WRT54G V7.0 VPN and Connection

I use the Cisco VPN Client 4.8.01.0590 it was working fine with my old Sweex wireless router. Now i am working with the linksys WRT54G v7.0 and connection to the remote netwerk with VPN client is no problem. After 5 minutes working with it my connection is terminated. This happens every time and on 3 different computers that are connecting with the WRT54G. Also the signal is not as good as my old sweex router. My router is 3 meters away from me and my signal is good not excelent. I think that is strange. So i wired my laptop to the router and try the Cisco VPN client again. Same thing happens. Does anyone have a solution for this issue?

You can find earlier threaths about this version of the WRT54G.
Maybe an upgrade will help, but I am not optimistic about it.
Have a v7 myself and I am facing several problems. What I still do not understand is the lack of interest from Linksys.
I my opinion thay must have lots of complaints and fearing for their (good) name.
Hopefully they once offer a solution that will work.
Sorry I cannot be more positive.

Similar Messages

VPN and Remote Desktop Connection

I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any
other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must
be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails everytime. I'm not sure where the issue exists since it appears the server
is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
I have attempted to use the workstations internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
Thanks for your help.
I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.. No calls
will be accepted to this port.
A certificate could not be found. Connections that use the L2TP protocol over IPsec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.
The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to
retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

Morning Trent,
I don't know if this is still an issue for you, did you get it solved?
If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured
to use on the server.

Can I connect to my microsoft network via VPN and download network files?

Can I connect to my microsoft network via VPN and download network files to my iPad2? If so, what app is required?

There are several apps available from App Store but the one I use is iTeleport.
Oops the Windows specific version is called Jaadu Remote Desktop for Windows
Message was edited by: Joe Bailey to add Windows version

Internet sessions, VPN session, and connections dropping frequently

I'm in an apartment. This problem started about a week ago. All of my browser sessions, vpn session, and connections such as AIM or netflix drop frequently. I often have to click links twice to get a page to load. I have to reload videos a lot to get them to continue to stream. I am constantly signing in and out of AOL IM.
I believe the problem has to do with several MoCs (coax connections) listed on my router page, and these MoCs have names of other people on them. Until I noticed them a week ago, I had only seen one MoC belonging to me listed on the router connection page.
Thus, I think that something got crossed up of misconfigured in the ONT for my apartment complex. The gateway light on my router stays green as all of these problems happen.
Pinging google.com, I get
--- google.com ping statistics ---76 packets transmitted, 55 packets received, 27.6% packet lossround-trip min/avg/max/stddev = 31.282/39.339/48.217/3.548 ms
Anyone seen this before and know how to get verizon to fix this?
I have had nothing but problems with FIOS since getting it, and I have wasted a lot of time with their "customer support."

I am sorry to hear about your connection problems. I have sent you a private message so we can get your information and look more deep into your connection.
Anthony_VZ
**If someones post has helped you, please acknowledge their assistance by clicking the red thumbs up button to give them Kudos. If you are the original poster and any response gave you your answer, please mark the post that had the answer as the solution**
Notice: Content posted by Verizon employees is meant to be informational and does not supersede or change the Verizon Forums User Guidelines or Terms or Service, or your Customer Agreement Terms and Conditions or plan

Airport Extreme 802.11n Wi-Fi Base Station and Connecting to VPN Client

I am networked beautifully with my new Airport Extreme Base Station and get out to the Internet in seconds. However, when I try to connect remotely to my company's VPN Client, I am unsuccessful in logging on to the Company's network. The error message I get is that the VPN Client has timed out. Then I am given the opportunity to attempt to logon to a second server. I am unsuccessful with the alternative server as well. I have worked with my company's tech support and after quite a bit of troubleshooting, I was told that it is a port configuration problem on the Airport Extreme Base Station. Has anyone else experienced this problem and been able to resolve this issue? What did you do? Help--I don't want to go back to my Netgear network. The Airport Extreme is so extremely faster--I can't go back!

I have their ip address and it does not appear to be the problem. I did speak to apple support and was told to get the port numbers of the vpn and enter those along with the mac address of the one laptop I needed to communicate with the vpn Nortel Client. No success with that. So, I tried tieing that one laptop to the network with the router that worked fine with being recognized by Nortel while I continued to select the apple network for my 3 other macs. I was finally able (with extreme) get to my upstairs and connect to the net on all of the macs but now I lost connectivity with even the net on the netgear router. So, I continue--not wanting to have to go back to the basement to work on the pc laptop. Thanks for your reply.

