https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479484#M267547 <P>Your NAT statements overlap with each other.</P><P><SPAN style="font-size: 14px;">nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp</SPAN></P><P style="font-size: 14px;">nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup</P><P style="font-size: 14px;">change&nbsp;<STRONG>any</STRONG>&nbsp;on your NAT statements to a more specific interface, in this case it should be&nbsp;<STRONG>outside&nbsp;</STRONG>and add the route-lookup on it. Then remove the bottom NAT statement as you don't need it because the top NAT statement is doing the same thing.</P><P style="font-size: 14px;">please post the output of&nbsp;<STRONG>show run nat, show nat, show access-list </STRONG>and<STRONG> show ipsec sa&nbsp;</STRONG>commands if above steps hasn't solved your issue.</P> Wed, 16 Apr 2014 10:09:58 GMT Rudy Sanjoko 2014-04-16T10:09:58Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479475#M267536 <P>Hi,</P><P>The user can login with their valid AD account. The remote laptop receives a correct IP address from the ASA IP DHCP pool (192.168.210.231-192.168.210.250). However, the remote laptop CANNOT communicate with other internal networks (i.e.: PING).&nbsp;The remote laptop CAN PING the VPN interface (outside) of the ASA.&nbsp;There is a VPN remote connection established (IKEv1) when logging into the ASA (see codes below).</P><P>Note: The ASA configuration code is attached &nbsp;(Most of the configuration codes were configured with ADSM). I will really appreciate if any one could please have a look at it and let me know what I am doing wrong.</P><P>interface GigabitEthernet0/0</P><P>speed 1000</P><P>duplex full</P><P>nameif outside</P><P>security-level 0</P><P>ip address 200.190.70.66 255.255.255.248</P><P>!</P><P>object network NETWORK_OBJ_192.168.210.224_27</P><P>subnet 192.168.210.224 255.255.255.224</P><P>&nbsp;</P><P>access-list splittunnel standard permit 172.16.0.0 255.255.0.0</P><P>access-list splittunnel standard permit 192.168.1.0 255.255.255.0</P><P>&nbsp;</P><P>access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27</P><P>&nbsp;</P><P>nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup</P><P>&nbsp;</P><P>route outside 192.168.210.224 255.255.255.224 200.190.70.65 1</P><P>&nbsp;</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>&nbsp;</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>&nbsp;</P><P>crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map ASA-VPN-SITE interface outside</P><P>&nbsp;</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>&nbsp;</P><P>group-policy DefaultRAGroup internal</P><P>group-policy DefaultRAGroup attributes</P><P>dns-server value 172.16.5.31 172.16.5.32</P><P>vpn-tunnel-protocol ikev1 l2tp-ipsec</P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value splittunnel</P><P>default-domain value zzzzzz</P><P>&nbsp;</P><P>username user1 password zzzzzz encrypted</P><P>username user1 attributes</P><P>vpn-group-policy DefaultRAGroup</P><P>vpn-tunnel-protocol ikev1</P><P>&nbsp;</P><P>tunnel-group DefaultRAGroup general-attributes</P><P>address-pool remote-vpn-pool</P><P>default-group-policy DefaultRAGroup</P><P>&nbsp;</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P>ikev1 pre-shared-key *****</P><P>&nbsp;</P><P>tunnel-group DefaultRAGroup ppp-attributes</P><P>no authentication chap</P><P>authentication ms-chap-v2</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks &amp; Regards</P><P>Rohit.</P> Tue, 12 Mar 2019 04:04:40 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479475#M267536 Rohit Mangotra 2019-03-12T04:04:40Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479476#M267537 <P><SPAN style="font-size:14px;">Hi, is ping the only thing that is not working? if you can, post/attach the whole config here.