Issue of ASA L2TP VPN error QM WSF

Similar Questions

• Issue of ASA 5505 VPN licenses

  I have three places that I want to connect via vpn site-to-site deployed on three ASA 5505. How is the term 'Peers' in the text of license, affecting my script? Each peer ASA in a solution from site to site, or each transmission of user data in the established tunnel also counted?

  Users, passing through the tunnel of site to another are not counted. Only the peers themselves.

• Microsoft L2TP VPN to ASA 5520

  I am trying to configure an L2TP VPN connection on an XP laptop. On the SAA, I use the DefaultRAGroup and the DfltGrpPolicy. I put DefaultRAGroup to use a pre-shared key, and set the authentication of users on ACS_Radius. Our ACS server is associated with AD. Anyone know if I can use ACS to authenticate this user type or do I have to create local accounts on the SAA?

  When I try to connect from the laptop, I get error 789. On the ASA, I see this:

  Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, PHASE 1 COMPLETED

  Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, error QM WSF (P2 struct & 0xcddc7d28, mess id 0x46986b08).

  Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, peer of withdrawal of correlator table failed, no match!

  Group = DefaultRAGroup, username =, IP = 63.xxx.xxx.xxx, disconnected Session. Session type: IKE, duration: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: Phase 2 Mismatch

  On the one hand, it seems that the laptop is not sending the username and password. I've tried a lot of different combos on the side of microsoft MSCHAP and MSCHAPv2, both of them or all of them individually and matched this setting on the SAA. No matter what, I get the same error. Anyone have any ideas?

  Yes... I have never trusted guys for the configuration, I got the following errors:

  1 L2TP requires a mode of transport must be of the type of IPSEC traffic used, your config seems to refer to the one, yet it is not defined:

  Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set

  Transit mode TRANS_ESP_3DES_SHA<-(needed>

  2. the present set of transformation is not attached to dynamic cryptography so not used:

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  It should look like:

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA

  Finally, it is just to clear up, make sure that your server ACS_Radius is indeed enabled for authentication MS-CHAPv2 of ASA and the l2tp client, otherwise it will fail always.

• Site to Site and together on ASA 5505 VPN remote access

  Hello

  I tried to set up a VPN Site again on an ASA5505 where there already is a VPN remote on it.

  After you add the new configuration lines, I received the following message when I debug:

  04 Nov 07:06:06 [IKEv1]: group = , IP = , error QM WSF (P2 struct & 0xd91a4d10, mess id 0xeac05ec0).

  04 Nov 07:04:36 [IKEv1]: group = , IP = , peer of drop table Correlator has failed, no match!

  Someone knows what's the problem? And what to change in the config?

  Thanks in advance,

  Ruben

  Hello

  If the ASA had a remote access VPN and you add a new Site-to-Site you must make sure that the priority for the card encryption is weaker for the new Site-to - added Site.This is because otherwise traffic will always try to match the access tunnel at distance. You can check it with the command "sh run card cry"

  Federico.

• Layman to ASA 5505 vpn of the native vpn client internet, tcp 1723

  Hi all

  I am setting up this asa for connect users at home to my network using vpn clients from microsoft to the native address with windows xp on the internet.

  This asa have, on the outside interface an ip public Internet and inside Board have set up in the network of 192.168.0.x and I want to access this network of internet users using native vpn clients.

  I tested with a pc connected directly to the external interface and works well, but when I connect this interface to the internet and tried to connect to the vpn user I can see it in the newspapers and unable to connect with error 800.

  Request TCP and eliminated from "public_ip_client/61648" outdoors: publicip_outside_interface / 1723 "

  Can help me please?, very thanks in advance!

