ASA 5505 Anyconnect traversal nat error
Good afternoon gents,
I installed an ASA 5505 and can connect with anyconnect, but when I do, I can't access my LAN, then my LAN can access my laptop. In the newspapers, I see the following error message:
Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside;10.139.50.1/64506 dst inside 10.201.180.5/53 refused because of the failure of path opposite of that of NAT.
I can't seem to figure this point and nothing I read to try worked. Here's the relevant config, any help would be GREATLY appreciated.
interface Vlan1
nameif inside
security-level 100
IP 10.201.180.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 67.200.133.107 255.255.255.248
!
access extensive list ip 10.139.50.0 inside_nat0_outbound allow 255.255.255.0 10.201.180.0 255.255.255.0
access extensive list ip 10.201.180.0 inside_nat0_outbound allow 255.255.255.0 10.139.50.0 255.255.255.0
mask 10.139.50.1 - 10.139.50.50 255.255.255.0 IP local pool SSLClientPool
Global 1 interface (outside)
NAT (inside) 0 inside_nat0_outbound list of outdoor access
NAT (inside) 1 0.0.0.0 0.0.0.0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
Try the nat statement 0 without the keyword on the outside.
NAT (inside) 0-list of access inside_nat0_outbound
In addition,
sh run sysopt and stick out.
Manish
Tags: Cisco Security
Similar Questions
-
Issue of Cisco ASA 5505 Anyconnect Client NAT'ing
Hello
We have a split_tunnel RA Vpn configuration in a branch that works very well in all areas except the destinged of traffic for a specific website using https. This provider does not allow HTTPS connections to bring some outside IP addresses.
Essentially, this should work like this:
RAVPN_client (10.4.4.0/27)--> https request to the (208.x.x.x) vendor_ip---> ASA55XX--> NAT_to_outside_ip--> to the vendor_ip (208.x.x.x) https request
I need to understand how you would approach from ONLY this https traffic specific to the RA VPN without having to change the installer otherwise.
Internal hosts (aka behind the ASA physically) have not any question at this site, as would his nat ip address outside that we expect.
Here is what we use for the NAT Exemption it list 10.2.2.x, 192.168.100.x, and 172.23.2.x are other remote sites we have. The 10.4.4.0/27 RA VPN users don't have no problems connecting to them, regardless of the Protocol:
Note to inside_nat0_outbound access-list of things that should not be Nat would
access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 10.2.2.0 255.255.255.0
access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.100.0 255.255.255.0
access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 172.23.2.0 255.255.255.0
access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 10.4.4.0 255.255.255.224
access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 192.168.100.0 255.255.255.0
access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 10.2.2.0 255.255.255.0
access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 172.23.2.0 255.255.255.192
Here is the list of interesting traffic that we push to the customers through the tunnel of the VPN connection.
VPN_splitunnel to access extended list ip 192.168.100.0 allow 255.255.255.0 any
VPN_splitunnel of access list scope 10.2.2.0 ip allow 255.255.255.0 any
Access extensive list ip 10.12.1.0 VPN_splitunnel allow 255.255.255.0 any
Access extensive list ip 172.23.2.0 VPN_splitunnel allow 255.255.255.192 all
Access extensive list ip 10.4.4.0 VPN_splitunnel allow 255.255.255.224 all
VPN_splitunnel list extended access permit ip host 208.x.x.x any newspaper<- this="" is="" the="" vendors="" external="" ip="" address="" (obfuscated="" for="" security="" but="" you="" get="" the="">->
Here's the rest of the nat configuration:
NAT-control
Overall 101 (external) interface
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0
Configuring VPN RA:
IP mask 255.255.255.224 local pool VPNPool 10.4.4.5 - 10.4.4.30
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1 image
SVC disk0:/anyconnect-macosx-i386-2.5.2001-k9.pkg.zip 2 image
enable SVC
tunnel-group-list activate
internal RAVPN group policy
RAVPN group policy attributes
value no unauthorized access to banner
value of banner that all connections and controls are saved
banner of value this system is the property of MYCOMPANY
banner value disconnect IMMEDIATELY if you are not an authorized user.
