«

Hi

i have a small problems with my new asa 5510:

I have configured a VPN IPSEC Service and no problems
at the connection but after, when i want ping the lan
i don't have a answer.

On one of my server, i see the packet with tcpdump, i see
the reply of the server but on the ASA i have a message of
the firewall ...

I have used the Wizard included into the 6.0 version.

Thanks for your help
Mag

"Mag" <> wrote in message
news:49607868$0$6704$...
> Hi
>
> i have a small problems with my new asa 5510:
>
> I have configured a VPN IPSEC Service and no problems
> at the connection but after, when i want ping the lan
> i don't have a answer.
>
> On one of my server, i see the packet with tcpdump, i see
> the reply of the server but on the ASA i have a message of
> the firewall ...
>
> I have used the Wizard included into the 6.0 version.
>
> Thanks for your help
> Mag
>

You need to post a santized config for us to be able to help you.

Brian V a écrit :
>
> You need to post a santized config for us to be able to help you.

Ho yes sorry ;=) :
Configuration (sh run) genered with Wizard of the ADSM:




Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(3)
!
hostname ASA5510-1
domain-name asa1.xxx.org
enable password XXX
names
name 10.100.5.0 IPSec
!
interface Ethernet0/0
nameif wan
security-level 0
ip address 62.XX.XX.XX 255.255.255.224
!
interface Ethernet0/1
nameif lan
security-level 0
ip address 10.100.7.242 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd XXXX encrypted
ftp mode passive
dns domain-lookup lan
dns server-group DefaultDNS
name-server 10.100.7.250
domain-name asa1.xxx.org
access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
ip local pool IpSec 10.100.5.10-10.100.5.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list lan_nat0_outbound
nat (lan) 101 0.0.0.0 0.0.0.0
route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 wan
http 62.XX.XX.XX 255.255.255.224 wan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access wan
threat-detection basic-threat
threat-detection statistics
group-policy ipsecvpn internal
group-policy ipsecvpn attributes
dns-server value 10.100.7.242
vpn-tunnel-protocol IPSec
default-domain value XXXX.fr
username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
username magalie attributes
vpn-group-policy ipsecvpn
tunnel-group ipsecvpn type remote-access
tunnel-group ipsecvpn general-attributes
address-pool IpSec
default-group-policy ipsecvpn
tunnel-group ipsecvpn ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
: end





and after connected, this is the log entry:

3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248
dst wan:10.100.5.10 (type 0, code 0)

6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Buil t inbound
ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
10.100.7.248/0 (magalie)

6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Tear down ICMP
connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
10.100.7.248/0 (magalie)





Thanks for your help
Magalie

Anyone ?



Mag a écrit :
> Brian V a écrit :
>>
>> You need to post a santized config for us to be able to help you.
>
> Ho yes sorry ;=) :
> Configuration (sh run) genered with Wizard of the ADSM:
>
>
>
>
> Result of the command: "show running-config"
>
> : Saved
> :
> ASA Version 8.0(3)
> !
> hostname ASA5510-1
> domain-name asa1.xxx.org
> enable password XXX
> names
> name 10.100.5.0 IPSec
> !
> interface Ethernet0/0
> nameif wan
> security-level 0
> ip address 62.XX.XX.XX 255.255.255.224
> !
> interface Ethernet0/1
> nameif lan
> security-level 0
> ip address 10.100.7.242 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> nameif management
> security-level 0
> ip address 192.168.1.1 255.255.255.0
> management-only
> !
> passwd XXXX encrypted
> ftp mode passive
> dns domain-lookup lan
> dns server-group DefaultDNS
> name-server 10.100.7.250
> domain-name asa1.xxx.org
> access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
> pager lines 24
> logging enable
> logging asdm informational
> mtu management 1500
> mtu lan 1500
> mtu wan 1500
> ip local pool IpSec 10.100.5.10-10.100.5.254
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-603.bin
> no asdm history enable
> arp timeout 14400
> global (wan) 101 interface
> nat (lan) 0 access-list lan_nat0_outbound
> nat (lan) 101 0.0.0.0 0.0.0.0
> route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
> route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
> route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
> route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> http server enable
> http 0.0.0.0 0.0.0.0 wan
> http 62.XX.XX.XX 255.255.255.224 wan
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
> ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
> ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
> ESP-DES-MD5
> crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
> crypto map wan_map interface wan
> crypto isakmp enable wan
> crypto isakmp policy 5
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 10
> authentication pre-share
> encryption des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 65535
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> management-access wan
> threat-detection basic-threat
> threat-detection statistics
> group-policy ipsecvpn internal
> group-policy ipsecvpn attributes
> dns-server value 10.100.7.242
> vpn-tunnel-protocol IPSec
> default-domain value XXXX.fr
> username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
> username magalie attributes
> vpn-group-policy ipsecvpn
> tunnel-group ipsecvpn type remote-access
> tunnel-group ipsecvpn general-attributes
> address-pool IpSec
> default-group-policy ipsecvpn
> tunnel-group ipsecvpn ipsec-attributes
> pre-shared-key *
> !
> !
> prompt hostname context
> Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
> : end
>
>
>
>
>
> and after connected, this is the log entry:
>
> 3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248
> dst wan:10.100.5.10 (type 0, code 0)
>
> 6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Buil t inbound
> ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
> 10.100.7.248/0 (magalie)
>
> 6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Tear down ICMP
> connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
> 10.100.7.248/0 (magalie)
>
>
>
>
>
> Thanks for your help
> Magalie

