ASA remote access problem

Hello

See attached my config.

The problem is that if I try to connect by VPN, the connection seems to be made between WAN ip of the client vpn and IP address of a host inside my LAN. I think that there is a NAT problem.

I need a transfer to a device inside the LAN port SIP and I think there is the problem because the VPN connection has tried to establish a connection with your device and not the ASA.

Maybe an expert could fix my config.

Thans and greetings

Jason

Hello Jason,

I think the version 8.3 of the code. 8.3, you can transfer a range of

ports on a device inside. Please, try the following:

ABC service object

service source tcp range 'starting port' port 'end '.

xyz network object

Host 'LAN client IP.

NAT static source (inside, outside) ABC ABC xyz xyz service

I hope this helps.

Kind regards

Tags: Cisco Security

Similar Questions

ASA remote access VPN cleaning

Experts,

I have about three or four remote access VPN that must be removed from my ASA. What is the best way to ensure that I remove all configurations of the ASA? Thank you. Best.

Hi Thomas,

You can run the command "clear configure vpn" to clear some vpn commands, if you do not have all the certificates or site to site, you can run the command "claire configure crypto" and remove any command associated crypto.

Rate if helps.

-Randy-

The ESP vpn remote access problem

I have vpn for remote access configured on the router from cisco 2901. Everything works well except 2 3g ipad. When I connect with the ipad 3g network it connects, but it is impossible to access the resources of the company. I talked to my phone provider and they told me that they have some problems NAT with ESP. and advised me to force vpn clients to use ports udp 500 and 4500. How do I configure my router to get there?

Thanks in advance

Hello

ISAKMP using UDP 500 port for connection management (Phase 1).

NAT - T (used when they are peripheral nat between two VPN end points) using UDP 4500 port.

So now your NAT - T router is configured by default, all you have to do is if you have an ACL on the external interface allow this traffic (Isakamp and NAT T) on some of its latest IOS versions, you do not have to apply the ACL that default VPN traffic (encrypted traffic bypasses the ACL).

If your condition is performed by default, great right thing! You can leave your phone provider, you are ready for the test.

Julio

Do rates all useful posts!

«Problems with remote access with ASA 5505-, this is the error "the remote peer is no more answers»

Hello

By train I got a remote access IPSec VPN, when I have all the performed configuration and try to access remote show software vpn client (cisco) the following message:

"The remote peer is no more answers.

I know where is the problem.

Network information:

ASA TO LAN - 1:

192.168.1.0 - 255.255.255.0

the interface vlan 1:

IP: 192.168.1.1 - 255.255.255.0

the interface vlan 2:

IP: 100.100.100.1 - 255.255.255.252

REMOTE LAN ACCESS:

192.168.10.0 - 255.255.255.0

ASA-1 configuration:

* IP address pool

local IP VPNPOOL 192.168.20.1 pool - 192.168.20.254

* Split tunneling

splittunnel list standard access allowed 192.168.1.0 255.255.255.0

* NAT configuration

object obj LAN
subnet 192.168.1.0 255.255.255.0
object obj-vpnpool network
subnet 192.168.20.0 255.255.255.0
NAT (inside, outside) 1 static source obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp

* Group Policy

internal group company-vpn-policy policy
attributes of vpn-company-policy-group policy
VPN-idle-timeout 30

Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list splittunnel

Configure the IPSec

IKEv1 crypto policy 10
3des encryption
sha hash
preshared authentication
Group 2
life 3600
Crypto ikev1 allow outside
crypto isakmp identity address

Crypto ipsec transform-set esp-3des esp-sha-hmac RA - TS ikev1

Dynamic crypto map DYN_MAP 10 set transform-set RA - TS ikev1

card crypto VPN_MAP 30-isakmp dynamic ipsec DYN_MAP
VPN_MAP interface card crypto outside

Create tunnels

tunnel-group vpnclient type remote access
tunnel-group vpnclient-global attributes
address VPNPOOL pool
by default-group-company-vpn-policy
tunnel-group vpnclient ipsec-attributes
IKEv1 pre-shared-key groupkey123

Where is the problem?

Hello
Configuration seems almost perfect. Please share the result of the following of the ASA when you try to connect.

Debug crypto isakmp 200
Debug crypto ipsec 200

You can take snapshots on the external interface of the firewall to confirm if the packets are reaching the firewall or don't use do not:
capture capx off match ip host host interface

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Problem with ASA 5505 VPN remote access

After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?