value of server WINS 10.12.1.11 10.2.2.11
value of 10.12.1.11 DNS server 10.2.2.11
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_splitunnel
type tunnel-group RAVPN remote access
attributes global-tunnel-group RAVPN
address pool VPNPool
authentication-server-group NHCGRPAD
Group Policy - by default-RAVPN
tunnel-group RAVPN webvpn-attributes
enable RAVPN group-alias
Can someone ' a Please direct me as to what I'm doing wrong? I was assuming that since I don't have Ip 208.x.x.x address in the list of inside_nat0_outbound that it would be NAT had, but appears not to be the case (out of packet - trace below)
Packet-trace entry outside tcp 10.4.4.6 34567 208.x.x.x detailed https
*****************************************************************************
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 outdoors
Phase: 2
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group outside_access_in in interface outside
outside_access_in list extended access permitted ip VPN_ips 255.255.255.224 host 208.x.x.x Journal
Additional information:
Direct flow from returns search rule:
ID = 0xd7bd3b20, priority = 12, area = allowed, deny = false
Hits = 2, user_data is 0xd613bf80, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = VPN_ips, mask is 255.255.255.224, port = 0
IP = 208.x.x.x DST, mask = 255.255.255.255, port = 0, dscp = 0 x 0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd7df8fa0, priority = 0, sector = inspect-ip-options, deny = true
hits = 2256686, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd87c8fc8, priority = 12, area = ipsec-tunnel-flow, deny = true
hits = 550, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd7dfbd28, priority = 0, domain = host-limit, deny = false
hits = 1194, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xd7df8fa0, priority = 0, sector = inspect-ip-options, deny = true
hits = 2256688, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0
Phase: 7
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 2380213 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: outdoors
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
*****************************************************************************
Thank you
Jason
You are on the right track with you divided the tunnel configuration. You need to add is the pool of Client VPN to be coordinated to your external ip address, IE: same as your local users of the ASA when he tries to access the intellectual property of the provider (208.x.x.x), allowing more traffic in and out of the same interface for traffic of U-turn.
Here's what you need to set up:
permit same-security-traffic intra-interface
nat-to-vendor ip 10.4.4.0 access list permit 255.255.255.224 host 208.x.x.x
NAT (outside) 101-list of nat-to-vendor access
The foregoing will allow VPN pool to be coordinated to your ASA outside the ip address of the interface when accessing the seller (208.x.x.x).
1 small correction to your ACL split tunnel:
-The following line is incorrect and should be deleted in the tunnel of split ACL:
Access extensive list ip 10.4.4.0 VPN_splitunnel allow 255.255.255.224 all
(As 10.4.4.0/27 is your pool of Client VPN, you do not add these subnet to your list of split tunnel. List of Split tunnel are only the network that you are difficult to access and sent through your VPN tunnel).
Hope that helps.
-
ASA 5505 AnyConnect 8.2 connect other subnets from site to site
Hello
I'm somehwat new Cisco and routing. I have an installation of two ASA 5505 that are configured for the site to site vpn and AnyConnect. The AnyConnect subnet can connect to inside VLANs to the SiteA but I can't for the remote to Site B subnet when you use AnyConnect. Any ideas? I have to add the subnet of 10.0.7.0/24 to the site to site policy? Do I need to set up several NAT rules? Details below.
Site A: ASA 5505 8.2
Outside: 173.X.X.X/30
Inside: 10.0.5.0/24
AnyConnect: 10.0.7.0/24
Site b: ASA 5505 8.2
Outsdie: 173.X.X.X/30
Inside: 10.0.6.0/24
The AnyConnect subnet cannot access the network of 10.0.6.0/24.
Any help would be greatly appreciated! Thank you!
Hello Kevin,
You must go back to identity (outdoors, outdoor) identity NAT (essentially for two subnets (Anyconnect and Remote_IPSec).
And of course to include traffic in the ACL for IPSec crypto and (if used) split with the Anyconnect tunnel.
Note all useful posts!
