VPN Tunnel setup - can't ping either endpoint

Similar Messages

• VPN Clients Can't Ping Hosts

  I will include a post of my config. I have the clients connecting through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the primary network for the office.
  I can connect to the VPN and I do recieve the correct address assignment. I belive tunneling may be setup correct in the aspect that I can still connect to the internet while on the VPN, but I can not ping any hosts on the 192.168.1.0 network. In the debug log from the ASDM I can see pings reaching the ASA, but no responce is received on the client.
  6
  Feb 21 2013
  21:54:26
  180.0.0.1
  53508
  192.168.1.1
  0
  Built inbound ICMP connection for faddr 180.0.0.1/53508 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (christopher)
  Any help would be greatly appreciated, I am currently presuring my CCNP so I would like to get a deeper understanding of how to solve these issues.
  -Chris
  hostname RegencyRE-ASA
  domain-name regencyrealestate.info
  enable password 2/VA7dRFkv6fjd1X encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 180.0.0.0 Regency
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  description link to REGENCYSERVER
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  description link to RegencyRE-AP
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.120 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.248
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 208.67.220.220
  name-server 208.67.222.222
  domain-name regencyrealestate.info
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Regency 255.255.255.224
  access-list RegencyRE_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool Regency 180.0.0.1-180.0.0.20 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm location Regency 255.255.255.0 inside
  asdm location 192.168.0.0 255.255.0.0 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
  route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication serial console LOCAL
  http server enable 8443
  http 0.0.0.0 0.0.0.0 outside
  http 0.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 15
  ssh version 2
  console timeout 0
  dhcprelay server 192.168.1.102 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 69.25.96.13 source outside prefer
  ntp server 216.171.124.36 source outside prefer
  webvpn
  group-policy RegencyRE internal
  group-policy RegencyRE attributes
  dns-server value 208.67.220.220 208.67.222.222
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RegencyRE_splitTunnelAcl
  username adriana password  encrypted privilege 0
  username christopher password  encrypted privilege 15
  username irene password  encrypted privilege 0
  tunnel-group RegencyRE type remote-access
  tunnel-group RegencyRE general-attributes
  address-pool Regency
  default-group-policy RegencyRE
  tunnel-group RegencyRE ipsec-attributes
  pre-shared-key R3&eNcY1.
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
  : end

  Looking at a previous ASA 5520 I configured when I ping hosts I see the following in the logs. I know there is something obvious I am missing.
  6
  Feb 21 2013
  22:01:49
  302020
  170.0.0.1
  13317
  172.16.0.253
  0
  Built inbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0 (cxv1)
  6
  Feb 21 2013
  22:01:49
  302020
  172.16.0.253
  0
  170.0.0.1
  13317
  Built outbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0

• Can QoS be implemented when VPN tunnel bandwidth is unknown?

  Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown. In other words is it possible to have QoS bandwidth parameters to be automatically detected/adapted to the actual bandwidth?

  Hey Martin,
  Thanks for your reply. I Think IntServ won't be a solution straight away, I'll try to explain what I would like to do.
  What my issue is that I have a few locations who are kind of mobile, and each location connects to the internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except port 80 and 443. The connection could be a simple ISDN dialin or a dedicated T1 link.
  Because there is a Cisco VoIP router on the mobile location and some users' data should have precedence over others' I would like to implement QoS.
  My idea was when I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Network stuff if the Cisco can't do site-to-site SSL) I would have more control over the internetlink. I Would not be limited to using only port 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.
  It's likely that this VPN link would always consume the maximum available bandwidth. When it is be possible for some QoS mechanism to "detect" the speed of the VPN I could let's say dedicate bandwidth for 4 VoIP calls and the remaining bandwidth can be made available for normal traffic. Note that this normal traffic should have some priority levels too.
  Assigning dedicated bandwidth to VoIP isn't a big problem I think, however how can I make x percentage of the remaining bandwidth available to user x and y percentage available to user y?
  I Hope I wrote it understandable ;).
  Regards