Here is the cfg running of the ASA

----------------------------------------------------------------------------------------

: Saved

:

ASA Version 8.4 (1)

!

hostname NCHCO

enable encrypted password xxxxxxxxxxxxxxx

xxxxxxxxxxx encrypted passwd

names of

description of NCHCO name 192.168.2.0 City offices

name 192.168.2.80 VPN_End

name 192.168.2.70 VPN_Start

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address **. ***. 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system Disk0: / asa841 - k8.bin

passive FTP mode

network of the NCHCO object

Subnet 192.168.2.0 255.255.255.0

network object obj - 192.168.1.0

subnet 192.168.1.0 255.255.255.0

network object obj - 192.168.2.64

subnet 192.168.2.64 255.255.255.224

network object obj - 0.0.0.0

subnet 0.0.0.0 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

the Web server object network

the FINX object network

Home 192.168.2.11

rdp service object

source between 1-65535 destination eq 3389 tcp service

Rdp description

outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0

inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224

outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

LAN_Access list standard access allowed 192.168.2.0 255.255.255.0

LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0

AnyConnect_Client_Local_Print deny ip extended access list a whole

AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

outside_access_in list extended access permit tcp any object FINX eq 3389

outside_access_in_1 list extended access allowed object rdp any object FINX

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 649.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0

NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64

NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64

!

network obj_any object

NAT dynamic interface (indoor, outdoor)

the FINX object network

NAT (inside, outside) interface static service tcp 3389 3389

Access-group outside_access_in_1 in interface outside

Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

network-acl outside_nat0_outbound

WebVPN

SVC request to enable default svc

Enable http server

http 192.168.1.0 255.255.255.0 inside

http *. **. ***. 255.255.255.255 outside

http *. **. ***. 255.255.255.255 outside

http NCHCO 255.255.255.0 inside

http 96.11.251.186 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform

IKEv1 crypto ipsec transform-set l2tp-transformation mode transit

Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1

transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1

Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1

transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map dyn-map 10 set pfs Group1

crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1

dynamic-map encryption dyn-map 10 value reverse-road

Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

Crypto-map dynamic outside_dyn_map 20 the value reverse-road

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs Group1

peer set card crypto outside_map 1 74.219.208.50

card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1

map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside crypto map inside_map interface

card crypto vpn-map 1 match address outside_1_cryptomap_1

card crypto vpn-card 1 set pfs Group1

set vpn-card crypto map peer 1 74.219.208.50

card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map

dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

crypto isakmp identity address

Crypto ikev1 allow inside

Crypto ikev1 allow outside

IKEv1 crypto ipsec-over-tcp port 10000

IKEv1 crypto policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

IKEv1 crypto policy 15

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 35

preshared authentication

3des encryption

sha hash

Group 2

life 86400

enable client-implementation to date

Telnet 192.168.1.0 255.255.255.0 inside

Telnet NCHCO 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH NCHCO 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd address 192.168.2.150 - 192.168.2.225 inside

dhcpd dns 216.68.4.10 216.68.5.10 interface inside

lease interface 64000 dhcpd inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server DNS 192.168.2.1

L2TP ipsec VPN-tunnel-Protocol ikev1

nchco.local value by default-field

attributes of Group Policy DfltGrpPolicy

value of server DNS 192.168.2.1

L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

allow password-storage

enable IPSec-udp

enable dhcp Intercept 255.255.255.0

the address value VPN_Pool pools

internal NCHCO group policy

NCHCO group policy attributes

value of 192.168.2.1 DNS Server 8.8.8.8

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1

value by default-field NCHCO.local

admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

username NCHvpn99 password dhn. JzttvRmMbHsP encrypted

attributes global-tunnel-group DefaultRAGroup

address (inside) VPN_Pool pool

address pool VPN_Pool

authentication-server-group (inside) LOCAL

authentication-server-group (outside LOCAL)

LOCAL authority-server-group

authorization-server-group (inside) LOCAL

authorization-server-group (outside LOCAL)

Group Policy - by default-DefaultRAGroup

band-Kingdom

band-band

IPSec-attributes tunnel-group DefaultRAGroup

IKEv1 pre-shared-key *.

NOCHECK Peer-id-validate

tunnel-group DefaultRAGroup ppp-attributes

No chap authentication

no authentication ms-chap-v1

ms-chap-v2 authentication

tunnel-group DefaultWEBVPNGroup ppp-attributes

PAP Authentication

ms-chap-v2 authentication

tunnel-group 74.219.208.50 type ipsec-l2l

IPSec-attributes tunnel-group 74.219.208.50

IKEv1 pre-shared-key *.

type tunnel-group NCHCO remote access

attributes global-tunnel-group NCHCO

address pool VPN_Pool

Group Policy - by default-NCHCO

IPSec-attributes tunnel-group NCHCO

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

: end

ASDM image disk0: / asdm - 649.bin

ASDM VPN_Start 255.255.255.255 inside location

ASDM VPN_End 255.255.255.255 inside location

don't allow no asdm history

---------------------------------------------------------------------------------------------------------------

And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:

---------------------------------------------------------------------------------------------------------------

Cisco Systems VPN Client Version 5.0.07.0440

Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

Customer type: Windows, Windows NT

Running: 6.1.7601 Service Pack 1

Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\

1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026

Try to find a certificate using hash Serial.