Kind regards
Jcarvaja
Follow me on http://laguiadelnetworking.com
-
Hello world
I packed 2 VLAN (VLAN, VLAN B) on ASA 5505, in addition I VLAN 1. When I'm in the VLAN 1 I have access to all devices in VLAN A and B of VLAN (ping, ssh, etc.).
also I set up a VPN using Anyconnect as described below:
http://www.TechRepublic.com/blog/smbit/quick-guide-AnyConnect-client-VPN-on-Cisco-ASA-5505/387
everything works, I can connect, the tunnel is set up, but I have access to the devices in VLAN 1
could someone help me and tell me what I did wrong?
Thank you
Robert
Hello Robert,.
Given that your post is not clear on the question, when you wrote "everything works", I'll assume you have problems to access the VLAN A and B you customer annyconnect. It could be a problem with your NAT WITHOUT rules (sheep behavior depends on your Software ASA)
Please tell us which version of the software you're would be useful as well to help you correctly using and post with your config.
Jirka
-
ASA 5505 - crypto isakmp nat-traversal is missing?
I can't understand it. I have an ASA5505 at home that I use for VPN access. Sometimes when I connect I can't ping anything. I check the config and it shows:
No encryption isakmp nat-traversal
I have configured "crypto isakmp nat-traversal" so many times before, and somehow it is still deleted. Seems to happen at random, as well as when the device is restarted. (Yes, the config has been saved). I would say that what is happening at least 2 - 3 times a week.
Any ideas? I am running the 8.0.2 version code.
This is a bug. Set the value on something other than the default value of 20. This will fix the problem.
Cryto isakmp nat-traversal 21
-
ASA 5505 AnyConnect Client issues
I have a client who is able to use ordinary VPN client, but one of the lawyers bought a new laptop with Windows 8 and must now AnyConnect. I opened the customer and you connect, but it says that it cannot open a session with the following messages:
AnyConnect was not able to establish a connection with the specified secure gateway. Please try again.
Then I click OK and I get:
The secure gateway rejected the connection attempt. A new connection attempt the same or another secure gateway is required, which requires authorization.
The following message was received from the secué Bridge: no address available for an SVC connection.
I have the config following running:
: Saved
:
ASA Version 8.2 (5)
!
ASA host name
domain.local domain name
activate 8Ry2Yjt7RRXU24 encrypted password
vCGdNOPVyz.a0N encrypted passwd
names of
name 10.10.10.10 DG-Commcast Commcast Default Gateway description
name 20.20.20.20 DG-FirstCom description first default gateway of Communications
name 10.10.10.11 ASA-outside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
Speed 100
full duplex
!
interface Ethernet0/3
switchport access vlan 22
Speed 100
full duplex
!
interface Ethernet0/4
switchport access vlan 22
!
interface Ethernet0/5
switchport access vlan 22
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP ASA-outside 255.255.255.248
!
interface Vlan12
nameif backup
security-level 0
IP 168.93.174.130 255.255.255.248
!
interface Vlan22
nameif phones
security-level 100
address 192.168.3.1 IP 255.255.255.0
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS domain-lookup outside
backup DNS domain-lookup
DNS domain-lookup phones
DNS server-group DefaultDNS
domain.local domain name
object-group service RDP tcp - udp
EQ port 3389 object
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service LogMeIn tcp
Globe description
port-object eq 2002
DM_INLINE_TCP_1 tcp service object-group
Group-object LogMeIn
port-object eq www
EQ object of the https port
outside_access_in list extended access allowed object-group TCPUDP any host 50,76
. 252.34 object group RDP
outside_access_in list extended access permit tcp any interface phones object-gr
OUP DM_INLINE_TCP_1
outside_access_in list extended access permit icmp any one
outside_access_in list extended access permit tcp any host ASA-outside eq ssh
inside_access_in of access allowed any ip an extended list
VPNClient_splitTunnelAcl list standard access allowed 192.168.0.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255
.128
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 19
2.168.10.0 255.255.255.128
VPNClient_splitTunnelAcl_1 list standard access allowed 192.168.0.0 255.255.255.0
backup_access_in list extended access permit icmp any one
pager lines 24
Enable logging
list of logging message BackupLineAlert 622001
debug logging in buffered memory
exploitation forest asdm warnings
exploitation forest mail BackupLineAlert