  (running configuration)

  : Saved

  :

  ASA Version 8.4 (3)

  !

  ciscoasa hostname

  activate the password * encrypted

  passwd * encrypted

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  the IP 192.168.0.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address publicinternetaddress 255.255.255.0

  !

  passive FTP mode

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  network obj_any object

  subnet 0.0.0.0 0.0.0.0

  network gatewayono object

  Home gatewayofinternetprovideraccess

  Description salida gateway ono

  service remotointerno object

  service destination tcp 3389 eq

  Remote description

  network pb_clienteing_2 object

  host 192.168.0.15

  Description Pebble client food bowl 2

  service remotoexternopebble object

  Service tcp destination eq 5353

  Description remotoexterno

  network actusmon object

  Home 192.168.0.174

  Description web news monitor

  the Web object service

  Service tcp destination eq www

  Description 80

  irdeto network object

  Home 192.168.0.31

  Irdeto description

  network nmx_mc_p object

  host 192.168.0.60

  Main description of NMX multichannel

  network nmx_mc_r object

  Home 192.168.0.61

  Description NMX multichannel reserva

  network tarsys object

  host 192.168.0.10

  Tarsys description

  network nmx_teuve object

  host 192.168.0.30

  Nmx cabecera teuve description

  tektronix network object

  host 192.168.0.20

  Tektronix vnc description

  vnc service object

  destination eq 5900 tcp service

  Description access vnc

  service exvncnmxmcr object

  Service tcp destination EQ. 5757

  Access vnc external nmx mc figurative description

  service exvncirdeto object

  Service tcp destination eq 6531

  Description access vnc external irdeto

  service exvncnmxmcp object

  Service tcp destination eq 5656

  service exvnctektronix object

  Service tcp destination eq 6565

  service exvncnmxteuve object

  Service tcp destination eq 6530

  ssh service object

  tcp destination eq ssh service

  service sshtedialexterno object

  Service tcp destination eq 5454

  puertosabiertos tcp service object-group

  Remotedesktop description

  EQ port 3389 object

  object-group Protocol TCPUDP

  object-protocol udp

  object-tcp protocol

  the DM_INLINE_NETWORK_1 object-group network

  network-object object irdeto

  network-object object nmx_mc_p

  network-object object nmx_mc_r

  network-object object nmx_teuve

  tektronix network-object

  object-group service udp vpn

  EQ port 1723 object

  DM_INLINE_TCP_1 tcp service object-group

  EQ object of the https port

  EQ pptp Port object

  the DM_INLINE_NETWORK_2 object-group network

  network-object object actusmon

  network-object object tarsys

  inside_access_in remotointerno permitted object extended access list a whole

  inside_access_in list extended access allowed object ssh a whole

  inside_access_in list extended access allowed object-group TCPUDP any any eq www

  inside_access_in list extended access permit icmp any one

  inside_access_in list extended access allowed object vnc a whole

  inside_access_in of access allowed any ip an extended list

  outside_access_in list extended access allowed object remotointerno any object pb_clienteing_2

  outside_access_in list extended access allowed object-group TCPUDP any object actusmon eq www

  access-list outside_access_in note Acceso tedial ssh

  outside_access_in list extended access permit tcp any object tarsys eq ssh

  outside_access_in list extended access allowed object vnc any object-group DM_INLINE_NETWORK_1

  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group

  outside_access_in list extended access deny icmp a whole

  access-list standard corporate allowed 192.168.0.0 255.255.255.0

  Split-Tunnel-ACL access-list allowed standard 192.168.0.0 255.255.255.0

  pager lines 24

  Enable logging

  monitor debug logging

  logging of debug asdm

  Debugging trace record

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool 192.168.0.100 - 192.168.0.110 mask 255.255.255.0 clientesvpn

  IP local pool clientesvpn2 192.168.1.120 - 192.168.1.130 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow all outside

  don't allow no asdm history

  ARP timeout 14400

  NAT (exterior, Interior) static source any service of actusmon of interface static destination Web one-way Web interface

  NAT (exterior, Interior) static source to any destination interface interface static tarsys one-way sshtedialexterno ssh service

  NAT (exterior, Interior) static source any destination interface interface static one-way pb_clienteing_2 service remotoexternopebble remotointerno

  NAT (exterior, Interior) static source any destination interface interface static irdeto one-way exvncirdeto vnc service

  NAT (exterior, Interior) static source any destination interface interface static one-way vnc exvncnmxmcp service nmx_mc_p

