ACS 3.0 Windows, VPN, remote access and external databases
I'm trying to implement a VPN solution, and most are very good.
We have a VPN concentrator, which authenticates with CSACS and who, in turn, back off the coast of authentication with a Windows domain. Unknown user policy allows new users themselves create dynamically.
The VPN uses the Cisco VPN client. The hub is visible on the internet, and the bit works fine.
Bit difficult, but we are also trying to set up the access line by using a phone company for users who do not have their own internet access.
I have problems which to authenticate to the Windows domain.
If I manually create a user and add a chap password, this user can authenticate OK. If I manually add a password of chap user can authenticate.
If the user does not exist I get "user CS unknown', if I did not add a password manually, but the user is I get"Invalid password CS CHAP", so it seems that the problem is is interrupting this authentication against the field, but I don't see why.
The telephone company radius server in my network as a aaa client configuration and is almost the same configured as VPN concentrators (the difference is the Conc VPN is configured as 'RADIUS (Cisco VPN 3000)' and as 'RADIUS (IETF)' radius server)
Any thoughts?
You cannot use CHAP to authenticate a domain Windows, the way THAT CHAP requires the password must be stored is incompatible with the Windows passwords. You need to configure each connection Dial-Up Networking to dial-up users to use MSCHAP or PAP.
Tags: Cisco Security
Similar Questions
-
IP overlapping between VPN remote access and within the interface
Hi all
I tried to replace an ASA and configured vpn for remote access using cisco VPN client.
Remote access users are not able to access within the network, but have no problem accessing the network through a VPN site-to site.
One thing to note is that remote access VPN users are assigned an ip address of 10.X.3.1 - 10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0.
Remote access users will have no problem to access within the network if the pool of the vpn client is changed to 192.168.1.1 to 192.168.1.100.
ASA errors
6 January 7, 2012 16:25:08 302013 10.X.3.1 27724 3389 10.X.1.66 built of TCP connections incoming 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) at inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)
6 January 7, 2012 16:25:08 106015 10.X.1.66 3389 10.X.3.1 27724 Deny TCP 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on dmz interface (no link)
I understand that the overlap between access ip address range remote vpn network interface network and inside will cause routing problems, but why the syn - ack makes its appearance in the DMZ interface? The interface of the DMZ is on ip address 172.16.Y.1 255.255.255.0.
I intend to reduce the interface 10.X.0.0 255.255.254.0 inside if it is in fact a routing problem due to the IP address that overlap, but I understand why the syn - ack comes from the dmz interface and the diagnosis of the problem is correct. I check with the customer and was informed that the existing design works on an another ASA with no such problems.
I agree what you said and also tried, but it does not work.
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap
Solution, that you already know
Solution
Always ensure that the IP addresses in the pool should be assigned to VPN, network clients internal head unit and the internal network to the VPN Client must be in different networks. You can assign the same major network with different subnets, but sometimes the routing problems.
Thank you
Ajay
-
VPN remote access with router 2610
Guys,
A router Cisco 2610 series with IOS Version 11.3 (2) software version XA4 (fc1) will support a VPN remote access VPN Clients using standard Windows (LT2P on IPSec or PPTP) via a connection of Remote LAN-based access to wide band.
I have bought this device and need an answer fast if possible.
Thank you 1 million.
Vito
The navigation feature is the ideal tool for this:
http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp
Search by function and enter PPTP and you will see he came to 12.2 code.
Do the same for L2TP and you will see he came in 12.1 T code.
The short answer is no.
-
1841 as Concentrator VPN remote access with manual keying
Hi there and happy new year 2011 with best wishes!
I would use a router 1841 as VPN hub for up to 20 remote connections.
My remote (third party) clients have IPsec capacity supported by IKE and the Manual Keying, but I have not found information about simple configuration of Cisco VPN remote access (only on the easy VPN server).