</SPAN></P><P><SPAN style="font-size:14px;">If it's only ping that is not working then couple things to check are:</SPAN></P><P><SPAN style="font-size:14px;">- if you have enabled<STRONG> inspect icmp </STRONG>command</SPAN></P><P><SPAN style="font-size:14px;">- if you have configured&nbsp;<STRONG>management-access inside</STRONG> command</SPAN></P> Tue, 15 Apr 2014 08:47:12 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479476#M267537 Rudy Sanjoko 2014-04-15T08:47:12Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479477#M267538 <P>Hi Rudy,</P><P>Thanks for your reply but I already have these commands in my ASA and it is still the same. I cannot ping the inside interface of ASA 5525 while connected to vpn and cannot ping from inside network to connected vpn. Any suggestion would be really appreciated.</P><P>Thanks &amp; Regards</P><P>Rohit.</P> Wed, 16 Apr 2014 02:45:42 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479477#M267538 Rohit Mangotra 2014-04-16T02:45:42Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479478#M267539 <P><SPAN style="font-size:14px;">Hi, so is ping the only thing that is not working? are others protocol work fine? try checking the ACL, make sure that the VPN pool ip address are allowed to access the inside network.&nbsp;<SPAN style="background-color: rgb(247, 247, 247);">If you can, post/attach the whole config here.</SPAN></SPAN></P> Wed, 16 Apr 2014 07:26:35 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479478#M267539 Rudy Sanjoko 2014-04-16T07:26:35Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479479#M267540 <P>Hi Rudy,</P><P>Thanks for you reply. I can not access internal network at all. Please see the attached code below</P><P>&nbsp;</P><P>interface GigabitEthernet0/0</P><P>speed 1000</P><P>duplex full</P><P>nameif outside</P><P>security-level 0</P><P>ip address 200.190.70.66 255.255.255.248</P><P>!</P><P>object network NETWORK_OBJ_192.168.210.224_27</P><P>subnet 192.168.210.224 255.255.255.224</P><P>&nbsp;</P><P>access-list splittunnel standard permit 172.16.0.0 255.255.0.0</P><P>access-list splittunnel standard permit 192.168.1.0 255.255.255.0</P><P>&nbsp;</P><P><STRONG>access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27</STRONG></P><P>&nbsp;</P><P>nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup</P><P>&nbsp;</P><P>route outside 192.168.210.224 255.255.255.224 200.190.70.65 1</P><P>&nbsp;</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>&nbsp;</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>&nbsp;</P><P>crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map ASA-VPN-SITE interface outside</P><P>&nbsp;</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>&nbsp;</P><P>group-policy DefaultRAGroup internal</P><P>group-policy DefaultRAGroup attributes</P><P>dns-server value 172.16.5.31 172.16.5.32</P><P>vpn-tunnel-protocol ikev1 l2tp-ipsec</P><P>split-tunnel-policy tunnelspecified</P><P>split-tunnel-network-list value splittunnel</P><P>default-domain value zzzzzz</P><P>&nbsp;</P><P>username user1 password zzzzzz encrypted</P><P>username user1 attributes</P><P>vpn-group-policy DefaultRAGroup</P><P>vpn-tunnel-protocol ikev1</P><P>&nbsp;</P><P>tunnel-group DefaultRAGroup general-attributes</P><P>address-pool remote-vpn-pool</P><P>default-group-policy DefaultRAGroup</P><P>&nbsp;</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P>ikev1 pre-shared-key *****</P><P>&nbsp;</P><P>tunnel-group DefaultRAGroup ppp-attributes</P><P>no authentication chap</P><P>authentication ms-chap-v2</P><P>&nbsp;</P><P>Thanks &amp; Regards</P><P>Rohit</P> Wed, 16 Apr 2014 07:52:32 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479479#M267540 Rohit Mangotra 2014-04-16T07:52:32Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479480#M267541 <P><SPAN style="font-size:14px;">What's your LAN network address? is it one of these,&nbsp;172.16.0.0 255.255.0.0 /&nbsp;192.168.1.0 255.255.255.0? If not one of those, you will need to modify your split tunnel ACL.</SPAN></P><P style="font-size: 14px;">&nbsp;</P> Wed, 16 Apr 2014 08:30:57 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479480#M267541 Rudy Sanjoko 2014-04-16T08:30:57Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479481#M267542 <P>Hi Rudy,</P><P>The LAN network Address is 172.16.0.0 255.255.0.0</P><P>192.168.1.0 / 24 -- DMZ</P><P>192.168.210.224 /27 -- VPN client address</P><P>&nbsp;</P><P>Thanks &amp; Regards</P><P>Rohit</P> Wed, 16 Apr 2014 08:38:00 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479481#M267542 Rohit Mangotra 2014-04-16T08:38:00Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479482#M267543 <P>post your config.