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of information
exploitation forest-address recipient [email protected] / * / level of information
Within 1500 MTU
Outside 1500 MTU
backup of MTU 1500
MTU 1500 phones
local pool VPNDHCP 192.168.10.50 - 192.168.10.80 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ICMP allow any backup
ICMP allow all phones
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
Global 1 interface (backup)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 0 192.168.10.0 255.255.255.128
NAT (inside) 1 192.168.0.0 255.255.255.0
NAT (inside) 0 0.0.0.0 0.0.0.0
NAT (phones) 1 0.0.0.0 0.0.0.0
public static 50.76.252.34 (Interior, exterior) 192.168.0.254 netmask 255.255.255.255
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Access-group backup_access_in in the backup of the interface
Route outside 0.0.0.0 0.0.0.0 DG - Commcast 128 Track1
Backup route 0.0.0.0 0.0.0.0 DG-FirstCom 255
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
Enable http server
http 192.168.0.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
No vpn sysopt connection permit
monitor SLA 123
type echo protocol ipIcmpEcho 8.8.8.8 outside interface
NUM-package of 3
Timeout 10000
frequency 15
Annex ALS life monitor 123 to always start-time now
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-AES-128
SHA - ESP - AES - 128 - MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5-ESP-3DES-MD5 ESP-3DES-SHA SHA-DES-ESP ESP - THE - MD5
backup_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
backup of crypto backup_map interface card
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032ebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
crypto ISAKMP allow outside
ISAKMP crypto enable backup
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
!
track 1 rtr 123 accessibility
VPN-addr-assign local reuse / time 5
Telnet 192.168.0.0 255.255.255.0 inside
Telnet 192.168.10.0 255.255.255.0 inside
Telnet timeout 20
SSH 192.168.0.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 backup
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.0.150 - 192.168.0.180 inside
dhcpd 192.168.0.254 dns 8.8.8.8 interface inside
lease interface 604800 dhcpd inside
dhcpd domain.local domain inside interface
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp intercept rate-interval 30 rate burst-400 averag
e-rate 200
NTP server 208.66.175.36 prefer external source
NTP server 173.14.55.9 source outdoors
WebVPN
allow outside
enable backup
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
SVC profiles AnyConnectProfile disk0: / anyconnectprofile.xml
enable SVC
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal VPNClient group strategy
attributes of VPNClient-group policy
value of DNS 192.168.0.254 Server 8.8.8.8
Protocol-tunnel-VPN IPSec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPNClient_splitTunnelAcl_1
domain.local value by default-field
WebVPN
profiles of SVC value AnyConnectProfile
username screams password encrypted BQd7EeZN.0hvT privilege 0
attributes of cries of username
type of service admin
tony U/UxEH5l0w5Q encrypted privilege 15 password username
nancy lAnhc/SvNNSSR password user name encrypted privilege 0
tunnel-group VPNClient type remote access
tunnel-group VPNClient-global attributes
address VPNDHCP pool
Group Policy - by default-VPNClient
tunnel-group VPNClient ipsec-attributes
pre-shared key *.
!
!
Server SMTP 192.168.0.254
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:de5e8aec62853af27945c52bf36
: end
The version of the client AnyConnect should be identical to the version that is loaded on the ASA? I use the 3.0.5080 client and the parameters of the client AnyConnect on the SAA's anconnect-win - 2.5.201 - kr.pkg
Thanks for the help!
Tony
The error message gives a clue:
No address available for SVC connection
The client cannot work without an assigned IP address. As you have assigned a pool to the tunnel group, I suppose that the customer is not to connect to the desired group, but for the default group. At least, I see nothing in the config that gives the customer the right group.
Try the following:
WebVPN
tunnel-group-list activate
tunnel-group VPNClient webvpn-attributes
enable Group VPNClient-alias
With it, you get a drop-down menu in the client to choose the right tunnel-group.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Cisco ASA and AnyConnect VPN certificate error
Hello
I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:
I don't have public certificate in ASA. Is it possible to use the self-signed certificate and get rid of this warning message?