• Connect to VPN but can't ping past inside interface

  Hello,
  I've been working on this issue for a few days with no success. We're setting  up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec  VPN setup on it for remote access. After some initial problems, we've gotten it  to where the VPN tunnel authenticates the user and connects as it should,  however we cannot ping into our LAN. We are able to ping as far as the  firewall's inside interface. I've tried other types of traffic too and nothing  gets through. I've checked the routes listed on the VPN client while we're  connected and they look correct - the client also shows both sent and received  bytes when we connect using TCP port 10000, but no Received bytes when we  connect using UDP 4500. We are trying to do split tunneling, and that seems to  be setup correctly because I can still surf while the VPN is connected.
  Below is our running config. Please excuse any messyness in the config as  there are a couple of us working on it and we've been trying a whole bunch of  different settings throughout the troubleshooting process. I will also note that  we're using ASDM as our primary method of configuring the unit, so any  suggestions that could be made with that in mind would be most helpful.  Thanks!
  ASA-01# sh run
  : Saved
  ASA Version 8.6(1)2
  hostname ASA-01
  domain-name domain.org
  enable password **** encrypted
  passwd **** encrypted
  names
  interface GigabitEthernet0/0
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.0.0
  interface GigabitEthernet0/1
  description Primary WAN Interface
  nameif outside
  security-level 0
  ip address 76.232.211.169 255.255.255.192
  interface GigabitEthernet0/2
  shutdown
  <--- More --->
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  speed 100
  <--- More --->
  duplex full
  shutdown
  nameif management
  security-level 100
  ip address 10.4.0.1 255.255.0.0
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.2.11.6
  domain-name domain.org
  dns server-group sub
  name-server 10.2.11.121
  name-server 10.2.11.138
  domain-name sub.domain.net
  same-security-traffic permit intra-interface
  object network 76.232.211.132
  host 76.232.211.132
  object network 10.2.11.138
  host 10.2.11.138
  object network 10.2.11.11
  host 10.2.11.11
  <--- More --->
  object service DB91955443
  service tcp destination eq 55443
  object service 113309
  service tcp destination range 3309 8088
  object service 11443
  service tcp destination eq https
  object service 1160001
  service tcp destination range 60001 60008
  object network LAN
  subnet 10.2.0.0 255.255.0.0
  object network WAN_PAT
  host 76.232.211.170
  object network Test
  host 76.232.211.169
  description test
  object network NETWORK_OBJ_10.2.0.0_16
  subnet 10.2.0.0 255.255.0.0
  object network NETWORK_OBJ_10.2.250.0_24
  subnet 10.2.250.0 255.255.255.0
  object network VPN_In
  subnet 10.3.0.0 255.255.0.0
  description VPN User Network
  object-group service 11
  service-object object 113309
  <--- More --->
  service-object object 11443
  service-object object 1160001
  object-group service IPSEC_VPN udp
  port-object eq 4500
  port-object eq isakmp
  access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
  access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
  access-list outside_access_in extended permit object DB91955443 any interface outside
  access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any
  access-list inside_access_in extended permit ip any any log disable
  access-list inside_access_in extended permit icmp any any echo-reply log disable
  access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
  access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
  access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
  access-list vpn_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
  <--- More --->
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any management
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source dynamic any WAN_PAT inactive
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
  nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
  nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  <--- More --->
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ActiveDirectory protocol nt
  aaa-server ActiveDirectory (inside) host 10.2.11.121
  nt-auth-domain-controller sub.domain.net
  aaa-server ActiveDirectory (inside) host 10.2.11.138
  nt-auth-domain-controller sub.domain.net
  user-identity default-domain LOCAL
  eou allow none
  http server enable
  http 10.4.0.0 255.255.255.0 management
  http 10.2.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  no sysopt connection permit-vpn
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  <--- More --->
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  <--- More --->
  subject-name CN=ASA-01
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate a6c98751
      308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
      0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
      092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
      67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
      5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
      2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
      acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
      fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
      140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
      61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
      0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
      acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
      288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
      92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
      1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
    quit
  crypto isakmp identity address
  crypto isakmp nat-traversal 30
  crypto ikev2 policy 1
  <--- More --->
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  <--- More --->
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  crypto ikev1 ipsec-over-tcp port 10000
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  <--- More --->
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  <--- More --->
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  <--- More --->
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  <--- More --->
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd dns 10.2.11.121 10.2.11.138
  dhcpd lease 36000
  dhcpd ping_timeout 30
  dhcpd domain sub.domain.net
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  <--- More --->
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy domain internal
  group-policy domain attributes
  banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
  wins-server value 10.2.11.121 10.2.11.138
  dns-server value 10.2.11.121 10.2.11.138
  vpn-idle-timeout none
  vpn-filter value vpn_access_in
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  group-policy DfltGrpPolicy attributes
  dns-server value 10.2.11.121 10.2.11.138
  vpn-filter value outside_access_in
  vpn-tunnel-protocol l2tp-ipsec
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  address-pools value VPNUsers
  username **** password **** encrypted privilege 15
  <--- More --->
  username **** password **** encrypted privilege 15
  username **** attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect dtls compression lzs
    anyconnect ssl dtls enable
    anyconnect profiles value VPN_client_profile type user
  tunnel-group DefaultL2LGroup general-attributes
  default-group-policy domain
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPNUsers
  authentication-server-group ActiveDirectory
  default-group-policy domain
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  ikev1 trust-point ASDM_TrustPoint0
  tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy domain
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool (inside) VPNUsers
  address-pool VPNUsers
  authentication-server-group ActiveDirectory LOCAL
  authentication-server-group (inside) ActiveDirectory LOCAL
  <--- More --->
  default-group-policy domain
  dhcp-server link-selection 10.2.11.121
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
  <--- More --->
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 21
    subscribe-to-alert-group configuration periodic monthly 21
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
  : end

