Cisco VPN + Win XP SP2 Firewall

We started to test Windows XP SP2, last week and met with an interesting question. If you activate the XP SP2 Firewall services it will disrupt Cisco VPN to establish a TCP connection. I created an exception to the application, but is not solving the problems.

Note: If you change the UDP/10000 connection it works fine, but IPSec through NAT on TCP/443 will not work.

Using "capture" on my PIX I can compare a successful connection (firewall off) and a failed connection (firewall). On the attempt of the ACK packet between the host and the VPN concentrator is blocked. Unfortunately the debugging of winXP is essentially useless.

Has anyone meet a similar problem? Any help would be appreciated.

Create an exception in the Windows Firewall to allow the 62515/udp port. The scope should be of any computer. It is my understanding that Cisco is working on an updated version of the client which will address this, but it should work in the meantime.

Tags: Cisco Security

Similar Questions

Allow Cisco VPN Client through the firewall?

Hello

How can I allow a cisco VPN client work from the inside of our network to an external IP address?

We have customers who wish to make use of their Cisco VPN Client companies but our ASA blocks I think?

Also (sorry to ask) a friend in South America is having the same problem but I am not hink they use Cisco, is there a default port used by the client to Cisco? then I can send this info?

Thank you

Generally, the ASA will allow the IPSEC from the inside to outside traffic. This is when you want it came outside and connect to you - this is where it gets creative. You restrict outgoing traffic at all? You deny all ip/tcp/udp outgoing?

But may depend on if the remote end is compaitable NAT - T, and if they have configured. Another question would be how they allow VPN traffic go?

Comments Win XP cannot connect to the network when Cisco VPN works on Mac

Guest OS (Win XP) on the merger connects to the network, no problem. However, when I start a Cisco VPN on my Mac (not in the guest operating system) and then start Fusion/guest OS, the guest cannot connect to the network.
I was able to use this configuration for a year on an old MacBook Pro (unibody). Last month, I got a new MacBook Pro and flying over my virtual machine image. I don't check for a few weeks. I'm sure I fly over the image correctly because everything else seems OK or if the IT guys doing something to block my traffic over the VPN.
Config
-Fusion - Version 3.1.0 (261 058)
-Mac - 10.6.4
So far, I have tried the following
-started to merge and XP without VPN on Mac - OK (bridge autodetect)
-launched VPN to work, and then launched Fusion - no network
-tried ipconfig/release, ipconfig / renew - not always no network
-tried NAT - do always no network
Thanks in advance. For any help or suggestion will be greatly appreciated.
Bernie

The NAT value and then restart the virtual machine. Works for me with the VPN client built into a cisco router.

Do not work the real on 10.6.4 cisco software unless you really need to.

Error of customer Cisco VPN connection ASA 5505

I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.

CISCO VPN CLIENT LOG

Cisco Systems VPN Client Version 5.0.06.0160

Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.

Customer type: Windows, Windows NT

Running: 6.1.7600

Config files directory: C:\Program Cisco Systems Client\

1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002

Start the login process

2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004

Establish a secure connection

3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024

Attempt to connect with the server "71.xx.xx.253".

4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B

Attempts to establish a connection with 71.xx.xx.253.

5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001

From IKE Phase 1 negotiation

6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253

7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer is a compatible peer Cisco-Unity

10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports XAUTH

11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports the DPD

12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports NAT - T

13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

Peer supports fragmentation IKE payloads

14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001

IOS Vendor ID successful construction

15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253

16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055

Sent a keepalive on the IPSec Security Association

17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083

IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194

18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072

Automatic NAT detection status:

Remote endpoint is NOT behind a NAT device

This effect is behind a NAT device

19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E

Customer address a request from firewall to hub

22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253

23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1

26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0

27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250

28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251

29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000

30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA

31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45

33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019

Data in mode Config received

36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056

Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0

37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253

38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045

Answering MACHINE-LIFE notify has value of 86400 seconds

41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047

This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now

42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013

SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253

45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049

IPsec security association negotiation made scrapped, MsgID = 89EE7032

46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017

Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

Received packet of ISAKMP: peer = 71.xx.xx.253

48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058

Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8

49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B

IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012

ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025

Initializing CVPNDrv

53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046

Set indicator established tunnel to register to 0.