  NAT (exterior, Interior) static source any destination interface interface static one-way vnc exvncnmxmcr service nmx_mc_r

  NAT (exterior, Interior) static source any destination interface interface static one-way vnc exvncnmxteuve service nmx_teuve

  NAT (exterior, Interior) static source any destination interface interface static tektronix one-way exvnctektronix vnc service

  NAT (all, outside) interface dynamic source DM_INLINE_NETWORK_2

  inside_access_in access to the interface inside group

  Access-group outside_access_in in interface out by-user-override

  Route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  EOU allow none

  local AAA authentication attempts 10 max in case of failure

  Enable http server

  http 192.168.0.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  No vpn sysopt connection permit

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 clientewindowsxp

  IKEv1 crypto ipsec transform-set clientewindowsxp transport mode

  Crypto ipsec transform-set ikev1 L2TP-IKE1-Transform-Set esp - aes esp-sha-hmac

  Crypto ipsec ikev1 transit mode L2TP-IKE1-Transform-Set transform-set

  Crypto ipsec ikev2 ipsec-proposal OF

  encryption protocol esp

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 proposal ipsec 3DES

  Esp 3des encryption protocol

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 ipsec-proposal AES

  Esp aes encryption protocol

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 ipsec-proposal AES192

  Protocol esp encryption aes-192

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 AES256 ipsec-proposal

  Protocol esp encryption aes-256

  Esp integrity sha - 1, md5 Protocol

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set clientewindowsxp ikev1

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1jeu ikev2 AES256 AES192 AES 3DES ipsec-proposal OF

  Crypto-map dynamic L2TP - map 10 set transform-set L2TP-IKE1-Transform-Set ikev1

  inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  inside crypto map inside_map interface

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  Crypto map L2TP - VPN - dynamic 20-isakmp ipsec L2TP-map map

  L2TP-VPN-card interface card crypto outside

  Crypto ca trustpoint _SmartCallHome_ServerCA

  Configure CRL

  IKEv2 crypto policy 1

  aes-256 encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 10

  aes-192 encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 20

  aes encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 30

  3des encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 40

  the Encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  Crypto ikev2 activate out of service the customer port 443

  trustpoint to ikev2 crypto Ingeniería remote access

  Crypto ikev1 allow inside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 10

  authentication crack

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 20

  authentication rsa - sig

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 30

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 40

  authentication crack

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 50

  authentication rsa - sig

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 60

  preshared authentication

  aes-192 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 70

  authentication crack

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 80

  authentication rsa - sig

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 90

  preshared authentication

  aes encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 100

  authentication crack

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 110

  authentication rsa - sig

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 130

  authentication crack

  the Encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 140

  authentication rsa - sig

  the Encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 150

  preshared authentication

  the Encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.0.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd dns 8.8.8.8

  dhcpd outside auto_config

  !

  dhcpd address 192.168.0.5 - 192.168.0.36 inside

  dhcpd dns 8.8.8.8 8.8.4.4 interface inside

  dhcpd auto_config outside interface inside

  dhcpd allow inside

  !

  no basic threat threat detection

  no statistical access list - a threat detection

  no statistical threat detection tcp-interception

  SSL-trust Ingeniería out point

  WebVPN

  tunnel-group-list activate

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  WINS server no

  Server 192.168.0.1 DNS value

  Protocol-tunnel-VPN l2tp ipsec

  by default no

  attributes of Group Policy DfltGrpPolicy

  value of server DNS 8.8.8.8

  L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

  internal engineering group policy

  attributes of Ingeniería group policy

  Protocol-tunnel-VPN l2tp ipsec

  by default no

  L2TP-policy group policy interns

  attributes of L2TP-policy-group policy

  value of server DNS 8.8.8.8

  Protocol-tunnel-VPN l2tp ipsec

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value Split-Tunnel-ACL

  Intercept-dhcp enable

  username, password Ingeniería 4fD/5xY/6BwlkjGqMZbnKw is encrypted nt privilege 0

  Ingeniería username attributes

  VPN-group-policy Ingeniería

  password rjuve SjBNOLNgSkUi5KWk/TUsTQ user name is nt encrypted

  attributes global-tunnel-group DefaultRAGroup

  address clientesvpn pool

  address clientesvpn2 pool

  authentication-server-group (outside LOCAL)