I'd like to configure the VPN entry Server Manual (I think it's an easy way to start), no problem to do?
files:
-topology
-third party router Ethernet / 3G GUI IPsec with choice of algorithm auth
-third party router Ethernet / 3G GUI IPsec with choice of encryption algorithm
I feel so much better that someone help me!
Kind regards
Amaury
As the remote end is third-party routers, the only option you have will be LAN-to-LAN IPSec VPN. You can not run VPN easy because that is only supported on Cisco devices.
If your remote end has a static external ip address that ends the VPN, you can configure card crypto static LAN-to-LAN on the 1841 router, however, if your remote end has dynamic external ip address, you must configure card crypto dynamic LAN-to-LAN on the 1841 router. All remote LAN subnets must be unique.
-
Create different group with VPN remote access
Hello world
The last time, I ve put in place a VPN for remote access to my network with ASA 5510
I ve access to all my internal LAn helped with my VPN
But I want to set up a vpn group in the CLI for a different group of the user who accesses the different server or a different network on my local network.
Example: computer group - access to 10.70.5.X network
Group consultant network - access to 10.70.10.X
I need to know how I can do this, and if you can give me some example script to complete this
Here is my configuration:
ASA Version 8.0 (2)
!
ASA-Vidrul host name
vidrul domain name - ao.com
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.X
!
interface Ethernet0/1
nameif inside
security-level 100
address IP X.X.X.X 255.255.255.X
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Description Port_Device_Management
nameif management
security-level 99
address IP X.X.X.X 255.255.255.X
management only
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
DNS server-group DefaultDNS
vidrul domain name - ao.com
access-list 100 scope ip allow a whole
access-list extended 100 permit icmp any any echo
access-list extended 100 permit icmp any any echo response
vpn-vidrul_splitTunnelAcl permit 10.70.1.0 access list standard 255.255.255.0
vpn-vidrul_splitTunnelAcl permit 10.70.99.0 access list standard 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 10.70.255.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
MTU 1500 management
IP local pool clientvpngroup 10.70.255.100 - 10.70.255.200 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 602.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 10.70.0.0 255.255.0.0
Access-group 100 in the interface inside
Access-group 100 interface insideTimeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Protocol RADIUS AAA-server 10.70.99.10
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
LOCAL AAA authorization command
Enable http server
http 192.168.1.2 255.255.255.255 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
outside access management
dhcpd manage 192.168.1.2 - 192.168.1.5
dhcpd enable management
!
a basic threat threat detection
Statistics-list of access threat detection
!
class-map inspection_default
match default-inspection-traffic
block-url-class of the class-map
class-map imblock
match any
class-map P2P
game port tcp eq www
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Policy-map IM_P2P
class imblock
class P2P
!
global service-policy global_policy
vpn-vidrul group policy internal
vpn-vidrul group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
value by default-field vidrul - ao.com
test 274Y4GRAbNElaCoV of encrypted password privilege 0 username
username admin privilege 15 encrypted password bTpUzgLxalekyhxQ
attributes of user admin name
Strategy-Group-VPN-vpn-vidrul
username, password suporte zjQEaX/fm0NjEp4k encrypted privilege 15
type tunnel-group vidrul-vpn remote access
vpn-vidrul general-attributes tunnel-group
address clientvpngroup pool
Group Policy - by default-vpn-vidrul
IPSec-vpn-vidrul tunnel group attributes
pre-shared-key *.
context of prompt hostname
Cryptochecksum:d84e64c87cc5b263c84567e22400591c
: endWhat you need to configure is to imitate the configuration on the tunnel-group and group strategy and to configure access to specific network you need.
Currently, you have configured the following:
vpn-vidrul group policy internal
vpn-vidrul group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
value by default-field vidrul - ao.comtype tunnel-group vidrul-vpn remote access
vpn-vidrul general-attributes tunnel-group
address clientvpngroup pool
Group Policy - by default-vpn-vidrul
IPSec-vpn-vidrul tunnel group attributes
pre-shared-key *.What you need is to create new group policy and the new tunnel-group and configure the tunnel split ACL to allow access to specific access required.