54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001

Signal received IKE to complete the VPN connection

----------------------------------------------------------------------------------------

ASA 5505 CONFIG

: Saved

:

ASA Version 8.2 (1)

!

ciscoasa hostname

domain masociete.com

activate tdkuTUSh53d2MT6B encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Vlan1

nameif inside

security-level 100

IP 172.26.0.252 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

IP address 71.xx.xx.253 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

clock timezone IS - 5

clock to summer time EDT recurring

DNS server-group DefaultDNS

domain masociete.com

access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA

Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0

outside_access_in list extended access permit icmp any one

outside_access_in list extended access udp allowed any any eq 4500

outside_access_in list extended access udp allowed any any eq isakmp

outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp

outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389

inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240

inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask

ICMP unreachable rate-limit 1 burst-size 1

enable ASDM history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_outbound_nat0_acl

NAT (inside) 1 0.0.0.0 0.0.0.0

static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255

static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

Enable http server

http 172.26.0.0 255.255.0.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

!

no basic threat threat detection

no statistical access list - a threat detection

no statistical threat detection tcp-interception

WebVPN

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server WINS 172.26.0.250 172.26.0.251

value of 172.26.0.250 DNS server 172.26.0.251

Protocol-tunnel-VPN IPSec l2tp ipsec svc

value by default-field TLCUSA

internal LIMUVPNPOL1 group policy

LIMUVPNPOL1 group policy attributes

value of 172.26.0.250 DNS server 172.26.0.251

VPN-idle-timeout 30

Protocol-tunnel-VPN IPSec l2tp ipsec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list LIMU_Split_Tunnel_List

the address value VPN_POOL pools

internal TLCVPNGROUP group policy

TLCVPNGROUP group policy attributes

value of 172.26.0.250 DNS server 172.26.0.251

Protocol-tunnel-VPN IPSec l2tp ipsec svc

Re-xauth disable

enable IPSec-udp

value by default-field TLCUSA

barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0

username barry.julien attributes

VPN-group-policy TLCVPNGROUP

Protocol-tunnel-VPN IPSec l2tp ipsec

bjulien bhKBinDUWhYqGbP4 encrypted password username

username bjulien attributes

VPN-group-policy TLCVPNGROUP

attributes global-tunnel-group DefaultRAGroup

address VPN_POOL pool

Group Policy - by default-DefaultRAGroup

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared-key *.

tunnel-group DefaultRAGroup ppp-attributes

no authentication ms-chap-v1

ms-chap-v2 authentication

type tunnel-group TLCVPNGROUP remote access

attributes global-tunnel-group TLCVPNGROUP

address VPN_POOL pool

Group Policy - by default-TLCVPNGROUP

IPSec-attributes tunnel-group TLCVPNGROUP

pre-shared-key *.

ISAKMP ikev1-user authentication no

tunnel-group TLCVPNGROUP ppp-attributes

PAP Authentication

ms-chap-v2 authentication

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:b94898c163c59cee6c143943ba87e8a4

: end

enable ASDM history

can you try to change the transformation of dynamic value ESP-3DES-SHA map.

for example

remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5

and replace with

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

Receive message "Validation of C:\WINDOWS\System32\VSINIT.dll failure" error message when trying to run Cisco VPN Client.

windows\system32\vsinit.dll

I try to run CISCO "VPN Client" connect from my PC at home for my work PC.

Then, I get a message:

Validation failed for C:\WINDOWS\System32\VSINIT.dll

Any ideas?

Martin

Hello

Run the checker system files on the computer. Link, we can see: Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe): http://support.microsoft.com/kb/310747

Note that: if he asks you the service pack CD, follow these steps from the link: you are prompted to insert a Windows XP SP2 CD when you try to run the tool on a Windows XP SP2 computer system File Checker: http://support.microsoft.com/kb/900910 (valid for Service pack 3)

If the steps above is not enough of it please post your request in the TechNet forum for assistance: http://social.technet.microsoft.com/Forums/en/category/windowsxpitpro

Professional Windows Vista crashes when you use Cisco VPN Client 5.05.0290

I have a Dell Latitude E6400 Windows Vista Business (32 bit) operating system. When I go to turn on the VPN client, I get invited to my username / password and once entered, the system just hangs. The only way to answer, it's a re-start. I took action:

1 disabled UAC in Windows
2 tried an earlier version of the VPN client
3. by the representative of Cisco, I put the application runs as an administrator

If there are any suggestions or similar stories, I would be grateful any offereings.

It IS the COMODO Firewall with the 5.0.x CISCO VPN client that causes the gel. The last update of COMODO has caused some incompatibility. I tried to install COMODO without the built in Zonealerm, but it is still frozen. The only way to solve it is to uninstall COMODOD. Since then, my CISCO VPN client works again...

