VPN Problems


I am having trouble with my VPNs. I have them set up and I can connect fine. Everything is to be tunneled (including Internet traffic). I am using Cisco VPN

Client on a Win XP SP2 machine to a Cisco ASA 5510. When I connect, it hits the RADIUS server fine (Windows IAS on WIndows 2003 server) and

authenticates. Once I am connected, I can get anywhere in the corporate LAN via IP address, but not any other way. If I want to get to the path

\\\\servername\\files\\IT I have to type in \\\\\\files\\IT. And the tunnel is supposed to support Internet traffic and yet no internet traffic is coming through


Also, in the Cisco VPN Client Log I am getting:

1 11:28:14.062 11/08/06 Sev=Warning/2 CVPND/0xA3400011 Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: NICs MAC (DRVIFACE:1199).

In the Cisco VPN Client Statistics I also see under Route Details ->

Secured Routes Network Subnet Mask and that's it. Is that normal?

Also, how do i know what group-policy is being applied to my VPN users?

Here are some show commands from the ASA followed by the running config. These are edited of course

ASA# sh crypto ipsec sa interface: outside Crypto map tag: RemoteVPNDynmap, seq num: 10, local addr: ASA PUBLIC IP

local ident (addr/mask/prot/port): ( remote ident (addr/mask/prot/port): ( current_peer:, username: kholleran dynamic allocated peer ip:

#pkts encaps: 480, #pkts encrypt: 480, #pkts digest: 480 #pkts decaps: 559, #pkts decrypt: 559, #pkts verify: 559 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 480, #pkts comp failed: 0, #pkts decomp failed: 0 #send errors: 0, #recv errors: 0

local crypto endpt.: ASA PUBLIC IP/PORT, remote crypto endpt.: 3/61509 path mtu 1500, ipsec overhead 68, media mtu 1500 current outbound spi: 7425EFE0

inbound esp sas: spi: 0x6072CF2F (1618136879) transform: esp-3des esp-sha-hmac in use settings ={RA, Tunnel, UDP-Encaps, } slot: 0, conn_id: 2, crypto-map: RemoteVPNDynmap sa timing: remaining key lifetime (sec): 28716 IV size: 8 bytes replay detection support: Y

ASA# sh crypto isakmp sa

Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1

1 IKE Peer: Type : user Role : responder Rekey : no State : AM_ACTIVE

ASA# sh run

ASA Version 7.0(5) ! hostname ASA domain-name DOMAIN enable password MsKIE8kJNDmkdKIi encrypted names dns-guard ! interface Ethernet0/0 description INside interface. NAT to private IPs nameif inside security-level 100 ip address ASA PRIVATE IP ! interface Ethernet0/1 description Outside Interface. nameif outside security-level 0 ip address ASA PUBLIC IP ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown nameif management security-level 100 ip address management-only ! passwd SisLvDjB/rijelPS encrypted banner exec # You are logging into a corporate device. Unauthorized access is prohibited. banner motd # "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle # ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns domain-lookup inside dns name-server DNS SERVER INTERNAL IP object-group service NecessaryServices tcp port-object eq echo port-object eq www port-object eq domain port-object eq ssh port-object eq smtp port-object eq ftp-data port-object eq pop3 port-object eq aol port-object eq ftp port-object eq https object-group service UDPServices udp port-object eq nameserver port-object eq www port-object eq isakmp port-object eq domain object-group service TCP-UDPServices tcp-udp port-object eq echo port-object eq www port-object eq domain

ACLs - Nothing is wrong here

access-list 110 extended permit ip pager lines 24 logging enable logging timestamp logging list ASALog level notifications logging monitor notifications logging trap notifications logging asdm informational logging device-id hostname logging host inside SYSLOG SERVER mtu management 1500 mtu inside 1500 mtu outside 1500 ip local pool vpnclient ip verify reverse-path interface inside ip verify reverse-path interface outside icmp permit any inside icmp permit any outside asdm image disk0:/asdm505.bin asdm history enable arp timeout 14400 nat-control global (outside) 2 interface nat (inside) 0 access-list 110 nat (inside) 2 static (inside,outside) MAIL SERVER access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside ISP GATEWAY 1 ! router ospf 1 NETWORK COMMANDS area 0 log-adj-changes ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server vpn protocol radius aaa-server vpn host IAS SERVER key * group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp enable ipsec-udp-port PORT split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none webvpn functions url-entry port-forward-name value Application Access group-policy vpnUsers internal group-policy vpnUsers attributes banner value You are remotely accessing a corporate network. Any unauthorized use is strictly prohibited. dns-server value DNS SERVER INTERNAL IP
Reply to
K.J. 44
Loading thread data ...

If you get a dhcp address, your dhcp server needs to set the WINS server address in the scope. If your address is static, you need to manually add the WINS server. That will let you browse by name.

Reply to
Joe Beasley

That worked great for getting around inside my network. All drives are being mapped and everything perfectly. I want to tunnel all internet traffic to but none is coming through.

I can see the DNS query, DNS Response, and the request for the page to the correct IP when I run ethereal on my remote PC. But nothing comes back. And I see nothing in my ASA for the IP Address when I do a show xlate. The firewall rules are allowing traffic from these IPs. It appears to request the page over the tunnel and then simply disappear.

Any ideas on that?

Thank you very much for your help.

Joe Beasley wrote:

Reply to
K.J. 44

I'm no expert on ASAs, but if your crypto map is applied to the outside interface, and the nat happens as packets traverse (inside -> outside), would you expect packets coming in to the outside through the VPN tunnel, and going back out again on that interface to the Internet, to actually get NAT'd...?

If you want simultaneous Internet access / vpn access why not use split-tunnelling, or use a proxy server that is inside your network?

Reply to

!--- Command that permits IPsec traffic to enter and exit the same interface.

same-security-traffic permit intra-interface


K.J. 44 wrote:

Reply to
Kevin Widner

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.