  LOCAL authority-server-group

  Group Policy - by default-L2TP-policy

  authorization required

  IPSec-attributes tunnel-group DefaultRAGroup

  IKEv1 pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  No chap authentication

  ms-chap-v2 authentication

  !

  class-map inspection_default

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  !

  context of prompt hostname

  anonymous reporting remote call

  Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e

  : end

  don't allow no asdm history

  I ramon I guess that service policy is not applied in the firewall. So it does not not trust other than the same audience segment.

  Apply like this.

  global_policy global service policy.

  because according to the configs old, I see that the policy has not been applied. Please let me know the results.

  Please rate if the given info can help.

• Problem with ASA 5505 VPN remote access

  After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?

  Here is the cfg running of the ASA

  ----------------------------------------------------------------------------------------

  : Saved

  :

  ASA Version 8.4 (1)

  !

  hostname NCHCO

  enable encrypted password xxxxxxxxxxxxxxx

  xxxxxxxxxxx encrypted passwd

  names of

  description of NCHCO name 192.168.2.0 City offices

  name 192.168.2.80 VPN_End

  name 192.168.2.70 VPN_Start

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.2.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address **. ***. 255.255.255.248

  !

  interface Ethernet0/0

  switchport access vlan 2

  Speed 100

  full duplex

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa841 - k8.bin

  passive FTP mode

  network of the NCHCO object

  Subnet 192.168.2.0 255.255.255.0

  network object obj - 192.168.1.0

  subnet 192.168.1.0 255.255.255.0

  network object obj - 192.168.2.64

  subnet 192.168.2.64 255.255.255.224

  network object obj - 0.0.0.0

  subnet 0.0.0.0 255.255.255.0

  network obj_any object

  subnet 0.0.0.0 0.0.0.0

  the Web server object network

  the FINX object network

  Home 192.168.2.11

  rdp service object

  source between 1-65535 destination eq 3389 tcp service

  Rdp description

  outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

  outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0

  inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

  inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

  permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224

  outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

  outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0

  LAN_Access list standard access allowed 192.168.2.0 255.255.255.0

  LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

  NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0

  AnyConnect_Client_Local_Print deny ip extended access list a whole

  AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd

  Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

  AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631

  print the access-list AnyConnect_Client_Local_Print Note Windows port

  AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100

  access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

  AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353

  AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

  AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355

  Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

  AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137

  AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns

  outside_access_in list extended access permit tcp any object FINX eq 3389

  outside_access_in_1 list extended access allowed object rdp any object FINX

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 649.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0

  NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64

  NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64

  !

  network obj_any object

  NAT dynamic interface (indoor, outdoor)

  the FINX object network

  NAT (inside, outside) interface static service tcp 3389 3389

  Access-group outside_access_in_1 in interface outside

  Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  network-acl outside_nat0_outbound

  WebVPN

  SVC request to enable default svc

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  http *. **. ***. 255.255.255.255 outside

  http *. **. ***. 255.255.255.255 outside

  http NCHCO 255.255.255.0 inside

  http 96.11.251.186 255.255.255.255 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform

  IKEv1 crypto ipsec transform-set l2tp-transformation mode transit

  Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1

  transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1

  Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1

  transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  crypto dynamic-map dyn-map 10 set pfs Group1

  crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1

  dynamic-map encryption dyn-map 10 value reverse-road

  Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

  Crypto-map dynamic outside_dyn_map 20 the value reverse-road

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs Group1

  peer set card crypto outside_map 1 74.219.208.50

  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1

  map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  inside crypto map inside_map interface

  card crypto vpn-map 1 match address outside_1_cryptomap_1

  card crypto vpn-card 1 set pfs Group1

  set vpn-card crypto map peer 1 74.219.208.50

  card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map

  dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

  crypto isakmp identity address

  Crypto ikev1 allow inside

  Crypto ikev1 allow outside

  IKEv1 crypto ipsec-over-tcp port 10000

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  IKEv1 crypto policy 15

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 35

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  enable client-implementation to date

