Cisco ASA VPN question

Hi Mokhalil82,

It's pretty strange that the ASA shows Phase 1 and Phase 2 as up while the WatchGuard shows that Phase 1 is not.

It is possible that the tunnel comes up on the ASA but gets torn down in the same instant, so we see Phase 1 and 2 up only momentarily.
Would you be able to share the debug outputs?

Kind regards
Dinesh Moudgil

PS Please rate helpful messages

Thanks for the update, Mokhalil82.

Finally, if you could debug both sides simultaneously and share the output, I think we can dig further with that information.
In addition, if we can get a packet capture as well, that would be useful.

Make sure that the date and time are correct on both sides.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Tags: Cisco Security

Similar Questions

  • Cisco ASA remote VPN queries

    Hi all

    I have 2 queries - kindly assist

    1. For customer IPsec remote VPN (IKEv1), are there license restrictions?

    2. Main differences between the above and AnyConnect?

    ~ rate if useful :)

    1. Yes, there is a restriction based on the number of concurrent VPN users. You can see the number of licenses under "Other VPN Peers" when you run show version on your ASA.

    2. The main difference is that AnyConnect can use SSL or IPsec (IKEv2) for the tunnel, while the classic VPN Client tunnel works on IKEv1. Also note that the old VPN Client is no longer supported by Cisco.

    I hope this helps.

  • Multiple-context ASA SSL VPN question

    Hello

    We have a pair of firewalls, running multiple contexts for clients. We have recently updated them and have been using the newly supported AnyConnect client. This all works fine but I feel I'm missing something. If the customer does not have the AnyConnect client already, how do they get it? Normally you go to the web page and it will download the client, but all I get is "Clientless VPN is not supported in multiple context mode." which is fine, but how is the customer supposed to get the client in the first place?

    Any information would be helpful.

    Chris L.

    Hi Chris,

    The AnyConnect WebLaunch feature is not supported on an ASA running in multiple-context mode.

    There is an enhancement request open to allow this, as well as other features, while the ASA is in multiple-context mode. Here is the link you can refer to:

    https://Tools.Cisco.com/bugsearch/bug/CSCuw19758/?reffering_site=dumpcr

    Kind regards

    Aditya

    Please rate helpful posts and mark correct answers.

  • Cisco ASA 8.3(1), VPN Client and IP Communicator - one-way communication

    Hello community.

    I have a strange problem with my setup and I'm sure it's either some kind of routing (or NAT) issue or just a missing rule allowing traffic. But I'm now at a point where I would like to ask for your help.

    I have a few remote access users who have the Cisco IP Communicator (CIPC) application installed on their laptops. So:

    VPN user with CIPC <> ASA firewall <> voice router <> MAC <> IP phone

    The VPN works fine for all other traffic. The basic connection for the IP Communicator works well. It gets connected to the CallManager, is shown as registered, and you can even call an internal phone and also external phones. BUT: while you can hear the called party (if the phone is internal), it does not work in the other direction. There is no sound from the remote caller.

    I already found out that it is also not possible to ping from the VPN phone to the internal IP phone subnet. While the VPN user can ping any other device on the internal network, he cannot do so for the Cisco IP phones. But if the VPN phone calls a non-internal phone (mobile...) - it works!

    My thought is that the call cannot be built up properly between the VPN phone and the internal phone.

    I found similar situations with Google, but they are all the reverse: calling internal works, but not the VPN.

    What do you think?

    Hello

    Usually the ASA runs Split Tunnel, listing the specific networks for the VPN clients.

    This would mean that there is a Split Tunnel ACL used in the ASA configuration for this VPN connection that needs the missing network added to the VPN connection's traffic.

    -Jouni

  • ASA 5550 VPN question

    Dear Experts,



    I configured a Cisco ASA 5550 as a VPN server at the head office.

    I configured a Cisco ASA 5505 as the hardware client at the branch.

    The tunnel is up and I can access my branch LAN computer from the H.O. LAN. But I am unable to ping / access a headquarters LAN machine from the branch.

    It's just one-way communication right now.


    Need help.


    Thank you


    I.A

    Is your client/PAT EzVPN in Client mode or NEM (Network Extension Mode)?

    If NEM, then you will need to add the following to your inside_nat0_outbound ACL:

    access-list inside_nat0_outbound permit ip 10.10.10.0 255.255.255.0

    Also, please add the following command on the ASA 5550:

    management-access inside

    And from the remote host, see if you can ping 10.10.10.1.

  • L2L VPN using Cisco routers question

    I can successfully configure an L2L IPsec VPN between two ASAs, but using a similar configuration on Cisco routers I can't establish a tunnel or ping the LAN interface on the other side, although the two routers, NY and Burlington, can ping each other's WAN interface. Here is the configuration of the routers and a show version; I have attached the complete config files and a screenshot of the topology.
    I appreciate all help.
    The f

    NY F0/0 - ISP - F0/0 Burlington

    show version

    Cisco IOS Software, 3600 Software (C3640-IK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thu 18-Aug-10 06:59 by prod_rel_team

    ROM: ROMMON Emulation Microcode
    ROM: 3600 Software (C3640-IK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc1)

    NY uptime is 0 minutes
    System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
    System image file is "tftp://255.255.255.255/unknown"

    Cisco 3640 (R4700) processor (revision 0xFF) with 124928K/6144K bytes of memory.
    Processor board ID FF1045C5
    R4700 CPU at 100MHz, Implementation 33, Rev 1.2
    2 FastEthernet interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    125K bytes of NVRAM.
    8192K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102

    NY router

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key ThisIsAWeekKey address 172.16.2.2
    !
    !
    crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
    !
    crypto map Burlington 1 ipsec-isakmp
     set peer 172.16.2.2
     set transform-set L2L
     match address Burlington-NW
    !
    !
    interface FastEthernet0/0
     ip address 172.16.1.2 255.255.255.252
     duplex auto
     speed auto
     crypto map Burlington
    !
    interface FastEthernet1/0
     ip address 10.0.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    no ip http server
    no ip http secure-server
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    !
    !
    ip access-list extended Burlington-NW
     permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

    Burlington router

    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key ThisIsAWeekKey address 172.16.1.2
    !
    !
    crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
    !
    crypto map NY 1 ipsec-isakmp
     set peer 172.16.1.2
     set transform-set L2L
     match address NY-NW
    !
    !
    interface FastEthernet0/0
     ip address 172.16.2.2 255.255.255.252
     duplex auto
     speed auto
     crypto map NY
    !
    interface FastEthernet1/0
     ip address 10.0.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    no ip http server
    no ip http secure-server
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.16.2.1
    !
    !
    ip access-list extended NY-NW
     permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

    No problem, we learn every day.

    Please kindly mark the post as answered so that others can also learn from your post. Thank you.
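The router thread above posts both peers' "crypto isakmp policy" blocks. When Phase 1 does not come up, the first thing to check is whether the two policy sets actually have a proposal in common. The script below is an added example, not code from the thread or from Cisco: it parses the IOS/ASA policy syntax shown on this page (IOS "encr aes 256" and ASA "encryption aes-256" both normalise to "aes-256"), fills omitted lines with the platform defaults (des, sha, group 1, rsa-sig, 86400 s), and reports the first policy both sides agree on. Lifetime is deliberately left out of the match because the responder simply adopts the shorter value. NY_CONFIG is transcribed from the post (Burlington's policy is identical); MISMATCHED_PEER and the function and class names are the example's own constructions.

```python
"""IKEv1 Phase 1 proposal matcher for Cisco 'crypto isakmp policy' blocks (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str   # "aes-256", "3des", "des"
    hash_alg: str     # "sha" or "md5"
    group: int        # Diffie-Hellman group number
    auth: str         # "pre-share" or "rsa-sig"
    lifetime: int = 86400


# Values IOS and ASA assume when a line is omitted from the policy block.
DEFAULTS = dict(encryption="des", hash_alg="sha", group=1, auth="rsa-sig", lifetime=86400)


def parse_isakmp_policies(config: str) -> List[Tuple[int, Proposal]]:
    """Return (priority, Proposal) pairs for every 'crypto isakmp policy N' block.

    A block ends at the first line that is not one of its attribute commands,
    e.g. '!' or the next top-level command.
    """
    policies: Dict[int, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if current is None or not line:
            continue
        tok = line.split()
        if tok[0] in ("encr", "encryption"):
            current["encryption"] = "-".join(tok[1:]).lower()   # 'aes 256' -> 'aes-256'
        elif tok[0] == "hash":
            current["hash_alg"] = tok[1].lower()
        elif tok[0] == "group":
            current["group"] = int(tok[1])
        elif tok[0] == "authentication":
            current["auth"] = tok[1].lower()
        elif tok[0] == "lifetime":
            current["lifetime"] = int(tok[1])
        else:
            current = None   # any other command closes the block
    return sorted((n, Proposal(**p)) for n, p in policies.items())


def negotiated(local: List[Tuple[int, Proposal]],
               remote: List[Tuple[int, Proposal]]) -> Optional[Tuple[int, Proposal]]:
    """Lowest-numbered local policy that the remote side also offers (lifetime ignored).

    The responder walks its own policies in priority order and picks the first
    one the initiator also proposed, which is what this loop mirrors.
    """
    def key(p: Proposal):
        return (p.encryption, p.hash_alg, p.group, p.auth)
    offered = {key(p) for _, p in remote}
    for n, p in local:
        if key(p) in offered:
            return n, p
    return None


# Transcribed from the NY router in the post (Burlington's policy is the same).
NY_CONFIG = """
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
"""
BURLINGTON_CONFIG = NY_CONFIG

# Constructed counterexample: nothing here matches NY (group 5, or 3des/md5).
MISMATCHED_PEER = """
crypto isakmp policy 10
 encryption aes-256
 hash sha
 group 5
 authentication pre-share
 lifetime 28800
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 2
 authentication pre-share
"""

if __name__ == "__main__":
    ny = parse_isakmp_policies(NY_CONFIG)
    print("NY <-> Burlington:", negotiated(ny, parse_isakmp_policies(BURLINGTON_CONFIG)))
    print("NY <-> mismatched peer:", negotiated(ny, parse_isakmp_policies(MISMATCHED_PEER)))
```

If the second call returns None for your real configs, no amount of debugging on one side will help; fix the proposal sets first, then collect "debug crypto isakmp" on both peers as the first thread suggests.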

  • Cisco ASA remote access VPN

    Hi guys

    I have a few questions regarding remote access VPN and recording VPN traffic. Could someone please advise how I can capture decrypted traffic for remote access VPN clients on the firewall? Right now the firewall has an "any source, any destination" list of services associated with the tunnel group (no interface access list), just the default group policy. I don't know what kind of traffic comes from the remote VPN machines, and I want to capture it and create a more specific ACL to associate with the group via a VPN filter, so that not everything is allowed.

    I also have VPN load balancing configured, and I don't know if adding a VPN filter via group policy to the default group can cause service interruptions, but since I have VPN load balancing configured it shouldn't affect remote clients. Am I wrong?

    Regards

    F

    There is no load balancing with active/standby (standby really means "only watching"!). And there is no RA-VPN at all with active/active.

  • iPhone and Cisco VPN question

    All, I have an iPhone and I'm VPN'ing into an ASA with IOS 8.2.2.  I do not have issues VPN'ing in, but I have a question that is causing quite a stir here.  When I try to use names rather than IP addresses (trying to access a server or an internal web site), the client does not receive DNS answers.  I can get to the servers via IP, but not by server name.  I can use the same PCF file on my laptop, and it works fine.  Does anyone have a resolution to this scenario?  Any help appreciated.

    Add the domain name in the group policy attributes:

    default-domain value MYDOMAIN.COM

    Manish

  • Cisco ASA 5510 VPN Site to Site with Sonicwall

    I am trying to configure a VPN tunnel between a Cisco ASA 5510 (Version 8.2(2)) and a SonicWall TZ200. I got the tunnel up and I am able to ping the internal IP address of the Cisco ASA from the SonicWall LAN, but nothing else works. When I try to ping a host behind the Cisco ASA from the SonicWall LAN I get the following message on the ASA: "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx denied due to NAT reverse path failure"

    Googling the error above shows problems with version 8.3 or later, where the ASA NAT commands changed, but I'm still on 8.2. Another common issue is not adding a NAT exemption; I have double- and triple-checked that I did add a NAT exemption rule for the hosts on the Cisco network to the hosts on the SonicWall network. Looks like I've hit a roadblock, so any help would be appreciated. Thank you

    Here are a few excerpts from the config file (10.20.2.0 is behind the Cisco and 10.20.10.0 behind the SonicWall)

    nat (inside) 0 access-list sheep
    ..
    access-list sheep extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0
    ..
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer x.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    ..
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800
    ..
    group-policy SiteToSitePolicy internal
    group-policy SiteToSitePolicy attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     split-tunnel-network-list none
    ..
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x general-attributes
     default-group-policy SiteToSitePolicy
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *

    Added some excerpts from the configuration file.

    Hello Manjitriat,

    Okay, the "IPsec spoof detected" message is normal; it means you are trying to send unencrypted packets over an encrypted path.

    Now, if you see in the packet tracer that traffic goes through the VPN tunnel, everything is fine on your site.

    The packet tracer should look something like this:

    packet-tracer input inside tcp private_ip_lan 1025 destination_private_ip_lan 80

    Please provide us with the output of the following commands after you run the packet tracer:

    show crypto isakmp sa

    show crypto ipsec sa

    Kind regards

    Julio
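Two threads on this page end up at the same Phase 2 questions: the router thread above (are the two crypto ACLs exact mirror images?) and this SonicWall thread (is every crypto ACE also exempted from NAT, which is what the ASA's "asymmetric NAT rules matched ... NAT reverse path failure" message points at on 8.2?). The script below is an added example, not code from either post or from Cisco. It parses the two ACE formats posted on this page, IOS "permit ip <net> <wildcard> <net> <wildcard>" and ASA 8.2 "access-list NAME extended permit ...", and runs both checks. The lists suffixed _FROM_POST are transcribed from the threads; WIDE_PEER, NAT0_WRONG_SUBNET and all function names are the example's own constructions.

```python
"""Phase 2 sanity checks for Cisco IPsec: mirror-image proxy IDs and NAT exemption (added example)."""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, Net, Net]          # (protocol, source, destination)


def _network(addr: str, mask: str, wildcard: bool) -> Net:
    """Build a network from 'addr mask'. IOS ACLs carry an inverted (wildcard)
    mask, so invert it explicitly instead of letting ipaddress guess which
    kind 0.0.0.0 or 255.255.255.255 is."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_network(tokens: List[str], wildcard: bool) -> Net:
    """Consume one address spec from the token list: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return _network(tok, tokens.pop(0), wildcard)


def parse_ace(line: str, wildcard: bool = False) -> Ace:
    """Parse an IOS ACE ('permit ip S SM D DM', wildcard=True) or an ASA ACE
    ('access-list NAME extended permit ip S SM D DM', netmasks)."""
    tokens = line.split()
    if tokens[0] == "access-list":          # ASA form: skip the list name and 'extended'
        tokens = tokens[2:]
        if tokens[0] == "extended":
            tokens = tokens[1:]
    if tokens[0] != "permit":
        raise ValueError(f"expected a permit ACE: {line!r}")
    proto, rest = tokens[1], tokens[2:]
    src = _take_network(rest, wildcard)
    dst = _take_network(rest, wildcard)
    return proto, src, dst


def unmirrored(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Local crypto ACEs that have no exact mirror (source/destination swapped) on the peer."""
    remote_set = set(remote)
    return [(p, s, d) for p, s, d in local if (p, d, s) not in remote_set]


def unexempted(crypto: List[Ace], nat0: List[Ace]) -> List[Ace]:
    """Crypto ACEs whose traffic does not fall entirely inside some 'nat 0' ACE."""
    missing = []
    for proto, src, dst in crypto:
        if not any(src.subnet_of(es) and dst.subnet_of(ed)
                   for ep, es, ed in nat0 if ep in ("ip", proto)):
            missing.append((proto, src, dst))
    return missing


# Router thread (IOS, wildcard masks): NY and Burlington mirror each other.
NY_FROM_POST = [parse_ace("permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255", wildcard=True)]
BURLINGTON_FROM_POST = [parse_ace("permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255", wildcard=True)]
# SonicWall thread (ASA 8.2, netmasks): crypto ACL and nat 0 ACL as posted.
CRYPTO_FROM_POST = [parse_ace("access-list outside_1_cryptomap extended permit ip "
                              "10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0")]
NAT0_FROM_POST = [parse_ace("access-list sheep extended permit ip "
                            "10.20.2.0 255.255.255.0 10.20.10.0 255.255.255.0")]
# Constructed negatives: a peer proposing a /16 instead of the mirror /24, and a
# NAT-exemption ACL that names the wrong remote subnet.
WIDE_PEER = [parse_ace("permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255", wildcard=True)]
NAT0_WRONG_SUBNET = [parse_ace("access-list sheep extended permit ip "
                               "10.20.2.0 255.255.255.0 10.20.99.0 255.255.255.0")]

if __name__ == "__main__":
    print("NY vs Burlington, unmirrored:", unmirrored(NY_FROM_POST, BURLINGTON_FROM_POST))
    print("NY vs wide peer, unmirrored:", unmirrored(NY_FROM_POST, WIDE_PEER))
    print("posted crypto vs posted nat 0:", unexempted(CRYPTO_FROM_POST, NAT0_FROM_POST))
    print("posted crypto vs wrong nat 0:", unexempted(CRYPTO_FROM_POST, NAT0_WRONG_SUBNET))
```

For the configs as posted both checks come back empty, which is consistent with the threads: the router pair's proxy IDs match, and the SonicWall poster's exemption ACL does cover the crypto ACL, so the reverse-path error has to come from another NAT rule (a static or a broader nat statement) that the excerpts do not show. Feed the checker every nat/static line, not just the exemption ACL, before concluding the exemption is fine.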

  • Licenses needed on an ASA 5510 for the old Cisco VPN Client

    We're trying to migrate our WatchGuard firewall to a Cisco ASA 5510, which we bought some time ago. For various reasons, all of our users already have the old Cisco VPN Client installed. I think it will work. Are there licensing issues on the 5510 I need to be concerned with?  Is there any special config that needs to be done on the 5510?

    Correct. You don't require AnyConnect licensing of any type for the configuration and use of IKEv1 IPsec remote access VPN (which the old Cisco VPN Client uses).

    You will be limited to 250 active IPsec peers (remote access plus any site-to-site VPNs) by the platform (hardware) device capabilities, which are enforced by the software.

  • Cisco VPN Client and Windows XP VPN Client IPSec to ASA

    I configured the ASA for IPsec VPN via the Cisco VPN Client and the XP VPN client. I can connect successfully with the Cisco VPN Client, but I get an error when connecting with the XP client. Debugging says "misconfigured groups and transport/tunneling mode". I know they use different transport and tunneling methods, and I think that I have configured both. Take a look at the config.

    PS a funny thing - when I connect with the VPN client on Windows Server 2003, I get no error. The only difference is that the XP client is behind an ADSL router and the server client is directly connected to the Internet on one of its public IP interfaces. Could NAT in the XP case cause problems?

    Config is:

    !
    interface GigabitEthernet0/2.30
     description remote access
     vlan 30
     nameif remote-access
     security-level 0
     ip address 85.*.*.1 255.255.255.0
    !
    access-list 110 extended permit ip any any
    access-list nat extended permit tcp any host 10.254.17.10 eq ssh
    access-list nat extended permit tcp any host 10.254.17.26 eq ssh
    access-list sheep extended permit ip any any
    access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
    access-list sheep-vpn extended permit ip any 192.168.121.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
    flow-export destination inside-Bct 192.168.1.27 9996
    ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
    arp timeout 14400
    global (outside-Baku) 1 interface
    global (outside-Ganja) 2 interface
    nat (inside-Bct) 0 access-list sheep-vpn
    nat (inside-Bct) 1 access-list nat
    nat (inside-Bct) 2 access-list nat-ganja
    access-group rdp in interface outside-Ganja
    !
    route remote-access 0.0.0.0 0.0.0.0 85.*.*.1 2
    route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
    route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
    route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
    route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
    route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
    route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
    route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
    route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
    dynamic-access-policy-record DfltAccessPolicy
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    crypto ipsec transform-set newset esp-aes esp-md5-hmac
    crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
    crypto ipsec transform-set vpnclienttrans mode transport
    crypto ipsec transform-set raccess esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 214748364
    crypto ipsec security-association lifetime kilobytes 214748364
    crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
    crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
    crypto map vpnclientmap interface remote-access
    crypto isakmp identity address
    crypto isakmp enable vpntest
    crypto isakmp enable outside-Baku
    crypto isakmp enable outside-Ganja
    crypto isakmp enable remote-access
    crypto isakmp enable inside-Bct
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    no vpn-addr-assign aaa
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.192 outside-Baku
    ssh 10.254.17.26 255.255.255.255 outside-Baku
    ssh 10.254.17.18 255.255.255.255 outside-Baku
    ssh 10.254.17.10 255.255.255.255 outside-Baku
    ssh 10.254.17.26 255.255.255.255 outside-Ganja
    ssh 10.254.17.18 255.255.255.255 outside-Ganja
    ssh 10.254.17.10 255.255.255.255 outside-Ganja
    ssh 192.168.1.0 255.255.255.192 inside-Bct
    group-policy vpn internal
    group-policy vpn attributes
     dns-server value 192.168.1.3
     vpn-tunnel-protocol IPSec l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value BCT.AZ
    tunnel-group DefaultRAGroup general-attributes
     address-pool raccess
     authentication-server-group RADIUS
     default-group-policy vpn
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *

    Hello

    For the Cisco VPN Client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

    Please see the configuration below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    or

    http://tinyurl.com/5t67hd

    Please see the tunnel-group section of the ASA config.

    There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client as the group name.

    So, you would need a specific tunnel-group name configured with a pre-shared key, and use it on the Cisco VPN Client.

    Secondly, because you are behind an ADSL router, I'm sure it's configured for NAT. Can you please enable NAT-T on your ASA:

    crypto isakmp nat-traversal

    Thirdly, change the transform-set value:

    crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess

    Let me know the result.

    Thank you

    Gilbert

  • Configuration of a Cisco ASA 5505 for the Cisco VPN Client

    Our firm has finally made the move from SonicWall to Cisco for our SMB customers. Got our first customer with a solid site-to-site VPN and have configured the main router for connections via the Cisco VPN Client using the VPN Wizard.

    When I install the VPN Client on desktop computers it does not pick up all the necessary options (unlike with an SSL VPN). I guess there is a process I am missing to export a connection profile that Cisco VPN Client users can import for their connection.

    Are there step-by-step guides to create the connection profile file to distribute to customers?

    Hello

    The ASDM wizard is for the configuration on the ASA. This wizard will help you complete the VPN configuration on the ASA end.

    You will need to set the same in the client, so that they can negotiate and connect.

    Connection entry in the client: this is what you want to be seen on the VPN client - it can be any name.

    Host will be the external IP address of the ASA.

    Group options:

    Name - same tunnel group as defined on the ASA.
    Password - pre-shared key as on the ASA.

    Confirm password - same pre-shared key.

    Once this is done, you will see the client has an entry, the same as a login entry. You must click on connect there. It will prompt for the user name and password. Please enter the login credentials. The VPN connects.

    You can distribute the .pcf file that is created at the location mentioned in the post above. Once the other clients receive the .pcf, they need to import it by clicking the import tab on the VPN client.

    Kind regards

    Anisha

  • Cisco VPN client (ASA) password expiry messages

    Hi all

    I am looking for a way to change the message displayed on the Cisco VPN Client when a password change is required. This configuration uses an ASA 5520 with Windows 2003 IAS RADIUS as the authentication server.

    I have configured the 'password-management' option under the tunnel-group, but when the password expires the VPN client prompts you to "enter a new PIN code".

    Is this message customizable, for example "Please enter a new password of 8 characters etc."?

    The original message does not communicate enough information to the user.

    Thank you

    Hi Matt,

    This is a known defect, CSCeh13180 (when using RADIUS with expiry), and there are currently no plans to fix this bug.

    But you can try this on one of your VPN clients and see if it helps.

    You need to change the vpnclient.ini on the PC that has the VPN Client installed. Here are the settings you will need...

    [RadiusSDI]

    NewPinSubStr="enter the new password:"

    HTH

    Kind regards

    JK

  • Connect Cisco VPN Client v5 to ASA 5505

    I have remote VPN configuration issues between an ASA 5505 and Cisco VPN Client v5. I can successfully establish a connection between the VPN client and the ASA and receive an IP address from the ASA. The VPN client statistics window shows that packets are sent and encrypted, but none of the packets are received/decrypted.

    Cannot ping the ASA 5505.

    Any ideas on what I missed?

    Try adding...

    crypto isakmp nat-traversal

    In addition, you cannot ping the inside interface of the ASA over the VPN without this command...

    management-access inside

    Please rate helpful posts.

  • Cisco VPN client 3.5.1 and Cisco ASA 5.2 (2)

    Hello

    I have a strange problem with the Cisco VPN Client (IPsec) and a Cisco ASA. The Cisco ASA runs software version 5.2(2). The Cisco VPN Client version is 3.5.1.

    The problem is that the Cisco VPN Client is able to authenticate successfully with the Cisco ASA, but cannot PING any LAN behind the Cisco ASA. However, the problem disappears when we use Cisco VPN Client version 4.6 or 4.8. All parameters are exactly the same. What has happened? What is the cause of this problem? How can I solve it?

    Please advise.

    Thank you

    Nitass

    I understand your problem. I never used 3.5.1, so I thought that maybe NAT-T is not enabled by default as it is in 4.x.
