ASA 5510 & Windows XP VPN Client
I want to use the VPN in Windows XP client to connect to the ASA
VPN access
. I read the document after document, and I just can't get to work. It seems what Phase 1 but I can't get the Phase 2. In the logs ASDM, it shows that I get some QM WSF Errorsand on the Windows XP computer, I get an error 789. I put the pre-shared on the XP machine as a result and another j.4 measures.
I am quite new to the method of L2TP VPN, I've always used Windows Server for the VPN and now I am to find out why. In any case, I'm sure I'm missing some info that is needed to diagnose, but here's a copy of my config.
I hope someone can point me in the right direction to understand this because I am pulling my hair out!
Thanks in advance!
This set of transformation is fixed for the transport mode but not used.
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1
First, it must ensure that it is used in the list of games to turn in 'dynamic crypto-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set... ». L2TP/IPSec requires this mode.
If it still fails, try to get him debugs following during the connection to your customer.
Debug crypto isa 127
Debug crypto ipsec
Debug aaa 127 Commons
SPSP
Tags: Cisco Security
Similar Questions
-
Error of tunneling to ASA 5505 using "Software VPN Client"
Here's my current network:
I'm VPN tunnel in the ASA using the Cisco VPN Client software.
Here is my config ASA config: http://pastebin.com/raw.php?i=ad6p1Zac
Here's my entry for the VPN Client connection information:
(Password: cisco)
When I try to connect, I get the message error "the received HASH load cannot be verified.
What is this error and how can I solve it?
I think you need to enter this information in the fields of group authentiation:
(Just below "Group authentication")
Name: vpnclientgroup
Password: [just what you entered as a pre shared key below]
tunnel-group vpnclientgroup ipsec-attributes pre-shared-key *****
After the establishmet tunnel you will get a password pop up, that you enter "David" and the associated password.
-
ASA problem inside the VPN client routing
Hello
I have a problem where I can't reach the VPN clients with their vpn IP pool from the inside or the asa itself. Connect VPN clients can access internal network very well. I have no nat configured for the pool of vpn and packet trace crypt packages and puts it into the tunnel. I'm not sure what's wrong.
Here are a few relevant config:
network object obj - 192.168.245.0
192.168.245.0 subnet 255.255.255.0
192.168.245.1 - 192.168.245.50 vpn IP local pool
NAT (inside, outside) static source any any destination static obj - 192.168.245.0 obj - 192.168.245.0 no-proxy-arp-search to itinerary
Out of Packet trace:
Firewall # entry packet - trace inside the x.x.x.x icmp 8 0 192.168.245.33
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
MAC access list
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 192.168.245.33 255.255.255.255 outside
Phase: 3
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group acl-Interior interface inside
access list acl-Interior extended icmp permitted an echo
Additional information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 5
Type: INSPECT
Subtype: np - inspect
Result: ALLOW
Config:
Additional information:
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside, outside) static source any any destination static obj - 192.168.245.0
obj - 192.168.245.0 no-proxy-arp-search to itinerary
Additional information:
Definition of static 0/x.x.x.x-x.x.x.x/0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Phase: 9
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 277723432 id, package sent to the next module
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
There is no route to the address pool of vpn. Maybe that's the problem? I don't know than that used to work before we went to 8.4.
Check if the firewall is enabled on your host from the client ravpn and blocking your pings.
-
Cisco VPN Client and Windows XP VPN Client IPSec to ASA
I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.
PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?
Config is:
!
interface GigabitEthernet0/2.30
Description remote access
VLAN 30
nameif remote access
security-level 0
IP 85.*. *. 1 255.255.255.0
!