2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027

Found a certificate using hash Serial.

3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011

RELOADED successfully certificates in all certificate stores.

4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002

Start the login process

5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004

Establish a secure connection

6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "*." **. ***. *** »

7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B

Try to establish a connection with *. **. ***. ***.

8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001

From IKE Phase 1 negotiation

9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001

Peer is a compatible peer Cisco-Unity

13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports XAUTH

14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports the DPD

15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports NAT - T

16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

Peer supports fragmentation IKE payloads

17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001

IOS Vendor ID successful construction

18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083

IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072

Automatic NAT detection status:

Remote endpoint is NOT behind a NAT device

This effect is NOT behind a NAT device

21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015

Launch application xAuth

25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012

Attributes of the authentication request is 6: 00.

26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017

xAuth application returned

27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008

IPSec driver started successfully

29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E

Customer address a request from firewall to hub

35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F

SPLIT_NET #1

= 192.168.2.0 subnet

mask = 255.255.255.0

Protocol = 0

SRC port = 0

port dest = 0

45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local

46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710

47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11

49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019

Data in mode Config received

51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056

Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify has value of 86400 seconds

56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047

This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now

57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">

59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify is set to 28800 seconds

60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***

61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059

IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)

62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025

OUTGOING ESP SPI support: 0xAAAF4C1C

63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026

Charges INBOUND ESP SPI: 0x3EBEBFC5

64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001

Launch VAInst64 for controlling IPSec virtual card

66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034

The virtual card has been activated:

IP=192.168.2.70/255.255.255.0

DNS = 192.168.2.1, 8.8.8.8

WINS = 0.0.0.0 0.0.0.0

Domain = NCHCO.local

Split = DNS names

67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261

68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038

Were saved successfully road to file changes.

69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

Destination mask subnet Gateway Interface metric

0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100

96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261

192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100

192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261

192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261

224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261

255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261

70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036

The routing table has been updated for the virtual card

71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A

A secure connection established

72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001

Did not find the smart card to watch for removal

75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

Creates a new key structure

77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

Adding key with SPI = 0x1c4cafaa in the list of keys

78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

Creates a new key structure

79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

Adding key with SPI = 0xc5bfbe3e in the list of keys

80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F

Assigned WILL interface private addr 192.168.2.70

81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037

Configure the public interface: 96.11.251.149. SG: **.**.***.***

82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046

Define indicator tunnel set up in the registry to 1.

83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205276

85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276

88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019

Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e

89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205277

91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277

94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D

Upon request of the DPD to *. **. ***. , our seq # = 107205278

96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040

Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278

---------------------------------------------------------------------------------------------------------------

Any help would be appreciated, thanks!

try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.

Problem with remote access VPN on ASA 5505

I currently have a problem of an ASA 5505 configuration to connect via VPN remote access by using the Cisco VPN Client 5.0.07.0440 under Windows 8 Pro x 64. The VPN client will prompt you for the user name and password during the connection process, but fails soon after.

The VPN client connects is as follows:

---------------------------------------------------------------------------------------------------------------------------------------

Cisco Systems VPN Client Version 5.0.07.0440

Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

Customer type: Windows, Windows NT

Running: 6.2.9200

2 15:09:21.240 11/12/12 Sev = Info/4 CM / 0 x 63100002

Start the login process

3 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100004

Establish a secure connection

4 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "*." **. ***. *** »

5 15:09:21.287 11/12/12 Sev = Info/6 IKE/0x6300003B

Try to establish a connection with *. **. ***. ***.

6 15:09:21.287 11/12/12 Sev = Info/4 IKE / 0 x 63000001

From IKE Phase 1 negotiation

7 15:09:21.303 11/12/12 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

8 15:09:21.365 11/12/12 Sev = Info/6 GUI/0x63B00012

Attributes of the authentication request is 6: 00.

9 15:09:21.334 11/12/12 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

10 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

11 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

Peer is a compatible peer Cisco-Unity

12 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

Peer supports XAUTH

13 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

Peer supports the DPD

14 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

Peer supports NAT - T

15 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

Peer supports fragmentation IKE payloads

16 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000001

IOS Vendor ID successful construction

17 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000013

SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

18 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000055

Sent a keepalive on the IPSec Security Association

19 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000083

IKE port in use - Local Port = 0xFBCE, Remote Port = 0 x 1194

20 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000072

Automatic NAT detection status:

Remote endpoint is NOT behind a NAT device

This effect is behind a NAT device

21 15:09:21.334 11/12/12 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

22 15:09:21.365 11/12/12 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

23 15:09:21.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

24 15:09:21.365 11/12/12 Sev = Info/4 CM / 0 x 63100015

Launch application xAuth

25 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700008

IPSec driver started successfully

26 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

27 15:09:27.319 11/12/12 Sev = Info/4 CM / 0 x 63100017

xAuth application returned

28 15:09:27.319 11/12/12 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

29 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

30 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

31 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

32 15:09:27.365 11/12/12 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

33 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300005E

Customer address a request from firewall to hub

34 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

35 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

36 15:09:27.397 11/12/12 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

37 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

38 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

39 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

40 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

41 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

42 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO

43 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

44 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (5) built by manufacturers on Saturday, May 20, 11 16:00

