Problem with remote access VPN on ASA 5505

Similar Questions

• Problem with remote access VPN

  Hello

  I installed a remote access VPN on my firewall ASA5505 via the ASDM Assistant.

  I can successfully connect with the Cisco VPN client. My firewall also shows me the VPN session and shows the Rx packets. However, Tx packets remain 0, so no traffic is getting out. My ASA5505 is configured as a router on a stick with 25 different VLAN. I want to restrict traffic to one VLAN specific using a card encryption.

  When I run a command to ping t on my connected Windows box, the firewall log shows me the following message:

  "Unable to find political IKE initiator: outside Intf, Src: 10.7.11.18, Dst: ' 172.16.1.1

  "This message indicates that the fast path IPSec processing a packet that triggered of IKE, but IKE policy research has failed. This error could be associated calendar. The ACL triggering IKE could have been deleted before IKE has processed the request for initiation. "This problem will likely correct itself."

  Unfortunately, the problem is correct.

  The "sh cry isa his" and "sh cry ips its ' commands show the following output:

  2 IKE peers: 62.140.137.99

  Type: user role: answering machine

  Generate a new key: no State: AM_ACTIVE

  Interface: outside

  Tag crypto map: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 85.17.xxx.xxx (outside interface IP)

  local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)

  Remote ident (addr, mask, prot, port): (172.16.1.1/255.255.255.255/0/0)

  current_peer: 62.140.137.99, username: eclipsevpn

  dynamic allocated peer ip: 172.16.1.1

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 4351, #pkts decrypt: 4351, #pkts check: 4351

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

  success #frag before: 0, failures before #frag: 0, #fragments created: 0

  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

  #send errors: 0, #recv errors: 0

  local crypto endpt. : 85.17.xxx.xxx/4500, remote Start crypto. : 62.140.137.99/3698

  Path mtu 1500, fresh ipsec generals 82, media, mtu 1500

  current outbound SPI: B3D60F71

  current inbound SPI: B89BA14A

  SAS of the esp on arrival:

  SPI: 0xB89BA14A (3097207114)

  transform: aes - esp esp-sha-hmac no compression

  running parameters = {RA, Tunnel, NAT-T program,}

  slot: 0, id_conn: 196608, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP

  calendar of his: service life remaining key (s): 25126

  Size IV: 16 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0xFFE1FFF8 0xFFFFFFFF

  outgoing esp sas:

  SPI: 0xB3D60F71 (3017150321)

  transform: aes - esp esp-sha-hmac no compression

  running parameters = {RA, Tunnel, NAT-T program,}

  slot: 0, id_conn: 196608, crypto-card: SYSTEM_DEFAULT_CRYPTO_MAP

  calendar of his: service life remaining key (s): 25126

  Size IV: 16 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0x00000000 0x00000001

  I really have no idea what's going on. I installed a remote access VPN countless times, but this time it shows me the error as described above.

  Hi Martijn,

  just a few quick thoughts:

  -is your ok NAT exemption, i.e. ensure that the return traffic is not NAT' ed.

  -Make sure that there is no overlap crypto ACL

  -When connected, make a package tracer to see what is happening with the return packages.

  for example

  packet-tracer in the interface within the icmp 10.7.11.18 0 0 172.16.1.1 detail

  (where is the name of the interface on which 10.7.11.18 resides)

  This will show you all the steps the rail package in-house (routing, nat, encryption etc.) so it should give you an idea of what is happening, for example when it comes to the bad interface, nat evil rule, wrong entry card crypto etc.

  HTH

  Herbert
  

• Remote access VPN Cisco ASA

  Hello!

  I have 9.1 (3) version of Cisco ASA with remote access VPN set UP on the outside interface. When the user connects to the Internet on the outside interface, it works well. My goal is to allow the connection of all other interfaces (inside the dmz and etc.) to the outside interface. Cisco ASA allows to do? Order to packet - trace output is less to:

  MSK-hq-fw1 # packet - trace entry inside tcp 10.10.10.1 14214 1.1.1.2 443

  Phase: 1

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  developed 1.1.1.2 255.255.255.255 identity

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  developed 1.1.1.2 255.255.255.255 identity

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  the output interface: NP identity Ifc

  the status of the output: to the top

  output-line-status: to the top

  Action: drop

  Drop-reason: (headwall) No. road to host

  Hello

  Well, you can of course turn VPN on other interfaces, but to be honest, I never even tried to set up the VPN it otherwise than of multiple multiple external interfaces in the case of the ISP and in this case only for testing purposes.