Connecting to non-VPN and VPN simultaneously

Ahoy there, I'm on high-speed (130 Mbit) restricted internet right now. The service filters certain ports and services (VoIP + P2P + FTP) and as such, I have to connect to a VPN to unblock these services. With this in mind, I ask the following questions:
(The VPN is configured as such that I currently "Send all network traffic over this connection" with a unique server, account, password and shared L2TP key, or a PPTP connection without a shared secret and just server-account-password)
Is it possible to
A. Configure Firefox to use the native Ethernet direct connection and not use the VPN to get to the internet, regardless of the fact that I have "Send all network traffic" selected. (Like, maybe disabling Send all network traffic over this connection and configuring Transmission to just use the VPN)
B. Configure Transmission (the P2P client) to only connect to the VPN and use it -solely- for P2P traffic.
C. Use BOTH an Airport connection AND an Ethernet connection to increase speed or throughput.
Any of these things would really help my dilemma, because while I'm connected to the VPN, Firefox's/the general internet speed goes down the drain, with the tradeoff being access to those services, which is immensely frustrating.
Any thoughts?
P.S. I had considered using Parallels Desktop to run another OS and use Parallels Shared Network connection and using that for P2P/VoIP and have that connect to the VPN only while the regular half of my computer is connected to the rest of the internet, but I don't know the logistics of such a thing.

I am looking to do the exact same thing. Can anyone help?
I would like to use Firefox for normal web browsing (non-VPN) and then Safari for VPN browsing. Currently, once I start up VPN all network data is going through it. I need to specify which program uses the VPN and which uses my normal "Built-in Ethernet" non-VPN.
Thanks!

I established a VPN configuration and connected but cannot connect to server?

I work from an imac at home and need to connect to my work server and files. I established the VPN configuration and connected to the building but cannot access the server. What am I doing wrong or what else do I need to do.

Once your VPN is connected, you still need to log in to the server(s) you are using. This does not necessarily happen automatically - you may have to manually log in to your server(s).   To do this, in the Finder menu do Go > Connect to Server and enter the server address. If these are windows servers it's probably an SMB connection in which case you would enter smb://<serveraddress> in the server address field.
Best bet is to talk with the IT folks where you work, as you may need specific information about how to log in to your server(s). There are ways to automate the login but you first need the correct login details (server address, userID, password).
If you want to automate the login process, here's a simple Applescript that I wrote in my own case. Create this using Applescript Editor. After testing, save it as an Application; then in System Preferences you can add it to your list of Login Items so it runs automatically whenever you sign in to your Mac. Of course, your VPN will have to already be connected in order for this to actually work.
delay 30
tell application "Finder"
    mount volume "smb://servername1/mountpoint_A"
    mount volume "smb://servername2/mountpoint_B"
end tell
(Note: "servernameX/mountpoint_Y" is the address of each of the 2 servers I log into, except that in this example they are completely fictitious names.)

VPN and Internet Connection Sharing? (bridging remote networks)

I'd like to try an experiment and some advice from this list will be useful.
+Summary: Can a Mac with two interfaces activate VPN and Internet sharing simultaneously to bridge two remote networks?+
I've created a PPTP VPN server on our XServe at work and opened the appropriate ports on our firewall. This and a second location are linked with standard (but fast) ADSL broadband. I can log in from both Mac and Windows VPN clients at an external location and indeed the experience is just like being at work- printers, file servers and other resources (eg networked Filemaker databases) are all visible. Yay.
Question: Is it possible to extend this concept further by logging onto our VPN with once interface (eg Airport) +and then+ enabling Internet Sharing through the second interface (eg Ethernet)? Will this allow a small network connected through the second interface to all behave as though they are on the work network, with transparent access to fileservers, printers and so on, without each bothering individually with VPNs and so on? I suspect there are physical boxes that will do this, but it would be wonderful to know if I can get a Mac with two NICs to do the same job, acting as a router between the two networks. Are there any limitations to this? I am happy to tweak under the hood if need be. I just need to know if this is possible, even in theory, and what the limitations might be.
Thanks.

