7527 Views, 0 Helpful, 37 Replies

Asa5505 Site to Site Issue

xr5054yz85 (Level 1)

Hello, I have an ASA5505 that I am trying to configure as a site-to-site VPN. I can get to the internet behind the ASA and I can connect to the VPN, so it must be an issue with just the way that I am trying to connect site to site. The IP of the VPN is 1.1.1.1, my group is test and my username is test1. When I try to go to http://10.241.113.194 I cannot access the page. The IP is changed for security. Thanks for your help in advance.

Here is my config....

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name comcast.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4Wtw78CIa2UJQxhM encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 205.171.2.65
name-server 205.171.3.65
domain-name comcast.net
access-list Home_Users_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Home_Users_splitTunnelAcl_1 standard permit any
access-list Home_Users_splitTunnelAcl_2 standard permit any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 1.1.1.1
vpnclient mode client-mode
vpnclient vpngroup test password ********
vpnclient username test1 password ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132
: end

Your help in this issue is very much appreciated. Thank you!
37 Replies

Yes, you would need to remove all the crypto map configuration as it is not needed, and also the nat (inside) 0 command.

You would like to use the sample configuration provided earlier, and configure it in the same manner. Check the ASA hardware client configuration part. All the crypto configuration should not be there if you are configuring your ASA as hardware easy vpn client.

Hello Jennifer,

Your link seems to have led me to some success.


Here is my config now...

ciscoasa# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 1.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup Danny password ********
vpnclient username Dan password ********
vpnclient enable
!
class-map inspection_default
match default-inspection-traffic
!
prompt hostname context
Cryptochecksum:672d2b1d01af4dd38b2158f6d45548af
: end

Here is the show ipsec

show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 2.2.2.2 255.255.255.128
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.128/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 6F624F5D
    inbound esp sas:
      spi: 0x474B8C4E (1196133454)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28162
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6F624F5D (1868713821)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28162
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 1FE08F0B
    inbound esp sas:
      spi: 0x4129BC91 (1093254289)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28162
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x1FE08F0B (534810379)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28162
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.110.68.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.110.68.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 33CA67F4
    inbound esp sas:
      spi: 0xF8733CA2 (4168301730)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28157
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x33CA67F4 (868902900)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28157
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
      access-list _vpnc_acl permit ip host 192.168.1.111 host 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.1.111/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 06F98D7F
    inbound esp sas:
      spi: 0xC42B8C7A (3291188346)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28152
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x06F98D7F (117017983)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28152
         IV size: 8 bytes
         replay detection support: Y

  Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_ACTIVE
I seem to be able to connect to my VPN, but the issue is I cannot ping anything on the 10.241.113.0 subnet. Could you help me resolve that?

Excellent, definitely a good sign so far.

I saw that you have changed the mode from Client mode to Network Extension mode on your configuration. Can you please confirm whether it should be client mode or Network Extension mode?

For Network Extension mode, the 192.168.1.0/24 subnet needs to be unique from the headend perspective, i.e. 192.168.1.0/24 should not exist on the headend LAN or on any other remote LAN. If it does, then you would need to change it to Client mode.

The command is the following:

Either vpnclient mode client-mode or vpnclient mode network-extension-mode

(Please configure it accordingly.)

You also want to remove the following default gateway as it is not correct:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

If you decided to use Network Extension mode because 192.168.1.0/24 is unique within your topology, then on the head end you would need to make sure that you configured NAT exemption for traffic sourced from the headend LAN towards 192.168.1.0/24.

Hope that helps.

Deleted the line that you advised. I use the 10.241.113.0 subnet at headquarters, and on the sites I would like to use something different, in this case 192.168.1.0. That is why I changed to network-extension mode. Let me know if you think that I am wrong in doing so.

Unfortunately, I am limited to the web interface for the VPN 3000 and would like to see if there is a way to set this up with just that.

Is there anything else that I need to change to make this work? It still does not seem to work. Thanks for your help as always!

Based on that output, the issue is on your VPN Concentrator, not on the ASA. You might want to check the VPN Concentrator configuration.

On the VPN Concentrator, check if you have route to 192.168.1.0/24 pointing towards the public interface, not private interface.

Can you also check the SA on the VPN Concentrator for this particular vpn tunnel? I am assuming that you will see traffic decrypt counter increasing but encrypt counter will be zero? Please double check the status on the Concentrator.

I think I have fixed the routing issues on the VPN. Here is my new show ipsec sa

ciscoasa# sh ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 0E64ABB5
    inbound esp sas:
      spi: 0x38CF9DA2 (953130402)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28788
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x0E64ABB5 (241478581)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28788
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 6E0E3359
    inbound esp sas:
      spi: 0xBE2A9BF7 (3190463479)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28788
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6E0E3359 (1846424409)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28788
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110
      access-list _vpnc_acl permit ip host 192.168.1.110 host 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.1.110/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 12BC9395
    inbound esp sas:
      spi: 0xD3E78BC2 (3555167170)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28780
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x12BC9395 (314348437)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28780
         IV size: 8 bytes
         replay detection support: Y

I can see that my username has 520 bytes rx and 0 bytes tx. I still cannot ping 10.241.113.194. Is there anything else that you can advise? Thank you so much! I really appreciate all of your help!

You mentioned that you can see your username with 512 bytes rx, and I assume that you are seeing that on the VPN Concentrator. Based on that information and also the output of "show ipsec sa" on the ASA, the traffic does not seem to reach the ASA. Is there any firewall or access-list in front of the ASA or VPN Concentrator that might be blocking the IPSec tunnel? You would need to allow ESP protocol or UDP/4500.

I do not think so. It is behind a WRT600n with DD-WRT firmware. I forwarded ports 4500, 500 and 50 through 53 to the ASA at the IP of 192.168.1.109, as that is the IP that was dynamically assigned to the ASA. (But I also tried 192.168.1.199, just to make sure.) VPN passthrough is also enabled.

Yes, my username is on the concentrator, and every time that I ping 10.241.113.194 I can see the rx on my username on the concentrator increase. The tx still remains at 0.

Here is my show IPsec sas

ciscoasa# show ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 3FC451FD
    inbound esp sas:
      spi: 0x4E878CBB (1317506235)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28152
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3FC451FD (1069830653)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28152
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 17EDE630
    inbound esp sas:
      spi: 0xCF8A99CD (3481967053)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28152
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x17EDE630 (401466928)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28152
         IV size: 8 bytes
         replay detection support: Y
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
      access-list _vpnc_acl permit ip host 192.168.1.109 host 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.1.109/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 2B2AF1FA
    inbound esp sas:
      spi: 0x0790ABBD (126921661)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28144
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2B2AF1FA (724234746)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 2, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 28144
         IV size: 8 bytes
         replay detection support: Y

Here is my show run

ciscoasa# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!            
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 1.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup Danny password ********
vpnclient username Dan password ********
vpnclient enable
!
class-map inspection_default
match default-inspection-traffic
!
prompt hostname context
Cryptochecksum:bec0415f99c134868f817aed754c6c2b
: end

Thanks so much for your help Jennifer, I greatly appreciate it. Let me know if you have any other suggestions. Have a good day!

Hi Dan,

Based on the output on the ASA, i.e. "#pkts encaps: 10" and 0 pkts decaps, and the same on the VPN Concentrator, i.e. encaps are increasing but decaps are still 0, both ends are encrypting the traffic; however, neither end receives the encrypted packets, so the decaps counter remains zero, i.e. there is nothing to be decrypted because neither end received the encrypted packets.

As advised, it is definitely not a VPN end point issue (neither the ASA nor the VPN Concentrator), but the network device in between. Please check if your WRT600n is forwarding traffic out and in correctly, especially on UDP port 4500. Please make sure that the port being forwarded has UDP forwarded for port 4500. The rest of the other ports are OK, so please don't make any changes on other ports.
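The counter reading Jennifer applies here (and the UDP/4500 point she raised earlier) can be mechanised. The script below is an added example, not code from this thread or from Cisco: it parses a "show crypto ipsec sa" dump, reads the "#pkts encaps" / "#pkts decaps" pair per SA, and reports whether traffic is idle, one-way or bidirectional, adding a NAT-T reminder when the local endpoint is on port 4500. The sample dump is constructed from the addresses posted above and trimmed to the lines the script reads; the state names and the advice strings are my own. It also runs one generic sanity check the thread does not discuss: whether the ASA's outside (crypto endpoint) address falls inside the LAN the SA protects.

```python
"""Added example: classify the SAs in a Cisco ASA `show crypto ipsec sa` dump (not from the thread)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: addresses as posted in the thread, only the lines this script reads are kept.
SAMPLE_OUTPUT = """\
interface: outside

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109

      access-list _vpnc_acl permit ip host 192.168.1.109 host 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.1.109/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): "
                      r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ENDPT_RE = re.compile(r"local crypto endpt\.: (\S+)/(\d+), remote crypto endpt\.: (\S+)/(\d+)")

# Verdict strings are this example's own wording, not ASA output.
ADVICE = {
    "idle": "no traffic matched this SA; source the test from an address inside the local ident",
    "one-way-tx": "we encrypt but nothing comes back; check the path for UDP/4500 or ESP and the "
                  "head end's route and NAT exemption for the local ident",
    "one-way-rx": "we decrypt but never send; the local side is not selecting traffic for this SA",
    "bidirectional": "traffic flows in both directions",
}


def parse_sas(text):
    """Split the dump at each 'Crypto map tag:' line; collect idents, counters and endpoints per SA."""
    sas = []
    for chunk in re.split(r"\n(?=[ \t]*Crypto map tag:)", text):
        if "Crypto map tag:" not in chunk:
            continue
        sa = {"encaps": 0, "decaps": 0, "local_net": None, "remote_net": None,
              "local_endpt": None, "local_port": None, "remote_endpt": None}
        for side, addr, mask in IDENT_RE.findall(chunk):
            sa[side + "_net"] = ip_network(f"{addr}/{mask}", strict=False)
        for name, value in COUNTER_RE.findall(chunk):
            sa[name] = int(value)
        m = ENDPT_RE.search(chunk)
        if m:
            sa["local_endpt"] = ip_address(m.group(1))
            sa["local_port"] = int(m.group(2))
            sa["remote_endpt"] = ip_address(m.group(3))
        sas.append(sa)
    return sas


def classify(encaps, decaps):
    """Encaps counts packets we encrypted and sent; decaps counts packets we received and decrypted."""
    if encaps == 0 and decaps == 0:
        return "idle"
    if decaps == 0:
        return "one-way-tx"
    if encaps == 0:
        return "one-way-rx"
    return "bidirectional"


def analyze(text):
    """Return one finding record per SA found in the dump."""
    report = []
    for sa in parse_sas(text):
        state = classify(sa["encaps"], sa["decaps"])
        findings = [ADVICE[state]]
        nat_t = sa["local_port"] == 4500  # a UDP/4500 endpoint means NAT traversal is in use
        if nat_t and state == "one-way-tx":
            findings.append("NAT-T in use: UDP/4500 must reach the ASA outside address in both directions")
        net, endpt = sa["local_net"], sa["local_endpt"]
        # Generic sanity check: the crypto endpoint should not sit inside the LAN the SA protects.
        overlap = bool(net is not None and endpt is not None and net.prefixlen < 32 and endpt in net)
        if overlap:
            findings.append(f"outside address {endpt} lies inside protected LAN {net}; both sides share address space")
        report.append({"local_net": str(net), "remote_net": str(sa["remote_net"]),
                       "encaps": sa["encaps"], "decaps": sa["decaps"],
                       "state": state, "nat_t": nat_t, "overlap": overlap, "findings": findings})
    return report


if __name__ == "__main__":
    for r in analyze(SAMPLE_OUTPUT):
        print(f"{r['local_net']} -> {r['remote_net']}: {r['state']} (encaps={r['encaps']}, decaps={r['decaps']})")
        for f in r["findings"]:
            print("   -", f)
```

On the constructed sample the LAN-to-10.241.113.0/24 SA comes out as one-way-tx with the NAT-T reminder, matching the reading above, while the host-to-peer SA is bidirectional. Paste a real dump into SAMPLE_OUTPUT, or read it from a file, to apply the same reading to your own ASA.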

Jennifer,

Thanks for all of your help. I was just checking to see if port 4500 was open and it is on my router, but I tried using an online port scanner to see if UDP 4500 is open, and it seems to be closed. I am going to try at a different location tomorrow.

Thanks for your help Jennifer, I really appreciate your help! Have a good night!

So I tried it at my business connection and it did the same thing. Still able to connect, the vpn light still illuminates, but still not able to ping 10.241.113.194. I can, however still connect with the vpnclient software, and still can ping 10.241.113.194 when connected with the client software. I tried forwarding port 4500 and that did not change the result. Is there a way that I could verify that port 4500 is open?

This was in the show ipsec sa. Could this have something to do with our issue?

dynamic allocated peer ip: 0.0.0.0

ciscoasa# ping 10.241.113.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Thanks for your help Jennifer, I really appreciate it, hopefully we can get this resolved. Let me know as always if you can help me in any other way, or know of someone else that you could ping to help me with this. Thanks so much!
Dan

Great, thanks for posting the ping from ASA.

You would need to ping from the inside interface on the ASA as follows:

ciscoasa# ping inside 10.241.113.194

You can't just perform: "ping 10.241.113.194" because it's sourcing the ping from the outside interface of the ASA which is not part of crypto ACL.

Hello Jennifer,

Thanks for your reply. Unfortunately that did not work for me.

ciscoasa# ping inside 10.241.113.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#

I found it odd that when I ping 10.241.113.194 the "#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4" increases, but when I go ping inside 10.241.113.194 those numbers remain the same.

I also tried to ping the concentrators internal ip with the same result.

I am adding these just in case they are of any help.

ciscoasa# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_ACTIVE

ciscoasa# show ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 2E4E764C

    inbound esp sas:
      spi: 0xCFC253FE (3485619198)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 27728
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2E4E764C (776894028)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 27728
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 75352F6A

    inbound esp sas:
      spi: 0x9F57847E (2673312894)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 27786
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x75352F6A (1966419818)
         transform: esp-3des esp-md5-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 27786
         IV size: 8 bytes
         replay detection support: Y

ciscoasa# show vpnclient
LOCAL CONFIGURATION
vpnclient server 1.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup Danny password ********
vpnclient username Dan password ********
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server                     : 1.1.1.1
Primary DNS                        : 8.8.8.8
Secondary DNS                      : 4.2.2.2
PFS Enabled                        : No
Secure Unit Authentication Enabled : No
User Authentication Enabled        : No
Split Tunnel Networks              : 10.241.113.0/255.255.255.0 192.0.0.0/255.0.0.0
Backup Servers                     : None

ciscoasa# show interface
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 001e.be9e.592a, MTU 1500
        IP address 192.168.1.199, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        17646 packets input, 2877146 bytes
        24 packets output, 2112 bytes
        13850 packets dropped
      1 minute input rate 1 pkts/sec,  134 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  217 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 001e.be9e.592a, MTU 1500
        IP address 192.168.1.103, subnet mask 255.255.0.0
  Traffic Statistics for "outside":
        17996 packets input, 2906644 bytes
        1905 packets output, 88273 bytes
        16729 packets dropped
      1 minute input rate 1 pkts/sec,  136 bytes/sec
      1 minute output rate 0 pkts/sec,  18 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  219 bytes/sec
      5 minute output rate 0 pkts/sec,  9 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001e.be9e.5922, MTU not set
        IP address unassigned
        18020 packets input, 3233635 bytes, 0 no buffer
        Received 1672 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        9 switch ingress policy drops
        1905 packets output, 151219 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 001e.be9e.5923, MTU not set
        IP address unassigned
        17661 packets input, 3196956 bytes, 0 no buffer
        Received 1674 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 switch ingress policy drops
        24 packets output, 2616 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

Do you know what I could do to fix this issue? Thanks for your help!
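An added example, not from this thread and not Cisco code: a small Python triage helper that parses the "show ipsec sa" counters posted above and classifies each SA the way a troubleshooter reads them. The sample text is a constructed, shortened excerpt of the output in the thread; the pattern it flags (encaps climbing while decaps stays at 0) is the one Dan reports for the 10.241.113.0/24 SA.

```python
import re

# Constructed excerpt modelled on the "show ipsec sa" output posted in this thread.
SAMPLE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103
      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ENDPT_RE = re.compile(r"remote crypto endpt\.: ([\d.]+)/(\d+)")


def parse_ipsec_sa(text):
    """Split 'show ipsec sa' output into one dict per 'Crypto map tag' block."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            sas.append({"encaps": 0, "decaps": 0})
            continue
        if not sas:
            continue  # header lines before the first crypto map entry
        cur = sas[-1]
        if m := IDENT_RE.search(line):
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"   # proxy identities
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))                  # packets we sent into the tunnel
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))                  # packets received from the peer
        elif m := ENDPT_RE.search(line):
            cur["peer"], cur["nat_t"] = m.group(1), m.group(2) == "4500"  # 4500 => NAT-T in use
    return sas


def classify(sa):
    """Triage verdict from the encaps/decaps counters of one SA."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"       # nothing matched this SA's crypto ACL (e.g. ping sourced from wrong interface)
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way"    # we encrypt and send, nothing comes back: check remote routing / UDP 4500 return path
    return "bidirectional"
```

Run it over a pasted "show ipsec sa" and look only at SAs classified "one-way": those are the ones to raise with the far-end admin (does 10.241.113.0/24 have a route back to 192.168.1.0/24, and is the UDP 4500 return path open).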

xr5054yz85
Level 1

Anyone able to help me finish solving my issue? I would greatly appreciate the help, and already greatly appreciate all the help that I have gotten! Thank you so much, this community is awesome.

xr5054yz85
Level 1

Anyone able to help me solve this?

Thanks for your help, I appreciate it.