</P> Wed, 16 Apr 2014 08:47:26 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479482#M267543 Rudy Sanjoko 2014-04-16T08:47:26Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479483#M267545 <P>Hi Rudy,</P><P>Please see the complete configuration of ASA.</P><P>ASA Version 8.6(1)2<BR />!<BR />hostname ciscoasa<BR />names<BR />!<BR />interface GigabitEthernet0/0<BR />&nbsp;speed 1000<BR />&nbsp;duplex full<BR />&nbsp;nameif outside<BR />&nbsp;security-level 0<BR />&nbsp;ip address 200.190.70.66 255.255.255.248<BR />!<BR />interface GigabitEthernet0/1<BR />&nbsp;speed 1000<BR />&nbsp;duplex full<BR />&nbsp;nameif inside<BR />&nbsp;security-level 100<BR />&nbsp;ip address 172.16.3.254 255.255.255.0<BR />!<BR />interface GigabitEthernet0/2<BR />&nbsp;speed 1000<BR />&nbsp;duplex full<BR />&nbsp;nameif dmz<BR />&nbsp;security-level 50<BR />&nbsp;ip address 192.168.1.254 255.255.255.0<BR />!<BR />interface GigabitEthernet0/3<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet0/4<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet0/5<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet0/6<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet0/7<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface Management0/0<BR />&nbsp;nameif management<BR />&nbsp;security-level 0<BR />&nbsp;ip address 10.1.95.11 255.255.255.0<BR />&nbsp;management-only<BR />!<BR />interface GigabitEthernet1/0<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet1/1<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet1/2<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet1/3<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet1/4<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet1/5<BR />&nbsp;shutdown<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />ftp mode passive<BR />dns server-group DefaultDNS<BR />&nbsp;domain-name zzzzzz<BR />object network obj-172.16.0.0-nonat<BR />&nbsp;subnet 172.16.0.0 255.255.0.0<BR />object network obj-192.168.1.0-nonat<BR />&nbsp;subnet 192.168.1.0 255.255.255.0<BR />object network obj-192.168.0.0-nonat<BR />&nbsp;subnet 192.168.0.0 255.255.0.0<BR />object network obj-192.168.1.0-nonatdmz<BR />&nbsp;subnet 192.168.1.0 255.255.255.0<BR />object network obj-192.168.201.0-nonatdmz<BR />&nbsp;subnet 192.168.1.0 255.255.255.0<BR />object network obj-172.16.0.0-nonatdmz<BR />&nbsp;subnet 172.16.0.0 255.255.0.0<BR />object network obj-192.168.1.0-dmz-vpn_private<BR />&nbsp;subnet 192.168.1.0 255.255.255.0<BR />object network NETWORK_OBJ_192.168.210.224_27<BR />&nbsp;subnet 192.168.210.224 255.255.255.224<BR />object network internal-radius<BR />&nbsp;host 172.16.5.67<BR />object-group network inside-subnet-source<BR />&nbsp;network-object 172.16.1.0 255.255.255.0<BR />&nbsp;network-object 172.16.2.0 255.255.255.252<BR />&nbsp;network-object 172.16.3.0 255.255.255.0<BR />&nbsp;network-object 172.16.5.0 255.255.255.0<BR />&nbsp;network-object 172.16.10.0 255.255.255.0<BR />&nbsp;network-object 172.16.11.0 255.255.255.0<BR />&nbsp;network-object 172.16.13.0 255.255.255.0<BR />&nbsp;network-object 172.16.20.0 255.255.255.0<BR />&nbsp;network-object 172.16.21.0 255.255.255.0<BR />&nbsp;network-object 172.16.23.0 255.255.255.0<BR />&nbsp;network-object 172.16.30.0 255.255.255.0<BR />&nbsp;network-object 172.16.31.0 255.255.255.0<BR />&nbsp;network-object 172.16.35.0 255.255.255.0<BR />&nbsp;network-object 172.16.40.0 255.255.255.0<BR />&nbsp;network-object 172.16.109.0 255.255.255.0<BR />&nbsp;network-object 172.16.118.0 255.255.255.0<BR />&nbsp;network-object 172.16.128.0 255.255.255.0<BR />&nbsp;network-object 172.16.129.0 255.255.255.0<BR />&nbsp;network-object 172.16.130.0 255.255.255.0<BR />&nbsp;network-object 172.16.131.0 255.255.255.0<BR />&nbsp;network-object 172.16.132.0 255.255.255.0<BR />&nbsp;network-object 172.16.192.0 255.255.255.0<BR />&nbsp;network-object 172.16.193.0 