  Hello,
  I've been working on this issue for a few days with no success. We're setting  up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec  VPN setup on it for remote access. After some initial problems, we've gotten it  to where the VPN tunnel authenticates the user and connects as it should,  however we cannot ping into our LAN. We are able to ping as far as the  firewall's inside interface. I've tried other types of traffic too and nothing  gets through. I've checked the routes listed on the VPN client while we're  connected and they look correct - the client also shows both sent and received  bytes when we connect using TCP port 10000, but no Received bytes when we  connect using UDP 4500. We are trying to do split tunneling, and that seems to  be setup correctly because I can still surf while the VPN is connected.
  Below is our running config. Please excuse any messyness in the config as  there are a couple of us working on it and we've been trying a whole bunch of  different settings throughout the troubleshooting process. I will also note that  we're using ASDM as our primary method of configuring the unit, so any  suggestions that could be made with that in mind would be most helpful.  Thanks!
  ASA-01# sh run
  : Saved
  ASA Version 8.6(1)2
  hostname ASA-01
  domain-name domain.org
  enable password **** encrypted
  passwd **** encrypted
  names
  interface GigabitEthernet0/0
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 10.2.0.1 255.255.0.0
  interface GigabitEthernet0/1
  description Primary WAN Interface
  nameif outside
  security-level 0
  ip address 76.232.211.169 255.255.255.192
  interface GigabitEthernet0/2
  shutdown
  <--- More --->
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  speed 100
  <--- More --->
  duplex full
  shutdown
  nameif management
  security-level 100
  ip address 10.4.0.1 255.255.0.0
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.2.11.6
  domain-name domain.org
  dns server-group sub
  name-server 10.2.11.121
  name-server 10.2.11.138
  domain-name sub.domain.net
  same-security-traffic permit intra-interface
  object network 76.232.211.132
  host 76.232.211.132
  object network 10.2.11.138
  host 10.2.11.138
  object network 10.2.11.11
  host 10.2.11.11
  <--- More --->
  object service DB91955443
  service tcp destination eq 55443
  object service 113309
  service tcp destination range 3309 8088
  object service 11443
  service tcp destination eq https
  object service 1160001
  service tcp destination range 60001 60008
  object network LAN
  subnet 10.2.0.0 255.255.0.0
  object network WAN_PAT
  host 76.232.211.170
  object network Test
  host 76.232.211.169
  description test
  object network NETWORK_OBJ_10.2.0.0_16
  subnet 10.2.0.0 255.255.0.0
  object network NETWORK_OBJ_10.2.250.0_24
  subnet 10.2.250.0 255.255.255.0
  object network VPN_In
  subnet 10.3.0.0 255.255.0.0
  description VPN User Network
  object-group service 11
  service-object object 113309
  <--- More --->
  service-object object 11443
  service-object object 1160001
  object-group service IPSEC_VPN udp
  port-object eq 4500
  port-object eq isakmp
  access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
  access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
  access-list outside_access_in extended permit object DB91955443 any interface outside
  access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any
  access-list inside_access_in extended permit ip any any log disable
  access-list inside_access_in extended permit icmp any any echo-reply log disable
  access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
  access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
  access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
  access-list vpn_access_in extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
  <--- More --->
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any management
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source dynamic any WAN_PAT inactive
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
  nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
  nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
  nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  <--- More --->
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server ActiveDirectory protocol nt
  aaa-server ActiveDirectory (inside) host 10.2.11.121
  nt-auth-domain-controller sub.domain.net
  aaa-server ActiveDirectory (inside) host 10.2.11.138
  nt-auth-domain-controller sub.domain.net
  user-identity default-domain LOCAL
  eou allow none
  http server enable
  http 10.4.0.0 255.255.255.0 management
  http 10.2.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  no sysopt connection permit-vpn
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  <--- More --->
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  <--- More --->
  subject-name CN=ASA-01
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate a6c98751
      308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
      0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
      092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
      67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
      5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
      2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
      30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
      acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
      fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
      140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
      61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
      0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
      acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
      288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
      92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
      1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
    quit
  crypto isakmp identity address
  crypto isakmp nat-traversal 30
  crypto ikev2 policy 1
  <--- More --->
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  <--- More --->
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  crypto ikev1 ipsec-over-tcp port 10000
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  <--- More --->
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  <--- More --->
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  <--- More --->
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  <--- More --->
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcpd dns 10.2.11.121 10.2.11.138
  dhcpd lease 36000
  dhcpd ping_timeout 30
  dhcpd domain sub.domain.net
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  webvpn
  <--- More --->
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy domain internal
  group-policy domain attributes
  banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
  wins-server value 10.2.11.121 10.2.11.138
  dns-server value 10.2.11.121 10.2.11.138
  vpn-idle-timeout none
  vpn-filter value vpn_access_in
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value domain_splitTunnelAcl
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  group-policy DfltGrpPolicy attributes
  dns-server value 10.2.11.121 10.2.11.138
  vpn-filter value outside_access_in
  vpn-tunnel-protocol l2tp-ipsec
  default-domain value sub.domain.net
  split-dns value sub.domain.net
  address-pools value VPNUsers
  username **** password **** encrypted privilege 15
  <--- More --->
  username **** password **** encrypted privilege 15
  username **** attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect dtls compression lzs
    anyconnect ssl dtls enable
    anyconnect profiles value VPN_client_profile type user
  tunnel-group DefaultL2LGroup general-attributes
  default-group-policy domain
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPNUsers
  authentication-server-group ActiveDirectory
  default-group-policy domain
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  ikev1 trust-point ASDM_TrustPoint0
  tunnel-group DefaultWEBVPNGroup general-attributes
  default-group-policy domain
  tunnel-group domain type remote-access
  tunnel-group domain general-attributes
  address-pool (inside) VPNUsers
  address-pool VPNUsers
  authentication-server-group ActiveDirectory LOCAL
  authentication-server-group (inside) ActiveDirectory LOCAL
  <--- More --->
  default-group-policy domain
  dhcp-server link-selection 10.2.11.121
  tunnel-group domain ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
  <--- More --->
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 21
    subscribe-to-alert-group configuration periodic monthly 21
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
  : end

• ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp

  Hello all,
  I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
  MafSecASA# show run
  : Saved
  ASA Version 8.2(1)
  hostname MafSecASA
  domain-name mafsec.com
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.4.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 7.3.3.2 255.255.255.248
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 172.20.1.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  speed 100
  duplex full
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 3
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name mafsec.com
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object tcp
  protocol-object udp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object udp
  protocol-object tcp
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object ip
  protocol-object icmp
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in remark allow remote users to internal users
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any
  access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
  access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
  ip verify reverse-path interface outside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 10.4.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 10.4.0.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  dhcpd option 6 ip 8.8.8.8 8.8.4.4
  dhcpd address 10.4.0.15-10.4.0.245 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd lease 86400 interface inside
  dhcpd option 3 ip 10.4.0.1 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
  svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
  svc enable
  tunnel-group-list enable
  group-policy SSLVPN internal
  group-policy SSLVPN attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol svc
  group-lock none
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value inside_split_tunnel
  vlan none
  address-pools value SSLVPNPool2
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  username user1 password
  username user1 attributes
  service-type remote-access
  username user2 password
  tunnel-group SSLVPNGROUP type remote-access
  tunnel-group SSLVPNGROUP general-attributes
  address-pool SSLVPNPool2
  default-group-policy SSLVPN
  tunnel-group SSLVPNGROUP webvpn-attributes
  group-alias SSLVPN enable
  prompt hostname context
  Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
  : end
  Thank in advance for any help!

  Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs?  I'd try pinging a router or switch just to make sure.
  --Jason

• VPN connection works, but can't ping or access any other device on remote network

  I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
  The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
  My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
  Both routers are using subnet mask of 255.255.255.0
  The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
  Example:
  At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
  In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
  I'm not sure how to fix this, or whether I need to change settings on either router or the server.
  Would greatly appreciate any insight or help on this. Thanks.

  danimalapple wrote:
  I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
  The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
  My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
  Both routers are using subnet mask of 255.255.255.0
  The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
  Example:
  At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
  In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
  I'm not sure how to fix this, or whether I need to change settings on either router or the server.
  Would greatly appreciate any insight or help on this. Thanks.
  Check the DNS settings on the server (see my earlier post in this thread).

• ASA 5505 VPN clients can't ping router or other clients on network

  I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
  Result of the command: "show running-config"
  : Saved
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
  : end
  Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
  Thanks.

  I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
  here is the runnign config again:
  Result of the command: "show startup-config"
  : Saved
  : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  asdm location Server 255.255.255.255 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:78864f4099f215f4ebdd710051bdb493

• Quickvpn / client to gateway vpn rv042 can only ping router

  I am setting up remote access using an RV042 router.  Using quickvpn or a client-to gateway vpn and shrewsoft client,  I can only access/ping the LAN side of the remote router and one machine on the remote network.  The PPTP server and native Windows 7 connection provide access to all machines on the remote network.
  I have 2 possible reasons for this and would like to find the real reason:
  1) The remote RV042 is behind another router, and that router restricts access other than the PPTP traffic.
  2)  The VPN tunnels other than PPTP only allow access to the remote LAN side of the router and remote machines that have the remote router defined as their gateway in the IP configuration.
  Any ideas?

  I've narrowed the problem down to option 2 above. If I change the gateway of a LAN resource to point to the LAN side of the router, it can be accessed through the VPN tunnel. 
  I haven't had time to see if adding routing entries can fix this problem.  Any suggestions will be appreciated.
  Also, I would appreciate an explanation of why the PPTP connection works.  I will research this myself (eventually) but am  already backed up with other projects..

• Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!

  Hi,
  I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
  Config
  ciscoasa# sh run
  : Saved
  ASA Version 8.0(3)
  hostname ciscoasa
  enable password 5QB4svsHoIHxXpF/ encrypted
  names
  name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
  name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
  name xxx.xxx.xxx.xxx Mail_Server
  name xxx.xxx.xxx.xxx IncomingIP
  name xxx.xxx.xxx.xxx SAP
  name xxx.xxx.xxx.xxx WebServer
  name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
  name 192.168.2.2 isa_server_outside
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address IncomingIP 255.255.255.248
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.253 255.255.255.0
  management-only
  passwd 123
  ftp mode passive
  clock timezone EEST 2
  clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
  object-group service TCP_8081 tcp
  port-object eq 8081
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq 3389
  port-object eq ftp
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq pop3
  port-object eq 3200
  port-object eq 3300
  port-object eq 3600
  port-object eq 3299
  port-object eq 3390
  port-object eq 50000
  port-object eq 3396
  port-object eq 3397
  port-object eq 3398
  port-object eq imap4
  port-object eq 587
  port-object eq 993
  port-object eq 8000
  port-object eq 8443
  port-object eq telnet
  port-object eq 3901
  group-object TCP_8081
  port-object eq 1433
  port-object eq 3391
  port-object eq 3399
  port-object eq 8080
  port-object eq 3128
  port-object eq 3900
  port-object eq 3902
  port-object eq 7777
  port-object eq 3392
  port-object eq 3393
  port-object eq 3394
  port-object eq 3395
  port-object eq 92
  port-object eq 91
  port-object eq 3206
  port-object eq 8001
  port-object eq 8181
  port-object eq 7778
  port-object eq 8180
  port-object eq 22222
  port-object eq 11001
  port-object eq 11002
  port-object eq 1555
  port-object eq 2223
  port-object eq 2224
  object-group service RDP tcp
  port-object eq 3389
  object-group service 3901 tcp
  description 3901
  port-object eq 3901
  object-group service 50000 tcp
  description 50000
  port-object eq 50000
  object-group service Enable_Transparent_Tunneling_UDP udp
  port-object eq 4500
  access-list inside_access_in remark connection to SAP
  access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
  access-list inside_access_in remark VPN Outgoing - PPTP
  access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
  access-list inside_access_in remark VPN Outgoing - GRE
  access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
  access-list inside_access_in remark VPN - GRE
  access-list inside_access_in extended permit gre any any
  access-list inside_access_in remark VPN Outgoing - IKE Client
  access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
  access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
  access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
  access-list inside_access_in remark DNS Outgoing
  access-list inside_access_in extended permit udp any any eq domain
  access-list inside_access_in remark DNS Outgoing
  access-list inside_access_in extended permit tcp any any eq domain
  access-list inside_access_in remark Outoing Ports
  access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
  access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
  access-list outside_access_in extended permit ip any any
  access-list outside_access_in extended permit tcp any any eq pptp
  access-list outside_access_in extended permit gre any any
  access-list outside_access_in extended permit gre any host Mail_Server
  access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
  access-list outside_access_in extended permit esp any any
  access-list outside_access_in extended permit ah any any
  access-list outside_access_in extended permit udp any any eq isakmp
  access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
  access-list VPN standard permit 192.168.2.0 255.255.255.0
  access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-603.bin
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 2 Mail_Server netmask 255.0.0.0
  global (outside) 1 interface
  global (inside) 2 interface
  nat (inside) 0 access-list corp_vpn
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
  static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
  static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
  static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
  static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
  static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
  static (inside,outside) 192.168.2.0  access-list corp_vpn
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set transet esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10 set pfs
  crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
  crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
  crypto map cryptomap interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  no crypto isakmp nat-traversal
  telnet 192.168.2.0 255.255.255.0 inside
  telnet 192.168.1.0 255.255.255.0 management
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
  dhcpd domain domain.local interface inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  tftp-server management 192.168.1.123 /
  group-policy mypolicy internal
  group-policy mypolicy attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN
  username vpdn password 123
  username vpdn attributes
  vpn-group-policy mypolicy
  service-type remote-access
  tunnel-group mypolicy type remote-access
  tunnel-group mypolicy general-attributes
  address-pool POOL
  default-group-policy mypolicy
  tunnel-group mypolicy ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
  : end
  Thank you very much.