Hello
This is expected behavior on the SAA for an SSL connection. You can certainly use the certificate self-signed on the SAA and then apply it on the external interface.
Once done, you will need to install this certificate on the clients and this will alleviate the popup error message.Here is a document that you can refer to create a self-signed certificate.
https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPNKind regards
Dinesh MoudgilPS Please note the useful messages.
-
ASA 5505 AnyConnect 8.2 - Can't access and inside services
Hello
I have configured AnyConnect to use a subnet of 10.0.7.0/24 for its DHCP pool. I can connect to the ASA very well, but I can't access internal services on my subnet 10.0.5.0/24 which is my INNER interface vlan subnet. I configure NAT for exemption rule:
allowed to Access-list inside_nat0_outbound line 2 extended 10.0.5.0 ip 255.255.255.0 Any-Connect-Pool-10-0-7-0 object-group
AnyConnect is set to ignore all the ACL rules through the sysopt permit vpn connection.
I don't know if I'm supposed to create another path to the VPN subnet or what exactly. When I ping my VPN subnet to a client on the subnet of the INTERIOR, I see ICMP traffic flowing through the FW, but I didn't get any answer. I do not split-tunnleing and I can not connect to internet either after establishing a VPN connection.
Thanks in advance for the help.
Hello
You must ensure that the following setting is enabled
permit same-security-traffic intra-interface
You should also make sure PAT configured for your Pool of VPN Dynamics
If your current dynamic PAT for internal users would
Global 1 interface (outside)
NAT (inside) 1 10.0.5.0 255.255.255.0
Then you must add
NAT (outside) 1 10.0.7.0 255.255.255.0
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
Hello
By train I got a remote access IPSec VPN, when I have all the performed configuration and try to access remote show software vpn client (cisco) the following message:
"The remote peer is no more answers.
I know where is the problem.
Network information:
ASA TO LAN - 1:
192.168.1.0 - 255.255.255.0
the interface vlan 1:
IP: 192.168.1.1 - 255.255.255.0
the interface vlan 2:
IP: 100.100.100.1 - 255.255.255.252
REMOTE LAN ACCESS:
192.168.10.0 - 255.255.255.0
ASA-1 configuration:
* IP address pool
local IP VPNPOOL 192.168.20.1 pool - 192.168.20.254
* Split tunneling
splittunnel list standard access allowed 192.168.1.0 255.255.255.0
* NAT configuration
object obj LAN
subnet 192.168.1.0 255.255.255.0
object obj-vpnpool network
subnet 192.168.20.0 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp* Group Policy
internal group company-vpn-policy policy
attributes of vpn-company-policy-group policy
VPN-idle-timeout 30Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list splittunnelConfigure the IPSec
IKEv1 crypto policy 10
3des encryption
sha hash
preshared authentication
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity addressCrypto ipsec transform-set esp-3des esp-sha-hmac RA - TS ikev1
Dynamic crypto map DYN_MAP 10 set transform-set RA - TS ikev1
card crypto VPN_MAP 30-isakmp dynamic ipsec DYN_MAP
VPN_MAP interface card crypto outsideCreate tunnels
tunnel-group vpnclient type remote access
tunnel-group vpnclient-global attributes
address VPNPOOL pool
by default-group-company-vpn-policy
tunnel-group vpnclient ipsec-attributes
IKEv1 pre-shared-key groupkey123Where is the problem?
Hello
Configuration seems almost perfect. Please share the result of the following of the ASA when you try to connect.Debug crypto isakmp 200
Debug crypto ipsec 200You can take snapshots on the external interface of the firewall to confirm if the packets are reaching the firewall or don't use do not:
capture capx off match ip hosthost interface Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Ikev1 ASA 5505 VPN connection error
Hello
I had previously defined our VPN using IPsec on our ASA 5505 via the ASDM. It was workign fine until an outtage power loses my settings on the device. (possibly a recording of order is not pressed)
Now when I try and put in place, once again I am recieveing an error to port binding. I have configured as normal using the wizard and activate split defintion and exempt the network inside.
The isssue when you apply the settings that I get is:
"[ERROR] crypto ikev 1 activate outdoors.