Cisco vpn client is supported on the analogue ppp connection

can someone pls tell me if we can use the client vpn cisco on a ppp connection analog and put a pix that is not PPPs running. If it works, then why do we need to VPN L2tp/ipsec. can someone pls tell me something abt it. It is very urgent.

concerning

Assane

Assane,

If I understand your question, you speak with PPP initially to get an IP address from your service provider, then use the Client VPN VPN in your Pix Firewall. If so, yes it is possible.

To name a few reasons why PPTP or L2TP/IPSEC is used instead of Cisco VPN Client are:

1. because companies have used a PPTP or L2TP/IPSEC solution for some time and are migrating to Cisco VPN

2. do not install vpn on the PC client software

3. won't pay for the VPN Client software licenses

Let me know if it helps.

Kind regards

Arul

All necessary licenses on ASA 5510 for old Cisco VPN Client

We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with? No matter what special config that needs to be done on the 5510?

Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).

You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.

Cisco VPN Client behind PIX 515E,-> VPN concentrator

I'm trying to configure a client as follows:

The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

IOS VPN will not respond to connections Cisco VPN Client.

Hi all

I'll put my routers fire here.

I have two 2921 SRI both with licenses of security concerning leased lines separated. I configured one to accept our workers to remote Client VPN Cisco VPN connections.

I have followed the set up process I used on another site with a router 1841/s and the same customers and I have also checked against the config given in the last guide of IOS15 EasyVPN.

With debugs all assets, all I see is

038062: 14:03:04.519 Dec 8: ISAKMP (0): received x.y.z.z dport-60225 Global (N) SA NEW 500 sport package
038063: 14:03:04.519 Dec 8: ISAKMP: created a struct peer x.y.z.z, peer port 60225
038064: 14:03:04.519 Dec 8: ISAKMP: new position created post = 0x3972090C peer_handle = 0x8001D881
038065: 14:03:04.523 Dec 8: ISAKMP: lock struct 0x3972090C, refcount 1 to peer crypto_isakmp_process_block
038066: 14:03:04.523 Dec 8: ISAKMP: (0): client setting Configuration parameters 3E156D70
038067: 14:03:10.027 Dec 8: ISAKMP (0): packet received x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATE

Here is the abbreviated config.

System image file is "flash0:c2900 - universalk9-mz.» Spa. 154 - 1.T1.bin.

AAA new-model
!
!
AAA authentication login default local
local VPNAUTH AAA authentication login
AAA authorization exec default local
local authorization AAA VPN network
!
!
!
!
!
AAA - the id of the joint session

crypto ISAKMP policy 10
BA aes
preshared authentication
Group 14

ISAKMP crypto group configuration of VPN client
key ****-****-****-****
DNS 192.168.177.207 192.168.177.3
xxx.local field
pool VPNADDRESSES
ACL REVERSEROUTE

Crypto ipsec transform-set aes - esp esp-sha-hmac HASH
tunnel mode

Profile of crypto ipsec IPSECPROFILE
the HASH transform-set value

dynamic-map crypto VPN 1
the HASH transform-set value
market arriere-route
!
!
list of authentication of card crypto client VPN VPNAUTH
card crypto VPN VPN isakmp authorization list
crypto map VPN client configuration address respond
card crypto 65535-isakmp dynamic VPN ipsec VPN
!
!
local IP VPNADDRESSES 172.16.198.16 pool 172.16.198.31

REVERSEROUTE extended IP access list
IP 192.168.0.0 allow 0.0.255.255 everything
Licensing ip 10.0.0.0 0.0.0.255 any

scope of IP-FIREWALL access list
2 allow any host a.b.c.d eq non500-isakmp udp
3 allow any host a.b.c.d eq isakmp udp
4 ahp permits any host a.b.c.d
5 esp of the permit any host a.b.c.d

If anyone can see anything wrong, I would be very happy and it would save the destruction of a seemingly innocent router.

Thank you

Paul

> I would be so happy and it would save the destruction of a seemingly innocent router.

No, which won't work! But instead of destroying the router, I can do it for you. Just send it to me... ;-)

OK, now more serious...
1. The default Cisco IPSec client uses only DH group 2, while you set up the 14. Try to use Group 2 in your isakmp policy.
2. You have your virtual model in place? She is not in the config.

What are the ports used by the Cisco VPN Client?