  Here is the output:
  ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
  Phase: 1
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found no matching flow, creating a new flow
  Phase: 2
  Type: UN-NAT
  Subtype: static
  Result: ALLOW
  Config:
  static (inside,outside) 192.168.2.0  access-list corp_vpn
  nat-control
    match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
      static translation to 192.168.2.0
      translate_hits = 0, untranslate_hits = 139
  Additional Information:
  NAT divert to egress interface inside
  Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit ip any any
  Additional Information:
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: CP-PUNT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect icmp
  service-policy global_policy global
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  static (inside,outside) 192.168.2.0  access-list corp_vpn
  nat-control
    match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
      static translation to 192.168.2.0
      translate_hits = 0, untranslate_hits = 140
  Additional Information:
  Phase: 11
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

• Intermittent Internet Connection and VPN clients can't ping internal LAN but connected after installating cisco ASA5512x

  Hi!
  I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
  ISP ->  Firewall -> Core switch -> Internal LAN
  after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
  here's my configuration from my firewall.
  ASA Version 8.6(1)2
  hostname ciscofirewall
  enable password 2KFQnbNIdI.2KYOU encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.x.x.x 255.255.255.0
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.152.11.15 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/4
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/5
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 4.2.2.2 -------> public DNS
  name-server 8.8.8.8 -------> public
  name-server 203.x.x.x   ----> Clients DNS
  name-server 203.x.x.x  -----> Clients DNS
  same-security-traffic permit intra-interface
  object network net_access
  subnet 10.0.0.0 255.0.0.0
  object network citrix_server
  host 10.152.11.21
  object network NETWORK_OBJ_10.10.10.0_28
  subnet 10.10.10.0 255.255.255.240
  object network NETWORK_OBJ_10.0.0.0_8
  subnet 10.0.0.0 255.0.0.0
  object network InterconHotel
  subnet 10.152.11.0 255.255.255.0
  access-list net_surf extended permit ip any any
  access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
  access-list outside_access extended permit tcp any object citrix_server eq www
  access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
  access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
  access-list LAN_Users remark LAN_clients
  access-list LAN_Users standard permit any
  access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
  pager lines 24
  logging enable
  logging asdm informational
  mtu management 1500
  mtu outside 1500
  mtu inside 1500
  ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
  object network net_access
  nat (inside,outside) dynamic interface
  object network citrix_server
  nat (inside,outside) static 203.177.18.234 service tcp www www
  object network NETWORK_OBJ_10.10.10.0_28
  nat (any,outside) dynamic interface
  object network InterconHotel
  nat (inside,outside) dynamic interface dns
  access-group outside_access in interface outside
  access-group net_surf out interface outside
  route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
  route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 10.0.0.100 255.255.255.255 inside
  http 10.10.10.0 255.255.255.240 outside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  client-update enable
  telnet 10.152.11.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  enable outside
  anyconnect-essentials
  group-policy outsidevpn internal
  group-policy outsidevpn attributes
  dns-server value 203.x.x.x 203.x.x.x
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
  split-tunnel-policy tunnelall
  split-tunnel-network-list value outsidevpn_splitTunnelAcl
  default-domain value interconti.com
  address-pools value vpnpool
  username test1 password i1lji/GiOWB67bAs encrypted privilege 5
  username test1 attributes
  vpn-group-policy outsidevpn
  username mnlha password WlzjmENGEEZmT9LA encrypted
  username mnlha attributes
  vpn-group-policy outsidevpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group outsidevpn type remote-access
  tunnel-group outsidevpn general-attributes
  address-pool (inside) vpnpool
  address-pool vpnpool
  authentication-server-group (outside) LOCAL
  default-group-policy outsidevpn
  tunnel-group outsidevpn ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect http
    inspect ipsec-pass-thru
  class class-default
    user-statistics accounting
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  hpm topN enable
  Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
  : end
  thanks. please help.

  I think you should change your nat-exemption rule to smth more general, like
  nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
  'cause your inside networks are not the same as your vpn-pool subnet.
  Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA.

