ASA 5510 worm. 8.2 (5) access through VPN without client management?

Hi all

I am completely new to networking Cisco and virtual private networks, I'm working on to the ASA 5510 8.2 (5) 46.  Currently, the unit is set up very very little.  Access to the administration are accessible from my home network to 192.168.2.1.  I'm trying to enable management access remotely by VPN.  I created a clientless SSL VPN, which, during the wizard process, access to the specified administration was the/admin adding to the VPN https url.  Add the/admin in the url for VPN is not me the VPN connection, and by using the/admin url from the portal returns a message "not available".  Also, from the portal I can't access the ASDM using inside IP network management, it also returns the message as "unavailable".  Again, I'm new to this, any help would be greatly appreciated.  Here is my config.  and thank you!

: Saved : ASA Version 8.2(5)46 ! hostname ALP5510 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 99.66.203.148 255.255.255.248 ! interface Ethernet0/1 shutdown no nameif no security-level no ip address ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 nameif inside security-level 100 ip address 192.168.2.1 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! boot system disk0:/asa825-46-k8.bin ftp mode passive dns domain-lookup inside dns server-group DefaultDNS name-server 68.94.156.1 name-server 68.94.157.1 same-security-traffic permit inter-interface pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 mtu management 1500 ip local pool vpn 192.168.2.10 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-714.bin no asdm history enable arp timeout 14400 global (outside) 101 interface nat (inside) 101 0.0.0.0 0.0.0.0 nat (management) 101 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 99.66.203.150 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http server session-timeout 20 http 192.168.1.0 255.255.255.0 management http 192.168.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh 192.168.2.0 255.255.255.0 inside ssh timeout 5 console timeout 0 management-access inside dhcpd address 192.168.2.3-192.168.2.10 inside dhcpd dns 68.94.156.1 68.94.157.1 interface inside dhcpd enable inside ! dhcpd address 192.168.1.3-192.168.1.10 management dhcpd dns 68.94.156.1 68.94.157.1 interface management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn enable outside enable inside group-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn webvpn   svc ask enable group-policy eng internal group-policy eng attributes vpn-tunnel-protocol webvpn webvpn   url-list value EngineerBookmarks username user1 password mbO2jYs13AXlIAGa encrypted privilege 15 username user1 attributes vpn-group-policy eng webvpn   url-list value EngineerBookmarks tunnel-group test type remote-access tunnel-group test general-attributes address-pool vpn tunnel-group Engineering type remote-access tunnel-group Engineering general-attributes default-group-policy eng ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options   inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:05f3afe3383542c8f62b1873421a7484 : end asdm image disk0:/asdm-714.bin asdm location 99.66.203.150 255.255.255.255 inside no asdm history enable 

I'm TAC if you give me a number I can help you, I think we will extend that if we continue on the support forum

Tags: Cisco Security

Similar Questions

  • Cisco VPN Client anything cannot access through VPN on an ASA5505 8.4

    Hello

    Completely new to Cisco ASA and the need to get this working ASAP.

    8.4 (1) ASA 5505 is the secondary FW and I need to authorize all out and block everything coming, but for the VPN clients.  Since a jerk of Cisco, I used the ASDM and it's sorcerers to make this work, which may explain my situation.

    192.168.101.0/24 is the local network

    192.168.101.5 is the IP of ASA

    192.168.101.2 is the primary FW (and the default gateway for servers, I have to access through the VPN)

    10.10.101.0/24 is the VPN IP range (this can be what you want, I'm not married to it somehow)

    My Cisco VPN Client connects to the ASA and receives 10.10.101.1 IP address, but I get no connectivity to the ASA or any other 192.168.101.x or service server (tried RDP, telnet, ping, etc.)

    Configuration file is attached.

    Help pretty please!

    Thank you.

    Did you add a route for the VPN Pool on the main firewall to the ASA?

    Best regards

    Peer

    Sent by Cisco Support technique iPad App

  • No internet access through VPN router

    Hi all

    I configure a Cisco 851 router do a VPN site-to site at ASA5510. The VPN works great. I can get to any host behind ASA5510. But the host behind Cisco 851 cannot go to the internet. I have only set up traffic to the subnet behind ASA5510 through the VPN tunnel. The rest of the traffic through 851 internet connection. The part of configuration is listed below. Except the nat by Fa4 VPN traffic. I miss something here?