  Telnet 192.168.1.0 255.255.255.0 inside

  Telnet NCHCO 255.255.255.0 inside

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH NCHCO 255.255.255.0 inside

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.2.150 - 192.168.2.225 inside

  dhcpd dns 216.68.4.10 216.68.5.10 interface inside

  lease interface 64000 dhcpd inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  value of server DNS 192.168.2.1

  L2TP ipsec VPN-tunnel-Protocol ikev1

  nchco.local value by default-field

  attributes of Group Policy DfltGrpPolicy

  value of server DNS 192.168.2.1

  L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

  allow password-storage

  enable IPSec-udp

  enable dhcp Intercept 255.255.255.0

  the address value VPN_Pool pools

  internal NCHCO group policy

  NCHCO group policy attributes

  value of 192.168.2.1 DNS Server 8.8.8.8

  Ikev1 VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1

  value by default-field NCHCO.local

  admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

  username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

  username NCHvpn99 password dhn. JzttvRmMbHsP encrypted

  attributes global-tunnel-group DefaultRAGroup

  address (inside) VPN_Pool pool

  address pool VPN_Pool

  authentication-server-group (inside) LOCAL

  authentication-server-group (outside LOCAL)

  LOCAL authority-server-group

  authorization-server-group (inside) LOCAL

  authorization-server-group (outside LOCAL)

  Group Policy - by default-DefaultRAGroup

  band-Kingdom

  band-band

  IPSec-attributes tunnel-group DefaultRAGroup

  IKEv1 pre-shared-key *.

  NOCHECK Peer-id-validate

  tunnel-group DefaultRAGroup ppp-attributes

  No chap authentication

  no authentication ms-chap-v1

  ms-chap-v2 authentication

  tunnel-group DefaultWEBVPNGroup ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  tunnel-group 74.219.208.50 type ipsec-l2l

  IPSec-attributes tunnel-group 74.219.208.50

  IKEv1 pre-shared-key *.

  type tunnel-group NCHCO remote access

  attributes global-tunnel-group NCHCO

  address pool VPN_Pool

  Group Policy - by default-NCHCO

  IPSec-attributes tunnel-group NCHCO

  IKEv1 pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:a2110206e1af06974c858fb40c6de2fc

  : end

  ASDM image disk0: / asdm - 649.bin

  ASDM VPN_Start 255.255.255.255 inside location

  ASDM VPN_End 255.255.255.255 inside location

  don't allow no asdm history

  ---------------------------------------------------------------------------------------------------------------

  And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:

  ---------------------------------------------------------------------------------------------------------------

  Cisco Systems VPN Client Version 5.0.07.0440

  Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 6.1.7601 Service Pack 1

  Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\

  1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026

  Try to find a certificate using hash Serial.

  2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027

  Found a certificate using hash Serial.

  3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011

  RELOADED successfully certificates in all certificate stores.

  4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "*." **. ***. *** »

  7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B

  Try to establish a connection with *. **. ***. ***.

  8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001

  From IKE Phase 1 negotiation

  9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

  10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

  12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001

  Peer is a compatible peer Cisco-Unity

  13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

  Peer supports XAUTH

  14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

  Peer supports the DPD

  15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

  Peer supports NAT - T

  16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001

  Peer supports fragmentation IKE payloads

  17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001

  IOS Vendor ID successful construction

  18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013

  SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

  19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083

  IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4

  20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072

  Automatic NAT detection status:

  Remote endpoint is NOT behind a NAT device

  This effect is NOT behind a NAT device

  21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

  22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015

  Launch application xAuth

  25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012

  Attributes of the authentication request is 6: 00.