Hey Nathan...
My VPN is down at the moment, but I think your going to have to manually configure all of the "clients" who are sharing the VPN to an IP range that your office uses. When you connect to your VPN, check your network prefs, and you'll see the IP addresses assigned to your VPN are similar to your network at the office. So, in a way, your sharing computer has 2 IP addresses... one from your modem or router at home, and one from the VPN server at the office. It's this 2nd IP address that allows you to appear to be on the network at the office.
So, if you can find a way to set up your shared clients the same way.... it might work. It will also be VERY helpful if your IP range at home is different from the IP range at the office....192.168... for one...and 10.0.0 for the other. (Whether traffic will pass thru your "sharing server" is a different matter altogether.)
Now, and I'm really guessing here.. if this works at all... you may be only able to access stuff from the office on your "shared clients" (ie no internet).... the way around that is to set up your VPN to allow VPN clients to pull stuff from the internet from the office thu the VPN... and for the life of me don't remember how that is done. But it will most likely be a bit slow.
I'd start with the basics... setup one client with a manual IP address/router/dns servers, and try to ping a computer at the office. If this works... at least part of your problem is solved.
With all that said... it may not work at all. Good Luck!

Using Applescript to connect to VPN and add routes

I posted this in the wrong place last night, but actually managed to get an answer to it. Here is the original post:
I need to be able to set some routes upon opening a particular VPN connection so I did some searching and found a really simple Applescript that does the job. Problem is it tries to set the routes before the VPN actually connects so the routes don't go in.
I added in a 10 second delay which does the trick, but I'm thinking there has to be a way to do this that waits until the VPN actually connects before continuing - so if it takes 5 seconds or 10 or whatever, it waits.
The other thing I'm doing that I think is bad is I'm sending a route delete command before sending the add command. Why? Because if I don't and for some reason the route is partially in the table, it doesn't give an error and ends up not routing. Again, probably a better way to do this.
Here is my current script:
-- Connect Work VPN
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
end tell
end tell
delay 10
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
From the response I received, I modified the script to this:
tell application "System Events"
tell current location of network preferences
set VPNservice to service "Work" -- name of the VPN service
if exists VPNservice then connect VPNservice
repeat until (connected of current configuration of VPNservice)
delay 1
end repeat
end tell
end tell
set gateway to "x.x.x.x" -- omitted here for security
do shell script "route delete 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route delete 192.168.20.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.25.0/24 " & gateway with administrator privileges
do shell script "route add 192.168.20.0/24 " & gateway with administrator privileges
That seems to work perfectly, but I'm still wondering if there is a better way of handling the routes. Suggestions?
Thanks.

I realize the VPN gateway should add the routes, but it's not and they don't seem to want it to. No idea why.
As for deleting/adding the routes, yes it does seem wrong to do this or pointless. The reason I'm doing this is for what I found in my testing of the script which was if the script hung for some reason and the route did not fully go into the table, I would be unable to add it with the script when I ran it again.
I'm probably not explaining it that well, but when I couldn't route after trying to run my script initially, I tried manually running the add route command and I'd get an error. Thus, I deleted/added the route and than it worked again.
As pointless as it seems it works every time. I'm sure there's a better/cleaner/smarter way of doing this, but I don't know enough about Applescript to do any more. At this point I can probably remove the delete command, though, since it should run properly each time.

IpSec VPN and NAT don't work togheter on HP MSR 20 20

Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
I'm missing something but i don't know what it is !!!!, See below the configuration.
Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1

ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab

Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts

I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config, any pointers or tips are aprpeciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enable

Hi Conor,
What is your local net ? I see only one default route for outside network. Dont you need a route inside for your local network.
Regards,
Umair

