Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection, so that I can get an IP from DHCP instead of an IP local pool?
I'm trying to set up remote access VPN on an ASA 5510. It works with a DHCP local pool but does not seem to work when I try to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2(5)
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.6.0.12 255.255.254.0
!
ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0   (worked with this)
!
route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inside
crypto isakmp enable inside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
!
vpn-addr-assign aaa
vpn-addr-assign dhcp
!
group-policy testgroup internal
group-policy testgroup attributes
 dhcp-network-scope 10.6.192.1
 ipsec-udp enable
 ipsec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 default-group-policy testgroup
 dhcp-server 10.6.20.3
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
I got the following output when I test-connected to the ASA with Cisco VPN Client 5.0:
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True  Aggressive Mode: False
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Kind regards,
Lay

For RADIUS you need an aaa-server definition:
aaa-server NPS protocol radius
aaa-server NPS (inside) host 10.10.18.12
 key *
 authentication-port 1812
 accounting-port 1813
and you tell your tunnel-group to use this server:
tunnel-group VPN general-attributes
 authentication-server-group NPS LOCAL

ASA for remote access VPN with dynamic external IP
Hi forum,
I was wondering whether it is possible to set up an ASA to provide remote access VPN connections (IPsec or WebVPN/SSL) from the outside world if the external IP address is dynamic (i.e. obtained through DHCP)? I understand how to use Dynamic DNS to provide a hostname for the VPN clients; I am simply asking whether the ASA can be configured to allow VPN connections on a DHCP-addressed interface. I understand there are problems with site-to-site VPN when both sides are addressed dynamically, but it seems that remote access VPN should work. Just hoping to confirm this before I go and work on a config. Thanks in advance...

The same configuration applies.
In my view, the only difference with the external IP being dynamic is:
interface e0/0
 ip address dhcp setroute
crypto map
The only difference on the VPN clients (the PCF file) is that the VPN connection should use a hostname (rather than an IP address), and the hostname must resolve to the ASA's IP. I'll try to find you an example configuration if you don't have one.
Federico

Hello! I have Cisco ASA version 9.1(3) with remote access VPN set up on the outside interface. When the user connects from the Internet to the outside interface, it works well. My goal is to allow connections from all other interfaces (inside, dmz, etc.) to the outside interface. Does Cisco ASA allow this? The packet-tracer output is the following:
MSK-hq-fw1# packet-tracer input inside tcp 10.10.10.1 14214 1.1.1.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.2   255.255.255.255   identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.2   255.255.255.255   identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Hello
Well, you can of course enable VPN on other interfaces, but to be honest I have never tried setting up VPN on anything other than multiple external interfaces in the case of multiple ISPs, and in that case only for testing purposes. Some things related to the ASA are well known but not well documented. The official document that I can remember is the following (which only refers to this limitation regarding ICMP):
Note: For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.
Source (old configuration guide):
- Jouni

Unable to SSH/telnet through the remote access VPN to ASA interface
Hi all - I'm trying to SSH/telnet to my ASA through my remote access VPN tunnel but can't get this to work. What am I missing?
Remote access VPN subnet: 192.168.25.0
LAN subnet: 192.168.1.0
Config is attached. Thx

Please enter the command "management-access Private" and you will be able to telnet/ssh to the ASA on the IP 192.168.1.253.

Problem with remote access VPN on ASA 5505
I currently have a problem configuring an ASA 5505 for remote access VPN connections using the Cisco VPN Client 5.0.07.0440 on Windows 8 Pro x64. The VPN client prompts for the username and password during the connection process but fails soon after. The VPN client log is as follows:
---------------------------------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200