  26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017

  xAuth application returned

  27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

  34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E

  Customer address a request from firewall to hub

  35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

  39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

  40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

  41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

  42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

  43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

  44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F

  SPLIT_NET #1

  = 192.168.2.0 subnet

  mask = 255.255.255.0

  Protocol = 0

  SRC port = 0

  port dest = 0

  45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local

  46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710

  47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

  48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11

  49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

  50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019

  Data in mode Config received

  51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056

  Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

  52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

  53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

  55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045

  Answering MACHINE-LIFE notify has value of 86400 seconds

  56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047

  This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now

  57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">

  59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045

  Answering MACHINE-LIFE notify is set to 28800 seconds

  60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***

  61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059

  IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)

  62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025

  OUTGOING ESP SPI support: 0xAAAF4C1C

  63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026

  Charges INBOUND ESP SPI: 0x3EBEBFC5

  64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

  Destination mask subnet Gateway Interface metric

  0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

  96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

  96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

  96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

  127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

  127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

  127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

  192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

  192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

  192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

  224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

  224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

  224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

  255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

  255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

  255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

  65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001

  Launch VAInst64 for controlling IPSec virtual card

  66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034

  The virtual card has been activated:

  IP=192.168.2.70/255.255.255.0

  DNS = 192.168.2.1, 8.8.8.8

  WINS = 0.0.0.0 0.0.0.0

  Domain = NCHCO.local

  Split = DNS names

  67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

  Destination mask subnet Gateway Interface metric

  0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

  96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

  96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

  96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

  127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

  127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

  127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

  192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

  192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

  192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

  224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

  224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

  224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

  224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261

  255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

  255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

  255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

  255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261

  68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038

  Were saved successfully road to file changes.

  69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013

  Destination mask subnet Gateway Interface metric

  0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261

  **. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100

  96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261

  96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261

  96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261

  127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306

  127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306

  127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

  192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261

  192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261

  192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261

  192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261

  192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100

  192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261

  192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261

  224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306

  224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261

  224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261

  224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261

  255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306

  255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261

  255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261

  255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261

  70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036

  The routing table has been updated for the virtual card

  71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A

  A secure connection established

  72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

  Look at address added to 96.11.251.149.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

  73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B

  Look at address added to 192.168.2.70.  Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.

  74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001

  Did not find the smart card to watch for removal

  75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

  Creates a new key structure

  77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

  Adding key with SPI = 0x1c4cafaa in the list of keys

  78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010

  Creates a new key structure

  79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F

  Adding key with SPI = 0xc5bfbe3e in the list of keys

  80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F

  Assigned WILL interface private addr 192.168.2.70

  81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037

  Configure the public interface: 96.11.251.149. SG: **.**.***.***

  82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046

  Define indicator tunnel set up in the registry to 1.

  83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

  84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D

  Upon request of the DPD to *. **. ***. , our seq # = 107205276

  85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

  87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040

  Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276

  88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019

  Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e

  89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

  90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D

  Upon request of the DPD to *. **. ***. , our seq # = 107205277

  91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

  93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040

  Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277

  94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***

  95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D

  Upon request of the DPD to *. **. ***. , our seq # = 107205278

  96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">

  98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040

  Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278

  ---------------------------------------------------------------------------------------------------------------

  Any help would be appreciated, thanks!

  try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.

• Cisco ASA 5510 VPN Site to Site with Sonicwall

  I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA

  Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you

  Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall

  NAT (inside) 0 access-list sheep

  ..

  IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0

  access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0

  ..

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set counterpart x.x.x.x

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  ..

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  lifetime 28800

  ..

  internal SiteToSitePolicy group strategy

  attributes of Group Policy SiteToSitePolicy

  VPN-idle-timeout no

  Protocol-tunnel-VPN IPSec

  Split-tunnel-network-list no

  ..

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group x.x.x.x General attributes

  Group Policy - by default-SiteToSitePolicy

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared key *.

  ..

  Added some excerpts from the configuration file

  Hello Manjitriat,

  Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.

  Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.

  Now the packet tracer must be something like this:

  entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80

  Please provide us with the result of the following instructions after you run the packet tracer.

  See the crypto Isakamp SA

  See the crypto Ipsec SA

  Kind regards

  Julio

• Cannot open an L2TP VPN tunnel behind a router 806.