IkevReceiverInit, cannot bind the port. "
When I try to connect to the VPN I then get an error "the server cannot be reached" or something similar to that...
Could someone please shed some light on what can cause this problem?
Best regards, the Paris
William.
Hello
Thanks for the information!
We will need to know why this host using UDP 4500 and if this host really needs to use this port.
What type of application is running on this host?
What is a host internal or external?
You may also block the host on the SAA on the incoming interface to avoid the use of the UDP 4500 port using a group of access (outside or inside). Don't forget that you will need a ip to allow a at the end of the ACL to avoid any problems. Another option would be to use IKEv1/IPsec over TCP
IKEv1/IPsec over TCP allows a Cisco VPN client operate in an environment in which IKEv1 or standard ESP may not work or may work only with the change of the existing firewall rules. IPsec over TCP encapsulates IPsec protocols both IKEv1 in a TCP packet as and allows a tunnel secure two firewalls and NAT and PAT devices. This feature is disabled by default.
The default port is 10000.
HostName (config) # ikev1 crypto ipsec-over-tcp
You also need to activate on the VPN client under the profile.
Change > Transport > IPSec over TCP.
I hope this helps.
Luis.
-
Unable to connect to ASA 5505 with AnyConnect after upgrade to 8.2
I just bought a license of VPN AnyConnect Essentials for my ASA 5505. I had to spend to 8.2 ASA.
Now that I updated and installed the license, the AnyConnect client will connect is no longer. It gives the following error: "failed to process the response.
You can provide any help would be appreciated. I am pleased to provide you with the configuration information that might be useful if you can provide the CLI commands, you want that I run.
Looks like he doesn't like THEM too, you can change the encryption algorithm to 'not' include in your strategy:
3des-sha1-aes128-sha1 sha1 aes256 encryption SSL
In general is not very safe anyway, and the choice of encryption above will provide you with the best encryption strategy.
Hope that helps.
-
Strange behavior of NAT ASA 5505
Hello
We have an ASA 5505 version 9.1 (5) and we need to open port TCP 55055 firewall that redirect to TCP port 80 on ip QNAP Viostor 192.168.11.254
I added a network object in this way:
The Viostor object network
Home 192.168.11.54
Description QNAP_Viostor
NAT rule:
NAT (inside, outside) interface static service tcp 80 55055
Firewall rule:
access-list outside_access_in line 8 Note Viostor
allowed to Access-list outside_access_in line 9 extended tcp any Viostor eq 55055 object
When I try to connect with the application Android Vmobile I see that notify the journal of the ASA:
Request TCP and eliminated from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055
The ASA has no server UDP which serves the UDP request
I don't understand why UDP instead of TCP.
Please help me!
Thank you
Ahmed, thanks for your replies... However're missing you something important (sw ASA version). Tracer package shows THAT NAT is not affected; and on this sw version ACL does not use external_IP or mapped IP, but the real_IP instead.
s.be00001, follow these steps:
object service 55055 service tcp source eq 55055object service www service tcp source www!nat (inside,outside) 1 source static Viostor interface service www 55055!access-list outside_access_in line 9 extended permit tcp any object Viostor eq www
Run the packet - trace and send us the results:packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
-
ASA 5505 as internet gateway (must reverse NAT)
Hi all the Cisco guru
I have this diet:
Office-> Cisco 877-> Internet-> ASA 5505-> remote network
Office network: 192.168.10.0/24
Cisco 877 IP internal: 192.168.10.200
Cisco 877 external IP: a.a.a.a
ASA 5505 external IP: b.b.b.b
ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3
Remote network: 192.168.17.0/24 and 192.168.1.0/24
VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.
But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:
305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT
Ping of OLD-private interface to google result:
110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0
Result of traceroute
How can I fix reverse NAT and make ASA as internet gateway?
There is my full config
!