It's not only the ICMP that deny:

Inbound TCP connection denied from 10.100.7.245/22 to 10.100.5.10/1953
flags SYN ACK on interface lan

what is the acl at put for accept all traffic between Lan to Ipsec and
Ipsec to lan

i see to that on my pc connected in IPSEC, the subnet are 255.0.0.0 and
not 255.255.255.0 ..





Mag a écrit :
> Brian V a écrit :
>>
>> You need to post a santized config for us to be able to help you.
>
> Ho yes sorry ;=) :
> Configuration (sh run) genered with Wizard of the ADSM:
>
>
>
>
> Result of the command: "show running-config"
>
> : Saved
> :
> ASA Version 8.0(3)
> !
> hostname ASA5510-1
> domain-name asa1.xxx.org
> enable password XXX
> names
> name 10.100.5.0 IPSec
> !
> interface Ethernet0/0
> nameif wan
> security-level 0
> ip address 62.XX.XX.XX 255.255.255.224
> !
> interface Ethernet0/1
> nameif lan
> security-level 0
> ip address 10.100.7.242 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> nameif management
> security-level 0
> ip address 192.168.1.1 255.255.255.0
> management-only
> !
> passwd XXXX encrypted
> ftp mode passive
> dns domain-lookup lan
> dns server-group DefaultDNS
> name-server 10.100.7.250
> domain-name asa1.xxx.org
> access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
> pager lines 24
> logging enable
> logging asdm informational
> mtu management 1500
> mtu lan 1500
> mtu wan 1500
> ip local pool IpSec 10.100.5.10-10.100.5.254
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-603.bin
> no asdm history enable
> arp timeout 14400
> global (wan) 101 interface
> nat (lan) 0 access-list lan_nat0_outbound
> nat (lan) 101 0.0.0.0 0.0.0.0
> route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
> route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
> route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
> route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> http server enable
> http 0.0.0.0 0.0.0.0 wan
> http 62.XX.XX.XX 255.255.255.224 wan
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
> ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
> ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
> ESP-DES-MD5
> crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
> crypto map wan_map interface wan
> crypto isakmp enable wan
> crypto isakmp policy 5
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 10
> authentication pre-share
> encryption des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 65535
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> management-access wan
> threat-detection basic-threat
> threat-detection statistics
> group-policy ipsecvpn internal
> group-policy ipsecvpn attributes
> dns-server value 10.100.7.242
> vpn-tunnel-protocol IPSec
> default-domain value XXXX.fr
> username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
> username magalie attributes
> vpn-group-policy ipsecvpn
> tunnel-group ipsecvpn type remote-access
> tunnel-group ipsecvpn general-attributes
> address-pool IpSec
> default-group-policy ipsecvpn
> tunnel-group ipsecvpn ipsec-attributes
> pre-shared-key *
> !
> !
> prompt hostname context
> Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
> : end
>
>
>
>
>
> and after connected, this is the log entry:
>
> 3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248
> dst wan:10.100.5.10 (type 0, code 0)
>
> 6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Buil t inbound
> ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
> 10.100.7.248/0 (magalie)
>
> 6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Tear down ICMP
> connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
> 10.100.7.248/0 (magalie)
>
>
>
>
>
> Thanks for your help
> Magalie

Brian V a écrit :
>
> "Mag" <> wrote in message
> news:49607868$0$6704$...
>> Hi
>>
>> i have a small problems with my new asa 5510:
>>
>> I have configured a VPN IPSEC Service and no problems
>> at the connection but after, when i want ping the lan
>> i don't have a answer.
>>
>> On one of my server, i see the packet with tcpdump, i see
>> the reply of the server but on the ASA i have a message of
>> the firewall ...
>>
>> I have used the Wizard included into the 6.0 version.
>>
>> Thanks for your help
>> Mag
>>
>
> You need to post a santized config for us to be able to help you.