  Some things related to the ASA are well known but not well documented.

  The official document that I can remember: this is the following (which only refers to this limitation regarding the ICMP)

  Note 
  For  security purposes the security appliance does not support far-end  interface ping, that is pinging the IP address of the outside interface  from the inside network.
  

  Source (old configuration guide):

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa71/configuration/guide/conf_gd/trouble.html#wp1059645

  -Jouni

• Cisco Asa 5505 and level 3 with remote access VPN switch

  Today I had a new CISCO LAYER 3 switch... So here's my scenrio

  Cisco Asa 5505

  I have

  Outside of the == 155.155.155.x

  Inside = 192.168.7.1

  Address POOL VPN = 10.10.10.1 - 10.10.10.20

  3 layer switch configuration

  VLAN 2

  ip address of the interface = 192.168.1.1

  VLAN 2

  ip address of the interface = 192.168.2.1

  VLAN 2

  ip address of 192.168.3.1 = interface

  VLAN 2

  ip address of the interface = 192.168.4.1

  VLAN 2

  ip address of the interface = 192.168.5.1

  IP Routing

  So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip

  Thanks to you all

  Al ready has responded

  Sent by Cisco Support technique iPad App

• Problems with remote access IPSec VPN

  Dear Experts,

  Kindly help me with this problem of access VPN remotely.

  I have configured remote access VPN IPSec using the wizard. The remote client connects to fine enough seat, gets the defined IP address, sends the packets and bytes, BUT do not receive all the bytes or decrypt packets. On the contrary, the meter to guard discarded rising.

  What could be possibly responsible or what another configuration to do on the SAA for the connection to be fully functional?

  It can help to say that Anyconnect VPN is configured on the same external Interface on the ASA, and it is still functional. What is the reason?

  AnyConnect VPN is used by staff for remote access.

  Kindly help.

  Thank you.

  Hello

  So if I understand correctly, you have such an interface for LAN and WAN and, naturally, the destination networks you want to reach via the VPN Client connection are all located behind the LAN interface.

  In this case the NAT0 configuration with your software most recent could look like this

  object-group, LAN-NETWORKS-VPN network

  network-object

  network-object

  network-object

  network of the VPN-POOL object

  subnet

  destination of LAN-NETWORKS-VPN VPN-NETWORKS-LAN static NAT (LAN, WAN) 1 static source VPN-VPN-POOL

  Naturally, the naming of interfaces and objects might be different. In this case its just meant to illustrate the purpose of the object or interface.

  Naturally I'm not sure if the NAT0 configuration is the problem if I can't really say anything for some that I can't see the configuration.

  As for the other question,

  I have not implemented an ASA to use 2 interfaces so WAN in production environments in the case usually has separate platforms for both or we may be hosting / providing service for them.

  I imagine that there are ways to do it, but the main problem is the routing. Essentially, we know that the VPN Client connections can come from virtually any public source IP address, and in this case we would need to default route pointing to the VPN interface since its not really convenient to set up separate routes for the IP address where the VPN Client connections would come from.

  So if we consider that it should be the default route on the WEBSITE of the ASA link, we run to the problem that we can not have 2 default routes on the same active device at the same time.

  Naturally, with the level of your software, you would be able to use the NAT to get the result you wanted.

  In short, the requirements would be the following

  • VPN interface has a default route, INTERNET interface has a default route to value at the address below
  • NAT0 between LAN and VPN interface configuration to make sure that this traffic is passed between these interface without NAT
  • Interfaces to special NAT configuration between LAN and INTERNET which would essentially transfer all traffic on the INTERNET interface (except for VPN traffic that we have handled in the previous step)

  The above things would essentially allow the VPN interface have the default route that would mean that no matter what the VPN Client source IP address it should be able to communicate with the ASA.

  The NAT0 configuration application would be to force ASA to pass this traffic between the LAN and VPN (pools) for VPN traffic.

  The special configuration of NAT then match the traffic from LAN to ANY destination address and send to the INTERNET interface. Once this decision is made the traffic would follow the lower value default route on this interface.