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
NAT (inside-Bct) 0 access-list sheep-vpn
NAT (inside-Bct) 1 access list nat
NAT (inside-Bct) 2-nat-ganja access list
Access-group rdp on interface outside-Ganja
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-registration DfltAccessPolicy
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans
Crypto ipsec transform-set vpnclienttrans transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
life crypto ipsec security association seconds 214748364
Crypto ipsec kilobytes of life security-association 214748364
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
card crypto interface for remote access vpnclientmap
crypto isakmp identity address
ISAKMP crypto enable vpntest
ISAKMP crypto enable outside-Baku
ISAKMP crypto enable outside-Ganja
crypto ISAKMP enable remote access
ISAKMP crypto enable Interior-Bct
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
No encryption isakmp nat-traversal
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.1.0 255.255.255.192 outside Baku
SSH 10.254.17.26 255.255.255.255 outside Baku
SSH 10.254.17.18 255.255.255.255 outside Baku
SSH 10.254.17.10 255.255.255.255 outside Baku
SSH 10.254.17.26 255.255.255.255 outside-Ganja
SSH 10.254.17.18 255.255.255.255 outside-Ganja
SSH 10.254.17.10 255.255.255.255 outside-Ganja
SSH 192.168.1.0 255.255.255.192 Interior-Bct
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
BCT.AZ value by default-field
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
Hello
For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.
Please see configuration below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
or
Please see the section of tunnel-group config of the SAA.
There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.
So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.
Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.
"crypto isakmp nat-traversal.
Thirdly, change the transformation of the value
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
Let me know the result.
Thank you
Gilbert
-
Between asa 5510 and router VPN
Hello
I configured ASA 5510 to vpn LAN to LAN with router 17 857. and between the routers.
between vpn routers works very well.
from the local network behind the ASA I can ping the computers behind routers.
but computers behind routers, I cannot ping PSC behind ASA.
I have configured the remote access with vpn cisco 4.X client, it works well with routers, but cannot work with asa.
the asa is connected to the wan via zoom router (adsl)
Are you telnet in the firewall?
Follow these steps to display the debug output:
monitor terminal
farm forestry monitor 7 (type this config mode)
Otherwise if its console, do "logging console 7'.
can do
Debug crypto ISAKMP
Debug crypto ipsec
and then generate a ping from one device to the back of the ASA having 192.168.200.0 address towards one of the VPN subnets... and then paste the result here
Concerning
Farrukh
-
Our ASA 5510 can provide VPN to our LAN cloud?
Hi people,
We have a number of (1 7 or if virtual, dedicated) servers hosted in a cloud provider well known on the West coast of the USA.
They just put an ASA5510 across our LAN Server to help protect the servers.
I was wondering if it is possible that the ASA5510 can provide VPN access to our LAN cloud? At the moment we have the firewall block - all - ports except 80/443/3389 (RDP for our Windows servers).
I was actually hoping to block port 3389, so nobody can RDP on all servers. BUT... VPN in our LAN cloud, then we can connect to a server via RDP or any software / port. Indeed, the VPN opens all ports... you have created a VPN tunnel has provided
So is this possible? The ASA5510 this offer?
Last question-> and it's a ballast: gulp:...
We cannot install any client software 3rd party... including any cisco vpn client software. We must use the built in software Windows7 VPN... making PPTP, SSTP, L2TP-IPSEC.
So... now the ASA5510 can offer that? If so... is there any special scripts or configs I need to give to the Cloud hosting provider, so they can set the machine to work?
Help, please!
-Jussy-
Two possibilities come to mind.
-Built-in L2tp over Ipsec client.
ASA config Guide:
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/l2tp_ips.html
-Clientless webvpn (if RDP and other plugins, but requires java/activeX for some features...
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/WebVPN.html
These options should work except ASA is in mode multi-conext.
M.
-
Cisco ASA 5510 - restrictions of VPN (AnyConnect) based on the AD user or IP address
Hello
I want to test how to restrict access user on an ASA 5510 AnyConnect. In politics, I can define what networks will go through the VPN tunnel and which not (split tunneling). The ASA has a LDAP connection and only AD users with a special security group can connect over AnyConnect.
On the other hand I would like to restrict access for special users within a VPN policy.So my question:
What are your recommendations to implement this szenario?My two ideas would be:
1. the access rules based on the user of the AD.
2. special reserve IP addresses in the pool of addresses AnyConnect for some users, so I can limit access to the normal firewall rules base based on the source IP address.What are your recommendations and is it possible to realize my ideas (and how)?