255.255.255.0<BR />&nbsp;network-object 172.16.194.0 255.255.255.0<BR />&nbsp;network-object 172.16.195.0 255.255.255.0<BR />&nbsp;network-object 172.16.196.0 255.255.255.0<BR />object-group network dmz-subnet-source<BR />&nbsp;network-object 192.168.1.0 255.255.255.0</P><P>access-list o_inside extended permit ah any any<BR />access-list o_inside extended permit esp any any<BR />access-list o_inside extended permit icmp any any<BR />access-list o_inside extended permit icmp any any echo<BR />access-list o_inside extended permit tcp any any eq imap4<BR />access-list o_inside extended permit udp any any eq 143</P><P>***access-list o_inside extended permit tcp/udp SPECIFIC inside network/pc device to access host in DMZ network (none related to VPN)</P><P>access-list outside extended permit icmp any any echo-reply<BR />access-list outside extended permit icmp any any</P><P>***access-list outside extended permit tcp/udp SPECIFIC from outside network/pc device to access host in DMZ/inside network (none related to VPN)</P><P><BR />access-list o_dmz extended permit icmp any any echo-reply</P><P>***access-list o_dmz extended permit tcp/udp SPECIFIC from dmz network/pc device to access host in inside network (none related to VPN)</P><P>access-list splittunnel standard permit 172.16.0.0 255.255.0.0<BR />access-list splittunnel standard permit 192.168.1.0 255.255.255.0</P><P>access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27<BR />&nbsp;<BR />pager lines 24<BR />logging enable<BR />logging buffer-size 1048576<BR />logging buffered debugging<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside 1500<BR />mtu dmz 1500<BR />mtu management 1500<BR />ip local pool remote-vpn-pool 192.168.210.231-192.168.210.250 mask 255.255.255.224<BR />no failover<BR />icmp unreachable rate-limit 1 burst-size 1<BR />icmp permit any outside<BR />icmp permit any dmz<BR />icmp permit any vpn_private<BR />icmp permit any vpn_public<BR />icmp permit any optusapn_temp<BR />asdm image disk0:/asdm-66114.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp<BR />nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp<BR />nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp<BR />nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp<BR />nat (dmz,any) source static obj-192.168.1.0-nonatdmz obj-192.168.1.0-nonatdmz destination static obj-172.16.0.0-nonatdmz obj-172.16.0.0-nonatdmz no-proxy-arp</P><P>nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup</P><P>!<BR />nat (inside,outside) after-auto source dynamic inside-subnet-source outside-host-global<BR />nat (inside,dmz) after-auto source dynamic inside-subnet-source dmz-host-global<BR />nat (dmz,outside) after-auto source dynamic dmz-subnet-source outside-host-global<BR />access-group outside in interface outside<BR />access-group o_inside in interface inside<BR />access-group o_dmz in interface dmz<BR />route outside 0.0.0.0 0.0.0.0 200.190.70.65 1<BR />route inside 172.16.0.0 255.255.0.0 172.16.3.1 1<BR />route inside 172.20.1.0 255.255.255.0 172.16.3.1 1<BR />route inside 172.30.1.0 255.255.255.0 172.16.3.1 1<BR />route inside 192.168.0.0 255.255.0.0 172.16.3.1 1<BR />route outside 192.168.210.0 255.255.255.224 200.190.70.65 1<BR />route outside 192.168.210.32 255.255.255.224 200.190.70.65 1<BR />route outside 192.168.210.64 255.255.255.224 200.190.70.65 1<BR />route outside 192.168.210.96 255.255.255.224 200.190.70.65 1<BR />route outside 192.168.210.128 255.255.255.224 200.190.70.65 1<BR />route outside 192.168.210.224 255.255.255.224 200.190.70.65 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />aaa-server internal-radius protocol radius<BR />aaa-server internal-radius (inside) host 172.16.5.67<BR />&nbsp;key zzzzzz<BR />&nbsp;radius-common-pw zzzzzz<BR />user-identity default-domain LOCAL<BR />aaa authentication ssh console LOCAL<BR />aaa authentication telnet console LOCAL<BR />http server enable<BR />http 172.16.0.0 255.255.0.0 inside<BR />http 172.16.0.0 255.255.0.0 management<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map ASA-VPN-SITE interface outside</P><P>crypto ikev2 policy 10<BR />&nbsp;encryption aes-256 aes-192 aes<BR />&nbsp;integrity sha<BR />&nbsp;group 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400</P><P>crypto ikev2 enable outside<BR />crypto ikev1 enable outside</P><P>crypto ikev1 policy 10<BR />&nbsp;authentication pre-share<BR />&nbsp;encryption 3des<BR />&nbsp;hash sha<BR />&nbsp;group 2<BR />&nbsp;lifetime 86400<BR />telnet 172.16.1.0 255.255.255.0 inside<BR />telnet 172.16.3.0 255.255.255.0 inside<BR />telnet 172.16.0.0 255.255.0.0 management<BR />telnet timeout 20<BR />ssh 172.16.0.0 255.255.0.0 inside<BR />ssh 172.16.3.0 255.255.255.0 inside<BR />ssh 0.0.0.0 0.0.0.0 management<BR />ssh timeout 30<BR />ssh version 2<BR />console timeout 30<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />ntp server 172.16.3.1<BR />webvpn<BR />&nbsp;enable outside<BR />&nbsp;anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1<BR />&nbsp;anyconnect enable</P><P>group-policy DefaultRAGroup internal<BR />group-policy DefaultRAGroup attributes<BR />&nbsp;dns-server value 172.16.5.31 172.16.5.32<BR />&nbsp;vpn-tunnel-protocol ikev1 l2tp-ipsec<BR />&nbsp;split-tunnel-policy tunnelspecified<BR />&nbsp;split-tunnel-network-list value splittunnel<BR />&nbsp;default-domain value ZZZZZZ</P><P>username user1 password zzzzzz encrypted<BR />username user1 attributes<BR />vpn-group-policy DefaultRAGroup<BR />vpn-tunnel-protocol ikev1</P><P>tunnel-group DefaultRAGroup general-attributes<BR />&nbsp;address-pool remote-vpn-pool<BR />&nbsp;default-group-policy DefaultRAGroup<BR />tunnel-group DefaultRAGroup ipsec-attributes<BR />&nbsp;ikev1 pre-shared-key ZZZZZZ<BR />tunnel-group DefaultRAGroup ppp-attributes<BR />&nbsp;no authentication chap<BR />&nbsp;authentication ms-chap-v2<BR />!<BR />class-map inspection_default<BR />&nbsp;match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />&nbsp;parameters<BR />&nbsp; message-length maximum client auto<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect ip-options<BR />&nbsp; inspect netbios<BR />&nbsp; inspect rsh<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect skinny &nbsp;<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect tftp<BR />&nbsp; inspect sip &nbsp;<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect icmp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />call-home<BR />&nbsp;profile CiscoTAC-1<BR />&nbsp; no active<BR />&nbsp; destination address http <A href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A><BR />&nbsp; destination address email callhome@cisco.com<BR />&nbsp; destination transport-method http<BR />&nbsp; subscribe-to-alert-group diagnostic<BR />&nbsp; subscribe-to-alert-group environment<BR />&nbsp; subscribe-to-alert-group inventory periodic monthly 7<BR />&nbsp; subscribe-to-alert-group configuration periodic monthly 7<BR />&nbsp; subscribe-to-alert-group telemetry periodic daily<BR />Cryptochecksum:a225df4d313cd95bb3662bd3d70733fe<BR />: end</P><P><BR />Thanks &amp; Regards</P><P>Rohit.</P><P>&nbsp;</P> Wed, 16 Apr 2014 09:37:49 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479483#M267545 Rohit Mangotra 2014-04-16T09:37:49Z https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479484#M267547 <P>Your NAT statements overlap with each other.</P><P><SPAN style="font-size: 14px;">nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp</SPAN></P><P style="font-size: 14px;">nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup</P><P style="font-size: 14px;">change&nbsp;<STRONG>any</STRONG>&nbsp;on your NAT statements to a more specific interface, in this case it should be&nbsp;<STRONG>outside&nbsp;</STRONG>and add the route-lookup on it. Then remove the bottom NAT statement as you don't need it because the top NAT statement is doing the same thing.</P><P style="font-size: 14px;">please post the output of&nbsp;<STRONG>show run nat, show nat, show access-list </STRONG>and<STRONG> show ipsec sa&nbsp;</STRONG>commands if above steps hasn't solved your issue.</P> Wed, 16 Apr 2014 10:09:58 GMT https://community.cisco.com/t5/network-security/vpn-connection-problem/m-p/2479484#M267547 Rudy Sanjoko 2014-04-16T10:09:58Z