  I would say that this isn't really the ideal situation and the configuration to use in an environment of productin. It potentially creates a complex NAT configuration such that you use to manipulate the traffic instead of leave the mark of table routing choice in the first place.

  Of course, there could be other options, but I have to test this configuration before I can say anything more for some.

  -Jouni

• Unable to SSH/telnet through the remote access VPN to ASA interface

  Hi all - im trying to SSH/telnet to my ASA in my remote access VPN tunnel but

  can't get this to work.  what Miss me?

  remote access VPN subnet: 192.168.25.0

  LAN subnet: 192.168.1.0

  config is attached.  THX-

  Please enter the command

  Private access Managament

  and you will be able to telnet/ssh to the asa on this ip 192.168.1.253

• «Problems with remote access with ASA 5505-, this is the error "the remote peer is no more answers»

  Hello

  By train I got a remote access IPSec VPN, when I have all the performed configuration and try to access remote show software vpn client (cisco) the following message:

  "The remote peer is no more answers.

  I know where is the problem.

  Network information:

  ASA TO LAN - 1:

  192.168.1.0 - 255.255.255.0

  the interface vlan 1:

  IP: 192.168.1.1 - 255.255.255.0

  the interface vlan 2:

  IP: 100.100.100.1 - 255.255.255.252

  REMOTE LAN ACCESS:

  192.168.10.0 - 255.255.255.0

  ASA-1 configuration:

  * IP address pool

  local IP VPNPOOL 192.168.20.1 pool - 192.168.20.254

  * Split tunneling

  splittunnel list standard access allowed 192.168.1.0 255.255.255.0

  * NAT configuration

  object obj LAN
  subnet 192.168.1.0 255.255.255.0
  object obj-vpnpool network
  subnet 192.168.20.0 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp

  * Group Policy

  internal group company-vpn-policy policy
  attributes of vpn-company-policy-group policy
  VPN-idle-timeout 30

  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list splittunnel

  Configure the IPSec

  IKEv1 crypto policy 10
  3des encryption
  sha hash
  preshared authentication
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  Crypto ipsec transform-set esp-3des esp-sha-hmac RA - TS ikev1

  Dynamic crypto map DYN_MAP 10 set transform-set RA - TS ikev1

  card crypto VPN_MAP 30-isakmp dynamic ipsec DYN_MAP
  VPN_MAP interface card crypto outside

  Create tunnels

  tunnel-group vpnclient type remote access
  tunnel-group vpnclient-global attributes
  address VPNPOOL pool
  by default-group-company-vpn-policy
  tunnel-group vpnclient ipsec-attributes
  IKEv1 pre-shared-key groupkey123

  Where is the problem?

  Hello
  Configuration seems almost perfect. Please share the result of the following of the ASA when you try to connect.

  Debug crypto isakmp 200
  Debug crypto ipsec 200

  You can take snapshots on the external interface of the firewall to confirm if the packets are reaching the firewall or don't use do not:
  capture capx off match ip host host interface

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Problem with remote access in a residential group

  Having a problem with desktop sharing remote within a group of home access.  I don't have problem of access to the desktop from the laptop, but for some reason I can't access the laptop from the desktop.  I tried everything I could think of.  Remote access is enabled on both PCs.  Help, please.  Thank you very much!

  Hello

   

  1. who is the operating system installed on the desktop and laptop computers?

  2. what happens when you try to access the laptop from the desktop? You receive an error message?

  3. What are troubleshooting you performed?

  I suggest you follow these methods and check.

  In a first step of troubleshooting, I suggest to run the troubleshooter to group on the source and the destination computer.

  Step 1: Open the troubleshooter group living

  If your computer has problems viewing computers or files shared in your collective housing, try to use the collective dwelling Troubleshooter to fix the problem

  http://Windows.Microsoft.com/en-us/Windows7/open-the-HomeGroup-Troubleshooter

  Step 2: Share files and folders on a group of houses in the laptop using the method proposed below. Try to access from desktop and check.

  a. right click on the item you want to share, and then click share with.

  b. Select Home Group (read/write)

  c. this option share point with your entire Home Group and allows them to open, edit, or delete.

  Share files with someone: http://Windows.Microsoft.com/en-us/Windows7/share-files-with-someone

  See also:

  Home Group: frequently asked questions
  http://Windows.Microsoft.com/en-us/Windows7/HomeGroup-frequently-asked-questions

   

  I hope this helps!