2    15:09:21.240  11/12/12  Sev=Info/4  CM/0x63100002  Begin connection process
3    15:09:21.287  11/12/12  Sev=Info/4  CM/0x63100004  Establish secure connection
4    15:09:21.287  11/12/12  Sev=Info/4  CM/0x63100024  Attempt connection with server "*.**.***.***"
5    15:09:21.287  11/12/12  Sev=Info/6  IKE/0x6300003B  Attempting to establish a connection with *.**.***.***.
6    15:09:21.287  11/12/12  Sev=Info/4  IKE/0x63000001  Starting IKE Phase 1 Negotiation
7    15:09:21.303  11/12/12  Sev=Info/4  IKE/0x63000013  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to *.**.***.***
8    15:09:21.365  11/12/12  Sev=Info/6  GUI/0x63B00012  Authentication request attributes is 6: 00.
9    15:09:21.334  11/12/12  Sev=Info/5  IKE/0x6300002F  Received ISAKMP packet: peer = *.**.***.***
10   15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000014  RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from *.**.***.***
11   15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001  Peer is a Cisco-Unity compliant peer
12   15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001  Peer supports XAUTH
13   15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001  Peer supports DPD
14   15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001  Peer supports NAT-T
15   15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001  Peer supports IKE fragmentation payloads
16   15:09:21.334  11/12/12  Sev=Info/6  IKE/0x63000001  IOS Vendor ID Construction successful
17   15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000013  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to *.**.***.***
18   15:09:21.334  11/12/12  Sev=Info/6  IKE/0x63000055  Sent a keepalive on the IPSec SA
19   15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000083  IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20   15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000072  Automatic NAT Detection Status: Remote end is NOT behind a NAT device  This end IS behind a NAT device
21   15:09:21.334  11/12/12  Sev=Info/4  CM/0x6310000E  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22   15:09:21.365  11/12/12  Sev=Info/5  IKE/0x6300002F  Received ISAKMP packet: peer = *.**.***.***
23   15:09:21.365  11/12/12  Sev=Info/4  IKE/0x63000014  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
24   15:09:21.365  11/12/12  Sev=Info/4  CM/0x63100015  Launch xAuth application
25   15:09:21.474  11/12/12  Sev=Info/4  IPSEC/0x63700008  IPSec driver successfully started
26   15:09:21.474  11/12/12  Sev=Info/4  IPSEC/0x63700014  Deleted all keys
27   15:09:27.319  11/12/12  Sev=Info/4  CM/0x63100017  xAuth application returned
28   15:09:27.319  11/12/12  Sev=Info/4  IKE/0x63000013  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
29   15:09:27.365  11/12/12  Sev=Info/5  IKE/0x6300002F  Received ISAKMP packet: peer = *.**.***.***
30   15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000014  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
31   15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000013  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
32   15:09:27.365  11/12/12  Sev=Info/4  CM/0x6310000E  Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33   15:09:27.365  11/12/12  Sev=Info/5  IKE/0x6300005E  Client sending a firewall request to concentrator
34   15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000013  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
35   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300002F  Received ISAKMP packet: peer = *.**.***.***
36   15:09:27.397  11/12/12  Sev=Info/4  IKE/0x63000014  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
37   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000E  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000E  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
45   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46   15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D  MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47   15:09:27.397  11/12/12  Sev=Info/4  CM/0x63100019  Mode Config data received
48   15:09:27.412  11/12/12  Sev=Info/4  IKE/0x63000056  Received a key request from Driver: Local IP = 192.168.2.70, GW IP = *.**.***.***, Remote IP = 0.0.0.0
49   15:09:27.412  11/12/12  Sev=Info/4  IKE/0x63000013  SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to *.**.***.***
50   15:09:27.444  11/12/12  Sev=Info/5  IKE/0x6300002F  Received ISAKMP packet: peer = *.**.***.***
51   15:09:27.444  11/12/12  Sev=Info/4  IKE/0x63000014  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from *.**.***.***
52   15:09:27.444  11/12/12  Sev=Info/5  IKE/0x63000045  RESPONDER-LIFETIME notify has value of 86400 seconds
53   15:09:27.444  11/12/12  Sev=Info/5  IKE/0x63000047  This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54   15:09:27.459  11/12/12  Sev=Info/5  IKE/0x6300002F  Received ISAKMP packet: peer = *.**.***.***
55   15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000014  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from *.**.***.***
56   15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000013  SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to *.**.***.***