  This is the scenario:

  My ISP provider provides pppoE.

  When I connect a PC directly to the ADSL modem, I can open my L2TP VPN and VPN works fine and I am able to navigate.

  When I connect the PC behind 806, I get a private pool in 806 IP and I am able to navigate, but PC, I open my VPN L2TP software utility (same as before) and cannot open the VPN.

  Could you please tell me what config I shoul put in router to open the tunnel of 806 instead of op VPN software utility? The difference is that now 806 global IP gets rather od PC.

  So I know now tunnel should be open from the router, but I Don t know what I have lines shlould Add.

  Help, please!

  I thinkl you want is VPN passthrough, the answer to that is the version of the IOS, I think IOS version 12.2 and allows VPN Passthru especially. There is no other configuration required just to 12.2 or above

• Disable ipsec for l2tp vpn connection?

  Hello

  How can I disable ipsec for l2tp vpn connection? I use a linux vpn that offers only l2tp. I remember doing this with winxp in regedit.

  [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/RasMan/settings] "ProhibitIpSec" = DWORD: 00000001

  How is it possible in win7?

  Thank you.

  Thank you for visiting the Microsoft answers community site. The question you have posted is related to Linux and would be better suited to the community network. Please visit the link below to find a community that will provide the support you want.

  http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

• ASA 5505 VPN sessions maximum 25?

  Hello friend´s

  The company I work when acquired several ASA 5505, so now we will be able to connect several branches at Headquarters. But, now, I know that the ASA 5505 just scalates to 25 VPN sessions, I think that it won´t be enough to support the operations of an office. I have a lot of questions about this:

  Is - what the number 25 menas supporting up to 25 L2L tunnels? Or it means 25 sessions, regardless of the amount of L2L tunnels?

  Is this the way number 25 supporting up to 25 users in the Branch Office? Or it means that a user can use several sessions?

  I'm the stage of testing in a laboratory where one PC connects to many applications, at - it now someone if there is a command in the SAA to check how many VPN sessions is used?

  Please, do not hesitate to ask as much as necessary information. Any comments or document will be appreciated.

  Kind regards!

  Hi Alex,

  The assistance session 25 ASA 5505 VPN as max for IKEv1 or IPSEC tunnels customers it could be up to 25 L2L tunnels or 25 users using ikev1 (Legacy IPSEC client) and another 25 sessions for Anyconnect or Webvpn in this case are used in function.

  To check how many sessions VPN is currently running, run the command 'Show vpn-sessiondb' and 'display the summary vpn-sessiondb '.

  Find the official documentation for the ASA5505 on the following link:

  http://www.Cisco.com/c/en/us/products/collateral/security/ASA-5500-series-next-generation-firewalls/datasheet-C78-733510.html

  Rate if helps.

  -Randy-

• ASA for vpn only

  Hello

  I would like to configure the ASA for vpn only. By default, ASA allows traffic from the interface of high security to low security interface. I want to stop it. Is it possible to do without resorting to access lists.

  Thank you

  John

  Define interfaces for the same level of security and make sure that you do not have same-security-traffic permits inter-interface enabled.
  

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807fc191.shtml

  Hope that helps.

• DHCP relay for users (ASA) SSL VPN

  I have ASA 5520 vpn endpoint. Before asa, there are firewalls which translates the public ip address to the private sector and to pass SSL traffic to ASA. I have configured DHCP relay to get the IP address for the DHCP in Windows Server users:

  dhcprelay Server 10.100.2.101 on the inside

  dhcprelay activate vpn

  dhcprelay setroute vpn

  and it does not work. with the local pool, it works fine. Should I do something else? When I turn on debugging it has not any activity.

  You try to assign the IP address to the SSL vpn client using the DHCP server?

  If so, you don't need these commands contained in your message.

  Basically, you need to set dhcp server in tunnel-group and dhcp-network-scope in group policy.

  Here is an example of Ipsec client. Setup must be the same.

  http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

• VPN with ASA 5500 VPN with PIX 515E vs

  I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.