• problem with remote access to NMH405

  Hello

  I have the NMH405 connected to my PC (windows7 and windows xp with IE and Firefox). I was able to connect to the platform of media locally and also via a remote access through ciscomediahub.com. However, remote access Island suddenly no longer works. There is an error message saying that the device is in offline mode.

  I tried to unplug and turn off the mediahub that did not work. I have also resorted to reset the mediahub that did not help also. Even now when I access it locally, I can't even connect via the browser to configure the media center.

  I would be grateful if someone could give advice on how to solve this problem.

  Thank you!

  just to close the loop on this. I called Cisco and their identified technical support it was a hardware problem. Since then, I exchanged for a new device. It works fine now.

  Thank you very much!

• Problem with remote access to Time Capsule

  Hi, I need to set up my APTC in a way to access it on the Internet remotelly.

  I did the following:

  • router Huawei HG622u
    1. activation of NAT
    2. port mapping
       • Protocol: TCP/UDP
       • External start port: 8888
       • End external port: 8888
       • Internal host: the TC's local IP address
       • Internal port: 8888
       • Name of the Air Port TC map
  • APTC (latest firmware installed)
    1. definition of back to my Mac: my Apple ID and password - Green State
    2. definition of APTC in Bridge mode
    3. disc of shared configuration
  • on Mac
    1. definition of back to my Mac - no comment illustrates iCloud

  When I try to access the APTC from the Internet, I see CLTS in Finder/shared section. But when I try to connect, I get the message that the connection failed.

  Could someone advice whot shut I do to make this work?

  Thank you, Eduard

  router Huawei HG622u

  1. activation of NAT

  If it is possible to run your modem without NAT, that is to say fill so that the TC is the main router, will be much more successful than to try to convey the CCMM via a router.

  CCMM if I understand correctly, he must use many more ports... but it is very difficult to get a TC behind a NAT router to work. While Apple says that a computer will work behind a UPNP router, a TC will NOT... There is no UPNP integrated with open ports.

  Get help using Back to My Mac - Apple Support

  Browse through the list...

  TCP and UDP ports used by Apple software - Support Apple products

  the following ports must be open.

  TCP 443

  UDP 500

  UDP 1900

  4488 TCP

  UDP 4500

  5223 TCP

  5350 UDP

  5351 UDP

  5353 UDP

  49512 TO 65535 UDP

  Of course, not all these ports are needed... This is why it is preferable to install the TC in order to open the ports it needs.

  There are other methods of access remotely with the help of the CCMM... and simply transmit AFP TB is the best. I think you're confused or confusing instructions.

  Airport drive - remote (3 methods)

  It seems you are trying to use method 3, but not all do it properly...

  8888 has nothing to do with the CCMM or AFP. Tesserax chose him as a port to be used for the translation of the AFP 548 port. You did no translation of port. There is nothing in the TC to meet 8888... 548 alone will work.

  And this has nothing to do with the CCMM. While let... do try and use both methods of access on top of the other. This gives a big mess.

• Configuring remote access VPN

  Hi all

  I need help with remote access vpn configuration. I want to some remote users who have access to the internet on their system to connect and access an application server in my seat social cisco vpn client user. I use Cisco 881. I am unable to use the SDM configuration because it seems that SDM is not supported by the router so I'm using command line. I'd appreciate any help I can get. Thank you.

  This is the configuration I have:

  VPNROUT #sho run
  Building configuration...