The user must then connect with the new group name and the new pre-shared key (password).
Hope that helps.
-
Site to Site and together on ASA 5505 VPN remote access
Hello
I tried to set up a VPN Site again on an ASA5505 where there already is a VPN remote on it.
After you add the new configuration lines, I received the following message when I debug:
04 Nov 07:06:06 [IKEv1]: group =
, IP = , error QM WSF (P2 struct & 0xd91a4d10, mess id 0xeac05ec0). 04 Nov 07:04:36 [IKEv1]: group =
, IP = , peer of drop table Correlator has failed, no match! Someone knows what's the problem? And what to change in the config?
Thanks in advance,
Ruben
Hello
If the ASA had a remote access VPN and you add a new Site-to-Site you must make sure that the priority for the card encryption is weaker for the new Site-to - added Site.This is because otherwise traffic will always try to match the access tunnel at distance. You can check it with the command "sh run card cry"
Federico.
-
How to configure VPN remote access to use a specific Interface and the road
I add a second external connection to an existing system on a 5510 ASA ASA V8.2 with 6.4 AMPS
I added the new WAN using another interface (newwan).
The intention is to bring more internet traffic on the new road/interface (newwan), but keep our existing VPN using the old interface (outside).
I used the ASDM GUI to make changes and most of it works.
That is to say. The default route goes via (newwan)
Coming out of a VPN using a site to character the way previous (out) as they now have static routes to achieve this.
The only problem is that remote incomming VPN access Anyconnect do not work.
I put the default static route to use the new interface (newwan) and the default tunnel road be (outside), but that's the point is will not...
I can either ping external IP address from an external location.
It seems that the external interface doesn't send traffic to the - external interface (or at least that's where I think the problem lies). How can I force responses to remote VPN entering IPS unknown traffic to go back on the external interface?
The only change I have to do to make it work again on the external interface is to make the default static route to use external interface. Calling all internet traffic to the (external connection) original
Pointers appreciated.
William
William,
As it is right now that you will not use the same interface you have road to terminate remote access unless you know their IP addresses by default.
In one of the designs that I saw that we did something like that.
(ISP cloud) - edge router - ASA.
The edge router, you can make PAT within the interface for incoming traffic on port udp/500 and UDP/4500 (you may need to add exceptions to your L2L static) of the router. It's dirty, I would not say, it is recommended, but apparently it worked.
On routers, this kind of situation is easily solved using VRF-lite with crypto.
M.
-
Hello! I make a VPN with two clients, using the ASA5520 United Nations. Now I have to do what the customer has internet and the other does not. I can do using ACL? How?
The configuration is:
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 172.16.31.252 255.255.255.248
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.16.1.237 255.255.255.240
Access extensive list ip 172.16.1.224 ACLnonat allow 255.255.255.240 host 172.16.1.230
Standard access list Split_tunnel allow 172.16.1.224 255.255.255.240
IP local pool testpool 172.16.1.230 - 172.16.1.232 mask 255.255.255.240
NAT (inside) 0-list of access ACLnonat
Route outside 0.0.0.0 0.0.0.0 172.16.31.254 1
Crypto ipsec transform-set esp-3des esp-md5-hmac hw_trans
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map dyn_map 1 transform-set hw_trans
Crypto dynamic-map dyn_map 1 the value reverse-road
stat_map 10000 card crypto ipsec-isakmp dynamic dyn_map
stat_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 3600
Crypto isakmp nat-traversal 30
internal hw_policy group policy
attributes of the strategy of group hw_policy
value of server DNS 193.205.160.3
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Split_tunnel
Split-dns value 193.205.160.3
username User1 encrypted password privilege 0 pqA3EDHB1cfLxwWn
password username User2 FIQ1c02tX8lU1wHJ encrypted privilege 0
attributes of user User2 name
VPN-framed-ip-address 172.16.1.233 255.255.255.240
allow password-storage
type tunnel-group hwclients remote access
tunnel-group hwclients General-attributes
address testpool pool
Group Policy - by default-hw_policy
hwclients group of tunnel ipsec-attributes
pre-shared key *.