Thanks in advance
Best regards
Hello
I will suggest that you configure a second ad group in the server and another group strategy in the ASA, you can configure certain access on each group policy "the installer of the filters, assign different split political tunnel, different ACL' and in the ad server, you can assign users for example to the AD Group A and AD Group B based on the access you want to give them now , you must configure LDAP mapping to assign the user specific group policy that you want based on the AD group that they belong.
You can follow this documentation that will help you configure the LDAP Mapping:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Best regards, please rate.
-
CISCO ASA 5505 no cisco VPN Client
Hello
I'm looking for after a firewall Cisco ASA 5505 and want to watch all the owners of it with remote access in but none of us have a support contract with Cisco.
Is it possible to set up a VPN client not as Microsoft built the client to connect to the ASA?
Thank you
Alamb200
Hello
Looking for a PPTP on ASA connection?
The following document provides the following:
ASA q support PPTP client?
A. number of the
But we can configure ASA to allow the PPTP connection:
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your request is answered. Note the useful messages.
-
Split DNS on ASA 5510 access remote vpn works not
I connect successfully to the tunnel and can ping hosts remotely by IP but am unable to browse the internet from the VPN client. Also, the resolution of host name on the remote end does not work... can only connect through the IP address. Ideas? Thanks again!
Your group policy will SUFFER a good split tunneling and divide the dns settings. But I think that you are awarded the DfltGrpPolicy rather than your group policy will SUFFER because group policy is not set in your group of tunnel, nor be transmitted from authentication.
Make a vpn-sessiondb distance 'show' to confirm what group policy is assigned to fix it, assign your group policy will BE to your group of tunnel as follows:
global-tunnel-group attributes
Will BE by default-group-policy
-heather
-
With the help of ASA 5510 L2L and VPN L2TP
I would let my remote users access to all resources bhind the ASA and my remote branches.
Here's my setup. ASA5510 as a hub to the data center.
172.21.x.x of internal network directly connected
DMZ directly connected 172.22.1.x.x
L2L branch1 VPN 10.47.x.x
L2L branch2 VPN 10.47.y.x
172.21.y.x remote users L2TP Windows Client
I can access my internal resources related to the ASA but not the DMZ or branch offices. I need injection road routing and reverse?
You also need to configure crossed. http://goo.GL/vLqAR
-
Hi all
I have a VPN of n-star with 5510 boxes in several places.
Users complaining that s2s links are beat from time to time for both places.
Here's the log output for the moments where the links are torn down:
First spoke:
07/07/2010-20:17:09 Local4.Notice
% 713259-5-ASA: group = , IP = , Session is to be demolished. Reason: The user has requested
07/07/2010-20:17:09 Local4.Notice% 5-ASA-713050: group = , IP = , missed connection for peer . Reason: terminate Peer Remote proxy 10.3.0.0 Proxy Local 172.16.100.0 Second spoke:
07/07/2010-18:34:45 Local4.Notice
% 713259-5-ASA: group = , IP = , Session is to be demolished. Reason: Idle Timeout 07/07/2010-18:34:45 Local4.Notice
% 5-ASA-713050: group = , IP = , missed connection for peer . Reason: IPSec SA time-out Remote proxy 10.5.0.0, Proxy Local 172.16.100.0 I think the bold text is the reason. But I don't know why a connection stop remote site1 and why to site2 is timeouts.
I have HIS lifitime for 24h\4Gb to each ASA and the volume of traffic or time never pass in this case, KeepAlive is enabled to the ASA hub as well. I see a number or a "spacing" all day with the same reasons for termination that I presented above. Anyone has a suggestion or idea why s2s VPN are hinged and how make them more stable even if the traffic is not flowing throughout.
Thanks in advance.
Sergey,
No matter how lucky you have vpn time-out configured on one of the sides (it may be in default group policy perhaps?) (see the race from all political group | I vpn)
"IPSec SA time-out"
HTH,
Marcin
-
Remote RDP client VPN access on ASA 5510
Hello.
We have configured the VPN tunnel from site of offshore to the location of the customer using ASA5510 and access to RDP to the location of the customer. Also been configured remote VPN access in offshore location. But using the remote VPN client, we are able to get the RDP of officeshore location but not able to access to the location of the RDP client. Are there any additional changes required?