57   15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000049  Discarding IPsec SA negotiation, MsgID=CE99A8A8
58   15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000017  Marking IKE SA for deletion (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59   15:09:27.459  11/12/12  Sev=Info/5  IKE/0x6300002F  Received ISAKMP packet: peer = *.**.***.***
60   15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000058  Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61   15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000014  RECEIVING <<< ISAKMP OAK INFO *(Dropped) from *.**.***.***
62   15:09:27.490  11/12/12  Sev=Info/4  IPSEC/0x63700014  Deleted all keys
63   15:09:30.475  11/12/12  Sev=Info/4  IKE/0x6300004B  Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64   15:09:30.475  11/12/12  Sev=Info/4  CM/0x63100012  Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65   15:09:30.475  11/12/12  Sev=Info/5  CM/0x63100025  Initializing CVPNDrv
66   15:09:30.475  11/12/12  Sev=Info/6  CM/0x63100046  Set tunnel established flag in registry to 0.
67   15:09:30.475  11/12/12  Sev=Info/4  IKE/0x63000001  IKE received signal to terminate VPN connection
68   15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014  Deleted all keys
69   15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014  Deleted all keys
70   15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014  Deleted all keys
71   15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x6370000A  IPSec driver successfully stopped
---------------------------------------------------------------------------------------------------------------------------------------
The running configuration is the following (there is also a site-to-site VPN set up to another ASA 5505, but that works perfectly):
: Saved
:
ASA Version 8.2(5)
!
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.**.***.*** 255.255.255.248
!
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl outside_nat0_outbound
 webvpn
  svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http *.**.***.*** 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set vpn-transform l2tp-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 35
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value nchco.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage enable
 ipsec-udp enable
 intercept-dhcp 255.255.255.0 enable
 address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
 dns-server value 192.168.2.1 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
username NCHvpn99 attributes
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) VPN_Pool
 address-pool VPN_Pool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy DefaultRAGroup
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
ms-chap-v2 authentication tunnel-group 74.219.208.50 type ipsec-l2l IPSec-attributes tunnel-group 74.219.208.50 pre-shared key *. type tunnel-group NCHVPN remote access attributes global-tunnel-group NCHVPN address pool VPN_Pool Group Policy - by default-NCHVPN IPSec-attributes tunnel-group NCHVPN pre-shared key *. ! class-map inspection_default match default-inspection-traffic ! ! type of policy-card inspect dns preset_dns_map parameters maximum message length automatic of customer message-length maximum 512 Policy-map global_policy class inspection_default inspect the preset_dns_map dns inspect the ftp inspect h323 h225 inspect the h323 ras inspect the rsh inspect the rtsp inspect esmtp inspect sqlnet inspect the skinny inspect sunrpc inspect xdmcp inspect the sip inspect the netbios inspect the tftp Review the ip options ! global service-policy global_policy context of prompt hostname no remote anonymous reporting call Cryptochecksum:15852745977ff159ba808c4a4feb61fa : end ASDM image disk0: / asdm - 645.bin ASDM VPN_Start 255.255.255.255 inside location ASDM VPN_End 255.255.255.255 inside location don't allow no asdm history Anyone have any idea why this is happening? Thank you! Add, crypto dynamic-map outside_dyn_map 20 value reverse-road. With respect, Safwan Problem with remote access VPN Hello I installed a remote access VPN on my firewall ASA5505 via the ASDM Assistant. I can successfully connect with the Cisco VPN client. My firewall also shows me the VPN session and shows the Rx packets. However, Tx packets remain 0, so no traffic is getting out. My ASA5505 is configured as a router on a stick with 25 different VLAN. I want to restrict traffic to one VLAN specific using a card encryption. 
When I run a ping on my connected Windows box, the firewall log shows me the following message:
"Unable to find IKE initiator policy: Intf outside, Src: 10.7.11.18, Dst: 172.16.1.1"
This message indicates that the IPsec fast path processed a packet that triggered IKE, but the IKE policy lookup failed. This error could be timing related: the ACL triggering IKE could have been deleted before IKE processed the initiation request. "This problem will likely correct itself." Unfortunately, the problem does not correct itself. The "sh cry isa sa" and "sh cry ips sa" commands show the following output:

2 IKE Peers: 62.140.137.99
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 85.17.xxx.xxx (outside interface IP)

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
      current_peer: 62.140.137.99, username: eclipsevpn
      dynamic allocated peer ip: 172.16.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4351, #pkts decrypt: 4351, #pkts verify: 4351
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 85.17.xxx.xxx/4500, remote crypto endpt.: 62.140.137.99/3698

      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: B3D60F71
      current inbound spi : B89BA14A

    inbound esp sas:
      spi: 0xB89BA14A (3097207114)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 196608, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 25126
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFE1FFF8 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB3D60F71 (3017150321)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 196608, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 25126
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I really have no idea what's going on. I have set up remote access VPNs countless times, but this time it shows me the error described above.

Hi Martijn, just a few quick thoughts:
- Is your NAT exemption OK, i.e. make sure that the return traffic is not NATed.
- Make sure that there is no overlapping crypto ACL.
- When connected, run a packet-tracer to see what is happening with the return packets, for example:
packet-tracer input inside icmp 10.7.11.18 0 0 172.16.1.1 detail
(where inside is the name of the interface on which 10.7.11.18 resides)
This will show you all the steps the packet goes through in the box (routing, NAT, encryption etc.), so it should give you an idea of what is happening, for example whether it hits the wrong interface, the wrong NAT rule, the wrong crypto map entry etc.
HTH, Herbert

Does the ASA Service Module on a 6509-E support remote access VPN?
I'm having a problem configuring remote access VPN (SSL, AnyConnect etc.) on the ASA Service Module in a 6509-E. Is it even supported, or am I wasting my time trying to make something work that won't work in the first place :)? Site-to-site works without any problem.
Technical info: 6509-E running SUP 2T, SY 15.1(2); ASA module WS-SVC-ASA-SM1 running image asa912-smp-k8 and asdm-712; licenses on the ASA: Encryption-3DES-AES: Enabled.
Thank you for the support.

Are you running multiple context mode? If you are, remote access VPN is not supported in that case: "Note: Multiple context mode applies only to IKEv2 and IKEv1 site-to-site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft VPN client, or cTCP for IKEv1 IPsec."

Remote access VPN without certificate
Hi all, I want to deploy remote access VPN on an ASA 5512 using Cisco AnyConnect Secure Mobility Client version 3.1.05152. However, it must have a valid certificate from a CA such as VeriSign, Entrust... Is there any way that I can use a self-signed certificate? Thank you for helping me!

Hi Harry, I think it would still be possible to configure the VPN with just simple AAA authentication. In my opinion you just need to set up your client with regard to the trust check of the certificate installed on your ASA. Please uncheck as on the screenshot:
Thank you, Jan

Cisco ASA 5505 and layer 3 switch with remote access VPN
Today I got a new Cisco layer 3 switch...
So here's my scenario.
Cisco ASA 5505: Outside = 155.155.155.x, Inside = 192.168.7.1, VPN address pool = 10.10.10.1 - 10.10.10.20.
Layer 3 switch configuration: interface VLAN 2 ip address = 192.168.1.1; interface VLAN 2 ip address = 192.168.2.1; interface VLAN 2 ip address = 192.168.3.1; interface VLAN 2 ip address = 192.168.4.1; interface VLAN 2 ip address = 192.168.5.1; ip routing.
So I want my remote access VPN clients to access all of these networks. So please can you give me a useful tip or a link to set up the rest of my journey. Thanks to you all, Al

Already responded.
Sent from Cisco Technical Support iPad App

How to use ACS 5.2 to create a static IP address for a remote access VPN user
Hi all, I have a problem, please help me. Initially I used ACS 4.2 to create the static IP address for the remote access VPN user; it's easy, simply configure User Setup > Client IP Address Assignment > Assign static IP address. But when I use ACS 5.2 I don't know how to do it. I'm trying to add the IPv4 address attribute to the user. Reading "How to use ACS 5.2", it says this:
Step 1: Add a static IP address attribute to the internal user attribute dictionary.
Step 2: Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3: Click Create.
Step 4: Add the static IP attribute.
Step 5: Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6: Click Create.
Step 7: Edit the static IP attribute of the user.
I just did that, but it doesn't work. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set up on the internal user, so the tunnel setup fails.
I tried configuring an IP pool on the ASA for ACS users to get an IP, and the EasyVPN client connects to the ASA; everything is OK, the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails. So what should I do? If anybody knows how to use ACS 5.2 to create a static IP address for a remote access VPN user, please tell me. Waiting for your answer; whether right or not, please answer, thank you.

There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two attached slides.

Use the ASA's IP when browsing the web via remote access VPN
Hi all, I was wondering if it is possible to configure an ASA 5510 in a way that allows remote access VPN users to use the external IP of the ASA when browsing the web. So what I'm looking for is a solution to hide my IP address and use the IP address of the ASA when browsing. The firmware version of the ASA is 9.1(6). Thanks in advance.

Hello, what you want to achieve is called a U-turn. You must enable the feature:
same-security-traffic permit intra-interface
For the configuration of the ASA, here's the Cisco documentation (I won't copy-paste it into the post): http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you.
PS: Please do not forget to rate and mark as correct answer if this solves your problem.