ISAKMP retry threshold 30 keepalive 5
Thanks in advance.
Hello Jose,.
I see that you use LOCAL authentication, what you can do is, you can create another political group and link this political group for the user name, example:
attributes of group PALLET policy
Split-tunnel-policy tunnelall
name of User1 user attributes
RANGE of VPN-group-policy
The other username will use hw_policy, since it is the default value for the tunnel-group hwclients.
HTH
AMatahen
-
Hi all
I read the http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html and following the steps to create a remote access VPN. At the end of this post is delivered to the FW config.
I test the connection on a Cisco VPN Client for Windows Remote with plans on the migration of the profile to my Linux laptop. What I see is an error message when you run 'debug cryptop isa 129' of
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntryWhat seems strange to me, is that I have a group policy and a configured connection IPSec 'RemoteHome' profile, but it is not referenced in the debug output. I searched through my config for DefaultRAGroup, but nothing helped. However I found it in the ASDM under IPSec connection profiles.
I configured the FW to use LOCAL authentication and have configured the VPN Client with the right user name and password.
So, basically, I'm at a loss on how to correct my mistake. Any help much appreciated.
After the config FW is the power output of debug crypto isa 129.
See you soon,.
Conor
RemoteHome_splitTunnelAcl list standard access allowed host 10.2.2.2
RemoteHome_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.0.0
RemoteHome_splitTunnelAcl standard access list allow 10.3.3.0 255.255.255.0
RemoteHome_splitTunnelAcl list standard access allowed 192.168.2.0 255.255.255.0
access-list 1 permit line INSIDE_nat0_outbound extended ip host 10.2.2.2 192.168.2.64 255.255.255.192
allowed to Access - list INSIDE_nat0_outbound line 2 extended ip 172.16.0.0 255.255.0.0 192.168.2.64 255.255.255.192
permit for access list 3 INSIDE_nat0_outbound line scope ip 10.3.3.0 255.255.255.0 192.168.2.64 255.255.255.192
allowed to Access - list INSIDE_nat0_outbound line 4 extended ip 192.168.2.0 255.255.255.0 192.168.2.64 255.255.255.192
local pool VPN_REMOTE_POOL 192.168.2.90 - 192.168.2.99 255.255.255.0 IP mask
internal RemoteHome group strategy
Group Policy attributes RemoteHome
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list RemoteHome_splitTunnelAcl
value of DNS server *.
cunningtek.com value by default-field
tunnel-group RemoteHome type remote access
attributes global-tunnel-group RemoteHome
Group Policy - by default-RemoteHome
address VPN_REMOTE_POOL pool
IPSec-attributes tunnel-group RemoteHome
pre-shared key *.
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
NAT (INSIDE) 0 access-list INSIDE_nat0_outbound tcp udp 0 0 0Firewall # Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) the SELLER (13) + the SELLER (13) + SOLD
OR (13) of the SELLER (13) + the SELLER (13) + (0) NONE total length: 849
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, SA payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ISA_KE
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, nonce payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing ID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received xauth V6 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, DPD received VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received Fragmentation VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, received NAT-Traversal worm 02 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, payload processing VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, the customer has received Cisco Unity VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, message received ISAKMP Aggressive Mode 1 with the name of Group of unknown tunnel "conor".
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA payload processing
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA proposal # 1, transform # 5 entry overall IKE acceptable matches # 1
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build the payloads of ISAKMP security
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, building nonce payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Generating keys for answering machine...