Thank you
Hi Salsrinivas,
so to summarize:
the VPN client connects to the ASA offshore
the VPN client can successfully RDP on a server at the offshore location
the VPN client cannot NOT RDP on a server at the location of the customer
offshore and the location of the customer are connected by a tunnel L2L
(and between the 2 sites RDP works very well)
is that correct?
Things to check:
-the vpn in the ACL crypto pool?
-you're exemption nat for traffic between the vpn pool and 'customer' LAN? is the exemption outside (vpn clients are coming from the outside)?
-you have "same-security-traffic permitted intra-interface" enabled (traffic will appear outside and go back outside)?
If you need help more could you put a config (sterilized) Please?
HTH
Herbert -
ASA VPN server and vpn client router 871
Hi all
I have ASA 5510 as simple VPN server and 871 router as simple VPN client. I want to have the user ID and permanent password on 871 and not to re - enter username and password since 871 uses dynamic IP address and every time I have to ' cry ipsec client ezvpn xauth "and type user name and password.
any suggestions would be much appreciated.
Thank you
Alex
Do "crypto ipsec client ezvpn show ' on 871, does say:
...
Save password: refused
...
ezVPN server dictates the client if it can automatically connect with saved password.
Set "enable password storage" under the group policy on the ASA.
Kind regards
Roman
-
Cisco AnyConnect VPN Client 3.0 - could not load preferences
Hello
I have the problem that when I want to connect to the VPN (ASA 5510) with the AnyConnect Client 3.0 Gateway I get the error "Could not load preferences" when I try to connect via SSL of the SAA Portal, everthing works fine... I tried to reinstall the Client - without success... can someone tell me what is wrong with my client?
THX
Concerning
Robert
Hi Robert,.
Follow these steps:
-Allow a group alias or group-url for groups of tunnel.
-Delete the profile XML of ASA (please export it all first to keep a backup).
On the computer assigned:
-Remove the Preferences.xml.
-Remove the preferences_global.xml.
-Delete the XML profile in the Profiles folder.
Then reconnect the client.
Let me know.
Please rate this post if you find it useful.
-
Dear all,
I applied ASA 5510 in my network,
I configured 3 DMZ, inside and outside interfaces
ASA, I can access the Interior, DMZ and outside (Internet)
Inside users can communicate with the servers in the DMZ
Inside users goto Internet via the external interface
DMZ servers can goto Internet via the external interface
The DMZ servers cannot Ping inside the network
I've been using IpSec VPN on my router,
clients connect to the router using the Cisco VPN Client software,
NOW, when I understood ASA in the network, VPN clients are unable to communicate with the servers in the DMZ
security level 0 for outside
DMZ 50
100 for the inside
NAT is disabled with no command nat control
What I need to ON the NAT and some ACL must be put in place...
Please advise me what ACL I should implement, interface? Direction?
Which statement NAT should I include?
I want to access my network via VPN...
Help, please
Kind regards
Junaid
ICMP pings are not stateful. The firewall needs special treatment to dynamically allow pings back, this is done through the "ICMP inspection." The ICMP inspection is disabled by default. You can activate the inspection or use an ACL to allow ICMP traffic. Here is a useful link:
Please rate if useful.
Concerning
Farrukh
Maybe you are looking for
-
I have associated my pencil to Apple for the iPad Pro; But how to make the Widget of batteries displayed on the notification Center 'today '?
-
How ot use second monitor on Satellite P305-S8838
I have Satellite P305-S8838 and you want to use as a desktop computer.I have the LCD monitor and I thought that wouild simply plug into the external video port, change my display settings and that it would be. But when I go to personalize > display s
-
Hello world... I am a student and I started using labview. Please, could someone help me with a problem? I runs tests in the load waveforms and discharging of a capacitor, and I want to stay, collecting data for a week without interruption. The block
-
Popup under VI closing before user input
Hello people, I develop a VI where it generates a pop-up (subvis) according to the values of control, to alert users. Normally these pop-up windows should remain on the screen until the user rejects their (push a button on the pop-up window); However
-
I can't find the wireless network
When I open him "set up a connection or network" and go to "connect to the Internet. It shows this: I can not find wireless... someone can help?