  Current configuration: 6832 bytes
  !
  ! Last configuration change at 10:50:45 UTC Saturday, May 30, 2015, by thomas
  version 15.2
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  hostname VPNROUT
  !
  boot-start-marker
  boot-end-marker
  !
  !
  logging buffered 51200 warnings
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login userauthen1 local
  AAA authorization groupauthor1 LAN
  !
  !
  !
  !
  !
  AAA - the id of the joint session
  iomem 10 memory size
  !
  Crypto pki trustpoint TP-self-signed-1632305899
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 1632305899
  revocation checking no
  rsakeypair TP-self-signed-1632305899
  !
  !
  TP-self-signed-1632305899 crypto pki certificate chain
  certificate self-signed 01
  3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 31363332 33303538 6174652D 3939301E 170 3134 30313233 31323132
  33325A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36333233 65642D
  30353839 3930819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100BC0C 341CD79B A38572CE 1F0F9A91 F96B133C A889B564 E8352034 1CF5EE4B
  B505616B 6014041B EC498C0A F6C5CD2B F5BF62DA BD6E1C44 0C7B9089 1FD0C6E5
  299CEB40 28CD3F3B ADE3468A B07AAA9F AC42F0A7 4087172A 33C4013D 9A50884D
  5778727E 53A4940E 6E622460 560C F597DD53 3B 261584 E45E8776 A848B73D 5252
  92 50203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355 D
  551 2304 18301680 14E85AD0 DEF133D8 E09516FD 0AA5FDAD E10EAB1A FA301D06
  03551D0E E85AD0DE 04160414 F133D8E0 9516FD0A A5FDADE1 0EAB1AFA 300 D 0609
  2A 864886 818100A 5 05050003 5B23ED5B 9A380E1F 467ABB03 BAB1070B F70D0101
  7A 218377 73089DC1 D32DA585 C5FD7ECE 0D000F96 7F3AB6CC 71509E8F 3F1C55AE
  E37536A3 1008FBF9 A29329D5 6F76DDC0 AA1C70AE 958AAE5D 32388BE4 2C1C6839
  0369 D 533 027B612C 8D199C35 C008FE00 F7E1DF62 9C73E603 85C3240A 63611D 93
  854A61E2 794F8EF5 DA535DCC B209DA
  quit smoking
  !
  !
  !
  no record of conflict ip dhcp
  DHCP excluded-address IP 10.10.10.1
  DHCP excluded-address IP 172.20.0.1 172.20.0.50
  !
  DHCP IP CCP-pool
  import all
  Network 10.10.10.0 255.255.255.248
  default router 10.10.10.1
  Rental 2 0
  !
  IP dhcp pool 1
  network 172.20.0.0 255.255.240.0
  domain meogl.net
  router by default - 172.20.0.1
  172.20.0.4 DNS server 41.79.4.11 4.2.2.2 8.8.8.8
  8 rental
  !
  !
  !
  no ip domain search
  IP domain name meogl.net
  name of the IP-server 172.20.0.4
  name of the IP-server 41.79.4.11
  IP-server names 4.2.2.2
  8.8.8.8 IP name-server
  IP cef
  No ipv6 cef
  !
  !
  license udi pid CISCO881-K9 sn FCZ1804C3SL
  !
  !
  username secret privilege 15 thomas 4 JXSizd1r/hMqPpGz94vKBb5somtpZLy03k50rJvHO6c
  username privilege 15 secret 4 mowe hlfv/rdDRCAeTUzRXbOIfdaKhJCl1onoGdaQeaQsAnw
  !
  !
  !
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  ISAKMP crypto client configuration group moweclients
  XXXXXXX key
  DNS 172.20.0.4
  meogl.net field
  pool mowepool
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac moweset
  tunnel mode
  !
  !
  !
  Dynmap crypto dynamic-map 1
  Set transform-set moweset
  market arriere-route
  !
  !
  card crypto client mowemap of authentication list userauthen1
  card crypto isakmp authorization list groupauthor1 mowemap
  client configuration address card crypto mowemap answer
  mowemap 1 card crypto ipsec-isakmp dynamic dynmap
  !
  !
  !
  !
  !
  interface Loopback0
  IP 172.30.30.1 255.255.255.0
  IP nat inside
  IP virtual-reassembly in
  !
  interface FastEthernet0
  no ip address
  !
  interface FastEthernet1
  no ip address
  !
  interface FastEthernet2
  switchport access vlan 100
  no ip address
  !
  interface FastEthernet3
  no ip address
  !
  interface FastEthernet4
  IP 41.7.8.13 255.255.255.252
  NAT outside IP
  IP virtual-reassembly in
  intellectual property policy map route VPN-CLIENT
  Shutdown
  automatic duplex
  automatic speed
  mowemap card crypto
  !
  interface Vlan1
  Description $ETH_LAN$
  IP 10.10.10.1 255.255.255.248
  IP tcp adjust-mss 1452
  !
  interface Vlan100
  IP 172.20.0.1 255.255.240.0
  IP nat inside
  IP virtual-reassembly in
  !
  local pool IP 192.168.1.1 mowepool 192.168.1.100
  IP forward-Protocol ND
  IP http server
  23 class IP http access
  local IP http authentication
  IP http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  !
  IP nat inside source overload map route interface FastEthernet4 LAT
  IP route 0.0.0.0 0.0.0.0 41.7.8.12
  !
  access-list 23 allow 10.10.10.0 0.0.0.7
  access-list 23 allow 172.20.0.0 0.0.15.255
  access-list 100 permit ip 172.20.0.0 0.0.15.255 everything
  access-list 144 allow ip 192.168.1.0 0.0.0.255 any
  not run cdp
  !
  LAT route map permit 1
  corresponds to the IP 100
  IP 41.7.8.12 jump according to the value
  !
  route VPN-CLIENT map permit 1
  corresponds to the IP 144
  !
  Line con 0
  no activation of the modem
  line to 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  !
  !
  end