  Craig

  According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

  On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

  HTH

  Rick

• ASA 5520 VPN licenses

  Community support,

  I want to run this question by you guys to avoid the sales of our partner CISCO and similar pitch more to the best solution that would give us what we want.

  We currently have a VPN from CISCO 3020 hub to terminate the Lan-to-Lan tunnels and have our mobile workers to connect through the client VPN CISCO (300 users-employees and contractors).

  Given that this device is coming to an end of LIFE this year, we bought a CISCO 5520 (here is the current licenses in this topic)

  Licensing seems quite complicated, so here's my question:

  -What VPN do you recommend for our users and entrepreneurs? I understand that the CISCO VPN client does not work with ASA 5500 Series devices

  Is there a license needed to deploy a VPN solution for our remote users(employees/contractors)?

  Thank you

  John

  The devices allowed for this platform:
  The maximum physical Interfaces: unlimited perpetual
  VLAN maximum: 150 perpetual
  Guests of the Interior: perpetual unlimited
  Failover: Active/active perpetual
  VPN - A: enabled perpetual
  VPN-3DES-AES: activated perpetual
  Security contexts: 2 perpetual
  GTP/GPRS: Disabled perpetual
  AnyConnect Premium peers: 2 perpetual
  AnyConnect Essentials: Disabled perpetual
  Counterparts in other VPNS: 750 perpetual
  Total VPN counterparts: 750 perpetual
  Shared license: disabled perpetual
  AnyConnect for Mobile: disabled perpetual
  AnyConnect Cisco VPN phone: disabled perpetual
  Assessment of Advanced endpoint: disabled perpetual
  Proxy UC phone sessions: 2 perpetual
  Proxy total UC sessions: 2 perpetual
  Botnet traffic filter: disabled perpetual
  Intercompany Media Engine: Disabled perpetual

  This platform includes an ASA 5520 VPN Plus license.

  Your understanding that the Cisco VPN client does not work with ASA is wrong. Maybe it's the version of Cisco VPN client that you use currently does not work with ASA. But these (and so not very new indeed) versions of VPN client work with the ASA. I installed for several clients who use the traditional IPSec VPN client with ASA ASAs and they work well.

  You are right that the granting of licenses for the SAA is complicated. Your tunnels IPSec VPN site-to-site will work on the SAA and pose much challenge in terms of licenses. But there are problems and alternative solutions to consider for remote access VPN clients. At this point, there are two major variants: you can use the classic IPSec VPN client or you can use the new AnyConnect client. From a licensing perspective there is a Hugh difference between them. It is not special license that applies to the traditional IPSec client and they are just against your license for peers Total VPN (for which you have 750 in your license). For the AnyConect there is a condition of licence. There is a premium for AnyConnect license and there are licensed AnyConnect Essentials. The Essentials license price is much lower than the premium license, but Essentials does not all the features that made the premium.

  In the immediate future, that it would sound like an easy question to answer, use the traditional IPSec VPN client for which theere is not a special permit and it is what you are used to. However Cisco has announced the dates of end of sale and end of Support for the traditional VPN client. If at some point you will need to use the AnyConnect client. I would say that if you make the change of the ASA that it might be a good choice to also adopt the AnyConnect client.

  HTH

  Rick

• ASA 5520 - VPN users have no internet.

  Hello

  We just migrated a Pix 515 and an ASA 5520 VPN concentrator.  The firewall part works fine, but we have some problem with our remote VPN.

  Everything inside network is accessible when you use VPN remote but there is no access to our perimeter network or the internet.  I don't know there's only something simple you need that I'm missing, and hoping someone can shed some light on what is needed to allow the VPN tunnel back outdoors and in our DMZ.

  The ASA is running 8.2 (2) 9 and ASDM 6.2 (1).

  See you soon,.

  Rob

  From the 172.16.68.0/24 you can PING 10.10.10.1 correct?

  The 10.10.10.0/24 you can PING 172.16.68.1 correct?

  I'm having a hard time find now how this tunnel is up since you have PFS
  activated on the SAA, but not on the PIX.

  Federico.