45 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

46 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

47 15:09:27.397 11/12/12 Sev = Info/4 CM / 0 x 63100019

Data in mode Config received

48 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000056

Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

49 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

50 15:09:27.444 11/12/12 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

51 15:09:27.444 11/12/12 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

52 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify has value of 86400 seconds

53 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000047

This SA was already alive for 6 seconds, setting expiration 86394 seconds now

54 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

55 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

56 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO *(HASH, DEL) to *. **. ***. ***

57 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000049

IPsec security association negotiation made scrapped, MsgID = CE99A8A8

58 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000017

Marking of IKE SA delete (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED

59 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = *. **. ***. ***

60 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000058

Received an ISAKMP for a SA message no assets, I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924

61 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

62 15:09:27.490 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

63 15:09:30.475 11/12/12 Sev = Info/4 IKE/0x6300004B

IKE negotiation to throw HIS (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED

64 15:09:30.475 11/12/12 Sev = Info/4 CM / 0 x 63100012

ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

65 15:09:30.475 11/12/12 Sev = Info/5 CM / 0 x 63100025

Initializing CVPNDrv

66 15:09:30.475 11/12/12 Sev = Info/6 CM / 0 x 63100046

Set indicator established tunnel to register to 0.

67 15:09:30.475 11/12/12 Sev = Info/4 IKE / 0 x 63000001

Signal received IKE to complete the VPN connection

68 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

69 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

70 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

Remove all keys

71 15:09:30.475 11/12/12 Sev = Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

---------------------------------------------------------------------------------------------------------------------------------------

The running configuration is the following (there is a VPN site-to-site set up as well at an another ASA 5505, but that works perfectly):

: Saved

:

ASA Version 8.2 (5)

!

hostname NCHCO

Select hTjwXz/V8EuTw9p9 of encrypted password

hTjwXz/V8EuTw9p9 of encrypted passwd

names of

description of NCHCO name 192.168.2.0 City offices

name 192.168.2.80 VPN_End

name 192.168.2.70 VPN_Start

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address **. ***. 255.255.255.248

!

boot system Disk0: / asa825 - k8.bin

passive FTP mode

access extensive list ip NCHCO 255.255.255.0 outside_nat0_outbound allow 192.168.1.0 255.255.255.0

access extensive list ip NCHCO 255.255.255.0 inside_nat0_outbound allow 192.168.1.0 255.255.255.0

inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap allow 192.168.1.0 255.255.255.0

access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap_1 allow 192.168.1.0 255.255.255.0

Standard access list LAN_Access allow NCHCO 255.255.255.0

LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 645.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (outside) 0-list of access outside_nat0_outbound

Route outside 0.0.0.0 0.0.0.0 74.219.208.49 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

network-acl outside_nat0_outbound

WebVPN

SVC request to enable default svc

Enable http server

http 192.168.1.0 255.255.255.0 inside

http *. **. ***. 255.255.255.255 outside

http 74.218.158.238 255.255.255.255 outside

http NCHCO 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac l2tp-transform

Crypto ipsec transform-set l2tp-transformation mode transit

Crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map dyn-map 10 set pfs Group1

crypto dynamic-map dyn-map transform 10-set, vpn l2tp-transformation-transformation

dynamic-map encryption dyn-map 10 value reverse-road

Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs Group1

peer set card crypto outside_map 1 74.219.208.50

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside crypto map inside_map interface

card crypto vpn-map 1 match address outside_1_cryptomap_1

card crypto vpn-card 1 set pfs Group1

set vpn-card crypto map peer 1 74.219.208.50

card crypto vpn-card 1 set of transformation-ESP-3DES-SHA

dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

crypto isakmp identity address

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 15

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 35

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP ipsec-over-tcp port 10000

enable client-implementation to date

Telnet 192.168.1.0 255.255.255.0 inside

Telnet NCHCO 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH NCHCO 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd address 192.168.2.150 - 192.168.2.225 inside

dhcpd dns 216.68.4.10 216.68.5.10 interface inside

lease interface 64000 dhcpd inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server DNS 192.168.2.1

Protocol-tunnel-VPN IPSec l2tp ipsec

nchco.local value by default-field

attributes of Group Policy DfltGrpPolicy

value of server DNS 192.168.2.1

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

allow password-storage

enable IPSec-udp

enable dhcp Intercept 255.255.255.0

the address value VPN_Pool pools

internal NCHVPN group policy

NCHVPN group policy attributes

value of 192.168.2.1 DNS Server 8.8.8.8

Protocol-tunnel-VPN IPSec l2tp ipsec

value by default-field NCHCO

admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

username, encrypted NCHvpn99 QhZZtJfwbnowceB7 password

attributes global-tunnel-group DefaultRAGroup

address (inside) VPN_Pool pool

address pool VPN_Pool

authentication-server-group (inside) LOCAL

authentication-server-group (outside LOCAL)

LOCAL authority-server-group

authorization-server-group (inside) LOCAL

authorization-server-group (outside LOCAL)

Group Policy - by default-DefaultRAGroup

band-Kingdom

band-band

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared key *.