VPN client connected to VPN but can't ping or access to server

HI ,
i need help urgently, had been troubleshooting for a day, but have no ideal what wrong with the config.
Basically there is 2 set of VPN configured, one is site to site IPSEC VPN and another one is connect via VPN client software coexist in same router.
This recently we having problem on client can't access or ping to internal server which is 192.168.6.3 from VPN client software.
VPN client will connect to VPN ip pool as10.20.1.0 to 10.20.1.100
Software itself shown connected but request time out when ping.
Below is the config. Some of the command might be extra as when i did some test, but end up didn't work.
aaa new-model
aaa authentication login userauthen local
aaa authorization network adminmap group VPNClient
aaa authorization network groupauthor local
aaa authorization network map-singapore local
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key emptyspace address 203.142.83.218 no-xauth
crypto isakmp keepalive 15 periodic
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group map-singapore
key cisco123
dns 192.168.6.3
domain cisco.com
pool ippool
acl 102
crypto isakmp profile VPNclient
   match identity address 27.54.43.210 255.255.255.255
   match identity group vpnclient
   client authentication list userauthen
   client configuration address respond
crypto ipsec security-association idle-time 86400
crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set DYNSET
set isakmp-profile VPNclient
reverse-route
crypto map VPNMAP client authentication list userauthen
crypto map VPNMAP isakmp authorization list map-singapore
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
crypto map VPNMAP 11 ipsec-isakmp
description VPN to ASA5520
set peer 203.142.83.218
set security-association lifetime kilobytes 14608000
set security-association lifetime seconds 86400
set transform-set REMSET
match address 100
interface GigabitEthernet0/0
ip address 27.54.43.210 255.255.255.240
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
crypto map VPNMAP
interface GigabitEthernet0/1
ip address 192.168.6.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex full
speed 100
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
ip local pool ippool 10.20.1.0 10.20.1.100
ip forward-protocol nd
ip pim bidir-enable
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.6.3 27.54.43.212
ip route 0.0.0.0 0.0.0.0 27.54.43.209
ip route 192.168.1.0 255.255.255.0 27.54.43.209
ip route 192.168.151.0 255.255.255.0 192.168.6.151
ip route 192.168.208.0 255.255.255.0 27.54.43.209
ip access-list extended RA_SING
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny   ip any any log
access-list 1 remark Local Network
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.151.0 0.0.0.255
access-list 2 remark VPNClient-range
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 10 permit 192.168.102.0 0.0.0.255
access-list 10 permit 192.168.151.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
access-list 101 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 120 deny   ip any any log
access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 120
control-plane
alias isakmp-profile sh crypto isakmp sa
alias exec ipsec sh crypto ipsec sa
banner motd ^CC^C

I did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.

ASA 5505 VPN and Sprint Mobile Broadband clients.

I have a strange problem, it's something that just started recently when we had a user try to gain access with a Sprint Mobile Broadband card. We have quite a few remote users, probably not more than 6 ever connected to the VPN at once, and I have not heard of any issues until recently. We are starting to require more travel to remote locations, so the use of the hotel internet, as well as Sprint mobile broadband is becoming more important.
There are a few issues here. Everything is IPsec.
Mac OSX with VPN client version 4.9.01 will connect to the VPN when connected to a normal internet connection, but as soon as it gets on the Sprint Mobile Broadband device, it connects for exactly 5 seconds and disconnects.
Windows XP Pro, has no problems with normal internet, on the wireless broadband modem, it will connect to the VPN, but have no access to internal resources or access to the internet.
Windows Vista, has issues all the way around, but mainly when connected to the wireless it has the same issues as XP minus the internet browsing.
Strange thing is, all these problems seem to been different, but they all started around the same time. I have been testing everything I can think of. Talked to Sprint, which the lady there was actually very helpful...just have to get to the right person. But nothing we tried did any good.
Does anyone know of any settings on my ASA that I need to change in order to get these types of connections to work?
The best part of all this is that my Linux machine can connect/surf/and browse the internal network through the VPN just like it normally would work.
Something has to be wrong with my client config settings that is causing this to happen.

Have you enabled NAT Traversal? (Both on the Client and ASA)
That would be the first thing to check.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
Regards
Farrukh

ASA 5505 & VPN Cellular connection

We have a ASA 5505 setup with VPN and using Cisco client 5.0. The VPN works without a problem if we use normal internet access (from home, motel, etc). However if we use a cellular wi-fi hotspot or tether a phone it will connect to the vpn but will not allow us to get on the office network. Anyone have this problem or know a solution

Hello greentw1972,
I have ran in to this issue several times. This is mainly caused by Cisco VPN client's compatibility issues with the 3G-Dongle/Tethering-device. I have seen several workarounds for this but the best one I have found is to use a Open source vpn client.
I have used Shrewsoft VPN client and it has worked nicely without any issues so far
Find the links below for further information.
The 3rd link will show you how exactly you need to transfer information from Cisco VPN client to Shrewsoft client.
Shrewsoft latest VPN client download link : www.shrew.net/download/vpn/vpn-client-2.2.0-rc-2.exe
Shrewsoft Web site : www.shrew.net
Installation instruction as Cisco VPN alternative : http://superuser.com/questions/312947/how-to-configure-shrewsoft-vpn-to-connect-to-cisco-vpn-server
Plese rate this post if helpful

Cisco ASA Site to Site IPSEC VPN and NAT question

Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.

Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni

WRT54G V7.0 VPN and Connection

Similar Messages

Maybe you are looking for