    Any help is appreciated.

    interface FastEthernet4
    IP address 24.xx.xx.xx 255.255.255.0
    NAT outside IP
    IP virtual-reassembly
    IP tcp adjust-mss 1400
    automatic duplex
    automatic speed
    crypto SITE map
    !
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 24.xx.xx.1
    !
    IP http server
    local IP http authentication
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    IP nat inside source overload map route interface FastEthernet4 sheep
    Ganymede IP source interface Vlan1
    !
    IP extended SITE access list
    permit ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
    sheep extended IP access list
    deny ip 10.5.x.0 0.0.0.255 10.x.0.0 0.255.255.255
    allow an ip 10.5.x.0 0.0.0.255

    Lou

    Based on the subset of configuration, it looks correct, you should be able to browse the Internet with the NAT configuration.

    Do you have any ACL applied to your inside interface which may be blocking access? If you perform a traceroute, where the traffic stops?

  • No internet access through VPN

    Hi, I have the router Cisco 881 (MPC8300) with c880data-universalk9 - mz.153 - 3.M4.bin when users establish a VPN connection to the corporate network, had access to all the resources but no internet access, please help me what else I need to configure to achieve my goal. I don't want to split the tunnel, internet via VPN, users must have. In my opinion, I have put an additional configuration for NAT, but my router not recognize u-Turn and NAT commands on the object on the network.

    My config:

    Building configuration...

    Current configuration: 13562 bytes
    !
    ! Last configuration change at 09:52:38 PCTime Saturday, May 16, 2015, by admin
    version 15.3
    no service button
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    XXX host name
    !
    boot-start-marker
    start the flash system: c880data-universalk9 - mz.153 - 3.M4.bin
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    AAA authentication login ciscocp_vpn_xauth_ml_1 local
    AAA authentication login ciscocp_vpn_xauth_ml_2 local
    AAA authorization exec default local
    AAA authorization ciscocp_vpn_group_ml_1 LAN
    AAA authorization ciscocp_vpn_group_ml_2 LAN
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    iomem 10 memory size
    clock timezone PCTime 1 0
    PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
    !
    Crypto pki trustpoint TP-self-signed-1751279470
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 1751279470
    revocation checking no
    rsakeypair TP-self-signed-1751279470
    !
    !
    TP-self-signed-1751279470 crypto pki certificate chain
    certificate self-signed 01
    XXXX
    !
    !
    Protocol-IP port-map user - 2 tcp 8443 port
    user-Protocol IP port-map - 1 tcp 3389 port
    !