NOCHECK Peer-id-validate

tunnel-group DefaultRAGroup ppp-attributes

No chap authentication

no authentication ms-chap-v1

ms-chap-v2 authentication

tunnel-group DefaultWEBVPNGroup ppp-attributes

PAP Authentication

ms-chap-v2 authentication

tunnel-group 74.219.208.50 type ipsec-l2l

IPSec-attributes tunnel-group 74.219.208.50

pre-shared key *.

type tunnel-group NCHVPN remote access

attributes global-tunnel-group NCHVPN

address pool VPN_Pool

Group Policy - by default-NCHVPN

IPSec-attributes tunnel-group NCHVPN

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:15852745977ff159ba808c4a4feb61fa

: end

ASDM image disk0: / asdm - 645.bin

ASDM VPN_Start 255.255.255.255 inside location

ASDM VPN_End 255.255.255.255 inside location

don't allow no asdm history

Anyone have any idea why this is happening?

Thank you!

Add, crypto dynamic-map outside_dyn_map 20 value reverse-road.

With respect,

Safwan

ODA IP ASA when you browse the web via remote access vpn

Hi all

I was wondering if it is possible to configure an ASA5510 in a way to allow users remote access VPN use external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the IP address of the ASA, when browsing.

The firmware version of the ASA is 9.1 (6)

Thanks in advance

Hello

What you want to achieve is calles u-turn.

You must enable the feature allowed same-security-traffic intra-interface

For the configuration of the asa, here's the Cisco documentation (I don't copy paste on the post):

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Thank you

PS: Please do not forget to rate and score as good response if this solves your problem

Cisco ASA Anyconnect LAN access problem

I have very simple network at home with the WAN IP address, ASA uses DHCP and gateway. plain of network of all no complications.

X.X.X.X like a WAN

192.168.1.0/24 as a LAN

IP Pool 192.168.6.0/24 (VPN Pool)

I am trying to configure AnyConnect (AC) so that I can connect remotely and get my resources on the LAN while out. I am to connect with AC and when you use split tunnel I'm browsing the web very well, but I have no access to the local network (without ICMP or TCP/UDP)

Route looks good in customer AC

unsecured network 0.0.0.0/0
secure network 192.168.1.0/24

What I'm missing for LAN access?, nat statement, list of access...?

_____________________________

Output of the command: "show run".

: Saved
:
ASA Version 9.1 (5)
!
hostname asa01
domain name asa

names of
192.168.6.2 mask - 192.168.6.100 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Outside description
nameif outside
security-level 0
IP address XXXX
!
interface Vlan5
nameif dmz
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
boot system Disk0: / asa915 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
domain naisus.local
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.6.0_25 object
subnet 192.168.6.0 255.255.255.128
object-group Protocol DM_INLINE_PROTOCOL_1
icmp protocol object
icmp6 protocol-object
outside_access_in list extended access permit icmp any any idle state
outside_access_in extended access list allow icmp6 all all idle state
outside_access_in_1 list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
list of access allowed standard LAN 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside 192.168.1.99
forest-hostdown operating permits
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.6.0_25 NETWORK_OBJ_192.168.6.0_25 non-proxy-arp-search of route static destination
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 X > X > X >
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = asa01, CN = 192.168.1.1
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 8b541b55
308201c 3 c 3082012 a0030201 0202048b 0d06092a 864886f7 0d 010105 541b 5530
XXXX
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 access remote trustpoint ASDM_Launcher_Access_TrustPoint_0
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd outside auto_config
!
dhcpd address 192.168.1.100 - 192.168.1.199 inside
dhcpd dns 8.8.8.8 75.75.75.75 interface inside
dhcpd naisus.home area inside interface
dhcpd allow inside
!
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 50.116.56.17 source outdoors
NTP server 108.61.73.243 source outdoors
NTP server 208.75.89.4 prefer external source
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
Trust ASDM_Launcher_Access_TrustPoint_0 inside the vpnlb-ip SSL-point
SSL-trust ASDM_Launcher_Access_TrustPoint_0 inside point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1 regex 'Windows NT'
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2 regex "Intel Mac OS X.
AnyConnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3 regex "Linux".
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
VPN - connections 30
VPN-idle-timeout 5
internal GroupPolicy_AC_Profile group strategy
attributes of Group Policy GroupPolicy_AC_Profile
WINS server no
4.2.2.2 DNS server value
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value LAN
naisus.local value by default-field
XX XX encrypted privilege 15 password username
name of user XX attributes
WebVPN
chip-tunnel tunnel-policy tunnelall
type tunnel-group AC_Profile remote access
attributes global-tunnel-group AC_Profile
address pool VPN-pool
Group Policy - by default-GroupPolicy_AC_Profile
tunnel-group AC_Profile webvpn-attributes
enable AC_Profile group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:xxx
: end

