


ASA5510 with Cisco VPN client. No traffic over VPN tunnel

Hi all,

In the hopes anyone sees my error in my config (I'm almost sure it's a
config error on my part but I can't find it).
I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the
manual config way and the ASDM way through the wizard.

The problem is not that I can't get any IPsec connection. That works. But
when the VPN connection is established I can't get any traffic from my client
VPN IP segment (172.16.101.0/24) to the internal network (172.16.100.0/24).
The logs in the ASDM keep giving me the same error (this is another error,
but the error for opening an RDP connection from src to dst is the same):

3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53


This is the current config file I'm using (anonymised of course):

: Saved
:
ASA Version 8.0(3)
!
hostname asa5510
enable password 1mujhtmA4fcM3pOA encrypted
!
interface Ethernet0/0
description Interface connected to Internet
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description Interface connected to the Company-Holding LAN
speed 1000
duplex full
nameif Company-lan
security-level 100
ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/2
description Interface connected to the old OLDLAN-Lan
nameif OLDLAN-lan
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
description Interface for DMZ purposes
nameif DMZ
security-level 50
ip address 10.172.100.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group CompanyDNS
name-server 172.16.100.252
name-server 192.168.1.100
name-server 194.151.228.18
name-server 194.151.228.34
domain-name Company-holding.local
dns-group CompanyDNS
same-security-traffic permit inter-interface
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list OLDLAN-lan_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside-entry extended permit tcp any host x.x.x.x eq smtp
access-list outside_access_in remark SMTP permit line to the Exchange Server
access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh inactive
access-list outside_access_in extended permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Company-lan 1500
mtu OLDLAN-lan 1500
mtu DMZ 1500
mtu management 1500
ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdn-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Company-lan) 0 access-list Company-lan_nat0_outbound
nat (Company-lan) 1 0.0.0.0 0.0.0.0
nat (OLDLAN-lan) 0 access-list OLDLAN-lan_nat0_outbound
nat (OLDLAN-lan) 1 0.0.0.0 0.0.0.0
static (Company-lan,outside) tcp interface smtp 172.16.100.251 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 77.61.155.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IASadCompany protocol radius
aaa-server IASadCompany (Company-lan) host <host>
key <omitted>
aaa authentication http console IASadCompany LOCAL
aaa authentication ssh console LOCAL
http server enable 20443
http 172.16.100.0 255.255.255.0 Company-lan
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 172.16.100.0 255.255.255.0 Company-lan
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.10.10.100-10.10.10.200 management
dhcpd dns 194.151.228.18 194.151.228.34 interface management
dhcpd domain itmanagement.Company-holding.local interface management
dhcpd enable management
!
vpn load-balancing
interface lbprivate DMZ
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
webvpn
csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
csd enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ClientVPN internal
group-policy ClientVPN attributes
dns-server value 172.16.100.252
vpn-tunnel-protocol IPSec
password-storage disable
default-domain value secure.Company-holding.local
secure-unit-authentication enable
user-authentication enable
msie-proxy server value 172.16.100.250:8080
msie-proxy method use-server
msie-proxy local-bypass enable
username admin password <omitted> privilege 15
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
address-pool CompanySecure
default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname domain context
Cryptochecksum:25bc95a8279f59219e3d64b5129271c8
: end


Hope anyone can help....


Locutus
5/15/2008 8:53:24 AM
comp.dcom.sys.cisco

On May 15, 4:53 am, "Locutus" <locutus@no-spam-email> wrote:
> Hi all,
>
> In the hopes anyone sees my error in my config (I'm almost sure it's a
> config error on my part but I can't find it).
> I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the
> manual config way and the ASDM way through the wizard.
>
> The problem is not that I can't get any IPsec connection. That works. But
> when the VPN connection is established I can't get any traffic from my client
> VPN IP segment (172.16.101.0/24) to the internal network (172.16.100.0/24).
> The logs in the ASDM keep giving me the same error (this is another error,
> but the error for opening an RDP connection from src to dst is the same):
>
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53

The error you listed indicates you have not set up NAT for your
clients. You can fix it one of 2 ways: either configure NAT for your
VPN clients or configure nat 0.

Use the following command:

nat 0 access-list vpnclients

Then create an ACL called vpnclients with the IP addresses of your VPN
clients, like so:

access-list vpnclients extended permit ip any host {enter your host ips here}
Newbie72
5/16/2008 2:22:14 PM

Or in your case just add the address to this access list:
nat (Company-lan) 0 access-list Company-lan_nat0_outbound
Newbie72
5/16/2008 2:24:25 PM
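Both of Newbie72's replies come down to the same check: does the nat 0 (NAT exemption) ACL bound to the inside interface cover the flow that the %ASA-3-305005 message complains about? The script below is an added example written for this thread; it is not code from either poster or from Cisco. It parses the pre-8.3 NAT syntax seen in the posted config (`nat (iface) 0 access-list NAME`, `ip local pool`, extended ACLs), parses a 305005 syslog line, and reports whether the configuration text already exempts that flow; if not, it prints the exemption entry that Newbie72's answer amounts to. The config excerpts and the syslog line are constructed from the post; the "without exemption" variant is the same excerpt with the 172.16.101.0/24 entry removed.

```python
"""Offline check of an ASA 8.0 (pre-8.3 NAT syntax) config against an
%ASA-3-305005 "No translation group found" syslog line.

Added example, not code from the thread or from Cisco. It only models
"nat (iface) 0 access-list NAME", "ip local pool" and extended ACLs with
network/mask, host or any addresses.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: just the lines of the posted config that the check needs.
CONFIG_WITH_EXEMPTION = """\
interface Ethernet0/1
 nameif Company-lan
 ip address 172.16.100.1 255.255.255.0
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp
ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 255.255.255.0
global (outside) 1 interface
nat (Company-lan) 0 access-list Company-lan_nat0_outbound
nat (Company-lan) 1 0.0.0.0 0.0.0.0
"""
POOL_EXEMPTION = ("access-list Company-lan_nat0_outbound extended permit ip "
                  "172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0")
# Constructed: the same config with the VPN-pool exemption entry missing.
CONFIG_WITHOUT_EXEMPTION = CONFIG_WITH_EXEMPTION.replace(POOL_EXEMPTION + "\n", "")

# One of the syslog lines from the original post.
SYSLOG_LINE = ("3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group "
               "found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53")

LOG_RE = re.compile(r"\|305005\|.*?found for (\S+) src ([^\s:]+):([\d.]+)/\d+"
                    r" dst ([^\s:]+):([\d.]+)/\d+")


@dataclass
class AsaConfig:
    acls: dict = field(default_factory=dict)    # name -> [(proto, src_net, dst_net)]
    nat0: dict = field(default_factory=dict)    # nameif -> exemption ACL name
    ifaces: dict = field(default_factory=dict)  # nameif -> directly connected network
    pools: dict = field(default_factory=dict)   # pool name -> network


def _addr(tok, i):
    """Parse one ACL address spec at tok[i]: any | host A | A MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2


def parse_config(text):
    cfg, nameif = AsaConfig(), None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        try:
            if tok[0] == "nameif":
                nameif = tok[1]
            elif tok[:2] == ["ip", "address"] and nameif:
                cfg.ifaces[nameif] = ipaddress.ip_network((tok[2], tok[3]), strict=False)
            elif tok[:3] == ["ip", "local", "pool"]:
                first = tok[4].split("-")[0]          # pool is given as start-end
                cfg.pools[tok[3]] = ipaddress.ip_network((first, tok[6]), strict=False)
            elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
                src, i = _addr(tok, 5)
                dst, _ = _addr(tok, i)
                cfg.acls.setdefault(tok[1], []).append((tok[4], src, dst))
            elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
                cfg.nat0[tok[1].strip("()")] = tok[4]
        except (ValueError, IndexError):
            continue  # anonymised x.x.x.x, or a form this checker does not model
    return cfg


def parse_305005(line):
    """Pull protocol, interfaces and addresses out of a 305005 message, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"proto": m.group(1), "src_if": m.group(2), "src": ipaddress.ip_address(m.group(3)),
            "dst_if": m.group(4), "dst": ipaddress.ip_address(m.group(5))}


def exempted(cfg, flow):
    """True if the nat 0 ACL bound to the flow's destination interface covers it.
    That ACL is written from the inside interface's point of view: its source is
    the inside host (the flow's dst) and its destination the remote peer (the src)."""
    entries = cfg.acls.get(cfg.nat0.get(flow["dst_if"]), [])
    return any(proto in ("ip", flow["proto"]) and flow["dst"] in src and flow["src"] in dst
               for proto, src, dst in entries)


def suggested_fix(cfg, flow):
    """Lines that would exempt the flow: an entry for the whole VPN pool (a /32 if
    the source sits in no pool) plus the nat 0 binding if the interface has none."""
    inside = cfg.ifaces[flow["dst_if"]]
    remote = next((p for p in cfg.pools.values() if flow["src"] in p),
                  ipaddress.ip_network(f"{flow['src']}/32"))
    name = cfg.nat0.get(flow["dst_if"], f"{flow['dst_if']}_nat0_outbound")
    lines = [f"access-list {name} extended permit ip {inside.network_address} "
             f"{inside.netmask} {remote.network_address} {remote.netmask}"]
    if flow["dst_if"] not in cfg.nat0:
        lines.append(f"nat ({flow['dst_if']}) 0 access-list {name}")
    return lines


def diagnose(config_text, syslog_line):
    """'exempt' if the config text already covers the logged flow, else 'missing'."""
    flow = parse_305005(syslog_line)
    if flow is None:
        return "not-305005"
    return "exempt" if exempted(parse_config(config_text), flow) else "missing"


if __name__ == "__main__":
    for label, text in (("posted config", CONFIG_WITH_EXEMPTION),
                        ("without pool exemption", CONFIG_WITHOUT_EXEMPTION)):
        verdict = diagnose(text, SYSLOG_LINE)
        print(f"{label}: {verdict}")
        if verdict == "missing":
            for line in suggested_fix(parse_config(text), parse_305005(SYSLOG_LINE)):
                print("  add:", line)
```

Run against the excerpt of the posted config the verdict is "exempt": the text already carries the 172.16.100.0/24 to 172.16.101.0/24 entry under the ACL that `nat (Company-lan) 0` references, so the config as written is not what produces the message. That is the useful negative result: when a text-level check passes but 305005 keeps firing, the running state on the box differs from the config you are reading, and the next step is to compare hit counts in `show access-list Company-lan_nat0_outbound` and the bindings in `show nat` rather than adding more entries.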
Hi, thanks for the quick answer.
I tried those yesterday. Unfortunately to no effect.
It did however bring me to the solution.

There is a bug in the ASA "IOS" image I was using (I know it's not IOS but 
don't know another name for it).
It caused the rules I added to the ACL to be entered but they were never 
applied.
The issue is described in 
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl46310.
I never thought about restarting the device and therefore never got the 
rules applied to the Nonat acl0 interface.
I finally updated to an interim release of the ASA firmware and this issue 
seems to be resolved.

Locutus



"Newbie72" <sdj30@hotmail.com> wrote in message 
news:52120299-4497-4627-928f-25e4b362d9ad@56g2000hsm.googlegroups.com...
On May 15, 4:53 am, "Locutus" <locutus@no-spam-email> wrote:
> Hi all,
>
> In the hopes anyone sees my error in my config (I'm almost sure it's a
> config error on my part but i can't find it).
> I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the
> manual config way and the ASDM way through the wizard.
>
> The problem is not that i can't get any ipsec connection. That works. But
> when the VPN connection is established i can't get any trafic from my 
> Client
> VPN IP segment (172.16.101.0/24 to the internal network (172.16.100.0/24).
> The logs in the ASDM keep giving me the same error (this is another error
> but the error for opening a RDP connection from src to dst is the same):
>
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group 
> found
> for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group 
> found
> for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group 
> found
> for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group 
> found
> for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group 
> found
> for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group 
> found
> for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53
> 3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group 
> found
> for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53
>
> This is the current config file i'm using (anonymised offcourse):
>
> : Saved
> :
> ASA Version 8.0(3)
> !
> hostname asa5510
> enable password 1mujhtmA4fcM3pOA encrypted
> !
> interface Ethernet0/0
> description Interface connected to Internet
> nameif outside
> security-level 0
> ip address x.x.x.x 255.255.255.248
> !
> interface Ethernet0/1
> description Interface connected to the Company-Holding LAN
> speed 1000
> duplex full
> nameif Company-lan
> security-level 100
> ip address 172.16.100.1 255.255.255.0
> !
> interface Ethernet0/2
> description Interface connected to the old OLDLAN-Lan
> nameif OLDLAN-lan
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Ethernet0/3
> description Interface for DMZ purposes
> nameif DMZ
> security-level 50
> ip address 10.172.100.1 255.255.255.0
> !
> interface Management0/0
> nameif management
> security-level 100
> ip address 10.10.10.1 255.255.255.0
> management-only
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> boot system disk0:/asa803-k8.bin
> ftp mode passive
> dns server-group CompanyDNS
> name-server 172.16.100.252
> name-server 192.168.1.100
> name-server 194.151.228.18
> name-server 194.151.228.34
> domain-name Company-holding.local
> dns-group CompanyDNS
> same-security-traffic permit inter-interface
> access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
> 255.255.255.0 192.168.1.0 255.255.255.0
> access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
> 255.255.255.0 172.16.101.0 255.255.255.0
> access-list OLDLAN-lan_nat0_outbound extended permit ip 192.168.1.0
> 255.255.255.0 172.16.100.0 255.255.255.0
> access-list outside-entry extended permit tcp any host x.x.x.x eq smtp
> access-list outside_access_in remark SMTP permit line to the Exchange 
> Server
> access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp
> access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh
> inactive
> access-list outside_access_in extended permit ip 172.16.101.0 
> 255.255.255.0
> 172.16.100.0 255.255.255.0
> pager lines 24
> logging enable
> logging asdm informational
> mtu outside 1500
> mtu Company-lan 1500
> mtu OLDLAN-lan 1500
> mtu DMZ 1500
> mtu management 1500
> ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 
> 255.255.255.0
> ip verify reverse-path interface outside
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdn-611.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (Company-lan) 0 access-list Company-lan_nat0_outbound
> nat (Company-lan) 1 0.0.0.0 0.0.0.0
> nat (OLDLAN-lan) 0 access-list OLDLAN-lan_nat0_outbound
> nat (OLDLAN-lan) 1 0.0.0.0 0.0.0.0
> static (Company-lan,outside) tcp interface smtp 172.16.100.251 smtp netmask 255.255.255.255
> access-group outside_access_in in interface outside
> route outside 0.0.0.0 0.0.0.0 77.61.155.73 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> aaa-server IASadCompany protocol radius
> aaa-server IASadCompany (Company-lan) host <host>
> key <omitted>
> aaa authentication http console IASadCompany LOCAL
> aaa authentication ssh console LOCAL
> http server enable 20443
> http 172.16.100.0 255.255.255.0 Company-lan
> http 10.10.10.0 255.255.255.0 management
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp ipsec-over-tcp port 10000
> telnet timeout 5
> ssh 172.16.100.0 255.255.255.0 Company-lan
> ssh 10.10.10.0 255.255.255.0 management
> ssh timeout 5
> ssh version 2
> console timeout 0
> dhcpd address 10.10.10.100-10.10.10.200 management
> dhcpd dns 194.151.228.18 194.151.228.34 interface management
> dhcpd domain itmanagement.Company-holding.local interface management
> dhcpd enable management
> !
> vpn load-balancing
> interface lbprivate DMZ
> threat-detection basic-threat
> threat-detection statistics port
> threat-detection statistics protocol
> threat-detection statistics access-list
> webvpn
> csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
> csd enable
> group-policy DfltGrpPolicy attributes
> vpn-tunnel-protocol l2tp-ipsec webvpn
> group-policy ClientVPN internal
> group-policy ClientVPN attributes
> dns-server value 172.16.100.252
> vpn-tunnel-protocol IPSec
> password-storage disable
> default-domain value secure.Company-holding.local
> secure-unit-authentication enable
> user-authentication enable
> msie-proxy server value 172.16.100.250:8080
> msie-proxy method use-server
> msie-proxy local-bypass enable
> username admin password <omitted> privilege 15
> tunnel-group ClientVPN type remote-access
> tunnel-group ClientVPN general-attributes
> address-pool CompanySecure
> default-group-policy ClientVPN
> tunnel-group ClientVPN ipsec-attributes
> pre-shared-key *
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
> service-policy global_policy global
> prompt hostname domain context
> Cryptochecksum:25bc95a8279f59219e3d64b5129271c8
> : end
>
> Hope anyone can help....

or in your case just add the address to this access list: nat (Company-lan) 0 access-list Company-lan_nat0_outbound

0
Locutus
5/18/2008 9:03:12 PM
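As an added check (not code from the thread or from Cisco), the script below parses the few ASA 8.0 config forms involved in the NAT-exemption advice above (the extended permit ip ACL entries, the nat (iface) 0 binding and the ip local pool) and lists which pool addresses the exemption does not cover; the config excerpt inside it is constructed from the posted config, and the host-keyword and object-group ACL forms are deliberately not handled.

```python
"""Audit whether an ASA 8.0-style NAT-exemption ('nat 0') ACL covers a remote-access
VPN pool.  Added example, not code from the thread: it parses only the config forms
seen in the post (extended permit ip with masks, ip local pool, nat (iface) 0)."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config (same names and addresses).
SAMPLE_CONFIG = """\
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list OLDLAN-lan_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 255.255.255.0
global (outside) 1 interface
nat (Company-lan) 0 access-list Company-lan_nat0_outbound
nat (Company-lan) 1 0.0.0.0 0.0.0.0
nat (OLDLAN-lan) 0 access-list OLDLAN-lan_nat0_outbound
nat (OLDLAN-lan) 1 0.0.0.0 0.0.0.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Return (acls, pools, nat0): ACL name -> [(src_net, dst_net)],
    pool name -> (first, last), inside interface -> exemption ACL name."""
    acls, pools, nat0 = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.IPv4Network(f"{src}/{smask}"),
                 ipaddress.IPv4Network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            nat0[iface] = acl
    return acls, pools, nat0


def _summarize(addrs):
    """Collapse a sorted list of addresses into CIDR strings for readable output."""
    out, i = [], 0
    while i < len(addrs):
        j = i
        while j + 1 < len(addrs) and int(addrs[j + 1]) == int(addrs[j]) + 1:
            j += 1
        out.extend(str(n) for n in ipaddress.summarize_address_range(addrs[i], addrs[j]))
        i = j + 1
    return out


def unexempted_pool_addresses(text, pool_name, inside_iface, inside_net):
    """Pool addresses that inside_net -> client traffic would still have to NAT,
    i.e. the ones missing from the nat 0 ACL bound to inside_iface.  An empty
    list means the exemption covers the whole pool."""
    acls, pools, nat0 = parse_config(text)
    inside = ipaddress.IPv4Network(inside_net)
    entries = acls.get(nat0.get(inside_iface, ""), [])
    first, last = pools[pool_name]
    missing = []
    for n in range(int(first), int(last) + 1):
        addr = ipaddress.IPv4Address(n)
        # Exempt when the inside subnet lies within the ACL source and the client
        # address lies within the ACL destination.
        if not any(inside.subnet_of(src) and addr in dst for src, dst in entries):
            missing.append(addr)
    return _summarize(missing)


if __name__ == "__main__":
    gaps = unexempted_pool_addresses(SAMPLE_CONFIG, "CompanySecure",
                                     "Company-lan", "172.16.100.0/24")
    print("nat 0 gaps for pool CompanySecure from Company-lan:", gaps or "none")
```

Run against the posted config the Company-lan exemption already covers the whole pool, while the same pool checked from OLDLAN-lan is reported as uncovered, because OLDLAN-lan_nat0_outbound only exempts traffic to 172.16.100.0/24.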
In article <483099a3$0$3044$e4fe514c@dreader21.news.xs4all.nl>,
Locutus <locutus@no-spam-email> wrote:

>There is a bug in the ASA "IOS" image I was using (I know it's not IOS but
>don't know another name for it).

ASA 7's kernel is "Finesse". ASA 8's kernel is Linux (according to
Wikipedia).
0
roberson
5/19/2008 12:47:19 AM

Web resources about - ASA5510 with Cisco VPN client. No traffic over VPN tunnel - comp.dcom.sys.cisco