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of payload ID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of hash
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, calculation of hash for ISAKMP
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads of Cisco Unity VID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing payload V6 VID xauth
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing the payload of the NAT-Traversal VID ver 02
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT-discovery payload construction
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, NAT discovery hash calculation
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, construction of Fragmentation VID + load useful functionality
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, build payloads VID
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR (4) SA (1) + KE + NUNCIO (10) + ID (5) + HASH (8) the SELLER (13) + the SELLER (13) + SOLD
OR (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + (0) NONE total length: 424
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, case of mistaken IKE AM Responder WSF (struct & 0xd8d3bed8), : AM_DONE, EV_ERROR--> AM_SND_MSG2, EV_
SND_MSG--> AM_SND_MSG2, EV_START_TMR--> AM_BLD_MSG2, EV_BLD_MSG2_TRL--> AM_BLD_MSG2, EV_SKEYID_OK--> AM_BLD_MSG2, NullEvent--> AM_BLD_MSG2, EV_GEN_SKEYID--> AM_BLD_MSG2, EV_BLD_MSG2_HDR
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA AM:7ff48db9 ending: 0x0104c001, refcnt flags 0, tuncnt 0
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, sending clear/delete with the message of reason
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer to peer table does not, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, error: cannot delete PeerTblEntryI think this is the beginning of your question.
Message received ISAKMP aggressive Mode 1 with the name of the unknown group tunnel "conor".
In the vpn client, you must enter the name of the group, RemoteHome and pre shared key, NOT your username. You will be asked your username after login.
As the name conor group does not exist, it is failing in the DefaultRAGroup
-
Problem with ASA 5505 VPN remote access
After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?
Here is the cfg running of the ASA
----------------------------------------------------------------------------------------
: Saved
:
ASA Version 8.4 (1)
!
hostname NCHCO
enable encrypted password xxxxxxxxxxxxxxx
xxxxxxxxxxx encrypted passwd
names of
description of NCHCO name 192.168.2.0 City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address **. ***. 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa841 - k8.bin
passive FTP mode
network of the NCHCO object
Subnet 192.168.2.0 255.255.255.0
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
network object obj - 192.168.2.64
subnet 192.168.2.64 255.255.255.224
network object obj - 0.0.0.0
subnet 0.0.0.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
the Web server object network
the FINX object network
Home 192.168.2.11
rdp service object
source between 1-65535 destination eq 3389 tcp service
Rdp description
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0
inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224
permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224
outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
LAN_Access list standard access allowed 192.168.2.0 255.255.255.0
LAN_Access list standard access allowed 0.0.0.0 255.255.255.0
NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0
AnyConnect_Client_Local_Print deny ip extended access list a whole
AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137
AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns
outside_access_in list extended access permit tcp any object FINX eq 3389
outside_access_in_1 list extended access allowed object rdp any object FINX
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 649.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0
NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64
NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
the FINX object network
NAT (inside, outside) interface static service tcp 3389 3389
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl outside_nat0_outbound
WebVPN
SVC request to enable default svc
Enable http server
http 192.168.1.0 255.255.255.0 inside
http *. **. ***. 255.255.255.255 outside
http *. **. ***. 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform
IKEv1 crypto ipsec transform-set l2tp-transformation mode transit
Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs Group1
crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1
dynamic-map encryption dyn-map 10 value reverse-road
Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1
Crypto-map dynamic outside_dyn_map 20 the value reverse-road
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 74.219.208.50
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto vpn-map 1 match address outside_1_cryptomap_1
card crypto vpn-card 1 set pfs Group1
set vpn-card crypto map peer 1 74.219.208.50
card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map
dynamic vpn-map 10 dyn-map ipsec isakmp crypto map
crypto isakmp identity address
Crypto ikev1 allow inside
Crypto ikev1 allow outside
IKEv1 crypto ipsec-over-tcp port 10000
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 15
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 35
preshared authentication
3des encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.0 255.255.255.0 inside
Telnet NCHCO 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH NCHCO 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 192.168.2.150 - 192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
lease interface 64000 dhcpd inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1
nchco.local value by default-field
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client
allow password-storage
enable IPSec-udp
enable dhcp Intercept 255.255.255.0
the address value VPN_Pool pools
internal NCHCO group policy
NCHCO group policy attributes
value of 192.168.2.1 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1
value by default-field NCHCO.local
admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username
username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg
username NCHvpn99 password dhn. JzttvRmMbHsP encrypted
attributes global-tunnel-group DefaultRAGroup
address (inside) VPN_Pool pool
address pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
authorization-server-group (inside) LOCAL
authorization-server-group (outside LOCAL)
Group Policy - by default-DefaultRAGroup
band-Kingdom
band-band
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
tunnel-group 74.219.208.50 type ipsec-l2l
IPSec-attributes tunnel-group 74.219.208.50
IKEv1 pre-shared-key *.