I'm not positive that's causing the problem, but I noticed that you have defined incoherent poolside VPN as a 24 (in the command name and that name is associated with the tunnel group) and 25 (in the command object on the network that is also referenced in the statement of NAT exempting NAT to that object). True your pool assigns addresses from the lower half of the 24, but still...

I try to simplify things by using a single object for something like that, which is used in several places. With the help of objects the way they are intended, and which allows to avoid any discrepancies.

Remote access server problem ASA5510

Hello guys,.

I have a problem with ASA5510 configured as a remote access server. We use the client VPN in Windows XP. Look at the requirements I see no problem, but when I try to connect to the server it doesn't open the negotiation of VPN. I had the problem like this before, but at least I saw the traffic hitting the ASA. Now, I don't see anything hitting the device. I enclose the current configuration of the SAA. The VPN client on my laptop is configured correctly. Thank you in advance!

RVR

Hello

Happy to help and thanks for the note.

This command is not required, but 90% of deployment I've seen has this configured command and is the default value for the SAA. In a Word, what this command is open to IKE and IPSEC ports and also does not check ACL entering ASA for IPSEC traffic.

In case if you do not have this command enabled, you must configure inbound ACL to allow IKE, IPSEC and text clear remote access VPN traffic after IPSEC packets get decrypted on the SAA.

Kind regards

Arul

* Rate pls if it helps *.

Cisco ASA 8.4 (3) remote access VPN - client connects but cannot access inside the network

I have problems to access the resources within the network when connecting with the Cisco VPN client for a version of 8.4 (3) operation of the IOS Cisco ASA 5510. I tried all new NAT 8.4 orders but cannot access the network interior. I can see traffic in newspapers when ping. I can only assume I have NAT evil or it's because the inside interface of the ASA is on the 24th of the same subnet as the network interior? Please see config below, any suggestion would be appreciated. I configured a VPN site to another in this same 5510 and it works well

Thank you

interface Ethernet0/0

Speed 100

full duplex

nameif outside

security-level 0

IP x.x.x.x 255.255.255.240

!

interface Ethernet0/1

Speed 100

full duplex

nameif inside

security-level 100

IP 10.88.10.254 255.255.255.0

!

interface Management0/0

Shutdown

nameif management

security-level 0

no ip address

!

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network of the PAT_to_Outside_ClassA object

10.88.0.0 subnet 255.255.0.0

network of the PAT_to_Outside_ClassB object

subnet 172.16.0.0 255.240.0.0

network of the PAT_to_Outside_ClassC object

Subnet 192.168.0.0 255.255.240.0

network of the LocalNetwork object

10.88.0.0 subnet 255.255.0.0

network of the RemoteNetwork1 object

Subnet 192.168.0.0 255.255.0.0

network of the RemoteNetwork2 object

172.16.10.0 subnet 255.255.255.0

network of the RemoteNetwork3 object

10.86.0.0 subnet 255.255.0.0

network of the RemoteNetwork4 object

10.250.1.0 subnet 255.255.255.0

network of the NatExempt object

10.88.10.0 subnet 255.255.255.0

the Site_to_SiteVPN1 object-group network

object-network 192.168.4.0 255.255.254.0

object-network 172.16.10.0 255.255.255.0

object-network 10.0.0.0 255.0.0.0

outside_access_in deny ip extended access list a whole

inside_access_in of access allowed any ip an extended list

11 extended access-list allow ip 10.250.1.0 255.255.255.0 any

outside_1_cryptomap to access extended list ip 10.88.0.0 255.255.0.0 allow object-group Site_to_SiteVPN1

mask 10.250.1.1 - 10.250.1.254 255.255.255.0 IP local pool Admin_Pool

NAT static NatExempt NatExempt of the source (indoor, outdoor)

NAT (inside, outside) static source any any static destination RemoteNetwork4 RemoteNetwork4-route search

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork1 RemoteNetwork1

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork2 RemoteNetwork2

NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork3 RemoteNetwork3

NAT (inside, outside) static source LocalNetwork LocalNetwork static destination RemoteNetwork4 RemoteNetwork4-route search

!

network of the PAT_to_Outside_ClassA object

NAT dynamic interface (indoor, outdoor)

network of the PAT_to_Outside_ClassB object

NAT dynamic interface (indoor, outdoor)

network of the PAT_to_Outside_ClassC object

NAT dynamic interface (indoor, outdoor)