ASA 5505 - remote access VPN to access various internal networks
Hi all, a customer has an ASA 5505 with a remote access VPN. They are moving their internal network to a new scheme and would like the users who come in on the VPN to access both the existing and the new networks. Currently they can only access the existing one. When users connect to the remote access VPN, the ASA gives them an address of 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network of 10.120.110.x. Here is the config:

: ASA Version 8.2(5)
!
hostname ciscoasa
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 200.190.1.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxx 255.255.255.0
!
banner exec UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
banner login UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
banner asdm UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
ftp mode passive
access-list inside_access_in extended permit ip 200.190.1.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit ip 192.168.199.0 255.255.255.192 host 10.120.110.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Remote_IPSEC_VPN_Pool 192.168.199.10-192.168.199.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 200.190.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.213.43.1 1
route inside 10.120.110.0 255.255.255.0 200.190.1.50 1
route inside 192.168.50.0 255.255.255.0 200.190.1.56 1
route inside 192.168.60.0 255.255.255.0 200.190.1.56 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 10443
http server idle-timeout 5
http server session-timeout 30
http 200.190.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
 (omitted)
 quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 200.190.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy MD_SSL_Gp_Pol internal
group-policy MD_SSL_Gp_Pol attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
  port-forward disable
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy MD_IPSEC_Tun_Gp internal
group-policy MD_IPSEC_Tun_Gp attributes
 banner value Welcome to remote VPN
 vpn-simultaneous-logins 1
 vpn-idle-timeout 5
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MD_IPSEC_Tun_Gp_splitTunnelAcl
 address-pools value Remote_IPSEC_VPN_Pool
 webvpn
  url-list value RDP
username (omitted) attributes
 vpn-group-policy MD_IPSEC_Tun_Gp
 service-type remote-access
tunnel-group MD_SSL_Profile type remote-access
tunnel-group MD_SSL_Profile general-attributes
 default-group-policy MD_SSL_Gp_Pol
tunnel-group MD_IPSEC_Tun_Gp type remote-access
tunnel-group MD_IPSEC_Tun_Gp general-attributes
 address-pool Remote_IPSEC_VPN_Pool
 default-group-policy MD_IPSEC_Tun_Gp
tunnel-group MD_IPSEC_Tun_Gp ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
: end

The following split-tunnel ACL and NAT exemption ACL entries are incorrect:
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
They should have been:
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 10.120.110.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.120.110.0 255.255.255.0 192.168.199.0 255.255.255.192
Then "clear xlate" and reconnect with the VPN client. Hope that helps.

How to prevent a remote access VPN client from using the local DNS server
Hello, I'm configuring remote access VPN on an ASA 5505. Everything works fine so far, except that when the client is connected, it always uses the local DNS server provided by the ISP. How can I force the client to use the DNS server configured on the ASA? Thank you. Kind regards.

The command "split-tunnel-all-dns enable" is supported only on SSL VPN and IKEv2 VPN. Since you're using IKEv1, this command is not supported. Here's the command reference: http://www.Cisco.com/en/us/docs/security/ASA/asa82/command/reference/S8.html#wp1533793
Are you configuring split tunnel? If you are, then you need to configure the "tunnelall" split tunnel policy, and that will force DNS resolution and everything else through the VPN tunnel.

ASA remote access VPN cleanup
Experts, I have about three or four remote access VPNs that must be removed from my ASA. What is the best way to ensure that I remove all of their configuration from the ASA? Thank you. Best.

Hi Thomas, you can run the command "clear configure vpn" to clear some VPN commands; if you do not have any certificates or site-to-site tunnels, you can run the command "clear configure crypto" and remove every crypto-related command. Rate if it helps.
-Randy-

DMVPN with client-based remote access VPN
Hi all, we have DMVPN deployed to connect our remote locations. Now I want to configure client-based remote access VPN alongside the DMVPN tunnel, so that if somehow our DMVPN tunnel goes down we can connect to the router through the client-based remote access VPN... I would like the experts to shed some light on whether this is possible, or what technical challenges I would have to face in this regard. Thank you, Salman Jamshed

Hello Salman, it's 100% possible; there is no harm in having them both up on your router. In fact, as you have said, it will provide an extra layer of redundancy if by chance the DMVPN tunnel breaks down. That being said, you can go ahead and do it. Julio