type tunnel-group NCHCO remote access
attributes global-tunnel-group NCHCO
address pool VPN_Pool
Group Policy - by default-NCHCO
IPSec-attributes tunnel-group NCHCO
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
ASDM image disk0: / asdm - 649.bin
ASDM VPN_Start 255.255.255.255 inside location
ASDM VPN_End 255.255.255.255 inside location
don't allow no asdm history
---------------------------------------------------------------------------------------------------------------
And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:
---------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.1.7601 Service Pack 1
Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\
1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026
Try to find a certificate using hash Serial.
2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027
Found a certificate using hash Serial.
3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011
RELOADED successfully certificates in all certificate stores.
4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002
Start the login process
5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "*." **. ***. *** »
7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B
Try to establish a connection with *. **. ***. ***.
8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***
10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***
19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is NOT behind a NAT device
21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015
Launch application xAuth
25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012
Attributes of the authentication request is 6: 00.
26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70
39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1
41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8
42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001
43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F
SPLIT_NET #1
= 192.168.2.0 subnet
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local
46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710
47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11
49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0
52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***
53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047
This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now
57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">
59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify is set to 28800 seconds
60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***
61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059
IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)
62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025
OUTGOING ESP SPI support: 0xAAAF4C1C
63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026
Charges INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001
Launch VAInst64 for controlling IPSec virtual card
66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034
The virtual card has been activated:
IP=192.168.2.70/255.255.255.0
DNS = 192.168.2.1, 8.8.8.8
WINS = 0.0.0.0 0.0.0.0
Domain = NCHCO.local
Split = DNS names
67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038
Were saved successfully road to file changes.
69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036
The routing table has been updated for the virtual card
71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A
A secure connection established
72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001
Did not find the smart card to watch for removal
75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0x1c4cafaa in the list of keys
78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0xc5bfbe3e in the list of keys
80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F
Assigned WILL interface private addr 192.168.2.70
81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037
Configure the public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046
Define indicator tunnel set up in the registry to 1.
83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205276
85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276
88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019
Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205277
91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277
94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205278
96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278
---------------------------------------------------------------------------------------------------------------
Any help would be appreciated, thanks!
try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.
-
Cannot Ping across the VPN remote access
Hello world
I hope I posted this in the right place!
I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!
We have a firewall of 515E PIX 6.3 (4) on which I used the VPN Wizard to set up a remote access VPN the Cisco VPN client on the external interface.
When I connect to home on my laptop Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C) I seem to be able to connect to most of the network resources (IE file shares, I can RDP into servers, etc.) but I can't seem to be able to ping anything : I just request times out.
I'm sure it's something stupid I've done (or not done).
I have attached my config and would be grateful if someone could take a look and point me in the right direction.
Thanks in advance for your help,
Peter.
Hi Peter,.
You must add a line to the inside_access_in access list:
Enable
conf t
access-list inside_access_in allow icmp a whole
output
write members
Kind regards
Cathy
-
Windows disabled remote access to my wireless printer
My printer is connected wireless to the computer at home (so a 'network', I guess). But the recent problems led me to authorize remote technicians, and apparently, as collateral damage, my printer does not print now. At one time gave a convenience store, I found a statement that "Windows has denied access to distance", but I can't find out how to restore remote access. Printer is now installed, and the work and watch as the default printer, with options for "start printing immediately.