Hi,

i add this:

sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list lan_nat0_outbound; 1 elements
access-list lan_nat0_outbound line 1 extended permit ip any IPSec
255.255.255.0 (hitcnt=0) 0xf555dd22
access-list All; 1 elements
access-list All line 1 extended permit ip any IPSec 255.255.255.0
(hitcnt=0) 0x71dc000e

On Jan 5, 11:02*pm, Mag <m...@laposte.net> wrote:
> Brian V a écrit :
>
>
>
>
>
>
>
> > "Mag" <m...@laposte.net> wrote in message
> >news:49607868$0$6704$...
> >> Hi
>
> >> i have a small problems with my new asa 5510:
>
> >> I have configured a VPN IPSEC Service and no problems
> >> at the connection but after, when i want ping the lan
> >> i don't have a answer.
>
> >> On one of my server, i see the packet with tcpdump, i see
> >> the reply of the server but on the ASA i have a message of
> >> the firewall ...
>
> >> I have used the Wizard included into the 6.0 version.
>
> >> Thanks for your help
> >> Mag
>
> > You need to post a santized config for us to be able to help you.
>
> Hi,
>
> i add this:
>
> sh access-list
>
> * access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
> * * * * * * *alert-interval 300
> access-list lan_nat0_outbound; 1 elements
> access-list lan_nat0_outbound line 1 extended permit ip any IPSec
> 255.255.255.0 (hitcnt=0) 0xf555dd22
> access-list All; 1 elements
> access-list All line 1 extended permit ip any IPSec 255.255.255.0
> (hitcnt=0) 0x71dc000e- Hide quoted text -
>
> - Show quoted text -

Are you trying to do a L2L ipsec or a remote access? You currently
have a remote access vpn setup according to your config

tunnel-group ipsecvpn type remote-access
tunnel-group ipsecvpn general-attributes
address-pool IpSec
default-group-policy ipsecvpn
tunnel-group ipsecvpn ipsec-attributes
pre-shared-key *

Before I tell you anything I just want to be sure.

here is the link from Cisco on how to do it via command line. I am
personally not a fan of the gui for anything other than watching logs
and cpu load.
http://www.cisco.com/en/US/docs/secu.../site2sit.html

Techno_Guy a écrit :
> On Jan 5, 11:02 pm, Mag <m...@laposte.net> wrote:
>> Brian V a écrit :
>>
>>
>>
>>
>>
>>
>>
>>> "Mag" <m...@laposte.net> wrote in message
>>> news:49607868$0$6704$...
>>>> Hi
>>>> i have a small problems with my new asa 5510:
>>>> I have configured a VPN IPSEC Service and no problems
>>>> at the connection but after, when i want ping the lan
>>>> i don't have a answer.
>>>> On one of my server, i see the packet with tcpdump, i see
>>>> the reply of the server but on the ASA i have a message of
>>>> the firewall ...
>>>> I have used the Wizard included into the 6.0 version.
>>>> Thanks for your help
>>>> Mag
>>> You need to post a santized config for us to be able to help you.
>> Hi,
>>
>> i add this:
>>
>> sh access-list
>>
>> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
>> alert-interval 300
>> access-list lan_nat0_outbound; 1 elements
>> access-list lan_nat0_outbound line 1 extended permit ip any IPSec
>> 255.255.255.0 (hitcnt=0) 0xf555dd22
>> access-list All; 1 elements
>> access-list All line 1 extended permit ip any IPSec 255.255.255.0
>> (hitcnt=0) 0x71dc000e- Hide quoted text -
>>
>> - Show quoted text -
>
> Are you trying to do a L2L ipsec or a remote access? You currently
> have a remote access vpn setup according to your config
>
> tunnel-group ipsecvpn type remote-access
> tunnel-group ipsecvpn general-attributes
> address-pool IpSec
> default-group-policy ipsecvpn
> tunnel-group ipsecvpn ipsec-attributes
> pre-shared-key *
>
> Before I tell you anything I just want to be sure.
>
> here is the link from Cisco on how to do it via command line. I am
> personally not a fan of the gui for anything other than watching logs
> and cpu load.
> http://www.cisco.com/en/US/docs/secu.../site2sit.html

Hi

Thanks for your answer, it's Remote Access IPSEC with the Cisco IPSEC
Client.

i read your link
mag

Mag a écrit :
> Hi
>
> i have a small problems with my new asa 5510:
>
> I have configured a VPN IPSEC Service and no problems
> at the connection but after, when i want ping the lan
> i don't have a answer.
>
> On one of my server, i see the packet with tcpdump, i see
> the reply of the server but on the ASA i have a message of
> the firewall ...
>
> I have used the Wizard included into the 6.0 version.
>
> Thanks for your help
> Mag
>



Snifff anyone can help me ?

Mag

Mag a écrit :
> Hi
>
> i have a small problems with my new asa 5510:
>
> I have configured a VPN IPSEC Service and no problems
> at the connection but after, when i want ping the lan
> i don't have a answer.
>
> On one of my server, i see the packet with tcpdump, i see
> the reply of the server but on the ASA i have a message of
> the firewall ...
>
> I have used the Wizard included into the 6.0 version.
>
> Thanks for your help
> Mag
>




arg ... no answer !!! very thanks for your help :=<