ASA Version 8.2 (2)
!
hostname ASA2
domain default.domain.invalid
activate the encrypted password password
encrypted passwd password
names of
!
interface Vlan1
Description INTERNET
1234.5678.0002 Mac address
nameif WAN
security-level 100
IP address b.b.b.b 255.255.248.0
OSPF cost 10
!
interface Vlan2
OLD-PRIVATE description
1234.5678.0202 Mac address
nameif OLD-private
security-level 0
IP 192.168.17.3 255.255.255.0
OSPF cost 10
!
interface Vlan6
Description MANAGEMENT
1234.5678.0206 Mac address
nameif management
security-level 0
192.168.1.3 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
Shutdown
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2.6
switchport mode trunk
!
interface Ethernet0/7
Shutdown
!
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd * W A R N I N G *.
Banner motd unauthorised access prohibited. All access is
Banner motd monitored and trespassers will be prosecuted
Banner motd to the extent of the law.
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS domain-lookup WAN
DNS server-group DefaultDNS
Server name dns.dns.dns.dns
domain default.domain.invalid
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
RDP description
EQ port 3389 object
Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
WAN_access_in list of allowed ip extended access all any debug log
WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
MANAGEMENT_access_in list of allowed ip extended access all any debug log
access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
Capin list extended access permit ip host 192.18.17.155 192.168.10.7
Capin list extended access permit ip host 192.168.10.7 192.168.17.155
LAN_access_in list of allowed ip extended access all any debug log
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
Enable logging
recording of debug trap
logging of debug asdm
Debugging trace record
Debug class auth record trap
MTU 1500 WAN
MTU 1500 OLD-private
MTU 1500 management
mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP permitted host a.a.a.a WAN
ICMP deny any WAN
ICMP permitted host 192.168.10.7 WAN
ICMP permitted host b.b.b.b WAN
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
Global (OLD-private) 1 interface
Global interface (management) 1
NAT (WAN) 1 0.0.0.0 0.0.0.0inside_nat0_outbound (WAN) NAT 0 access list
WAN_access_in access to the WAN interface group
Access-group interface private-OLD OLD-PRIVATE_access_in
Access-group MANAGEMENT_access_in in the management interface
Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
local AAA authentication attempts 10 max in case of failure
Enable http server
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Service resetoutside
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
card crypto WAN_map 1 set peer a.a.a.a
WAN_map 1 transform-set ESP-DES-SHA crypto card game
card crypto WAN_map WAN interface
ISAKMP crypto enable WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 1
life 86400
Telnet timeout 5
SSH a.a.a.a 255.255.255.255 WAN
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd auto_config management
!a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 129.6.15.28 source WAN prefer
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal admin group strategy
group admin policy attributes
DNS.DNS.DNS.DNS value of DNS server
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list LAN_IP
privilege of encrypted password password username administrator 15
type tunnel-group admin remote access
tunnel-group admin general attributes
address pool VPN_Admin_IP
strategy-group-by default admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
strategy-group-by default admin
a.a.a.a group of tunnel ipsec-attributes
pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!Thank you for your time and help
Why you use this NAT type?
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
NAT (OLD-private) 0-list of access WAN_nat0_outboundYou are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.
If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:
NAT (OLD-private) 1 0.0.0.0 0.0.0.0
Global (WAN) 1 interface
-
ASA - 5505 / good S2S / RemoteAccess with slow AnyConnect
Hi all
I use two ASA 5505 to sites. VPN between two works fine and fast that allows our ISP (~ 10MBit up/down).
At home, I have normal ADSL (~ 600kbit up / down 6 Mbit)
Downloading files from home on the internal server is fast, but when I connect through AnyConnect it is horrible slow.
Both with the same zipfile on http server:
The download speed with AnyConnect: 90 - 120 KB/s
Download without AnyConnect speed: 660 KB/s
Download the same file on the client to the other site of the Site 2 Site VPN server works quickly with 945 KB/s.
I thought that maybe it's a ServicePolicyRule with QoS, but there are only the default rule where the QoS tab is not available and only ProtocolInspections are selectable.
ASA 9.1.2
ASDM 7.1.3
AnyConnect Client 3.1.04063
Any idea or suggestion?
Well cordially
Chris
Hi Chris,
Try lowering the value of mtu anyconnect 'anyconnect mtu 1300' in the group policy, and then test the question.
