deny   tcp any host 172.16.0.1 eq telnet
    access-list 103 deny   tcp any host 172.16.0.1 eq 22
    access-list 103 deny   tcp any host 172.16.0.1 eq www
    access-list 103 deny   tcp any host 172.16.0.1 eq 443
    access-list 103 deny   tcp any host 172.16.0.1 eq cmd
    access-list 103 deny   udp any host 172.16.0.1 eq snmp
    access-list 103 permit ip any any
    access-list 104 remark CCP_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
    access-list 105 remark Auto generated by SDM Management Access feature
    access-list 105 remark CCP_ACL Category=1
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
    access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
    access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
    access-list 105 deny   tcp any host xx.xx.xx.xx eq telnet
    access-list 105 deny   tcp any host xx.xx.xx.xx eq 22
    access-list 105 deny   tcp any host xx.xx.xx.xx eq www
    access-list 105 deny   tcp any host xx.xx.xx.xx eq 443
    access-list 105 deny   tcp any host xx.xx.xx.xx eq cmd
    access-list 105 deny   udp any host xx.xx.xx.xx eq snmp
    access-list 105 permit tcp any host xx.xx.xx.xx eq 443
    access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
    access-list 105 permit udp any eq domain host xx.xx.xx.xx
    access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
    access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
    access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
    access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
    access-list 105 permit ip any any
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 106 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 106 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
    access-list 106 permit ip 10.10.10.0 0.0.0.255 any
    access-list 107 remark CCP_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 107 remark IPSec Rule
    access-list 107 deny   ip 172.16.0.0 0.0.255.255 host 10.10.10.177
    access-list 108 remark CCP_ACL Category=2
    access-list 108 remark IPSec Rule
    access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
    access-list 108 permit ip 70.56.215.0 0.0.0.255 any
    access-list 109 remark CCP_ACL Category=2
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 109 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 109 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 109 permit ip 172.16.0.0 0.0.255.255 any
    access-list 111 remark CCP_ACL Category=4
    access-list 111 permit ip 10.10.10.0 0.0.0.127 any
    access-list 111 permit ip 10.10.10.128 0.0.0.31 any
    access-list 111 permit ip 172.16.0.0 0.0.3.255 any
    access-list 111 permit ip 172.16.4.0 0.0.3.255 any
    access-list 111 permit ip 10.10.10.160 0.0.0.31 any
    route-map SDM_RMAP_4 permit 1
    match ip address 109
    route-map SDM_RMAP_1 permit 1
    match ip address 106
    route-map SDM_RMAP_2 permit 1
    match ip address 108
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps transceiver all
    snmp-server enable traps ds1
    snmp-server enable traps call-home message-send-fail server-fail
    snmp-server enable traps tty
    snmp-server enable traps eigrp
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps license
    snmp-server enable traps envmon
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps flash insertion removal
    snmp-server enable traps c3g
    snmp-server enable traps ds3
    snmp-server enable traps adslline
    snmp-server enable traps vdsl2line
    snmp-server enable traps icsudsu
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps ds0-busyout
    snmp-server enable traps ds1-loopback
    snmp-server enable traps energywise
    snmp-server enable traps vstack
    snmp-server enable traps mac-notification
    snmp-server enable traps bgp
    snmp-server enable traps isis
    snmp-server enable traps rf
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps memory bufferpeak
    snmp-server enable traps cnpd
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps entity
    snmp-server enable traps fru-ctrl
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps frame-relay multilink bundle-mismatch
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps nhrp nhs
    snmp-server enable traps nhrp nhc
    snmp-server enable traps nhrp nhp
    snmp-server enable traps nhrp quota-exceeded
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps pppoe
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps ipsla
    snmp-server enable traps bfd
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
    snmp-server host 10.10.10.107 public
    radius-server host 10.10.10.10 key HelloSFGal1#
    control-plane
    banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line 67
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    flowcontrol software
    line vty 0 4
    access-class 102 in
    transport input telnet
    line vty 5 15
    access-class 101 in
    transport input telnet
    scheduler allocate 20000 1000
    end

    Thanks so much, Herbert.
    As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    I would delete these lines:
    no ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 extendable
    no ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 extendable
    no ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 extendable
    no ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 extendable
    no ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 extendable
    and replace with these
    ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
    ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
    ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
    ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
    ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 route-map nonat extendable
    Then add:
    access-list 150 deny   ip host 10.10.10.95 10.10.10.160 0.0.0.31
    access-list 150 deny   ip host 10.10.10.95 172.16.8.0 0.0.3.255
    access-list 150 deny   ip host 10.10.10.130 10.10.10.160 0.0.0.31
    access-list 150 deny   ip host 10.10.10.130 172.16.8.0 0.0.3.255
    access-list 150 permit ip host 10.10.10.95 any
    access-list 150 permit ip host 10.10.10.130 any
    route-map nonat permit 10
    match ip address 150
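
A first-match evaluation of ACL 150 from the post above, added here as an example (it is not code from the thread or from Cisco). It assumes the usual behaviour of a route-map on a static NAT statement: an ACL permit means the translation is used, while a deny or the implicit deny leaves the packet untranslated. The test flows are constructed.

```python
import ipaddress

# ACL 150 exactly as proposed in the post above.
ACL_150 = """\
access-list 150 deny   ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny   ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
"""

IMPLICIT_DENY = "implicit deny"


def to_int(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', 'A WILDCARD').

    Returns (base, wildcard); wildcard bits set to 1 are "don't care".
    """
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(head), to_int(tokens.pop(0))


def parse_acl(text):
    """Parse numbered extended 'ip' entries into (action, src, dst, line)."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("only permit/deny ip entries are handled: " + raw)
        rest = tokens[4:]
        src = take_addr(rest)
        dst = take_addr(rest)
        entries.append((action, src, dst, raw.strip()))
    return entries


def matches(addr, spec):
    """True when addr equals base on every bit the wildcard cares about."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries, src, dst):
    """Return (action, matching line) for the first entry that matches."""
    s, d = to_int(src), to_int(dst)
    for action, src_spec, dst_spec, line in entries:
        if matches(s, src_spec) and matches(d, dst_spec):
            return action, line
    return "deny", IMPLICIT_DENY


def nat_applies(entries, src, dst):
    """Assumed route-map semantics: only an ACL permit selects the NAT rule."""
    return evaluate(entries, src, dst)[0] == "permit"


ENTRIES = parse_acl(ACL_150)

# Constructed test flows (inside source, destination).
FLOWS = [
    ("10.10.10.95", "10.10.10.165"),   # inside 10.10.10.160/27: exempt
    ("10.10.10.95", "172.16.9.20"),    # inside 172.16.8.0/22: exempt
    ("10.10.10.95", "172.16.3.210"),   # SDM_POOL_1 range, not in either deny
    ("10.10.10.95", "198.51.100.7"),   # Internet destination: translated
    ("10.10.10.30", "198.51.100.7"),   # no entry for .30 in ACL 150
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        action, line = evaluate(ENTRIES, src, dst)
        verdict = "NAT" if action == "permit" else "no NAT"
        print(f"{src:>13} -> {dst:<13} {verdict:<7} [{line}]")
```

Run against the ACL as posted, the SDM_POOL_1 address falls through to the permit entry, and 10.10.10.30 (which also gets `route-map nonat` in the post) matches no entry and lands on the implicit deny.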

  • ASA 5505 VPN client LAN access problem

    Hello,
    I'm not an expert in ASA and routing, so I am asking for some support with the following case.
    There is a Cisco VPN client (running on Windows 7) and an ASA5505.
    The goals are that the client can use the remote gateway on the ASA for Skype and can access the devices on the ASA inside interface.
    Skype works well, but I cannot access devices on the inside interface via the VPN connection.
    Can you please check my config below and advise how to correct the NAT or VPN settings?
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password wDnglsHo3Tm87.tM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 10.0.0.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns xx.xx.xx.xx interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server value 84.2.44.1
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem enable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy XXXXXX internal
    group-policy XXXXXX attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
    username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
    username XXXXXX attributes
    vpn-group-policy XXXXXX
    username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
    tunnel-group XXXXXX type ipsec-ra
    tunnel-group XXXXXX general-attributes
    address-pool VPNPOOL
    default-group-policy XXXXXX
    tunnel-group XXXXXX ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
    : end
    ciscoasa#
    Thanks in advance!
    fbela

    config# no nat (inside) 1 10.0.0.0 255.255.255.0    <- This is not required.
    Need to add:
    config# same-security-traffic permit intra-interface
    config# access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    config# nat (inside) 0 access-list nonat
    Please add and test it.
    Thanks
    Ajay

  • Need help! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

    Hi:
    I need your help with my new ASA 5505 (8.4).
    I just set up a new ASA 5505 with 8.4. However, I cannot ping any host after connecting via VPN with the Cisco VPN client. Please see the configuration file posted below; thanks for any suggestions.
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.29.8.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 177.164.222.140 255.255.255.248
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
    domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 172.29.8.0 255.255.255.0
    object service RDP
    service tcp source eq 3389
    object network orange
    host 172.29.8.151
    object network WAN_173_164_222_138
    host 177.164.222.138
    object service SMTP
    service tcp source eq smtp
    object service PPTP
    service tcp source eq pptp
    object service JT_WWW
    service tcp source eq www
    object service JT_HTTPS
    service tcp source eq https
    object network obj_lex
    subnet 172.29.88.0 255.255.255.0
    description Lexington office network
    object network obj_HQ
    subnet 172.29.8.0 255.255.255.0
    object network guava
    host 172.29.8.3
    object service L2TP
    service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Guava protocol nt
    aaa-server Guava (inside) host 172.29.8.3
    timeout 15
    nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
    dns-server value 172.29.8.3
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Tunnel_User
    default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username who password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
    address-pool ABC_HQVPN_DHCP
    authentication-server-group Guava
    default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,
    Can you use a different subnet range than the internal interface? This could cause you a LOT of issues and hours of troubleshooting, so use a dedicated, different IP address range...
    I can see that the local pool range is included in the inside interface IP address subnet range. Change that and the related config (NAT, etc.) and let us know what happens.
    Regards,
    Julio
    Security Trainer
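
The overlap described in the reply above can be checked mechanically before a config is deployed. The following is an added example, not part of the thread: it parses an ASA-style config and reports every `ip local pool` whose range intersects a connected interface subnet. Only the pool line is taken from the posted config; the interface stanzas and their addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample. Only the "ip local pool" line is from the posted config;
# the interface stanzas and their addresses are assumptions for illustration.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.29.8.254 255.255.255.0
interface Vlan2
 nameif outside
 ip address 198.51.100.2 255.255.255.248
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IF_RE = re.compile(rf"^\s*ip address {IP} {IP}")
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}(?:-{IP})?")

def interface_networks(config):
    """Return {nameif: connected IPv4 network} from interface stanzas."""
    nets, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new stanza, forget old name
        elif line.strip().startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and (m := IF_RE.match(line)):
            nets[nameif] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def overlapping_pools(config):
    """List (pool, nameif, subnet) where a pool range intersects a subnet."""
    nets = interface_networks(config)
    findings = []
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if not m:
            continue
        lo = ipaddress.ip_address(m.group(2))
        hi = ipaddress.ip_address(m.group(3) or m.group(2))
        for nameif, net in nets.items():
            # Two ranges intersect when each starts before the other ends.
            if lo <= net.broadcast_address and hi >= net.network_address:
                findings.append((m.group(1), nameif, str(net)))
    return findings
```

Run against the sample, `overlapping_pools(SAMPLE_CONFIG)` flags `ABC_HQVPN_DHCP` against the `inside` subnet; moving the pool to a dedicated range clears the finding.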