Hello

I need to open my outgoing traffic on my firewall to allow two interns (LAN) Cisco VPN Client to connect to their Internet virtual private network.

I already opened the port 500/UDP, but they are not able to connect. If I open all outgoing ports, they can connect.

What are the ports used by the Cisco VPN Client?

Thank you

You need to open:

UDP 500

ESP protocol

You must also open the UDP 4500 port (if using NAT - T).

In addition, if the clients are connecting to a VPN 3000 Concentrator series and it is configured for all other options of NAT-transparency, corresponding ports must be open. By default:

1. If using IPSec over TCP 10000, then open TCP 10000.

2. If using IPSec over UDP 10000, open UDP 1000.

Cisco VPN Client

Hello

I would like to know why when it failed to connect to the private network through the Cisco VPN client and trying to establish an Internet connection, the connection Internet.

Thanks in advance,

SK

Which would be configured on the vpn, firewall/router endpoint etc..

Issue of ASA and Cisco VPN

I'm having a problem on a new ASA. I am able to connect to the client? s network using the Cisco VPN client, but I'm not able to PING or access anything on the client network. What needs to be done to solve this problem?

There is a road on the client? s router pointing back to the firewall for the IP range you get when you VPN into?

Thank you

Chris

try to add to the ASA... This is disabled by default

ISAKMP nat-traversal

Cisco VPN Client is blocking incoming connections

Hello

I somethimes (not always) a problem with the Cisco VPN Client.

As soon as the CISCO VPN Client is installed (it must not be running) it blocks inbound connections from the local network.

The problem is that I use Ultra VNC SC to support some of my clients. Another client is supported by Cisco VPN. With UltraVNC SC customer clients try to connect to my PC.

But if I installed the cisco VPN Client, no incoming connections are possible.

How can I change this behavior?

This behavior is not always the same. Last incoming connections of two months were possible, but from one day to another is not possible more.

I recently installed the Client, but it takes no effect :-(

I have NOT activated the firewall Cisco on the VPN Client and the behavior is NOT only if the Client is activated. This is the behavior even if it is NOT active and just installed.

Hi Chris,

Zone alarm is installed on the PC that is defective?

Try to restart the Cisco VPN service and launch the vpn client.

I remember having a similar problem with the Cisco VPN Client. Some conflict between the VPN client and Zone-Alarm, installed on the same PC.

The problem was with VSDATANT variables in the registry key.

Please see the following mail took from another forum:

http://www.OutpostFirewall.com/Forum/showthread.php?t=9917

Windows 2003 cannot access remote network via Cisco VPN

I have two computers at home, an XP Pro SP2 and another is Windows 2003 server SP1. If I set Cisco VPN XP (version 4.6) the Office (ASA 5510), I can access the office network resources. However, if I set the Cisco VPN on 2003, can I? t do the same thing. After studying the two routing tables, I think XP has this road: 192.168.0.0 255.255.0.0 192.168.101.5 192.168.101.5 1, but the 2003 doesn't? t. If I add this route manually (rou? add 192.168.0.0 mask 255.255.255.0 192.168.101.3) 2003, then I can access resources. Why?

tale of 2003 routing.

Active routes:

Network Destination gateway metric Interface subnet mask

0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.3 40

x.x.x.37 255.255.255.255 192.168.10.1 192.168.10.3 1

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

192.168.10.0 255.255.255.0 192.168.10.3 192.168.10.3 40

192.168.10.3 255.255.255.255 127.0.0.1 127.0.0.1 40

192.168.10.255 255.255.255.255 192.168.10.3 192.168.10.3 40

192.168.101.0 255.255.255.0 192.168.101.3 192.168.101.3 10

192.168.101.3 255.255.255.255 127.0.0.1 127.0.0.1 10

192.168.101.255 255.255.255.255 192.168.101.3 192.168.101.3 10

224.0.0.0 240.0.0.0 192.168.10.3 192.168.10.3 40

224.0.0.0 240.0.0.0 192.168.101.3 192.168.101.3 10

255.255.255.255 255.255.255.255 192.168.10.3 192.168.10.3 1

255.255.255.255 255.255.255.255 192.168.101.3 192.168.101.3 1

Default gateway: 192.168.10.1

===========================================================================

Persistent routes:

None

VPN client has not been tested on Win2003. Customer requirements are described here:

http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/4_6/relnt/4604cln.htm#wp1024664

and the show to competition of WinXP is supported.

Cisco VPN + Win XP SP2 Firewall

Similar Questions

Maybe you are looking for