    !
    !
    !
    IP domain name dmn.local
    8.8.8.8 IP name-server
    IP-server names 8.8.4.4
    IP cef
    No ipv6 cef
    !
    !
    license udi pid CISCO881-K9 sn FCZ174992C8
    !
    !
    username privilege 15 secret 5 xxxx xxxx
    username secret VPNUSER 5 xxxx
    !
    !
    !
    !
    !
    !
    type of class-card inspect sdm-nat-user-protocol--2-1 correspondence
    game group-access 105
    corresponds to the user-Protocol - 2
    type of class-card inspect entire game SDM_AH
    match the name of group-access SDM_AH
    type of class-card inspect entire game PAC-skinny-inspect
    Skinny Protocol game
    type of class-card inspect entire game SDM_IP
    match the name of group-access SDM_IP
    type of class-card inspect entire game PAC-h323nxg-inspect
    match Protocol h323-nxg
    type of class-card inspect entire game PAC-cls-icmp-access
    match icmp Protocol
    tcp protocol match
    udp Protocol game
    type of class-card inspect entire game PAC-h225ras-inspect
    match Protocol h225ras
    type of class-card inspect entire game SDM_ESP
    match the name of group-access SDM_ESP
    type of class-card inspect entire game PAC-h323annexe-inspect
    match Protocol h323-annex
    type of class-card inspect entire game PAC-cls-insp-traffic
    match Protocol pptp
    dns protocol game
    ftp protocol game
    https protocol game
    match icmp Protocol
    match the imap Protocol
    pop3 Protocol game
    netshow Protocol game
    Protocol shell game
    match Protocol realmedia
    match rtsp Protocol
    smtp Protocol game
    sql-net Protocol game
    streamworks Protocol game
    tftp Protocol game
    vdolive Protocol game
    tcp protocol match
    udp Protocol game
    type of class-card inspect the correspondence SDM_GRE
    match the name of group-access SDM_GRE
    type of class-card inspect entire game PAC-h323-inspect
    h323 Protocol game
    type of class-card inspect correspondence ccp-invalid-src
    game group-access 103
    type of class-card inspect entire game PAC-sip-inspect
    sip protocol game
    type of class-card inspect correspondence sdm-nat-https-1
    game group-access 104
    https protocol game
    type of class-card inspect all match mysql
    match the mysql Protocol
    type of class-card inspect correspondence ccp-Protocol-http
    http protocol game
    type of class-card inspect entire game CCP_PPTP
    corresponds to the SDM_GRE class-map
    inspect the class-map match PAC-insp-traffic type
    corresponds to the class-map PAC-cls-insp-traffic
    type of class-card inspect entire game SDM_EASY_VPN_SERVER_TRAFFIC
    match Protocol isakmp
    match Protocol ipsec-msft
    corresponds to the SDM_AH class-map
    corresponds to the SDM_ESP class-map
    type of class-card inspect correspondence ccp-icmp-access
    corresponds to the class-ccp-cls-icmp-access card
    type of class-card inspect the correspondence SDM_EASY_VPN_SERVER_PT
    corresponds to the SDM_EASY_VPN_SERVER_TRAFFIC class-map
    !
    type of policy-map inspect PCB - inspect
    class type inspect PCB-invalid-src
    Drop newspaper
    class type inspect mysql
    inspect
    class type inspect PCB-Protocol-http
    inspect
    class type inspect PCB-insp-traffic
    inspect
    class type inspect PCB-sip-inspect
    inspect
    class type inspect PCB-h323-inspect
    inspect
    class type inspect ccp-h323annexe-inspect
    inspect
    class type inspect ccp-h225ras-inspect
    inspect
    class type inspect ccp-h323nxg-inspect
    inspect
    class type inspect PCB-skinny-inspect
    inspect
    class class by default
    drop
    type of policy-card inspect sdm-license-ip
    class type inspect SDM_IP
    Pass
    class class by default
    Drop newspaper
    type of policy-card inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat-https-1
    inspect
    class type inspect sdm-nat-user-protocol--2-1
    inspect
    class type inspect CCP_PPTP
    Pass
    class class by default
    Drop newspaper
    type of policy-card inspect PCB-enabled
    class type inspect SDM_EASY_VPN_SERVER_PT
    Pass
    class class by default
    drop
    type of policy-card inspect PCB-permits-icmpreply
    class type inspect PCB-icmp-access
    inspect
    class class by default
    Pass
    !
    safety zone-to-zone
    security of the area outside the area
    ezvpn-safe area of zone
    zone-pair security PAC-zp-self-out source destination outside zone auto
    type of service-strategy inspect PCB-permits-icmpreply
    zone-pair security PAC-zp-in-out source in the area of destination outside the area
    type of service-strategy inspect PCB - inspect
    source of PAC-zp-out-auto security area outside zone destination auto pair
    type of service-strategy inspect PCB-enabled
    sdm-zp-NATOutsideToInside-1 zone-pair security source outside the area of destination in the area
    type of service-strategy inspect sdm-pol-NATOutsideToInside-1