You experience slowness for the internet traffic or for accessinng servers behind the ASA?
Using fractionation on SAA tunnel?
Kind regards
NGO
-
Error of customer Cisco VPN connection ASA 5505
I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.
CISCO VPN CLIENT LOG
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.1.7600
Config files directory: C:\Program Cisco Systems Client\
1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002
Start the login process
2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "71.xx.xx.253".
4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B
Attempts to establish a connection with 71.xx.xx.253.
5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253
7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253
16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055
Sent a keepalive on the IPSec Security Association
17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194
18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is behind a NAT device
19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253
23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1
26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0
27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250
28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251
29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000
30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA
31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45
33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194
35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0
37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253
38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047
This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now
42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">
44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253
45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049
IPsec security association negotiation made scrapped, MsgID = 89EE7032
46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED
47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058
Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8
49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">
50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B
IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED
51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012
ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system
52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046
Set indicator established tunnel to register to 0.
54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
----------------------------------------------------------------------------------------
ASA 5505 CONFIG
: Saved
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain masociete.com
activate tdkuTUSh53d2MT6B encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 172.26.0.252 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
IP address 71.xx.xx.253 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
domain masociete.com
access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA
Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq 4500
outside_access_in list extended access udp allowed any any eq isakmp
outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp
outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389
inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240
inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 0.0.0.0 0.0.0.0
static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255
static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
Enable http server
http 172.26.0.0 255.255.0.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server WINS 172.26.0.250 172.26.0.251
value of 172.26.0.250 DNS server 172.26.0.251
Protocol-tunnel-VPN IPSec l2tp ipsec svc
value by default-field TLCUSA
internal LIMUVPNPOL1 group policy
LIMUVPNPOL1 group policy attributes
value of 172.26.0.250 DNS server 172.26.0.251
VPN-idle-timeout 30
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list LIMU_Split_Tunnel_List
the address value VPN_POOL pools
internal TLCVPNGROUP group policy
TLCVPNGROUP group policy attributes
value of 172.26.0.250 DNS server 172.26.0.251
Protocol-tunnel-VPN IPSec l2tp ipsec svc
Re-xauth disable
enable IPSec-udp
value by default-field TLCUSA
barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0
username barry.julien attributes
VPN-group-policy TLCVPNGROUP
Protocol-tunnel-VPN IPSec l2tp ipsec
bjulien bhKBinDUWhYqGbP4 encrypted password username
username bjulien attributes
VPN-group-policy TLCVPNGROUP
attributes global-tunnel-group DefaultRAGroup
address VPN_POOL pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
ms-chap-v2 authentication
type tunnel-group TLCVPNGROUP remote access
attributes global-tunnel-group TLCVPNGROUP
address VPN_POOL pool
Group Policy - by default-TLCVPNGROUP
IPSec-attributes tunnel-group TLCVPNGROUP
pre-shared-key *.
ISAKMP ikev1-user authentication no
tunnel-group TLCVPNGROUP ppp-attributes
PAP Authentication
ms-chap-v2 authentication
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:b94898c163c59cee6c143943ba87e8a4
: end
enable ASDM history
can you try to change the transformation of dynamic value ESP-3DES-SHA map.
for example
remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5
and replace with
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
Maybe you are looking for
-
I just responded to this and won't again. Registration page of Firefox has been a pain to register, and this page seems to be defective. Tired of crap does not work with computers.Forget what I'm going to get rid of Firefox!
-
Satellite A10-S403D - new compatibility with WLAN cards
Hello My sister has a quite old but still good job * Satellite A010-laptop S403D *, which has been upgraded a bit during the time. The only problem we have is the Mini-PCI Wireless card, it seems that the chip Intel 802. 11 b is dead, the card is not
-
M.2 Slot for a connection Y510p and trackpad
Hello 2 days ago, I opened my laptop and the trackpad is not detected, no idea what connection I could have disconnected by mistake? And where can I get the m2 slot and install it from my laptop doesn't have one? Thank you Hush
-
Whaen is this upcoming update to this great phone Edited for the uppercase shouting in violation of our site rules. Post edited by: Matt (Forums Manager)