Access-group outside_access_in in interface outside

inside_access_in access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

dynamic-access-policy-registration DfltAccessPolicy

Sysopt connection timewait

Service resetoutside

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-ikev1 esp-md5-hmac bh-series

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto-map dynamic dynmap 10 set pfs

Crypto-map dynamic dynmap 10 set transform-set bh - set ikev1

life together - the association of security crypto dynamic-map dynmap 10 28800 seconds

Crypto-map dynamic dynmap 10 kilobytes of life together - the association of safety 4608000

Crypto-map dynamic dynmap 10 the value reverse-road

card crypto mymap 1 match address outside_1_cryptomap

card crypto mymap 1 set counterpart x.x.x.x

card crypto mymap 1 set transform-set ESP-AES-256-SHA ikev1

card crypto mymap 86400 seconds, 1 lifetime of security association set

map mymap 1 set security-association life crypto kilobytes 4608000

map mymap 100-isakmp ipsec crypto dynamic dynmap

mymap outside crypto map interface

crypto isakmp identity address

Crypto isakmp nat-traversal 30

Crypto ikev1 allow outside

IKEv1 crypto ipsec-over-tcp port 10000

IKEv1 crypto policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 10

preshared authentication

3des encryption

sha hash

Group 1

life 86400

IKEv1 crypto policy 50

preshared authentication

the Encryption

md5 hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

preshared authentication

aes-256 encryption

sha hash

Group 1

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

Telnet timeout 5

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal BACKDOORVPN group policy

BACKDOORVPN group policy attributes

value of VPN-filter 11

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelall

BH.UK value by default-field

type tunnel-group BACKDOORVPN remote access

attributes global-tunnel-group BACKDOORVPN

address pool Admin_Pool

Group Policy - by default-BACKDOORVPN

IPSec-attributes tunnel-group BACKDOORVPN

IKEv1 pre-shared-key *.

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group ipsec-attributes x.x.x.x

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

Excellent.

Evaluate the useful ticket.

Thank you

Rizwan James

Bad VPN ASA injection road on OSPF when using remote access

Has anyone ever seen the ASA by inserting a bad road in a connection that has been set up with it? I'll explain more below:

I'm using a reverse road Injection. When access remotely with IPSEC (CLIENT) connects to the camera ASA, ASA create a static route to the remote access to the closest router for the SAA to come to this remote access. This itinerary is distributed on OSPF. OK, it may be a normal situation. But, the problem is when I ask another participant of this OSPF area, which is the road to this remote access (CLIENT), the answer is the router closer to the ASA and don't have to ASA. Does anyone have a solution for this? I tried to create a roadmap but that you did not.

If I understand your question, my question for you is whether the OSPF route to the remote VPN client is source by ASA or another device?

Is the IP address in the space I wrote ASA_ROUTER_ID ASA router ID or it is the router from another device ID? What I've listed below are an example of the output of "show ip route. The value in bold must be ASA router ID, if she is from the road to the VPN client. Other OSPF routers will forward packets destined to VPN to ASA client.

#sh ip route 1.1.1.0
Routing for 1.1.1.0/24 entry
Known through the "ospf 1", metric 110, distance 310, type intra zone
Last updated on GigabitEthernet0 1.2.2.2, 2w there
Routing descriptor blocks:
* 1.2.2.2, ASA_ROUTER_ID, there is, through GigabitEthernet0 2w
Path metric is 310, number of shares of traffic 1

Service of ASA module does on 6509-E support remote access VPN?

I'm having a problem of configuration of remote access VPN (SSL, Anyconnect ect.) on the Module of ASA Service on 6509-E. It is even supported or I'm wasting my time trying to do something that won't work in a first place :) to work? Site-to-Site works without any problem.

Technical info:

6509-E current SUP 2 t SY 15.1 (2)

Module of ASA - WS-SVC-ASA-SM1 running of the image - asa912-smp-k8 & asdm-712

Licenses on ASA:

Encryption--Activated

3DES-AES-Encryption - enabled

Thank you for the support.

You run multiple context mode?

If you are, access remote VPN only is not supported in this case:

"Note several context mode only applies to the IKEv2 and IKEv1 site to another and applies not to the AnyConnect, clientless SSL VPN, the legacy Cisco VPN, native VPN client client of Apple, the VPN client from Microsoft or cTCP for IKEv1 IPsec."

Reference.

Problems with remote access IPSec VPN

Dear Experts,

Kindly help me with this problem of access VPN remotely.

I have configured remote access VPN IPSec using the wizard. The remote client connects to fine enough seat, gets the defined IP address, sends the packets and bytes, BUT do not receive all the bytes or decrypt packets. On the contrary, the meter to guard discarded rising.

What could be possibly responsible or what another configuration to do on the SAA for the connection to be fully functional?

It can help to say that Anyconnect VPN is configured on the same external Interface on the ASA, and it is still functional. What is the reason?

AnyConnect VPN is used by staff for remote access.

Kindly help.

Thank you.

Hello

So if I understand correctly, you have such an interface for LAN and WAN and, naturally, the destination networks you want to reach via the VPN Client connection are all located behind the LAN interface.

In this case the NAT0 configuration with your software most recent could look like this

object-group, LAN-NETWORKS-VPN network

network-object

network-object

network-object

network of the VPN-POOL object

subnet

destination of LAN-NETWORKS-VPN VPN-NETWORKS-LAN static NAT (LAN, WAN) 1 static source VPN-VPN-POOL

Naturally, the naming of interfaces and objects might be different. In this case its just meant to illustrate the purpose of the object or interface.

Naturally I'm not sure if the NAT0 configuration is the problem if I can't really say anything for some that I can't see the configuration.

As for the other question,

I have not implemented an ASA to use 2 interfaces so WAN in production environments in the case usually has separate platforms for both or we may be hosting / providing service for them.

I imagine that there are ways to do it, but the main problem is the routing. Essentially, we know that the VPN Client connections can come from virtually any public source IP address, and in this case we would need to default route pointing to the VPN interface since its not really convenient to set up separate routes for the IP address where the VPN Client connections would come from.

So if we consider that it should be the default route on the WEBSITE of the ASA link, we run to the problem that we can not have 2 default routes on the same active device at the same time.

Naturally, with the level of your software, you would be able to use the NAT to get the result you wanted.

In short, the requirements would be the following
- VPN interface has a default route, INTERNET interface has a default route to value at the address below
- NAT0 between LAN and VPN interface configuration to make sure that this traffic is passed between these interface without NAT
- Interfaces to special NAT configuration between LAN and INTERNET which would essentially transfer all traffic on the INTERNET interface (except for VPN traffic that we have handled in the previous step)
The above things would essentially allow the VPN interface have the default route that would mean that no matter what the VPN Client source IP address it should be able to communicate with the ASA.

The NAT0 configuration application would be to force ASA to pass this traffic between the LAN and VPN (pools) for VPN traffic.

The special configuration of NAT then match the traffic from LAN to ANY destination address and send to the INTERNET interface. Once this decision is made the traffic would follow the lower value default route on this interface.

I would say that this isn't really the ideal situation and the configuration to use in an environment of productin. It potentially creates a complex NAT configuration such that you use to manipulate the traffic instead of leave the mark of table routing choice in the first place.

Of course, there could be other options, but I have to test this configuration before I can say anything more for some.

-Jouni

Site to Site and together on ASA 5505 VPN remote access

Hello

I tried to set up a VPN Site again on an ASA5505 where there already is a VPN remote on it.

After you add the new configuration lines, I received the following message when I debug:

04 Nov 07:06:06 [IKEv1]: group = , IP = , error QM WSF (P2 struct & 0xd91a4d10, mess id 0xeac05ec0).

04 Nov 07:04:36 [IKEv1]: group = , IP = , peer of drop table Correlator has failed, no match!

Someone knows what's the problem? And what to change in the config?

Thanks in advance,

Ruben

Hello

If the ASA had a remote access VPN and you add a new Site-to-Site you must make sure that the priority for the card encryption is weaker for the new Site-to - added Site.This is because otherwise traffic will always try to match the access tunnel at distance. You can check it with the command "sh run card cry"

Federico.

Problem with remote access in a residential group

Having a problem with desktop sharing remote within a group of home access. I don't have problem of access to the desktop from the laptop, but for some reason I can't access the laptop from the desktop. I tried everything I could think of. Remote access is enabled on both PCs. Help, please. Thank you very much!

Hello

1. who is the operating system installed on the desktop and laptop computers?

2. what happens when you try to access the laptop from the desktop? You receive an error message?

3. What are troubleshooting you performed?

I suggest you follow these methods and check.

In a first step of troubleshooting, I suggest to run the troubleshooter to group on the source and the destination computer.

Step 1: Open the troubleshooter group living

If your computer has problems viewing computers or files shared in your collective housing, try to use the collective dwelling Troubleshooter to fix the problem

http://Windows.Microsoft.com/en-us/Windows7/open-the-HomeGroup-Troubleshooter

Step 2: Share files and folders on a group of houses in the laptop using the method proposed below. Try to access from desktop and check.

a. right click on the item you want to share, and then click share with.

b. Select Home Group (read/write)

c. this option share point with your entire Home Group and allows them to open, edit, or delete.

Share files with someone: http://Windows.Microsoft.com/en-us/Windows7/share-files-with-someone

See also:

Home Group: frequently asked questions
http://Windows.Microsoft.com/en-us/Windows7/HomeGroup-frequently-asked-questions

I hope this helps!

ASA remote access problem

Similar Questions

Maybe you are looking for