Anyone know how to force Windows to restore remote access to my computer to the printer?
Thanks in advance
Rich
Hi rich,
Follow these methods.
Method 1: Follow the steps in the article.
Resources for the resolution of the printer in Windows XP problems
http://support.Microsoft.com/kb/308028
How to troubleshoot a network home in Windows XP
http://support.Microsoft.com/kb/308007
Method 2: Uninstall and reinstall the network drivers.
How to manage devices in Windows XP
http://support.Microsoft.com/kb/283658
For reference: printer in Windows problems
-
Hello
I'd like to set up remote access VPN on an 1861 for teleworkers who use the Cisco VPN client to access head office, where the 1861.
I was hoping to use SDM or CCA to point and click my way through the installer because I'm not a security guru, but the 1861 is not supported it is still. Someone at - it a Setup to configure guide these on IOS. I don't know how to configure them on a PIX, but the config is not 'translate '.
Hi, this could be useful for you:
NOTE: regardless of a "different" platform, it applies to all ios routers.
-
Mapping strategies for VPN remote access to specific accounts
I have an ASA firewall with the Anyconnect VPN configuration on it. For this VPN policies are below:
internal SSLClientPolicy group strategy
attributes of Group Policy SSLClientPolicy
value x.x.x.x DNS server
client ssl-VPN-tunnel-Protocol
by default-field x.x.x.x
the address value SSLClientPool pools
attributes of Group Policy DfltGrpPolicy
value x.x.x.x DNS server
by default-field x.x.x.x
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
Ikev1 VPN-tunnel-Protocoltype tunnel-group SSLClientProfile remote access
attributes global-tunnel-group SSLClientProfile
Group Policy - by default-SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
enable SSLVPNClient group-aliasI want to activate tunneling split for one user, but current policy restricts it. Is there a way to create a separate policy for a user and map it to him somehow? I do not see where I'd
Hello
Yes, you can create a separate group for this user name policy, and then assign this group policy under the attribute of the user. For example:
SPLIT_ACL standard access list allow X.X.X.0 255.255.255.0
internal group USER_POLICY strategy
USER_POLICY-group policy attributes
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SPLIT_ACLusername splituser password Cisco
vpnuser username attributes
VPN-group-policy USER_POLICY -
Hi guys
I have a few questions regarding vpn and vpn traffic record remote access. Please can someone advise how I can capture traffic decrypted for client vpn for remote access on the firewall. now, firewall has any source any dest and list of service associated with Group tunnel (no interface access list) but the default one group policy. I don't know what kind of traffic comes from the remote vpn machine, and I want to capture and create more specfic acl and who associate Group via vpn tunnel filter so no all are allowed.
I also configured for load balancing vpn and I know not if I add vpn filter via Group Policy and add it to the default group that can cause interruptions of service, but since I have vpn load balancing configured shoudnt remote customer affect. Am I wrong?
concerning
F
There is no balancing load with active / standby (standby really means "only watch"!). And it's not even RA - VPN with active/active.
Maybe you are looking for
-
Not the custom control based on existing controls
For my UI I need a directional Panel control 8, somewhat like a D - Pad or a digital arcade stick, as seen on the left side here: Or this: His output would ideally be an Enum, identifying the direction in which it is proposed: 0: Center 1: left 2: ri
-
I forgot the password and the need to create a new password
Original title: need to change the password in the configuration when I start my computer, but I forgot my password? forgotten password, how can I get away with it or what?
-
Need help
-
in regards to windows 10 update
I can not able to upgrade to windows 10 after that I gave to run... Why?
-
How can I change the appearance of the right click Menu
I am running: Windows 7 Home Premium 64 Bit I was messing around in the control panel and I changed a setting that has changed the right click menu and how it comes on the screen. Now when I right click on it slide in but before she fainted at now I