• One router on ASA 5505 Site to Site VPN can't ping other router

  I have two Cisco ASA routers and I have a site to site vpn set up between the two. The VPN link works but Site A can't ping anything on Site B. Site B can ping Site A. Site B can ping other pcs on it's own network. Site A has been in place for a while and has other site to site VPNs that work fine, so I think the problem is with Site B. Here is the config for Site B:
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(4)1
  hostname SaskASA
  enable password POgOWyKyb0jgJ1Hm encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.16.1 255.255.254.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_192.168.16.0_23
  subnet 192.168.16.0 255.255.254.0
  object network NETWORK_OBJ_192.168.2.0_23
  subnet 192.168.2.0 255.255.254.0
  access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.254.0 192.168.2.0 255.255.254.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_23 NETWORK_OBJ_192.168.16.0_23 destination static NETWORK_OBJ_192.168.2.0_23 NETWORK_OBJ_192.168.2.0_23 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  nat (inside,outside) after-auto source dynamic any interface
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable 444
  http 192.168.16.0 255.255.254.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 207.228.xx.xx
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcp-client client-id interface outside
  dhcpd auto_config outside
  dhcpd address 192.168.16.100-192.168.16.200 inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy GroupPolicy_207.228.xx.xxinternal
  group-policy GroupPolicy_207.228.xx.xx attributes
  vpn-tunnel-protocol ikev1 ikev2
  username User password shbn5zbLkuHP/mJX encrypted privilege 15
  tunnel-group 207.228.xx.xxtype ipsec-l2l
  tunnel-group 207.228.xx.xxgeneral-attributes
  default-group-policy GroupPolicy_207.228.xx.xx
  tunnel-group 207.228.xx.xxipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f06bd1d6d063318339d98417b171175e
  : end
  Any ideas? Thanks.

  I looked over the config for Site A, but couldn't find anything unusual. Perhaps I'm overlooking something. Here is the config for site A:
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.2(1)
  hostname SiteA
  domain-name domain
  enable password POgOWyKyb0jgJ1Hm encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.254.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 192.168.2.6
  domain-name domain
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.14.0 255.255.254.0
  network-object 192.168.4.0 255.255.254.0
  network-object 192.168.6.0 255.255.254.0
  network-object 192.168.8.0 255.255.254.0
  object-group network DM_INLINE_NETWORK_2
  network-object 192.168.12.0 255.255.254.0
  network-object 192.168.14.0 255.255.254.0
  network-object 192.168.4.0 255.255.254.0
  network-object 192.168.6.0 255.255.254.0
  network-object 192.168.8.0 255.255.254.0
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_1
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2
  access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.192
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
  access-list VPNGeo_splitTunnelAcl standard permit any
  access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
  access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.4.0 255.255.254.0
  access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.8.0 255.255.254.0
  access-list outside_5_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool GeoVPNPool 192.168.15.200-192.168.15.254 mask 255.255.254.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable 444
  http 192.168.2.0 255.255.254.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 outside
  http authentication-certificate inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 207.228.xx.xx
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer 208.119.xx.xx
  crypto map outside_map 2 set transform-set ESP-3DES-SHA
  crypto map outside_map 3 match address outside_3_cryptomap
  crypto map outside_map 3 set pfs group1
  crypto map outside_map 3 set peer 208.119.xx.xx
  crypto map outside_map 3 set transform-set ESP-3DES-SHA
  crypto map outside_map 4 match address outside_4_cryptomap
  crypto map outside_map 4 set pfs
  crypto map outside_map 4 set peer 208.119.xx.xx
  crypto map outside_map 4 set transform-set ESP-3DES-SHA
  crypto map outside_map 5 match address outside_5_cryptomap
  crypto map outside_map 5 set pfs group1
  crypto map outside_map 5 set peer 70.64.xx.xx
  crypto map outside_map 5 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access inside
  dhcp-client client-id interface outside
  dhcpd auto_config outside
  dhcpd address 192.168.2.100-192.168.2.254 inside
  dhcpd auto_config outside interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy VPNGeo internal
  group-policy VPNGeo attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPNGeo_splitTunnelAcl
  username user password shbn5zbLkuHP/mJX encrypted privilege 15
  username namepassword vP98Lj8Vm5SLs9PW encrypted
  username nameattributes
  vpn-group-policy VPNGeo
  tunnel-group 207.228.xx.xxtype ipsec-l2l
  tunnel-group 207.228.xx.xxipsec-attributes
  pre-shared-key *
  tunnel-group VPNGeo type remote-access
  tunnel-group VPNGeo general-attributes
  address-pool GeoVPNPool
  default-group-policy VPNGeo
  tunnel-group VPNGeo ipsec-attributes
  pre-shared-key *
  tunnel-group 208.119.xx.xxtype ipsec-l2l
  tunnel-group 208.119.xx.xxipsec-attributes
  pre-shared-key *
  tunnel-group 208.119.xx.xx type ipsec-l2l
  tunnel-group 208.119.xx.xx ipsec-attributes
  pre-shared-key *
  tunnel-group 208.119.xx.xxtype ipsec-l2l
  tunnel-group 208.119.xx.xxipsec-attributes
  pre-shared-key *
  tunnel-group 70.64.xx.xxtype ipsec-l2l
  tunnel-group 70.64.xx.xxipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:e3adf4e597198f58cd21e508aabdbab9
  : end

• How can I improve performance over a Branch Office IPsec vpn tunnel between and SA540 and an SA520