  Please the configuration above, give me the desired output.

  Thank you.

  Hello Thomas,.

  I'm glad to hear that you have found useful in the example configuration.

  I checked your configuration and everything seems ok with him, especially the statements of nat.

   ip local pool mowepool 192.168.1.1 192.168.1.100 access-list 100 deny ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255 access-list 100 permit ip 172.20.0.0 0.0.15.255 any route-map LAT permit 1 match ip address 100 ip nat inside source route-map LAT interface FastEthernet4 overload interface Vlan100 ip address 172.20.0.1 255.255.240.0 ip nat inside ip virtual-reassembly in 

  Try to generate ICMP traffic behind your 100 VLANS to the client VPN in order to answer the following questions:

  -The router receives this traffic between VLAN100 unit?

  -The router is encrypt this traffic, after receiving the ICMP packet?

  #show crypto ipsec router its can help you with this question. Look for the program/decaps counters.

  -The same, but the other way around (from VPN client to device behind VLAN100) try to locate the problem.

  The following document explains more this crypto commands and debugs if necessary.

  http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation-IKE-protocols/5409-IPSec-debug-00.html#iosdbgs

• PIX 515E and remote access VPN

  I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

  I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

  Any help is appreciated,

  Hello

  Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

  Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

  There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

• Remote access VPN without certificate

  Hi all

  I want to deploy remote access VPN to ASA using Cisco anyconnect version 5512 customer secure mobility 3.1.05152. However, it must be a valid certificate of a CA such as verisign, entrust...

  Is - it there anyway that I can use the certificate auto-signer? Thank you for helping me!

  Hi Harry,.

  I think it would always be possible to configure the VPN just with simple authentication AAA.

  In my opinion you just set up your client to check worthy of trust of the certificate installed on your ASA.

  Please uncheck as on sccreenshot:

  

  Thank you

  Jan

• ASA 5505 - remote access VPN to access various internal networks

  Hi all

  A customer has an ASA 5505 with a remote access vpn. They are moving their internal network to a new regime and that you would be the users who come on the vpn to access the existing and new networks. Currently can only access the existing. When users connect to access remote vpn, the asa gave them the address 192.168.199.x. The current internal network is 200.190.1.x and that they would reach their new network of 10.120.110.x.

  Here is the config:

  :

  ASA Version 8.2 (5)

  !

  ciscoasa hostname

  enable encrypted password xxx

  XXX encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 200.190.1.15 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 255.255.255.0 xxxxxxx

  !

  exec banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

  connection of the banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

  banner asdm the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED

  passive FTP mode

  access extensive list ip 200.190.1.0 inside_access_in allow 255.255.255.0 any

  outside_access_in list extended access permit icmp any external interface

  access extensive list ip 192.168.199.0 outside_access_in allow 255.255.255.192 host 10.120.110.0

  Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 200.190.1.0 255.255.255.0

  MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

  access extensive list ip 200.190.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

  inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask 192.168.199.10 - 192.168.199.50 255.255.255.0 IP local pool Remote_IPSEC_VPN_Pool

  IP verify reverse path to the outside interface

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow all outside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 200.190.1.0 255.255.255.0

  inside_access_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 190.213.43.1 1

