VPN works but no ping

I have a VPN tunnel working but I cannot ping the other side.
Please help me, check this out:
RouterVPN1#show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: VPN1-VPN2, local addr 192.168.1.77
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
   current_peer 192.168.1.78 port 500
     PERMIT, flags={origin_is_acl,}
   #pkts encaps: 1075, #pkts encrypt: 1075, #pkts digest: 1075
    #pkts decaps: 1045, #pkts decrypt: 1045, #pkts verify: 1045
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
   current_peer 192.168.1.78 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1290, #pkts encrypt: 1290, #pkts digest: 1290
    #pkts decaps: 1260, #pkts decrypt: 1260, #pkts verify: 1260
The tunnel is working; the packets going through are the keepalives. But when I ping I get this:
RouterVPN1#ping 192.168.201.1
Sending 5, 100-byte ICMP Echos to 192.168.201.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
RouterVPN1#
Please help
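Two checks a practitioner runs on output like the above: do the SA counters move in both directions between two snapshots, and does the ping being tested actually fall inside the SA's local/remote identities (the crypto ACL)? The script below is an added example, not code from the original post; SA_T0 is the first SA block from the thread and SA_T1 is a constructed second snapshot using the later counter values.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' counters and check a ping against the crypto ACL.

Added example, not from the original post. SA_T0 is the first SA block from the
thread; SA_T1 is a constructed second snapshot with the thread's later counter values.
"""
import ipaddress
import re
from dataclasses import dataclass

SA_T0 = """\
interface: Ethernet0
    Crypto map tag: VPN1-VPN2, local addr 192.168.1.77
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
   current_peer 192.168.1.78 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1075, #pkts encrypt: 1075, #pkts digest: 1075
    #pkts decaps: 1045, #pkts decrypt: 1045, #pkts verify: 1045
"""
# Constructed later snapshot of the same SA: counters advanced to the thread's second set of values.
SA_T1 = SA_T0.replace("1075", "1290").replace("1045", "1260")

IDENT_RE = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): \((.+)\)$")
PEER_RE = re.compile(r"^current_peer (\S+) port (\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0


def parse_sa(text):
    """Return one IpsecSa per 'local ident' block; header lines before the first block are ignored."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                sas.append(IpsecSa(local_ident=m.group(2)))
            elif sas:
                sas[-1].remote_ident = m.group(2)
            continue
        if not sas:
            continue
        if m := PEER_RE.match(line):
            sas[-1].peer = m.group(1)
        elif m := ENCAPS_RE.search(line):
            sas[-1].encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            sas[-1].decaps = int(m.group(1))
    return sas


def traffic_direction(before, after):
    """Classify what two snapshots of the same SA say about traffic flow."""
    sent = after.encaps - before.encaps
    received = after.decaps - before.decaps
    if sent > 0 and received > 0:
        return "bidirectional"
    if sent > 0:
        return "outbound only"      # we encrypt, nothing is decrypted from the peer
    if received > 0:
        return "inbound only"       # peer sends, we never encrypt toward it
    return "idle"


def ident_network(ident):
    """'192.168.200.0/255.255.255.0/0/0' -> IPv4Network (protocol and port fields ignored)."""
    addr, mask, _proto, _port = ident.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def matches_crypto_acl(sa, src, dst):
    """True if a packet src->dst falls inside this SA's local/remote identities (the crypto ACL)."""
    return (ipaddress.ip_address(src) in ident_network(sa.local_ident)
            and ipaddress.ip_address(dst) in ident_network(sa.remote_ident))


if __name__ == "__main__":
    before, after = parse_sa(SA_T0)[0], parse_sa(SA_T1)[0]
    print("peer", before.peer, "->", traffic_direction(before, after))
    # A plain 'ping' issued on the router is sourced from the egress interface address
    # (192.168.1.77 here), which lies outside the local ident; a ping sourced from
    # 192.168.200.x lies inside it and is the one the crypto map would encrypt.
    for src in ("192.168.1.77", "192.168.200.1"):
        print(src, "-> 192.168.201.1 matches crypto ACL:",
              matches_crypto_acl(before, src, "192.168.201.1"))
```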

Similar Messages

  • Azure Site-to-Site VPN works, but RDP/Server Manager/Replication does not.

    Hi,
    At home, I have a Raspberry Pi with Raspbian as OS. I have installed OpenSwan to make a Site-to-Site VPN between the Raspberry and Azure. The Raspberry has an IP address of 192.168.1.2 behind NAT. Ping works from both sites, but I'm not able to RDP or, for example, manage the servers within the Server Manager. The AD Replication doesn't work either, but I was able to join a VM in Azure over this VPN. I'm using the following configuration:
    Network topology:
    • 192.168.1.0/24 - Home network
    • 192.168.2.0/24 - Azure network
    • 192.168.1.1 - Home router's private IP
    • 192.168.1.2 - Raspberry Pi
    I enabled L2TP Passthrough in the router firewall and I tried to forward the following ports to my RPI:
    • UDP 500
    • UDP 4500
    I also tried to place the Pi in the DMZ.
    My ipsec.conf looks like this:
    version 2.0
    config setup
        nat_traversal=yes
        virtual_private=%4:192.168.1.0/24
        protostack=auto
        interfaces="ipsec0=eth0"
    conn azure
        authby=secret
        auto=start
        type=tunnel
        left=192.168.1.2
        leftsubnet=192.168.1.0/24
        leftnexthop=192.168.1.1
        right=[Azure IP]
        rightsubnet=192.168.2.0/24
        ike=3des-sha1-modp1024,aes128-sha1-modp1024
        esp=3des-sha1,aes128-sha1
        pfs=no
    ipsec.secrets:
    192.168.1.2 [Azure IP] : PSK "AzureSecret"
    That got the link up and running, to allow routing between sites:
    /etc/sysctl.conf:
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    IPtables rules:
    iptables -A FORWARD -s 192.168.2.0/24 -m policy --dir in --pol ipsec -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -m policy --dir out --pol ipsec -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
    iptables -A INPUT -p esp -j ACCEPT
    The NAT table allows the Azure VMs to connect to any machine on my home network:
    iptables -A PREROUTING -t nat -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination [Azure IP]:4500
    iptables -A PREROUTING -t nat -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination [Azure IP]:500
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    With all this I can ping and communicate in both directions: all Azure VMs can see my home network, and all home network machines can see my Azure VMs.
    Any idea what's going wrong? Thank you!

    Hi Arvind,
    I can confirm that RDP from the server in Azure works to my home lab. It doesn't work from my home lab (DC01) to Azure (DC02-1). I did a capture on my DC01 with NetMon.
    DC01 is 192.168.1.10 (home)
    DC02-1 is 192.168.2.4 (Azure)
    I found the following 'errors' in the capture:
    - Scale factor not supported
    - Checksum: 0x9EBF, Disregarded
    Do you know what the problem is?
    Take a look at the capture below:
    215 11:24:20 27-12-2014 1.8730574 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=CE....S., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688143, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:5, IPv4:11}
    222 11:24:20 27-12-2014 1.9105602 mstsc.exe 192.168.2.4 192.168.1.10 TCP TCP:Flags=.E.A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000 {TCP:5, IPv4:11}
    223 11:24:20 27-12-2014 1.9106166 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=...A...., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688144, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    224 11:24:20 27-12-2014 1.9118241 mstsc.exe 192.168.1.10 192.168.2.4 RDP RDP:Windows stub parser: Requires full Common parsers. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading these parser sets. {TCP:5, IPv4:11}
    236 11:24:20 27-12-2014 2.2214169 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    262 11:24:21 27-12-2014 2.8307052 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    338 11:24:22 27-12-2014 4.0339011 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    370 11:24:23 27-12-2014 4.9156751 mstsc.exe 192.168.2.4 192.168.1.10 TCP TCP:Flags=.E.A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000 {TCP:5, IPv4:11}
    371 11:24:23 27-12-2014 4.9157253 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=...A...., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    383 11:24:23 27-12-2014 5.2369090 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    429 11:24:25 27-12-2014 6.4450070 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    520 11:24:27 27-12-2014 8.8541736 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    587 11:24:29 27-12-2014 10.9267084 mstsc.exe 192.168.2.4 192.168.1.10 TCP TCP:Flags=...A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000 {TCP:5, IPv4:11}
    Frame: Number = 587, Captured Frame Length = 62, MediaType = ETHERNET
    + Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[MAC Address],SourceAddress:[B8-27-EB-8C-CA-84]
    + Ipv4: Src = 192.168.2.4, Dest = 192.168.1.10, Next Protocol = TCP, Packet ID = 17414, Total IP Length = 48
    - Tcp: Flags=...A..S., SrcPort=MS WBT Server(3389), DstPort=50487, PayloadLen=0, Seq=3665192609, Ack=4073688144, Win=64000 ( Scale factor not supported ) = 64000
    SrcPort: MS WBT Server(3389)
    DstPort: 50487
    SequenceNumber: 3665192609 (0xDA7666A1)
    AcknowledgementNumber: 4073688144 (0xF2CF8C50)
    + DataOffset: 112 (0x70)
    + Flags: ...A..S.
    Window: 64000 ( Scale factor not supported ) = 64000
    Checksum: 0x57F9, Good
    UrgentPointer: 0 (0x0)
    + TCPOptions:
    588 11:24:29 27-12-2014 10.9267808 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[Dup Ack #371]Flags=...A...., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    698 11:24:32 27-12-2014 13.6755119 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:[ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840 {TCP:5, IPv4:11}
    Frame: Number = 698, Captured Frame Length = 73, MediaType = ETHERNET
    + Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[MAC Address],SourceAddress:[MAC Address]
    + Ipv4: Src = 192.168.1.10, Dest = 192.168.2.4, Next Protocol = TCP, Packet ID = 17408, Total IP Length = 59
    - Tcp: [ReTransmit #224]Flags=...AP..., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=19, Seq=4073688144 - 4073688163, Ack=3665192610, Win=515 (scale factor 0x8) = 131840
    SrcPort: 50487
    DstPort: MS WBT Server(3389)
    SequenceNumber: 4073688144 (0xF2CF8C50)
    AcknowledgementNumber: 3665192610 (0xDA7666A2)
    + DataOffset: 80 (0x50)
    + Flags: ...AP...
    Window: 515 (scale factor 0x8) = 131840
    Checksum: 0x9EBF, Disregarded
    UrgentPointer: 0 (0x0)
    RetransmitPayload: Binary Large Object (19 Bytes)
    722 11:24:32 27-12-2014 14.3901288 mstsc.exe 192.168.1.10 192.168.2.4 TCP TCP:Flags=C..A.R.., SrcPort=50487, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=4073688163, Ack=3665192610, Win=0 (scale factor 0x8) = 0 {TCP:5, IPv4:11}

  • Cisco asa- vpn established but cant ping

    I am using 2 Cisco ASA 5505 routers. I have established a VPN between them but I can't ping the client's internal or outside interface; the client can ping my outside interface. The only configuration on the client is basic Easy VPN settings and interfaces. Here is the server-part configuration on my side:
    ASA Version 9.1(1)
    hostname ciscoasa
    enable password NuLKvvWGg.x9HEKO encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group iskon
    ip address pppoe setroute
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network inside
    subnet 10.1.2.0 255.255.255.0
    object network outside
    subnet 10.1.3.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    access-list 101 extended permit object-group DM_INLINE_PROTOCOL_1 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
    access-list 102 extended permit object-group DM_INLINE_PROTOCOL_2 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list global_access extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 10.1.3.0 255.255.255.0 echo-reply inside
    icmp permit any inside
    icmp permit any outside
    icmp permit 10.1.3.0 255.255.255.0 echo-reply outside
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,any) source static outside outside destination static inside inside no-proxy-arp
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group global_access global
    route inside 0.0.0.0 0.0.0.0 10.1.3.1 tunneled
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.1.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
    crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
    crypto map MAP interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    vpdn group iskon request dialout pppoe
    vpdn group iskon localname *********
    vpdn group iskon ppp authentication pap
    vpdn username ***** password *****
    dhcpd auto_config outside
    dhcpd address 10.1.2.5-10.1.2.132 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy VPN internal
    group-policy VPN attributes
    split-tunnel-policy tunnelall
    split-tunnel-network-list value 101
    nem enable
    username user password enq05bKrudsJMMBu encrypted privilege 15
    username user attributes
    vpn-group-policy VPN
    vpn-session-timeout none
    group-lock value VPN-TUNNEL
    tunnel-group VPN-TUNNEL type remote-access
    tunnel-group VPN-TUNNEL general-attributes
    default-group-policy VPN
    tunnel-group VPN-TUNNEL ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:3f2923b78a04ee8cfe9324e3e2733d78

    SOLVED!!! I just needed to configure NAT. Here is the configuration for anyone with the same problem:
    : Saved
    ASA Version 9.1(1)
    hostname ciscoasa
    enable password NuLKvvWGg.x9HEKO encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group iskon
    ip address pppoe setroute
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network ladimirevci
    subnet 10.1.2.0 255.255.255.0
    object network lekenik
    subnet 10.1.3.0 255.255.255.0
    access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
    access-list 101 extended permit ip object lekenik object ladimirevci
    access-list 101 extended permit ip object ladimirevci object lekenik
    access-list outside_access_in extended permit ip object ladimirevci object lekenik
    access-list outside_access_in extended permit ip object lekenik object ladimirevci
    access-list outside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip object ladimirevci object lekenik
    access-list inside_access_in extended permit ip object lekenik object ladimirevci
    access-list inside_access_in extended permit ip any any
    access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
    access-list 102 extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list global_access extended permit ip object lekenik object ladimirevci
    access-list global_access extended permit ip object ladimirevci object lekenik
    access-list global_access extended permit ip any any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any echo-reply outside
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,any) source static ladimirevci ladimirevci destination static lekenik lekenik
    object network obj_any
    nat (inside,outside) dynamic interface dns
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group global_access global
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 10.1.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    no sysopt connection permit-vpn
    crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map DYN-MAP 5 set pfs
    crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
    crypto dynamic-map DYN-MAP 5 set reverse-route
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
    crypto map MAP interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpool policy
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh scopy enable
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    vpdn group iskon request dialout pppoe
    vpdn group iskon localname vivaindo@iskon-dsl
    vpdn group iskon ppp authentication pap
    vpdn username vivaindo@iskon-dsl password *****
    dhcpd auto_config outside
    dhcpd address 10.1.2.5-10.1.2.36 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev2 ssl-clientless
    group-policy VPN internal
    group-policy VPN attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-lock value VPN-TUNNEL
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value 101
    nem enable
    username user password enq05bKrudsJMMBu encrypted privilege 15
    username user attributes
    vpn-group-policy VPN
    group-lock value VPN-TUNNEL
    tunnel-group VPN-TUNNEL type remote-access
    tunnel-group VPN-TUNNEL general-attributes
    default-group-policy VPN
    tunnel-group VPN-TUNNEL ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:ddac35422ebbf57095be7a1d33b0b67d
    : end

  • VPN connects but No Ping; AFP; or SMB

    Folks;
    All Macs are fully updated Tiger or Tiger Server {running dual NICs w/ NAT; DNS; DHCP; VPN; AFP; Firewall; Windows; DNS}
    I can connect using the client's Internet Connect L2TP mechanism and the clock ticks away...
    But once connected I cannot mount shares or ping.
    I have verified that these shares can be mounted if connected NOT thru the VPN.
    I have read a long thread here from last year and based on that have implemented firewall rules for allowing all traffic (TCP & UPD) (In or Out) for ppp* to 19.168.2.0/24 and for 192.168.2.0/24 to ppp* {4 rules total}
    I have not made any Network Routing Definitions in the VPN settings
    Help Please!
    How do you debug this? Where is the best documentation to read on this?
    I'm going nuts!
    Steve

    Start by enabling logging of denied packets in the firewall settings.
    Then: what IP are you trying to use to get at the server services (you should use the NATed LAN IP)?
    Also the remote client must not be connecting from a network which is using the same IP range as the server LAN.
    And VPN client IPs must be part of the LAN IP range.

  • Arch router / connection share dns lookup works, but no ping [solved]

    I lost some config and forgot how to set this up. I have a dual nic arch box with some clients behind it. dnsmasq serves dhcp and dns on the LAN side (192.168.10.0/24). WAN port of arch box (192.168.1.201) talks to actual modem (192.168.1.1).
    router
    root@router ~ # ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
    2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:95:08:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.201/24 brd 192.168.1.255 scope global enp2s0
    valid_lft forever preferred_lft forever
    inet6 fe80::225:90ff:fe95:840/64 scope link
    valid_lft forever preferred_lft forever
    3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:95:08:41 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 brd 192.168.10.255 scope global enp3s0
    valid_lft forever preferred_lft forever
    inet6 fe80::225:90ff:fe95:841/64 scope link
    valid_lft forever preferred_lft forever
    root@router ~ # ip route
    default via 192.168.1.1 dev enp2s0
    192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.201
    192.168.10.0/24 dev enp3s0 proto kernel scope link src 192.168.10.1
    root@router ~ # sysctl net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1
    root@router~ # ping archlinux.org
    PING archlinux.org (66.211.214.131) 56(84) bytes of data.
    64 bytes from gudrun.archlinux.org (66.211.214.131): icmp_seq=1 ttl=47 time=70.0 ms
    64 bytes from gudrun.archlinux.org (66.211.214.131): icmp_seq=2 ttl=47 time=70.0 ms
    client
    root@lucid-desktop:~# ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    2: can0: <NOARP> mtu 16 qdisc noop state DOWN qlen 64
    link/can
    3: can1: <NOARP> mtu 16 qdisc noop state DOWN qlen 64
    link/can
    4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:1f:f2:09:19:89 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.101/24 brd 192.168.10.255 scope global eth0
    root@lucid-desktop:~# ip route
    192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.101
    169.254.0.0/16 dev eth0 scope link metric 1000
    default via 192.168.10.1 dev eth0 metric 100
    root@lucid-desktop:~# nslookup archlinux.org
    Server: 192.168.10.1
    Address: 192.168.10.1#53
    Non-authoritative answer:
    Name: archlinux.org
    Address: 66.211.214.131
    root@lucid-desktop:~# ping archlinux.org
    PING archlinux.org (66.211.214.131) 56(84) bytes of data.
    *crickets*
    root@lucid-desktop:~# wget archlinux.org
    --2013-04-02 07:51:19-- http://archlinux.org/
    Resolving archlinux.org... 66.211.214.131
    Connecting to archlinux.org|66.211.214.131|:80...
    Do I need iptables on? This is all with it off.
    edit: yup
    iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
    Last edited by tladuke (2013-06-06 19:37:44)

    The problem has been resolved. It was the line provider that made a mistake by giving the wrong line speed at the second PVC.
    After they made the correct changes the connection was made between the 2 routers over the IPVPN.
    Router config: check
    Router firmware: check
    First PVC: check
    Second PVC: now check
    IPVPN and data flow: check
    Connection has been made: check

  • Native Cisco VPN - Works but asks for password every time

    After installing Snow Leopard, I found that my Cisco application didn't work anymore. No worries, there is a native app now.
    I made a new connection with the native app, and it works.
    Except.
    Every time I go to connect, it prompts me for my password. Even if I've already entered it in the network settings panel. That's rather annoying, as I would prefer it remember the password for me.

    Not a problem, here is a solution: just follow the instructions from this link and you should be able to save your password in your keychain. I have tried it and it works great. In case you don't find the keyAux thing, just use the search bar at the top of the Keychain Access window and you should find it.
    http://www.macosxhints.com/article.php?story=2009082703155512

  • VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

    Hi
    my scenario is as follows
    SERVER1 on lan (192.168.1.4)
    |
    |
    CISCO-887 (192.168.1.254)
    |
    |
    INTERNET
    |
    |
    VPN Cisco client on windows 7 machine
    My connection has a public IP address assigned by the ISP after PPP login.
    I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN server (Easy VPN).
    All the PCs on the LAN surf the internet and remote PCs connect to the VPN Cisco server via the Cisco VPN client.
    But all remote PCs, after connecting to the Cisco VPN server, can't ping SERVER1 in the LAN and therefore don't see SERVER1 or any other resource in the LAN. I can't even ping the gateway 192.168.1.254.
    I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
    What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0 but without luck.)
    Perhaps ACL problem?
    Building configuration...
    Current configuration : 4921 bytes
    ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname TestLab
    boot-start-marker
    boot-end-marker
    enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-3013130599
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3013130599
    revocation-check none
    rsakeypair TP-self-signed-3013130599
    crypto pki certificate chain TP-self-signed-3013130599
    certificate self-signed 01
    quit
    no ip domain lookup
    ip cef
    no ipv6 cef
    license udi pid CISCO887VA-K9 sn ***********
    username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
    username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
    controller VDSL 0
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group EXTERNALS
    key NetasTest
    dns 8.8.4.4
    pool VPN-Pool
    acl 120
    crypto isakmp profile ciscocp-ike-profile-1
    match identity group EXTERNALS
    client authentication list ciscocp_vpn_xauth_ml_2
    isakmp authorization list ciscocp_vpn_group_ml_2
    client configuration address respond
    virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA1
    set isakmp-profile ciscocp-ike-profile-1
    interface Ethernet0
    no ip address
    shutdown
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    hold-queue 224 in
    pvc 8/35
    pppoe-client dial-pool-number 1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface Virtual-Template1 type tunnel
    ip address 192.168.2.1 255.255.255.0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Dialer0
    ip address negotiated
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname ****
    ppp chap password 0 *********
    ppp pap sent-username ****** password 0 *******
    no cdp enable
    ip local pool VPN-Pool 192.168.2.210 192.168.2.215
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 100 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 100 remark
    access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 100 remark
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 120 remark
    access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    line con 0
    exec-timeout 5 30
    password ******
    no modem enable
    line aux 0
    line vty 0 4
    password ******
    transport input all
    end
    Best Regards,

    I've updated the IOS to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from the RV320 to the 871 and vice versa. Ping is still not working.
    router#sh crypto session detail 
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection     
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: Dialer0
    Uptime: 00:40:37
    Session status: UP-ACTIVE     
    Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 192.168.1.100
          Desc: (none)
      IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
              Capabilities:(none) connid:2001 lifetime:07:19:22
      IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
            Active SAs: 4, origin: dynamic crypto map
            Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
            Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

  • RV082 to SA540 vpn but no ping, something wrong

    I'll try my best to explain and give details.
    SA540 v.2.1.71 at host
    RV082 v4.2.1.02 at remote site.
    Trying to set up a tunnel between the 2. WHEN this works, I'll have 20 remote sites tunneling into the SA540 host.
    SA540:
    SA540 says site to site vpn is up and IPsec SA Established.
    192.168.1.0
    Gateway Policies / Client Policies:
    Exchange Mode: Main / Aggressive
    ID Type: Local WAN IP / FQDN
    Local WAN ID: Local WAN IP / local.com
    Remote WAN ID: N/A / remote.com
    Encryption Algorithm: AES-128 / AES-128
    Authentication Algorithm: SHA-1 / SHA-1
    Authentication Method: Pre-shared Key / Pre-shared Key
    Key-Group: DH-Group 2 (1024 bit) / DH-Group 2 (1024 bit)
    Life Time: 8 hours / 8 hours
    VPN Wizard default values for VPN:
    Encryption Algorithm: AES-128
    Authentication Algorithm: SHA-1
    Life Time: 1 hour
    PFS Key Group: DH-Group 2 (1024 bit)
    NETBIOS: Enabled (Gateway Policies), Disabled (Client Policies)
    WAN Security Checks
    Block Ping to WAN interface
    Enable Stealth Mode
    Block TCP flood
    RV082:
    RV082 says gateway to gateway is Connected.
    192.168.2.0
    same settings w/ Aggressive, Keep Alive and NAT Traversal checked.
    Firewall Setting Status
    SPI (Stateful Packet Inspection): On
    DoS (Denial of Service): On
    Block WAN Request: Off
    Remote Management: On
    From the RV082 diagnostics on the router, I cannot ping the 192.168.1.1 router or the 192.168.1.70 server inside the host.
    From the SA540 host diagnostics, I CAN ping 192.168.2.1 when I check "Ping through VPN tunnel", but I canNOT ping an XP computer at 192.168.2.100 which has its firewall turned off.
    What am I missing?
    Goal is to establish full tunneling and computer/server access between sites.
    Any help is greatly appreciated.

    I have added the permit any any on the outside and vpn interfaces of both ASAs. I also changed the source and destination of the nat exempt rule to any any.

  • RV220W IPsec tunnel connected, but no ping is working

    Hello,
    I have a problem with my RV220w router and IPsec connections.
    The tunnel is connected, but no ping is working. I have not changed any settings on the client side or router side. The last successful tunnel with this configuration was half a year ago.
    The local and remote networks have different IP addresses.
    I have tested both firmware versions 1.0.4.17 and 1.0.5.8.
    A tunnel over PPTP is working fine. The ping works successfully.
    Does anyone have an idea?
    Kind regards,
    Martin Schubert
    Configuration:
    Client Software:
    - Windows 7 64Bit
    - ShrewSoft VPNClient 2.2.2
    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:0
    n:client-banner-enable:1
    n:network-notify-enable:1
    n:client-dns-used:1
    n:client-dns-auto:1
    n:client-dns-suffix-auto:1
    n:client-splitdns-used:1
    n:client-splitdns-auto:1
    n:client-wins-used:0
    n:client-wins-auto:1
    n:phase1-dhgroup:5
    n:phase1-life-secs:86400
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-life-secs:3600
    n:phase2-life-kbytes:0
    n:policy-nailed:0
    n:policy-list-auto:0
    n:phase1-keylen:0
    n:phase2-keylen:0
    s:client-auto-mode:pull
    s:client-iface:direct
    s:network-natt-mode:enable
    s:network-frag-mode:enable
    s:auth-method:mutual-psk-xauth
    s:ident-client-type:fqdn
    s:ident-server-type:fqdn
    s:ident-client-data:remote.com
    s:ident-server-data:local.com
    s:phase1-exchange:aggressive
    s:phase1-cipher:aes
    s:phase1-hash:sha2-256
    s:phase2-transform:esp-aes
    s:phase2-hmac:sha2-256
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:5
    s:policy-level:auto
    s:policy-list-include:192.168.1.0
    Router:
    IpsecIKEPolicy[1]["Direction"] = "1"
    IpsecIKEPolicy[1]["EncryptionAlgorithm"] = "5"
    IpsecIKEPolicy[1]["LocalIdentifier"] = "local.com"
    IpsecIKEPolicy[1]["ExchangeMode"] = "1"
    IpsecIKEPolicy[1]["RemoteIdentifier"] = "remote.com"
    IpsecIKEPolicy[1]["Presharedkey"] = "is secret"
    IpsecIKEPolicy[1]["IKEPolicyName"] = "abc"
    IpsecIKEPolicy[1]["LocalIdentifierType"] = "1"
    IpsecIKEPolicy[1]["SALifeTime"] = "28800"
    IpsecIKEPolicy[1]["DPDDetectionPeriod"] = "10"
    IpsecIKEPolicy[1]["ModeConfigStatus"] = "0"
    IpsecIKEPolicy[1]["XAUTHType"] = "2"
    IpsecIKEPolicy[1]["DPDFailureCount"] = "3"
    IpsecIKEPolicy[1]["AuthAlgorithm"] = "3"
    IpsecIKEPolicy[1]["AuthType"] = "0"
    IpsecIKEPolicy[1]["DHGroup"] = "5"
    IpsecIKEPolicy[1]["DPD"] = "0"
    IpsecIKEPolicy[1]["_ROWID_"] = "1"
    IpsecIKEPolicy[1]["RemoteIdentifierType"] = "1"
    IpsecVPNPolicy[1]["EnableKeepAlive"] = "0"
    IpsecVPNPolicy[1]["LocalSubnetMask"] = "255.255.255.0"
    IpsecVPNPolicy[1]["EncryptionAlgorithm"] = "5"
    IpsecVPNPolicy[1]["AuthAlgorithm"] = "3"
    IpsecVPNPolicy[1]["RemoteNetworkType"] = "0"
    IpsecVPNPolicy[1]["LocalGateway"] = "0"
    IpsecVPNPolicy[1]["RVGStatus"] = "0"
    IpsecVPNPolicy[1]["VPNPolicyName"] = "abc"
    IpsecVPNPolicy[1]["LocalStartAddress"] = "192.168.1.0"
    IpsecVPNPolicy[1]["Status"] = "1"
    IpsecVPNPolicy[1]["Netbios"] = "0"
    IpsecVPNPolicy[1]["AutoPolicyType"] = "1"
    IpsecVPNPolicy[1]["KeepAlivePeriod"] = "10"
    IpsecVPNPolicy[1]["PFSKeyGroup"] = "5"
    IpsecVPNPolicy[1]["SPIOut"] = "0x"
    IpsecVPNPolicy[1]["KeepAliveFailureCount"] = "3"
    IpsecVPNPolicy[1]["LocalNetworkType"] = "3"
    IpsecVPNPolicy[1]["SALifeTime"] = "3600"
    IpsecVPNPolicy[1]["IKEPolicyName"] = "abc"
    IpsecVPNPolicy[1]["FailbackTime"] = "30"
    IpsecVPNPolicy[1]["RemoteEndPoint"] = "remote.com"
    IpsecVPNPolicy[1]["NodeId"] = "1"
    IpsecVPNPolicy[1]["SALifeTimeType"] = "0"
    IpsecVPNPolicy[1]["PolicyType"] = "1"
    IpsecVPNPolicy[1]["SPIIn"] = "0x"
    IpsecVPNPolicy[1]["RemoteEndPointType"] = "1"
    IpsecVPNPolicy[1]["_ROWID_"] = "1"
    IpsecVPNPolicy[1]["Rollover"] = "0"

    At a glance,
    First, what are your netmasks for those networks? I suppose they are 255.255.255.0.
    Second, check your Remote Security Group and Local Security Group on B and C for their tunnel. Maybe permutation?
    Third, check Routing table (Setup->More->Advanced Routing then at the bottom Show Routing Table).
    Should be something like - on B:
    10.0.0.0  255.255.255.0  GW for B  10  ipsec0
    and on C:
    10.0.1.0  255.255.255.0  GW for C  10  ipsec0

  • Ping to local domain works but ping to server name doesn't work from local network PC

    Hi
    I have done a fresh install of the Windows Server 2012 R2 and installed Essentials Experience role to it.
    My problem is that I cannot ping the server name from a PC in the local network. I can ping the local domain name (domain.local).
    When I try to ping the local domain on the server, it resolves OK and gives the server's IPv4 IP, but when I ping the server name on the server, it gives me the IPv6 IP ::1, which I understand to be the IPv6 loopback IP. I don't know if this has anything to do with the pinging problem from the PC.
    I earlier had the same server configuration and that earlier server gave the IPv4 IP when the server name was pinged from the server itself.
    How do I get the PC to ping the server name so that I could use http://servername/connect?
    Thanks in advance!

    Hi,
    Have you set the firewall to allow incoming ICMP Echo messages?
    By default, Windows Firewall does not allow incoming ICMP Echo messages, and therefore the computer cannot send an ICMP Echo Reply in response.
    You may like to refer to the article below to check if it worked:
    Nobody Can Ping My Computer
    http://technet.microsoft.com/en-us/library/cc749323(WS.10).aspx
    In addition, please also provide us the output of ipconfig /all on each side of these machines for further research.
    Hope it helps.
    Best Regards,
    Andy Qi
    TechNet Community Support

  • Almost got VPN to work, but Auth failing?

    Hi,
    I almost got VPN to work, but I have one last error. Here is, what I did so far:
    1.) Configured VPN via Server app
    2.) Enabled PPTP like described in Apple support doc
    3.) VPN Server is reachable within my home network
    4.) VPN Server is reachable from outside my home network
    I'd be more than happy if anyone could provide me with some hints on how to fix either of the following two errors
    When I try to connect via L2TP (From in- or outside the network), I get the following error:
    Aug 29 22:42:17 server racoon[164]: Connecting.
    Aug 29 22:42:17 server racoon[164]: IPSec Phase1 started (Initiated by peer).
    Aug 29 22:42:17 server racoon[164]: IKE Packet: receive success. (Responder, Main-Mode message 1).
    Aug 29 22:42:17 server racoon[164]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
    Aug 29 22:42:17 server racoon[164]: IKE Packet: receive success. (Responder, Main-Mode message 3).
    Aug 29 22:42:17 server racoon[164]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
    Aug 29 22:42:17 server racoon[164]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).
    Aug 29 22:42:20 server racoon[164]: IKE Packet: transmit success. (Phase1 Retransmit).
    Aug 29 22:42:20 server racoon[164]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).
    Aug 29 22:42:23: --- last message repeated 1 time ---
    Aug 29 22:42:23 server racoon[164]: IKE Packet: transmit success. (Phase1 Retransmit).
    Aug 29 22:42:23 server racoon[164]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).
    Aug 29 22:42:26: --- last message repeated 1 time ---
    Aug 29 22:42:26 server racoon[164]: IKE Packet: transmit success. (Phase1 Retransmit).
    Aug 29 22:42:26 server racoon[164]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).
    Aug 29 22:42:38: --- last message repeated 1 time ---
    Aug 29 22:42:38 server racoon[164]: IKE Packet: transmit success. (Phase1 Retransmit).
    Aug 29 22:42:38 server racoon[164]: IKE Packet: receive failed. (Responder, Main-Mode Message 5).
    However, when I try to connect via PPTP (no matter if from in- or outside my network), I see the following error:
    Aug 29 22:27:18 server pppd[16843]: The remote system is required to authenticate itself
    Aug 29 22:27:18 server pppd[16843]: but I couldn't find any suitable secret (password) for it to use to do so.
    Aug 29 22:27:18 server vpnd[16413]:    --> Client with address = 192.168.1.226 has hungup

    I have not yet tried the VPN server in Lion, but I would normally associate IKE traffic with L2TP style VPN connections and not PPTP connections. This might indicate the remote client is trying to make an L2TP connection and you have not yet set that up properly with the same shared secret password at both ends (this is different from the actual user's login password).
    Or of course you can correct the remote client and set it to use PPTP.

  • VPN on Mac works but not my iOS 7 devices

    I am running OS X Mountain Lion Server 2.2.2 with the VPN switch on. I have no problem with my MBP connecting to the VPN server, however since upgrading to iOS 7 on my devices they will not connect. I keep receiving the following error. All the correct ports are forwarded and I am using an Airport Extreme as my router. This boggles my mind because VPN worked just fine on iOS 6, please help.
    "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator."

    Had a similar problem (could VPN to Mountain Lion Server 2.2.2 with my Mavericks MacBook Pro. When trying to VPN to the server from my iOS 7.0.4 iPhone, I could get a connection, but wasn't able to access my Contacts on the server - verification kept failing with and without SSL).
    I had created the VPN profile using the Server app and then saved it and emailed it to my iOS 7.0.4 iPhone. I also had access to an iOS 5.x iPad, and installed the same profile there. Contacts sync worked fine on the iOS 5 device.
    I finally deleted the VPN profile on the iPhone, and manually created one on the iPhone (7.0.4) by typing in the account info from the Server User pane and from the Server VPN pane.
    It was a bit long typing in the shared secret, but when I was finished, I was able to connect, and now I could - on the iPhone - create a new Contacts account including server information, and the verification was successful. I can now access the Contacts on the iPhone and on my server.
    Am guessing something in iOS 7.0.4 misreads the VPN profile, which causes problems down the line. Apple?
    Good luck bgw8probe!

  • ASA 5505 IPSEC VPN connected but can't access to LAN

    ASA : 8.2.5
    ASDM: 6.4.5
    LAN: 10.1.0.0/22
    VPN Pool: 172.16.10.0/24
    Hi, we purchased a new ASA 5505 and tried to set up IPSEC VPN via ASDM; I just simply ran the wizards, set up the vpnpool, split tunnelling, etc.
    I can connect to the ASA by using the Cisco VPN client and internet works fine on the local PC, but it cannot access the LAN (can't ping, can't remote desktop). I tried the same thing on our production ASAs (those have both remote VPN and site-to-site VPN working), and the new profile I created worked fine.
    Below is my configuration, did I misconfigure anything?
    ASA Version 8.2(5)
    hostname asatest
    domain-name XXX.com
    enable password 8Fw1QFqthX2n4uD3 encrypted
    passwd g9NiG6oUPjkYrHNt encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.253 255.255.252.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.XXX 255.255.255.240
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name vff.com
    access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging asdm informational
    logging device-id hostname
    logging host inside 10.1.1.230
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server AD protocol nt
    aaa-server AD (inside) host 10.1.1.108
    nt-auth-domain-controller 10.1.1.108
    http server enable
    http 10.1.0.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.1.0.0 255.255.252.0 inside
    ssh timeout 20
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpntest internal
    group-policy vpntest attributes
    wins-server value 10.1.1.108
    dns-server value 10.1.1.108
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpntest_splitTunnelAcl
    default-domain value XXX.com
    split-tunnel-all-dns disable
    backup-servers keep-client-config
    address-pools value vpnpool
    username admin password WeiepwREwT66BhE9 encrypted privilege 15
    username user5 password yIWniWfceAUz1sUb encrypted privilege 5
    username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
    tunnel-group vpntest type remote-access
    tunnel-group vpntest general-attributes
    address-pool vpnpool
    authentication-server-group AD
    authentication-server-group (inside) AD
    default-group-policy vpntest
    strip-realm
    tunnel-group vpntest ipsec-attributes
    pre-shared-key BEKey123456
    peer-id-validate nocheck
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
    : end

    I changed a machine's gateway to this ASA and captured again; now we can see some replies.
    All other PCs' and switches' gateways point to another ASA, maybe that's the reason why it didn't work?
    What's the recommended way to make our LAN have two gateways (for load balancing or a backup router, etc.)?
    Add two gateways to all PCs and switches?
       1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
       9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
      10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
      17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
      18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
      21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
      23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
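    Added example (not from any of the posts or from Cisco): a Python checker that pulls the client pool, the NAT-exemption ACL and the split-tunnel ACL out of the ASA 5505 config above and the Cisco 887 config earlier on the page, and answers the three questions these "tunnel up but no ping" threads keep circling around (pool overlapping the LAN, NAT exemption covering the pool, split-tunnel list covering the LAN). Both posted configs pass all three, which agrees with the follow-up finding that the fault was the LAN hosts' default gateway rather than the ACLs; a constructed broken variant shows what a failing check looks like. The LAN prefix is passed in explicitly because which interface is "inside" differs per platform.

```python
"""Consistency checks for remote-access IPsec settings in IOS/ASA-style configs."""
import ipaddress
import re

# Constructed excerpts of the ASA 5505 and Cisco 887 configs posted in these threads.
ASA_CONFIG = """
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
 split-tunnel-network-list value vpntest_splitTunnelAcl
"""
IOS_CONFIG = """
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip nat inside source list 100 interface Dialer0 overload
 acl 120
"""
# Constructed broken variant: the NAT-exempt ACL names a network the pool is not in.
BROKEN_CONFIG = ASA_CONFIG.replace("172.16.10.0 255.255.255.0", "172.16.20.0 255.255.255.0")

POOL_RE = re.compile(r"^ip local pool \S+ (\d+\.\d+\.\d+\.\d+)[ -](\d+\.\d+\.\d+\.\d+)")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def to_net(addr, mask, wildcard):
    """Build a network from an address plus an ASA netmask or an IOS wildcard mask."""
    if wildcard:  # IOS wildcard: 0 bits must match, so invert it to get a netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl_line(line):
    """Return (acl_name, action, [networks]) for a plain network ACE, else None.

    Covers the forms in the posted configs: IOS numbered ACLs with wildcard masks,
    ASA 'standard' (one network) and 'extended permit ip A M B M' entries, and 'any'.
    """
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        return None
    asa = tok[2] in ("extended", "standard")  # ASA keyword => real netmasks follow
    i = 3 if asa else 2
    action, i = tok[i], i + 1
    if action not in ("permit", "deny"):
        return None  # remark lines and anything exotic
    if not IPV4_RE.match(tok[i]) and tok[i] != "any":
        if tok[i] != "ip":
            return None  # tcp/udp/icmp entries do not define the protected networks
        i += 1
    nets = []
    while i < len(tok):
        if tok[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            i += 1
        elif i + 1 < len(tok) and IPV4_RE.match(tok[i]) and IPV4_RE.match(tok[i + 1]):
            nets.append(to_net(tok[i], tok[i + 1], wildcard=not asa))
            i += 2
        else:
            break  # ports, 'log' and similar trailing keywords are irrelevant here
    return tok[1], action, nets


def check_vpn_config(config, lan_cidr):
    """Three yes/no answers a 'tunnel up, no ping' troubleshooter wants first."""
    lan = ipaddress.IPv4Network(lan_cidr)
    pool, acls, nat_acl, split_acl = [], {}, None, None
    exempt_action = "permit"  # ASA: a 'nat 0' ACL permit exempts traffic from NAT
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pool = list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])))
        elif ace := parse_acl_line(line):
            acls.setdefault(ace[0], []).append(ace[1:])
        elif m := re.match(r"^nat \(\S+\) 0 access-list (\S+)", line):
            nat_acl = m[1]
        elif m := re.match(r"^ip nat inside source list (\S+)", line):
            nat_acl, exempt_action = m[1], "deny"  # IOS: deny in the NAT ACL = not translated
        elif m := re.match(r"^(?:split-tunnel-network-list value|acl) (\S+)$", line):
            split_acl = m[1]
    exempt = [nets for act, nets in acls.get(nat_acl, []) if act == exempt_action and len(nets) == 2]
    split = [nets[0] for act, nets in acls.get(split_acl, []) if act == "permit" and nets]
    return {
        # A pool carved out of the LAN subnet only works with proxy ARP; keep them disjoint.
        "pool_overlaps_lan": any(p.overlaps(lan) for p in pool),
        # Every pool address must be reachable from the LAN without being translated.
        "nat_exempt_covers_pool": bool(pool) and all(
            any(lan.subnet_of(src) and p.subnet_of(dst) for src, dst in exempt) for p in pool),
        # The client must be told to send LAN-bound traffic into the tunnel.
        "split_tunnel_covers_lan": any(lan.subnet_of(n) for n in split),
    }


if __name__ == "__main__":
    for name, cfg, lan in (("ASA 5505", ASA_CONFIG, "10.1.0.0/22"),
                           ("Cisco 887", IOS_CONFIG, "192.168.1.0/24"), ("broken", BROKEN_CONFIG, "10.1.0.0/22")):
        print(f"{name}: {check_vpn_config(cfg, lan)}")
```

    When all three come back clean, as they do for both posted configs, the next place to look is the return path (the LAN hosts' routing toward the VPN gateway), which no config-level check can see.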

  • Subnet mask 255.255.255.255 assigned to VPN client - can't ping LAN

    Hi,
    I configured PIX 501 with PPTP VPN to connect to the small office (PIX FW, Win 2000 Server, several Win clients, LAN IP 10.0.0.X/24):
    ip local pool mypool 10.0.0.101-10.0.0.105
    vpdn group mygroup accept dialin pptp
    vpdn group mygroup ppp authentication mschap
    vpdn group mygroup ppp encryption mppe 128 required
    vpdn group mygroup client configuration address local mypool
    vpdn group mygroup client configuration dns 10.0.0.15
    vpdn group mygroup pptp echo 60
    vpdn group mygroup client authentication local
    vpdn username xxxx password *********
    vpdn enable outside
    I can connect to the office using the Windows VPN client, but I can't ping any hosts in the office network. I suspect that the reason for that is the subnet mask assigned to the VPN client: 255.255.255.255. ipconfig of the VPN client:
    PPP adapter Office:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 10.0.0.101
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    Default GW is missing too, but I think this is not the main problem.
    Anyway, what is wrong with my config? How do I fix the subnet mask assigned to clients? Or maybe my assumption is wrong and this mask is OK? What is wrong then?
    Any input will be greatly appreciated!
    George

    Thanks for the prompt reply.
    Here it is:
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    hostname OSTBERG-PIX
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list inbound permit icmp any any
    access-list inbound permit tcp any any eq pptp
    access-list inbound permit gre any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.189.xxx.xxx 255.255.252.0
    ip address inside 10.0.0.23 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mypool 10.0.0.101-10.0.0.105
    pdm location 10.0.0.0 255.255.255.0 inside
    pdm location 10.0.0.15 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 66.189.yyy.yyy 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    telnet 10.0.0.23 255.255.255.255 inside
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group mygroup accept dialin pptp
    vpdn group mygroup ppp authentication mschap
    vpdn group mygroup ppp encryption mppe 128 required
    vpdn group mygroup client configuration address local mypool
    vpdn group mygroup client configuration dns 10.0.0.15
    vpdn group mygroup pptp echo 60
    vpdn group mygroup client authentication local
    vpdn username ********* password *********
    vpdn enable outside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:xxx
    : end
    There are remnants of the old config; I just recently took over this network. Some lines look odd to me, but I did not touch what works. The VPN config is all mine.
    PIX internal 10.0.0.23 is the gateway for the network. DNS server in the LAN: 10.0.0.15.
    I've been reading about the problem and came across several posts saying that this subnet mask is normal, but it puzzles me: how can this host communicate with anyone else if there is no room for other hosts in this network (according to the mask)?!
    Thanks again!
    George

  • Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across

    This is my first Cisco configuration ever, so go easy on me. A lot of the commands that I used here I don't really understand; I got them from Googling configs. I have the need for more than one VPN on this thing, and I've been fighting with it for hours today without any luck.
    The first VPN I set up, labeled vpn1 here, works perfectly. I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
    I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet with the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0). I successfully make a connection to this VPN, but I cannot get traffic to traverse the VPN. I'm using the address 10.4.0.1 to test pings. The ASA itself can ping 10.4.0.1, as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
    Here is my config (edited for names and passwords):
    ciscoasa# show run
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password ********** encrypted
    passwd ********** encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ISP_DSL
    ip address pppoe setroute
    interface Vlan3
    no forward interface Vlan1
    nameif private
    security-level 100
    ip address 10.4.13.10 255.255.240.0
    ftp mode passive
    access-list 100 extended permit icmp any any
    access-list nonat remark ACL for Nat Bypass
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
    access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
    access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
    access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1492
    mtu private 1500
    ip local pool vpn1pool 192.168.2.100-192.168.2.110
    ip local pool vpn2pool 192.168.3.100-192.168.3.110
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (private) 0 access-list nonat
    access-group 100 in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 30 set transform-set strong-des
    crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
    crypto map vpn1 interface outside
    crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 11
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 10
    console timeout 0
    vpdn group ISP_DSL request dialout pppoe
    vpdn group ISP_DSL localname [email protected]
    vpdn group ISP_DSL ppp authentication chap
    vpdn username [email protected] password **********
    dhcp-client update dns
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.200 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy vpn2 internal
    group-policy vpn2 attributes
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_SplitTunnel
    group-policy vpn1 internal
    group-policy vpn1 attributes
    vpn-idle-timeout 120
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_SplitTunnel
    username cssadmin password ********** encrypted
    username vpn2user password ********** encrypted
    username vpn1user password ********** encrypted
    tunnel-group vpn1-VPN type remote-access
    tunnel-group vpn1-VPN general-attributes
    address-pool vpn1pool
    default-group-policy vpn1
    tunnel-group vpn1-VPN ipsec-attributes
    pre-shared-key **********
    tunnel-group vpn2-VPN type remote-access
    tunnel-group vpn2-VPN general-attributes
    address-pool vpn2pool
    default-group-policy vpn2
    tunnel-group vpn2-VPN ipsec-attributes
    pre-shared-key *****
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
    : end
    Theories: after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24. I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router or default gateway on the network to even configure.
    So, what do I do? Maybe NAT the VPN traffic? If that is the correct answer, what lines would I put/change in the config to NAT that traffic?
    I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
    Thanks in advance for any insight you can provide.
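A small route-lookup model, added here as an illustration (not code from either thread), that reproduces both diagnoses above: the /32 on George's PPP adapter is harmless because a point-to-point link needs no on-link mask, while 10.4.0.1 with no default gateway and no route to 192.168.3.0/24 has no return path for Belnet's pings. The route tables are constructed, and the Windows client is assumed to have its default route via the PPP link (the usual "use default gateway on remote network" client setting).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Route:
    prefix: str            # destination network, e.g. "10.4.0.0/20"
    iface: str             # egress interface name
    via: Optional[str]     # next-hop gateway, or None when the prefix is on-link

@dataclass
class Host:
    name: str
    routes: List[Route] = field(default_factory=list)
    p2p_ifaces: Set[str] = field(default_factory=set)  # point-to-point links (PPP)

def next_hop(host: Host, dst: str) -> Optional[str]:
    """Longest-prefix-match lookup on the host's constructed route table.
    Returns 'peer@<iface>' for a point-to-point link (no mask/ARP check there),
    'direct@<iface>' for an on-link destination, '<gw>@<iface>' via a gateway,
    or None when nothing matches (the reply is dropped)."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in host.routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    if best is None:
        return None
    if best.iface in host.p2p_ifaces:
        return f"peer@{best.iface}"
    return f"{best.via or 'direct'}@{best.iface}"

# George's Windows PPTP client (constructed): 10.0.0.101/32 on the PPP adapter.
# Everything routed out ppp0 goes to the PIX, so the /32 never has to "contain" the LAN.
pptp_client = Host("win-client", p2p_ifaces={"ppp0"}, routes=[
    Route("10.0.0.101/32", "ppp0", None),
    Route("0.0.0.0/0", "ppp0", None),   # assumed default route through the tunnel
])

# Belnet's 10.4.0.1 (constructed): /20 on its LAN, no default gateway and no
# route to the VPN pool 192.168.3.0/24, so its echo replies have nowhere to go.
lan_host = Host("10.4.0.1", routes=[Route("10.4.0.0/20", "eth0", None)])

def with_return_route(h: Host) -> Host:
    """The change Belnet asked the 10.4.0.0 admins for: a static route to the
    VPN pool via the ASA's private interface 10.4.13.10."""
    return Host(h.name, h.routes + [Route("192.168.3.0/24", "eth0", "10.4.13.10")], h.p2p_ifaces)
```

`next_hop(lan_host, "10.4.13.10")` returns `direct@eth0`, which is the reasoning behind Belnet's NAT idea: if the ASA translated VPN clients to its own on-link private address, 10.4.0.1 could reply without any route being added.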

    Hello Belnet,
    What do the logs from the ASA show?
    Can you post them?
    Any other question? Sure. Just remember to rate all of the community answers.
    Julio