  Hello,
  I just deployed one Cisco SA540 and three SA520s.
  The SA540 is at the Main Site.
  The three SA520s are the the spoke sites.
  Main Site:
  Downstream Speed: 32 Mbps
  Upstream Speed: 9.4 Mbps
  Spoke Site#1:
  Downstream Speed: 3.6 Mbps
  Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
  The SA tunnels are "Established"
  I see packets being tranmsitted and received.
  Pinging across the tunnel has an average speed of 32 ms (which is good).
  DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
  But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
  It takes about 15 minutes to print across the vpn tunnel.
  The remedy this, we have implemented Terminal Services across the Internet.
  Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
  Logging on to the network takes about 10 minutes over the vpn tunnel.
  Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
  I have used ASAs before in other implementation without any issues at all.
  I am wondering if I replaced the SAs with ASAs, that they may fix my problem.
  I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA vpn tunnels are unuseable.
  I opened a case with Small Business Support on Friday evening, but they couldnt even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
  Maybe the night weekend shift has a skeleton crew, and the best engineers are available at that time or something....i dont know.
  I just know that my experience with the Cisco TAC has been great for the last 10 years.
  My short experience with the Cisco Small Business Support Center has not been as great at all.
  Bottom Line:
  I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
  Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happeninng between the Main Site and Spoke #2 (I think Spoke#2 has a Download Speed of about 3Mbps and and Upload Speed of about 0.5 Mbps.
  Please help.
  I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.

  Hi Anthony,
  I agree!.  My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA vpn performance.
  But I want to know WHY this is happening too.
  I will definitely run a sniffer trace to see what is happening.
  Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
  1.  Upgrade the SA540 at the Main Site to 2.1.45.
  2a. For cable connections, use the standard MTU of 1500 bytes.
  2.b For DSL, use the following command to determine the largets MTU that will be sent without packet fragmentation:
  ping -f -l packetsize
  Perform the items below to see if this increases performance:
  I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
  3a. Lower the IKE encryption algorithm from "AES-128" to DES.
  3b. Lower the IKE authentication algorithm to MD5
  3c. Also do the above for the VPN Policy
  Any input is welcome!

• Can not ping between remote vpn site ???

  site A is l2l vpn,  site B is network-extend vpn,  both connect to same vpn device 5510 at central office and work well.  I can ping from central office to both remote sites,  But i can not ping between these two vpn sites ?  Tried debug icmp, i can see the icmp from side A does reach central office but then disappeared! not sending to side B ??  Please help ...
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network SITE-A
   network-object 192.168.42.0 255.255.255.0
  object-group network SITE-B
   network-object 192.168.46.0 255.255.255.0
  access-list OUTSIDE extended permit icmp any any 
  access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A 
  nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
  crypto map VPN-MAP 50 match address HOLT-VPN-ACL
  crypto map VPN-MAP 50 set peer *.*.56.250 
  crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
  crypto map VPN-MAP interface outside
  group-policy REMOTE-NETEXTENSION internal
  group-policy REMOTE-NETEXTENSION attributes
   dns-server value *.*.*.*
   vpn-idle-timeout none
   vpn-tunnel-protocol ikev1 
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value REMOTE-NET2
   default-domain value *.org
   nem enable
  tunnel-group REMOTE-NETEXTENSION type remote-access
  tunnel-group REMOTE-NETEXTENSION general-attributes
   authentication-server-group (inside) LOCAL
   default-group-policy REMOTE-NETEXTENSION
  tunnel-group REMOTE-NETEXTENSION ipsec-attributes
   ikev1 pre-shared-key *****
  tunnel-group *.*.56.250 type ipsec-l2l
  tunnel-group *.*.56.250 ipsec-attributes
   ikev1 pre-shared-key *****
  ASA-5510# show route | include 192.168.42 
  S    192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
  ASA-5510# show route | include 192.168.46
  S    192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
  ASA-5510# 
  Username     : layson-ne           Index        : 10
  Assigned IP  : 192.168.46.0           Public IP    : *.*.65.201
  Protocol     : IKEv1 IPsecOverNatT
  License      : Other VPN
  Encryption   : 3DES                   Hashing      : SHA1
  Bytes Tx     : 11667685               Bytes Rx     : 1604235
  Group Policy : REMOTE-NETEXTENSION    Tunnel Group : REMOTE-NETEXTENSION
  Login Time   : 08:19:12 EST Thu Feb 12 2015
  Duration     : 6h:53m:29s
  Inactivity   : 0h:00m:00s
  NAC Result   : Unknown
  VLAN Mapping : N/A                    VLAN         : none
  ASA-5510# show vpn-sessiondb l2l
  Session Type: LAN-to-LAN
  Connection   : *.*.56.250
  Index        : 6                      IP Addr      : *.*.56.250
  Protocol     : IKEv1 IPsec
  Encryption   : 3DES AES256            Hashing      : SHA1
  Bytes Tx     : 2931026707             Bytes Rx     : 256715895
  Login Time   : 02:02:41 EST Thu Feb 12 2015
  Duration     : 13h:10m:03s

  Hi Rico,
  You need to dynamic-nat (to available IP address) for both side for each remote subset to access the other remote side subnet and so they can access each other subnet as if both originating the traffic from your central location.
  example:
  Lets say this IP (10.10.10.254) is unused IP at central office, permitted to access remote tunnel "A" and site "B".
  object-group network SITE-A
   network-object 192.168.42.0 255.255.255.0
  object-group network SITE-B
   network-object 192.168.46.0 255.255.255.0
  nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination
  static SITE-B SITE-B
  nat (outside,outside) source dynamic SITE-B  10.10.10.254 destination
  static SITE-A SITE-A
  Hope this helps
  Thanks
  Rizwan Rafeek

• Changing S2S VPN tunnel endpoint

  Hi CSC'ers,
  For DR purposes, we have two VPN tunnel endpoints on different ISP's at our head-end office. At our branch office, we have an ASA. I am wondering if for the purpose of re-pointing the tunnel from the branch to the DR endpoint at the head-end, it's as easy as:
  no crypto map <map-name> <seq-num> set peer <ip_address_1>
  crypto map <map-name> <seq-num> set peer <ip_address_2>
  Where <ip_address_1> is the regular production endpoint, and <ip_address_2> is the DR endpoint.
  Or is there any other command that I need to run to make the tunnel re-point take effect?
  (Yes, I know I can have multiple peers set on a crypto map set peer, but we have reasons that we don't want to do that.)
  Thanks,
  Will

  Will,
  I dont know what DR means, but if what you want to do is just to change the peer for the VPN tunnel, then yes that is all you need to do
  Let me know if you have any other questions.
  Mike

• VPN - Can't ping the next hop

  Next some advise... i've configured a VPN server -pptp on my router,  create a vpn for client to site. At the moment, client computer can connect and established a connection to router. I can ping from client to router (192.168.5.1) but can't ping 192.168.5.2(switch) or 192.168.10.X (workstations)
  What i'm trying to achieve is to access the internal network (192.168.10.X) which is from the layer 3 switch's end. Any help/extra eye would be good.
  Here are my network design and config below:
  Client Computer ---> Internet ---> (1.1.1.1) Cisco Router 881 (192.168.5.1) ---> Dell Powerconnect 6248 switch (192.168.5.2) --> Workstation(192.168.10.x)
  Cisco 881 Router
  aaa new-model
  aaa authentication ppp default local
  vpdn enable
  vpdn-group PPTP-VPDN
  accept-dialin
  protocol pptp
  virtual-template 1
  interface FastEthernet0
  description Link to Switch
  switchport access vlan 5
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  switchport access vlan 70
  no ip address
  interface FastEthernet4
  description INTERNET WAN PORT
  ip address [EXTERNAL IP]
  ip nat outside
  ip virtual-reassembly in
  duplex full
  speed 100
  crypto map VPN1
  interface Vlan1
  no ip address
  interface Vlan5
  description $ES_LAN$
  ip address 192.168.5.1 255.255.255.248
  no ip redirects
  no ip unreachables
  ip nat inside
  ip virtual-reassembly in
  interface Vlan70
  ip address [EXTERNAL IP]
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Virtual-Template1
  ip unnumbered FastEthernet4
  encapsulation ppp
  peer default ip address pool defaultpool
  ppp authentication chap ms-chap
  ip local pool defaultpool 192.168.10.200 192.168.10.210
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list NO-NAT interface FastEthernet4 overload
  ip route 0.0.0.0 0.0.0.0 [EXTERNAL IP]
  ip route 192.168.0.0 255.255.0.0 192.168.5.2
  ip access-list extended NO-NAT
  deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
  permit ip 192.168.0.0 0.0.255.255 any
  ip access-list extended VLAN70
  permit ip [EXTERNAL IP] 0.0.0.15 192.168.10.0 0.0.1.255
  permit tcp [EXTERNAL IP] 0.0.0.15 any eq smtp
  permit tcp [EXTERNAL IP] 0.0.0.15 any eq www
  permit tcp [EXTERNAL IP] 0.0.0.15 any eq 443
  permit tcp [EXTERNAL IP] 0.0.0.15 any eq domain
  permit udp [EXTERNAL IP] 0.0.0.15 any eq domain
  ip access-list extended VPN
  permit ip 192.168.10.0 0.0.1.255 10.1.0.0 0.0.1.255
  permit ip [EXTERNAL IP] 0.0.0.15 10.1.0.0 0.0.1.255
  ip access-list extended WAN
  Layer 3 Switch - Dell Powerconnect 6224
  ip routing
  ip route 0.0.0.0 0.0.0.0 192.168.5.1
  interface vlan 5
  name "Connect to Cisco Router"
  routing
  ip address 192.168.5.2 255.255.255.248
  exit
  interface vlan 10
  name "internal network"
  routing
  ip address 192.168.10.1 255.255.255.0
  exit
  interface ethernet 1/g12
  switchport mode acesss vlan 5
  exit
  interface ethernet 1/g29
  switchport mode access vlan 10
  exit

  Hi Samuel,
  I went through your configuration and picked up some problematic lines..
  First of all you can't have your vpn-pool to be in the 192.168.10.x/24 range because you already have that subnet used behind the switch ( this would only be possible if you had 192.168.10.x range directly connected to the router ). Also, you can't bind your Virtual Template to the WAN ip, it should bind to a interface with a subnet that includes your vpn-pool IP range.
  The cleanest way to do this is,
  Create a new loop back interface with a new subnet
  interface loopback 0
  ip address 192.168.99.1 255.255.255.0
  Have new vpn pool defined,
  ip local pool defaultpool 192.168.99.200 192.168.99.210
  Change your Template to point the new loopback interface,
  interface Virtual-Template1
  ip unnumbered loopback0
  encapsulation ppp
  peer default ip address pool defaultpool
  ppp authentication chap ms-chap
  All the vpn clients will get an IP from 192.168.99.200 192.168.99.210 range. And they will be able to get in to the router and up to the desired 192.168.10.x/24 range behind the router. Packets will get in to the switch and then in to the host. Host will reply through the gateway( switch ) -> router -> Client.
  PS: Earlier, even if your packets get to the host, the host will never try to send the reply packets back through the gateway ( switch ) because from its(hosts) point of view, the packet came from the same Lan, so the host will just try to "arp" for the senders MAC  and will eventually time out)
  Hope  this helps.
  Please don't forget to rate/mark helpful posts
  Shamal