    in the destination box source sdm-zp-in-ezvpn1 ezvpn-pairs area security
    type of service-strategy inspect sdm-license-ip
    source of sdm-zp-out-ezpn1 of security area outside zone ezvpn-zone time pair of destination
    type of service-strategy inspect sdm-license-ip
    safety zone-pair sdm-zp-ezvpn-out1-source ezvpn-zone of destination outside the area
    type of service-strategy inspect sdm-license-ip
    safety zone-pair source sdm-zp-ezvpn-in1 ezvpn-area destination in the area
    type of service-strategy inspect sdm-license-ip
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    BA aes 256
    preshared authentication
    Group 2
    !
    Configuration group customer crypto isakmp Domena
    key XXXXXX
    DNS 192.168.1.2
    Dmn.local field
    pool SDM_POOL_1
    Save-password
    Max-users 90
    netmask 255.255.255.0
    banner ^ Cwelcome ^ C
    ISAKMP crypto ciscocp-ike-profile-1 profile
    match of group identity Domena
    client authentication list ciscocp_vpn_xauth_ml_2
    ISAKMP authorization list ciscocp_vpn_group_ml_2
    client configuration address respond
    virtual-model 1
    !
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac ESP_AES-256_SHA
    tunnel mode
    !
    Profile of crypto ipsec CiscoCP_Profile1
    game of transformation-ESP_AES-256_SHA
    set of isakmp - profile ciscocp-ike-profile-1
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
    IP 192.168.9.1 255.255.255.0
    !
    interface FastEthernet0
    no ip address
    !
    interface FastEthernet1
    no ip address
    !
    interface FastEthernet2
    no ip address
    !
    interface FastEthernet3
    no ip address
    !
    interface FastEthernet4
    Description $ETH - WAN$ $FW_OUTSIDE$
    IP x.x.x.x 255.255.255.248
    NAT outside IP
    IP virtual-reassembly in
    outside the area of security of Member's area
    automatic duplex
    automatic speed
    !
    type of interface virtual-Template1 tunnel
    IP unnumbered Loopback0
    ezvpn-safe area of Member's area
    ipv4 ipsec tunnel mode
    Tunnel CiscoCP_Profile1 ipsec protection profile
    !
    interface Vlan1
    Description $ETH_LAN$ $FW_INSIDE$
    IP 192.168.1.1 255.255.255.0
    IP access-group 100 to
    IP nat inside
    IP virtual-reassembly in
    Security members in the box area
    IP tcp adjust-mss 1452
    !
    local IP SDM_POOL_1 192.168.10.10 pool 192.168.10.100
    IP forward-Protocol ND
    IP http server
    23 class IP http access
    local IP http authentication
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    The dns server IP
    IP nat inside source list 3 interface FastEthernet4 overload
    IP nat inside source static tcp 192.168.1.3 interface FastEthernet4 443 443
    IP nat inside source static tcp 192.168.1.2 8443 interface FastEthernet4 8443
    IP route 0.0.0.0 0.0.0.0 X.x.x.x
    !
    SDM_AH extended IP access list
    Note the category CCP_ACL = 1
    allow a whole ahp
    SDM_ESP extended IP access list
    Note the category CCP_ACL = 1
    allow an esp
    SDM_GRE extended IP access list
    Note the category CCP_ACL = 1
    allow a gre
    SDM_IP extended IP access list
    Note the category CCP_ACL = 1
    allow an ip
    !
    not run cdp
    !
    Note access-list 3 INSIDE_IF = Vlan1
    Note CCP_ACL category in the list to access 3 = 2
    access-list 3 Let 192.168.1.0 0.0.0.255
    Note access-list 23 category CCP_ACL = 17
    access-list 23 permit 192.168.1.0 0.0.0.255
    access-list 23 allow 10.10.10.0 0.0.0.7
    Note access-list 100 Auto generated by SDM management access feature
    Note access-list 100 category CCP_ACL = 1
    access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
    access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
    access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
    access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
    access-list 100 tcp refuse any host 192.168.1.1 eq telnet
    access-list 100 tcp refuse any host 192.168.1.1 eq 22
    access-list 100 tcp refuse any host 192.168.1.1 eq www
    access-list 100 tcp refuse any host 192.168.1.1 eq 443
    access-list 100 tcp refuse any host 192.168.1.1 eq cmd
    access-list 100 deny udp any host 192.168.1.1 eq snmp
    access ip-list 100 permit a whole
    Note access-list 101 category CCP_ACL = 1
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    Note access-list 102 CCP_ACL category = 1
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    Note access-list 103 CCP_ACL category = 128
    access-list 103 allow the ip 255.255.255.255 host everything
    access-list 103 allow ip 127.0.0.0 0.255.255.255 everything
    access-list 103 allow ip 93.179.203.160 0.0.0.7 everything
    Note 104 CCP_ACL category = 0 access-list
    IP access-list 104 allow any host 192.168.1.3
    Note access-list 105 CCP_ACL category = 0
    IP access-list 105 allow any host 192.168.1.2

    -----------------------------------------------------------------------
    ^ C
    !
    Line con 0
    no activation of the modem
    line to 0
    line vty 0 4
    access-class 102 in
    transport input telnet ssh
    line vty 5 15
    access class 101 in
    transport input telnet ssh
    !
    !
    end

    I'd be grateful for help

    concerning

    Hello

    Enter the subnet pool VPN to access-list 3 for source NAT

    You may need to check the firewall also rules to allow the connection based on areas you

    HTH,

    Averroès

  • ASA 5510 - SSL VPN without CLIENT - remote desktop

    Is it possible to make a desktop connection remote clientless SSL VPN with a browser? I know that I can do with client anyconnect SSL but I can do without a customer?

    Yes it is possible, you must first make sure that you have transferred to the ASA RDP plugin. When you are editing you bookmarks, you will see an option for RDP.

  • Chrombook L2TP/IPSec for ASA 5510

    Hello

    I have trouble getting a chromebook to establish a remote access connection VPN using L2TP/IPsec for a Cisco ASA 5510 12 7.2 (5) running.

    Run a debug crypto isakmp 5 I see the following logs (ip changed...)

    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable

    Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, previously allocated memory of liberation for permission-dn-attributes

    06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

    06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

    Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID remote Proxy Host: address 3.3.3.3, 17 of the Protocol, Port 1701

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID local Proxy Host: address 2.2.2.2, 17 of the Protocol, Port 1701

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, detected L2TP/IPSec session.

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed its not found old addr

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto, check card = outside_map, seq = 1...

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto Card = outside_map, seq = 1, ACL does not proxy IDs src:1.1.1.1 dst: 2.2.2.2

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, remote peer IKE configured crypto card: outside_dyn_map0

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, ITS processing IPSec payload

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, proposals of any IPSec security association has deemed unacceptable.

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, error QM WSF (P2 struct & 0x3d48800, mess id 0xce12c3dc).

    Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, history of mistake IKE responder QM WSF (struct & 0x3d48800) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH

    Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, removing counterpart table correlator failed, no match!

    1.1.1.1 = address remote chromebook NAT

    2.2.2.2 = ASA 5510 acting as distance termintaion access point

    3.3.3.3 = Chromebook private address

    I noticed that the Chromebook is appearing as the ID of the remote proxy but later, he seeks the applied to the Chromebook NAT address.  Not sure if this is the cause or how to solve this problem, if it is.

    Can someone advise please

    Thank you

    Ryan

    7.2 is old code.  You can re - test with 9.0.x or 9.1.x.

    https://support.Google.com/Chromebook/answer/1282338?hl=en

  • ASA 5510 routing issue.

    Forgive me if this get confused.

    I have a new ASA 5510, I set it up to use VPN. I can via IPSEC vpn and connect to 2 of my et.64 sous-reseaux.0 (we have 4 subnets in our range) I can ping, http, connect to the shares, SSH, etc. I use the ACL of our outgoing VPN module, so I have nothing here should be bad. The problem I have is learning to our network of laboratories located on the sous-reseau.128. I can't ping, connect, http anything.

    Is there some special routing I need to do so that people that VPN in to see this subnet? (For test purposes the ASA is located behind the firewall and connected directly to the sous-reseau.0 so I know this isn't the firewall and everything else on that subnet can see our lab).

    Thanks for helping on the new guy.

    Shawn

    Shawn-

    Your sous-reseaux.0 &.64 is considered to be "interesting traffic" (by an ACL) and they are not NAT had sent through the VPN tunnel. You must add the sous-reseau.128 two the ACL that says no NAT and that specifies traffic interesting. If you encounter some snags, post a sanitized config and we will be able to give a more detailed response.

    HTH

  • False claims RADIUS of customer VPN Cisco ASA 5510

    Hello world

    I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

    Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.

    What is the source of such behavior?

    The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.

    Debugging of ASA:

    -First application-

    RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

    RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

    RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

    RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

    RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

    RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

    -The second request-

    RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

    RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

    RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

    RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

    GBA debug:

    -First application-

    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

    -The second request-
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

    The ASA config:

    Crypto ikev1 allow outside
    Crypto ikev1 allow inside
    IKEv1 crypto ipsec-over-tcp port 10000
    life 86400
    IKEv1 crypto policy 65535
    authentication rsa - sig
    3des encryption
    md5 hash
    Group 2
    life 86400

    !

    internal Cert_auth group strategy
    attributes of Group Policy Cert_auth
    client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list aclVPN2
    the address value vpnpool pools
    rule of access-client-none

    !

    attributes global-tunnel-group DefaultRAGroup
    address (inside) vpnpool pool
    address vpnpool pool
    authentication-server-group RADIUS01
    authorization-server-group RADIUS01
    authorization-server-group (inside) RADIUS01
    Group Policy - by default-Cert_auth

    !

    RADIUS protocol AAA-server RADIUS01
    AAA-server host 10.2.9.224 RADIUS01 (inside)
    key *.
    RADIUS-common-pw *.
    AAA-server host 10.4.2.223 RADIUS01 (inside)
    key *.

    Hello

    It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.

    If you remove this line:

    authorization-server-group RADIUS01

    you will see that it starts to work properly

    In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.

    This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.

    Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).

    HTH

    Herbert

  • ASA 5510 limit Session 2 Error Message

    In ASDM I am trying to set the maximum number of SSL Sessions.  According to the documentation by my Cisco ASA 5510 Cisco should withstand 250 concurrent SSL VPN sessions.  But if you check my screen shot you will see that my ASA does not allow more than 1 or 2!  What is happening with this?

    http://www-search.Cisco.com/en/us/docs/security/ASDM/6_1/user/guide/vpn_web.PDF

    What Miss me?  I'm under SMDA 6.2 and the image is 8.21.

    Hello

    All ASA models (including the 5510), is compatible with only 2 connections VPN SSL factory.

    Indeed, the SAA can support up to 250 VPN SSL connections, but for that, you must purchase an additional license.

    Check out more information on the data sheet:

    www.Cisco.com/go/ASA

    Federico.

  • IKEv2 VPN without using licensed SSL? (ASA-5512)

    Hi all

    I enabled Cisco 'Anyconnect Premium peers' for customer less connections vpn ssl, the obvious snag is that for Anyconnect ikev2 sessions he wants to use the SSL license pool instead of the IPSEC pool (which I have a lot of connection for 'peers VPN Total: 250' licenses.

    * Is it possible to configure Anyconnect to connect through IPSEC and use licensed IPSEC (while keeping Premium Anyconnect active peers)?

    * Should I consider 3rd third-party vpn outside Anyconnect clients?

    CyA

    Craig

    Remote access to sessions with IKEv2 will always consume a Premium license. Change for another customer will not help unless you change to a customer that uses the legacy technology with EasyVPN. But this should not be the solution.

    If you enable AnyConnect Essentials, you can use AnyConnect with IPSec the platform limit, but you cannot use the features award (as a clientless) more at the same time.

    In a situation like that where many AnyConnect-Sessions are necessary and only a couple of sessions without client, I installed AnyConnectEssentials on the ASA principal and deployed an another ASA only for VPN without client. Due to the high cost of premium VPN licenses, is much cheaper then buying the Premium licenses for all VPN users.

    Sent by Cisco Support technique iPad App

  • URL for access without client on SAA

    Hello

    I have an ASA with anyconnect configured profiles.

    In one of these profiles, I want to activate VPN without client.

    When I go to https://[asa address] get the instalation Anyconnect page.

    How to make in the portal for client access?

    Based on the above information, you can't clientless SSL VPN that you have active AnyConnect Essentials.

    I saw that you have a license 2 (AnyConnect Essentials and AnyConnect Premium (10)), however, you can only activate one or the other, not both at the same time.

    based on your webvpn configuration:

    WebVPN

    allow outside

    AnyConnect essentials

    You anyconnect essentials enabled, so you cannot have the premium activated anyconnect.

    If you want to test the premium for clientless ssl vpn license, you will need to temporarily disable the anyconnect essentials.

    to disable:

    WebVPN

    No anyconnect essentials

    Hope that clears up the confusion.

  • Allow specific access through the Interfaces ASA 5510

    Hi all

    In my quest to learn Cisco IOS and devices, I need help in smoothing traffic, or access lists, allowing traffic between internal interfaces on the SAA specifically.

    I have an ASA 5510:

    WAN/LAN/DMZ ports labled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

    Connected to the port E0/0 is a 2811 router

    Connected to the port E0/1 is the (external) Internet

    Connected to the port E0/2 is a 2821

    (I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.

    I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.

    I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANS, but I'm not restrict access between them, still, at least I don't think I am. But as it is, behind the 2821 devices cannot access the DNS / DOMAIN SERVER that is located behind the 2811. Right now I have the routers DHCP power, who works there. Currently devices behind the router 2821-3560 switch cannot access the domain server, primary dns server.

    How can I set the ASA to allow traffic to flow between the two routers and their VLANS?

    Here's the configs of each device and I have also included my switch configs, incase something should be set on them. I only removed the passwords and the parts of the external IP address. I appreciate the help in which States to create and on which devices.

    I think it is best that I put the links to the files of text here.

    Thank you!

    You must remove the following statements on the two routers:
    -# ip nat inside source... overload
    -for each # ip nat inside/outside interface, if they have configured.

    Remove ads rip of the networks that are not directly connected:
    -2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
    -2811: 199.195.xxx.0
    -ASA: 128.0.0.0

    No way should be added to the routers, since he is the one by default, put in scene to ASA.

    Check the tables of routing on routers and the ASA.

    On ASA:

    -Remove:
    object-group network # PAT - SOURCE
    # nat (indoor, outdoor) automatic interface after PAT-SOURCE dynamic source

    -create objects of the networks behind the LAN router and enable dynamic NAT:
    network object #.
    subnet
    NAT (inside, outside) dynamic interface

    -review remains NAT rules.

    -to set/adjust the lists access penetration on the interfaces. Do not forget to allow the rip on the LAN and DMZ interfaces.

    -Disable rip on the outside interface.

  • ASA 5510 VPN multiple tunnels through different interfaces

    Is it possible to create VPN tunnels on more than one interface to an ASA (specifically 5510 with 8.4), or I'm doing the impossible?

    We have 2 public interfaces on our ASA connected to 2 different suppliers.

    We must work L2L tunnels of the SAA for remote offices through the interface that is our ISP 'primary' and also used as our default gateway for internet traffic.

    We are trying to install a remote office use our secondary connection for its tunnel (office of high traffic we would prefer separate away from the rest of our internet and VPN traffic).

    I can create the tunnel with the ACL appropriate for traffic tunnel, card crypto, etc., put in place a static route to force ASA to use the secondary interface for traffic destined for the public of the remote gateway IP address, and when I finished, traffic initiated by the remote site will cause the tunnel to negotiate and find - I can see the tunnel in Show crypto ikev1 his as L2L answering machine MM_ACTIVE , Show ipsec his with the right destination and correct traffic local or remote identities for interesting, but the ASA local never tries to send traffic through the tunnel.  If I use tracers of package, it never shows a VPN that is involved in the trafficking of the headquarters in the remote desktop, as if the SAA is not seeing this as for the corresponding VPN tunnel traffic.

    If I take the exact same access and crypo card statements list and change them to use the primary ISP connection (and, of course, change the remote desktop IP connects to), then the connection works as expected.

    What Miss me?

    Here is a sample of the VPN configuration: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice 192.168.3.0/24 is FieldOffice)

    permit access list range 192.168.0.0 PUBLIC_B_map 255.255.254.0 192.168.3.0 255.255.255.0

    NAT (Inside, PUBLIC_B) static source MainOffice MainOffice static FieldOffice FieldOffice

    card crypto PUBLIC_B_map 10 corresponds to the address PUBLIC_B_map

    card crypto PUBLIC_B_map 10 set counterpart x.x.x.x

    card crypto PUBLIC_B_map 10 set transform-set ESP-3DES-SHA ikev1

    PUBLIC_B_map PUBLIC_B crypto map interface

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group ipsec-attributes x.x.x.x

    IKEv1 pre-shared-key *.

    Route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1

    If I take this same exact configuration and change it to use PUBLIC (our primary connection) instead of PUBLIC_B, remove the instruction PUBLIC_B route and change the desktop to point to the ip address of the PUBLIC, then everything works, so my access list and crypto map statements must be correct.

    What I don't understand is why the ASA Head Office does not seem to recognize interesting for the tunnel traffic when the tunnel is for the second ISP connection, but works when it is intended for the main ISP.  There is no problem of connectivity with the ISP Internet B - as mentioned previously, the tunnel will come and negotiate properly when traffic is started from the desktop, but the traffic of main office is never sent to the bottom of the tunnel - it's as if the ASA does not think that traffic of 192.168.0.x to 192.168.3.x should pass through the VPN.

    Any ideas?

    Hello

    I think your problem is that there is no route for the actual remote network behind the VPN L2L through ISP B connection

    You could try adding add the following configuration

    card crypto PUBLIC_B_map 10 the value reverse-road

    This should automatically add a static route for all remote networks that are configured in the ACL Crypto, through the interface/link-ISP B.

    If this does not work, you can try to manually add a static route to the ISP B link/interface for all remote networks VPN L2L in question, and then try again.

    The route to the remote VPN peer through the ISP B does not to my knowledge.

    I would like to know if it works for you.

    It may be useful

    -Jouni

  • Remote access VPN with ASA 5510 by using the DHCP server

    Hello

    Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?

    I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:

    !

    ASA Version 8.2 (5)

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP 10.6.0.12 255.255.254.0

    !

    IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)

    !

    Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto-map dynamic dyn1 1jeu transform-set FirstSet

    dynamic mymap 1 dyn1 ipsec-isakmp crypto map

    mymap map crypto inside interface

    crypto ISAKMP allow inside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 43200

    !

    VPN-addr-assign aaa

    VPN-addr-assign dhcp

    !

    internal group testgroup strategy

    testgroup group policy attributes

    DHCP-network-scope 10.6.192.1

    enable IPSec-udp

    IPSec-udp-port 10000

    !

    username testlay password * encrypted

    !

    tunnel-group testgroup type remote access

    tunnel-group testgroup General attributes

    strategy-group-by default testgroup

    DHCP-server 10.6.20.3

    testgroup group tunnel ipsec-attributes

    pre-shared key *.

    !

    I got following output when I test connect to the ASA with Cisco VPN client 5.0

    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO

    4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID

    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID

    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440

    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID

    Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

    [OK]

    KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload

    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm

    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72

    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable

    Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64

    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes

    Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.

    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.

    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!

    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!

    Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

    Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

    Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address

    Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048) , : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740) , : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE

    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

    Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

    Kind regards

    Lay

    For the RADIUS, you need a definition of server-aaa:

    Protocol AAA - NPS RADIUS server RADIUS

    AAA-server RADIUS NPS (inside) host 10.10.18.12

    key *.

    authentication port 1812

    accounting-port 1813

    and tell your tunnel-group for this server:

    General-attributes of VPN Tunnel-group

    Group-NPS LOCAL RADIUS authentication server

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • IPS in ASA 5510 killing upload speed

    I've recently updated by a circuit of ethernet metro 20 MB for a 100 Mb connection.  My ASA 5510 severely limits the my download speed.  I narrowed down it to the IPS module.  If I stop to send traffic to the IPS, I get speeds of download between 50-85 Mbps.  If I start sending through again, my download speeds are between 3-7 Mbps.  In both cases, my speeds range between 70-92 MB/s, so it's really affecting only my upload speed.  Is there anything I can do for my traffic IPS, so I can still use my modules and still take advantage of the speed upload huge we pay for?

    Here is some info from my ASA:

    I am matching all traffic:

    allow traffic_for_ips to access extensive ip list a whole

    Here is my policy and class parameters:

    class-map inspection_default
    match default-inspection-traffic
    class-map-botnet-DNS
    match eq field udp port
    class-map ips_class_map
    corresponds to the traffic_for_ips access list
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the ftp
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    inspect the preset_dns_map dns
    class ips_class_map
    IPS inline help
    botnet-policy policy-map
    botnet-DNS class
    inspect the snoop-filter-dynamic dns
    !
    global service-policy global_policy
    service-policy botnet-policy to the outside interface

    If anyone has any ideas, I'd love to hear them.  Thank you.

    Created: May 13, 2011 18:49 created by: Chevrel, customer Aastha(AACHAUDH,265429) was experiencing slow download speeds (3-7 Mbps) on in ASA 5510 IPS module. Download the range of speeds between 70-92 MB/s

    Used the workaround for the bug No. CSCsv69844 , i.e. to set the depth of Regex to 800000 (Please note that this workaround should not serve with the recommendation and approval of the ATC.)

Maybe you are looking for

  • Pavilion Notebook g130nr 17: WLAN Driver for Win7 Pro 64-bit

    This laptop came w/Win10 installed, but downgraded for Win7 64 bit. Now can't find driver to run WLAN with the operating system. I tried driver updated, other ideas, nothing works. Seems that HP is no drivers for early OS programs run in their new PC

  • Need to access Code for an old hotmail account

    Hi guys,. I have an old hotmail account which I had linked to my new. But recently its been hacked (sad, I know), but when I initially set up another email address, it's a friend - this account is now closed and cancelled, and now I can not on my acc

  • The crash dumped and lost the home screen.

    Ideas: I'm working on a Vista Premium Pc. The client was downloading episodes of shows online tv and said what they crashdumped of PC and when they restarted the Office disappeared and is the only way they can move through the menu of the control pan

  • Display a dialog thread not event

    I need to display a dialog of another point of entry (arrival of a push message). To do this, I need to create an instance of the Application on the other entry point and listen to push enter. The problem is when I express my application calls enterE

  • Appeal of scam of the person who claims to be from Microsoft

    I just got a phone call from a foreign-sounding man, claiming he was from Microsoft and that if I did not comply with certain procedures on my keyboard, I drop windows 7 within a period of days. To start I found it very difficult to understand and se