  Route inside 10.120.110.0 255.255.255.0 200.190.1.50 1

  Route inside 192.168.50.0 255.255.255.0 200.190.1.56 1

  Route inside 192.168.60.0 255.255.255.0 200.190.1.56 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  http server enable 10443

  http server idle-timeout 5

  Server of http session-timeout 30

  HTTP 200.190.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  Crypto ca trustpoint _SmartCallHome_ServerCA

  Configure CRL

  Crypto ca certificate chain _SmartCallHome_ServerCA

  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

  (omitted)

  quit smoking

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Crypto isakmp nat-traversal 3600

  Telnet timeout 5

  SSH 200.190.1.0 255.255.255.0 inside

  SSH timeout 5

  SSH version 2

  Console timeout 5

  dhcpd outside auto_config

  !

  a basic threat threat detection

  scanning-threat shun threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  internal MD_SSL_Gp_Pol group strategy

  attributes of Group Policy MD_SSL_Gp_Pol

  VPN-tunnel-Protocol webvpn

  WebVPN

  list of URLS no

  disable the port forward

  hidden actions no

  disable file entry

  exploration of the disable files

  disable the input URL

  internal MD_IPSEC_Tun_Gp group strategy

  attributes of Group Policy MD_IPSEC_Tun_Gp

  value of banner welcome to remote VPN

  VPN - connections 1

  VPN-idle-timeout 5

  Protocol-tunnel-VPN IPSec webvpn

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list MD_IPSEC_Tun_Gp_splitTunnelAcl

  the address value Remote_IPSEC_VPN_Pool pools

  WebVPN

  value of the RDP URL-list

  attributes of username (omitted)

  VPN-group-policy MD_IPSEC_Tun_Gp

  type of remote access service

  type tunnel-group MD_SSL_Profile remote access

  attributes global-tunnel-group MD_SSL_Profile

  Group Policy - by default-MD_SSL_Gp_Pol

  type tunnel-group MD_IPSEC_Tun_Gp remote access

  attributes global-tunnel-group MD_IPSEC_Tun_Gp

  address pool Remote_IPSEC_VPN_Pool

  Group Policy - by default-MD_IPSEC_Tun_Gp

  IPSec-attributes tunnel-group MD_IPSEC_Tun_Gp

  pre-shared key *.

  !

  !

  context of prompt hostname

  : end

  The following ACL and NAT exemption ACL split tunnel is incorrect:

  MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0

  inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192

  It should have been:

  Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 10.120.110.0 255.255.255.0

  access extensive list ip 10.120.110.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192

  Then 'clear xlate' and reconnect with the VPN Client.

  Hope that helps.

• Remote access VPN with ASA 5510 by using the DHCP server

  Hello

  Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?

  I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:

  !

  ASA Version 8.2 (5)

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  IP 10.6.0.12 255.255.254.0

  !

  IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)

  !

  Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto-map dynamic dyn1 1jeu transform-set FirstSet

  dynamic mymap 1 dyn1 ipsec-isakmp crypto map

  mymap map crypto inside interface

  crypto ISAKMP allow inside

  crypto ISAKMP policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 43200

  !

  VPN-addr-assign aaa

  VPN-addr-assign dhcp

  !

  internal group testgroup strategy

  testgroup group policy attributes

  DHCP-network-scope 10.6.192.1

  enable IPSec-udp

  IPSec-udp-port 10000

  !

  username testlay password * encrypted

  !

  tunnel-group testgroup type remote access

  tunnel-group testgroup General attributes

  strategy-group-by default testgroup

  DHCP-server 10.6.20.3

  testgroup group tunnel ipsec-attributes

  pre-shared key *.

  !

  I got following output when I test connect to the ASA with Cisco VPN client 5.0

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO

  4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID

  Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

  [OK]

  KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable

  Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64

  Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes

  Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.

  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.

  Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!

  Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!

  Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

  Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84

  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

  Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

  Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets.  No last packet retransmit.

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address

  Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048) , : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740) , : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE

  Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm

  Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80

  Kind regards

  Lay

  For the RADIUS, you need a definition of server-aaa:

  Protocol AAA - NPS RADIUS server RADIUS

  AAA-server RADIUS NPS (inside) host 10.10.18.12

  key *.

  authentication port 1812

  accounting-port 1813

  and tell your tunnel-group for this server:

  General-attributes of VPN Tunnel-group

  Group-NPS LOCAL RADIUS authentication server

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni