Cisco ASA 5510 - VPN troubles
  • Cisco ASA 5510 - VPN troubles

    I am setting up a new Cisco ASA 5510. I have the basic setup up and running, but I also need to set up a VPN. However, I am having some trouble getting this to work. When I connect using the Cisco VPN client I get "Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding." I have turned off all firewalls and tried from multiple connections and machines. I am including the logs from the client and a copy of the config.

    Here is a copy of my ASA Config

    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname SJPFW001
    enable password encrypted
    names
    !
    interface Ethernet0/0
    description inside interface
    nameif inside
    security-level 100
    ip address 192.168.1.6 255.255.0.0
    !
    interface Ethernet0/1
    description DMZ Interface
    shutdown
    nameif DMZ
    security-level 50
    ip address 172.16.0.253 255.255.0.0
    !
    interface Ethernet0/2
    description Embarq Interface
    nameif outside1
    security-level 0
    ip address xxx.xxx.93.158 255.255.255.252
    !
    interface Ethernet0/3
    description TWC Interface
    nameif outside2
    security-level 0
    ip address xxx.xxx.97.44 255.255.255.248
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 172.22.22.1 255.255.0.0
    management-only
    !
    passwd encrypted
    ftp mode passive
    object-group service vpn tcp
    port-object eq 10000
    object-group network group-inside-vpnclient
    description All inside accessible networks
    network-object 192.168.1.0 255.255.255.0
    access-list outside-entry extended permit icmp any any echo-reply
    access-list outside-entry extended permit icmp any any time-exceeded
    access-list outside-entry extended permit icmp any any unreachable
    access-list outside-entry extended permit tcp any host xxx.xxx.92.193 eq 3389
    access-list outside-entry extended permit tcp any host xxx.xxx.93.158 eq 3389
    access-list outside-entry extended permit tcp any host xxx.xxx.93.158 eq www
    access-list outside-entry extended permit tcp any host xxx.xxx.93.158 eq https
    access-list outside-entry extended permit tcp any host xxx.xxx.193 eq smtp
    access-list outside-entry extended permit tcp any host xxx.xxx.92.193 eq https
    access-list outside-entry extended permit tcp any host xxx.xxx.92.193 eq 465
    access-list outside-entry extended permit tcp any host xxx.xxx.93.158 eq 3101
    access-list outside-entry extended permit tcp any host xxx.xxx.92.194 eq smtp
    access-list outside-entry extended permit tcp any host xxx.xxx.92.194 eq https
    access-list outside-entry extended permit tcp any object-group vpn xxx.xxx.93.156 255.255.255.252
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.192
    access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu DMZ 1500
    mtu outside1 1500
    mtu outside2 1500
    mtu management 1500
    ip local pool vpnpool_ip 192.168.100.20-192.168.100.40 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside1) 1 interface
    global (outside2) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.0.0 255.255.0.0
    static (inside,outside1) tcp interface 3389 192.168.0.12 3389 netmask 255.255.255.255
    static (inside,outside1) tcp interface 3101 192.168.0.15 3101 netmask 255.255.255.255
    static (inside,outside1) tcp interface www 192.168.1.17 www netmask 255.255.255.255
    static (inside,outside1) 67.238.92.193 192.168.1.4 netmask 255.255.255.255
    static (inside,outside1) 67.238.92.194 192.168.1.20 netmask 255.255.255.255
    access-group outside-entry in interface outside1
    route outside1 0.0.0.0 0.0.0.0 67.238.93.157 1 track 1
    route outside2 0.0.0.0 0.0.0.0 24.172.97.41 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.22.22.0 255.255.255.0 management
    http 0.0.0.0 0.0.0.0 outside1
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 67.238.93.157 interface outside1
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside1_map interface outside1
    crypto isakmp enable outside1
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    !
    track 1 rtr 123 reachability
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    !
    service-policy global_policy global
    webvpn
    enable outside1
    group-policy SJP internal
    group-policy SJP attributes
    dns-server value 192.168.1.3
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    default-domain value sjp.org
    webvpn
    url-list none
    username sjpadm password encrypted privilege 0
    username sjpadm attributes
    vpn-group-policy SJP
    tunnel-group SJP type remote-access
    tunnel-group SJP general-attributes
    address-pool vpnpool_ip
    default-group-policy SJP
    tunnel-group SJP webvpn-attributes
    hic-fail-group-policy SJP
    nbns-server 192.168.1.3 timeout 2 retry 2
    tunnel-group SJP ipsec-attributes
    pre-shared-key *
    tunnel-group SJP_VPN type remote-access
    tunnel-group SJP_VPN general-attributes
    default-group-policy SJP
    prompt hostname context
    Cryptochecksum:fce8c724d0af5f945fbc09ecc3596752
    : end

    And here are the logs

    Cisco Systems VPN Client Version 5.0.06.0160
    Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 3
    6 11:14:47.254 02/10/10 Sev=Info/4 CM/0x63100002
    Begin connection process
    7 11:14:47.441 02/10/10 Sev=Info/4 CM/0x63100004
    Establish secure connection
    8 11:14:47.441 02/10/10 Sev=Info/4 CM/0x63100024
    Attempt connection with server "67.238.93.158"
    9 11:14:47.597 02/10/10 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with 67.238.93.158.
    10 11:14:47.738 02/10/10 Sev=Info/4 IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    11 11:14:47.847 02/10/10 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 67.238.93.158
    12 11:14:47.863 02/10/10 Sev=Info/4 IPSEC/0x63700008
    IPSec driver successfully started
    13 11:14:47.863 02/10/10 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    14 11:14:53.126 02/10/10 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!
    15 11:14:53.126 02/10/10 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to 67.238.93.158
    16 11:14:58.623 02/10/10 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!
    17 11:14:58.623 02/10/10 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to 67.238.93.158
    18 11:15:04.120 02/10/10 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!
    19 11:15:04.120 02/10/10 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to 67.238.93.158
    20 11:15:09.617 02/10/10 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=6EEEFA8407046028 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
    21 11:15:10.616 02/10/10 Sev=Info/4 IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=6EEEFA8407046028 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
    22 11:15:10.616 02/10/10 Sev=Info/4 CM/0x63100014
    Unable to establish Phase 1 SA with server "67.238.93.158" because of "DEL_REASON_PEER_NOT_RESPONDING"
    23 11:15:10.616 02/10/10 Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv
    24 11:15:10.663 02/10/10 Sev=Info/6 CM/0x63100046
    Set tunnel established flag in registry to 0.
    25 11:15:10.710 02/10/10 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection
    26 11:15:11.475 02/10/10 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    27 11:15:11.475 02/10/10 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    28 11:15:11.475 02/10/10 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
    29 11:15:11.475 02/10/10 Sev=Info/4 IPSEC/0x6370000A
    IPSec driver successfully stopped
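The client log above has a recognisable shape: the client sends the first aggressive-mode packet, retransmits it several times, and then tears the SA down with the responder cookie still all zeros. As an added example (not part of the thread and not Cisco's code), the following script parses that two-line-per-event log format and classifies a Phase 1 failure from what the log actually shows. The sample log is a constructed excerpt modelled on the poster's log, with the peer address replaced by the placeholder 198.51.100.1.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the Cisco VPN Client log in the thread.
# 198.51.100.1 is a placeholder for the ASA's outside address.
SAMPLE_LOG = """\
10 11:14:47.738 02/10/10 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
11 11:14:47.847 02/10/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 198.51.100.1
14 11:14:53.126 02/10/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
15 11:14:53.126 02/10/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.1
16 11:14:58.623 02/10/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
17 11:14:58.623 02/10/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.1
20 11:15:09.617 02/10/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6EEEFA8407046028 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Header line: "<seq> <time> <date> Sev=<level>/<n> <module>/0x<code>"; the message is on the next line.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+/\d)\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)


@dataclass
class Event:
    seq: int
    time: str
    module: str   # CM, IKE, IPSEC, ...
    code: int
    message: str


def parse_client_log(text):
    """Pair each header line with the message line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            pending = m
            continue
        if pending is not None:
            events.append(Event(int(pending["seq"]), pending["time"], pending["module"],
                                int(pending["code"], 16), line.strip()))
            pending = None
    return events


def diagnose_phase1(events):
    """Classify a Phase 1 attempt using only evidence present in the IKE events."""
    ike = [e for e in events if e.module == "IKE"]
    sent = [e for e in ike if e.message.startswith("SENDING")]
    received = [e for e in ike if e.message.startswith("RECEIVED")]
    retransmits = sum(1 for e in ike if "Retransmitting last packet" in e.message)
    peer_not_responding = any("DEL_REASON_PEER_NOT_RESPONDING" in e.message for e in ike)
    # The responder cookie is set from the peer's first reply; all zeros means no reply ever arrived.
    no_responder_cookie = any("R_Cookie=0000000000000000" in e.message for e in ike)

    if peer_not_responding and not received and no_responder_cookie:
        verdict = "no_reply"
        detail = (f"{len(sent)} ISAKMP packets sent, {retransmits} retransmissions, none received: "
                  "the first aggressive-mode packet was never answered. Confirm the address the "
                  "client targets is the interface with 'crypto isakmp enable', and that UDP/500 "
                  "(and UDP/4500 for NAT-T) actually reaches the ASA.")
    elif received:
        verdict = "peer_replied"
        detail = "The peer answered; the failure lies later in the exchange (proposal, key or XAUTH)."
    else:
        verdict = "inconclusive"
        detail = "No Phase 1 send/receive events found in this excerpt."
    return {"verdict": verdict, "sent": len(sent), "received": len(received),
            "retransmits": retransmits, "detail": detail}


if __name__ == "__main__":
    result = diagnose_phase1(parse_client_log(SAMPLE_LOG))
    print(result["verdict"], "-", result["detail"])
```

The useful distinction is between "peer never replied" (a reachability or listener problem, which is what the thread's log shows) and "peer replied but the negotiation failed" (a policy, key or authentication problem); the two call for different checks on the ASA side.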

  • #2
    Re: Cisco ASA 5510 - VPN troubles

    Try sysopt connection permit-vpn and crypto isakmp nat-traversal
    Last edited by Garen; 10th February 2010, 18:13.



    • #3
      Re: Cisco ASA 5510 - VPN troubles

      I have run both commands and I get the same error.



      • #4
        Re: Cisco ASA 5510 - VPN troubles

        Make sure that you are entering the correct "pre-shared-key".
        CCNA, Network+



        • #5
          Re: Cisco ASA 5510 - VPN troubles

          I have verified all information regarding authentication and still have the same troubles.



          • #6
            Re: Cisco ASA 5510 - VPN troubles

            What are you using for the "Group Authentication" ?
            Cause you have "tunnel-group SJP" and "tunnel-group SJP_VPN".
            CCNA, Network+



            • #7
              Re: Cisco ASA 5510 - VPN troubles

              It should have been using the SJP. I have been messing with this long enough that at some point I must have entered a second group, not exactly sure why. I have removed the SJP_VPN. Daze, does that answer your question?

              Thanks for the help. I am also posting an updated config.

              Here is the updated Config

              ASA Version 8.0(2)
              !
              hostname SJPFW001
              enable password encrypted
              names
              !
              interface Ethernet0/0
              description inside interface
              nameif inside
              security-level 100
              ip address 192.168.1.6 255.255.0.0
              !
              interface Ethernet0/1
              description DMZ Interface
              shutdown
              nameif DMZ
              security-level 50
              ip address 172.16.0.253 255.255.0.0
              !
              interface Ethernet0/2
              description Embarq Interface
              nameif outside1
              security-level 0
              ip address xx.xx.xx.158 255.255.255.252
              !
              interface Ethernet0/3
              description TWC Interface
              nameif outside2
              security-level 0
              ip address xx.xx.xx.44 255.255.255.248
              !
              interface Management0/0
              nameif management
              security-level 100
              ip address 172.22.22.1 255.255.0.0
              management-only
              !
              passwd encrypted
              ftp mode passive
              same-security-traffic permit intra-interface
              object-group service vpn tcp
              port-object eq 10000
              object-group network group-inside-vpnclient
              description All inside accessible networks
              network-object 192.168.1.0 255.255.255.0
              access-list outside-entry extended permit icmp any any echo-reply
              access-list outside-entry extended permit icmp any any time-exceeded
              access-list outside-entry extended permit icmp any any unreachable
              access-list outside-entry extended permit tcp any host xx.xx.xx.193 eq 3389
              access-list outside-entry extended permit tcp any host xx.xx.xx.158 eq 3389
              access-list outside-entry extended permit tcp any host xx.xx.xx.158 eq www
              access-list outside-entry extended permit tcp any host xx.xx.xx.158 eq https
              access-list outside-entry extended permit tcp any host xx.xx.xx.193 eq smtp
              access-list outside-entry extended permit tcp any host xx.xx.xx.193 eq https
              access-list outside-entry extended permit tcp any host xx.xx.xx.193 eq 465
              access-list outside-entry extended permit tcp any host xx.xx.xx.158 eq 3101
              access-list outside-entry extended permit tcp any host xx.xx.xx.194 eq smtp
              access-list outside-entry extended permit tcp any host xx.xx.xx.194 eq https
              access-list outside-entry extended permit tcp any object-group vpn xx.xx.xx.158 255.255.255.252
              access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
              access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
              access-list inside_nat0_inbound extended permit ip any 192.168.100.0 255.255.255.0
              access-list inside_nat0_inbound extended permit tcp 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
              access-list test_splitTunnelAcl standard permit any
              pager lines 24
              logging enable
              logging asdm informational
              mtu inside 1500
              mtu DMZ 1500
              mtu outside1 1500
              mtu outside2 1500
              mtu management 1500
              ip local pool vpnpool_ip 192.168.100.20-192.168.100.40 mask 255.255.255.0
              icmp unreachable rate-limit 1 burst-size 1
              asdm image disk0:/asdm-602.bin
              no asdm history enable
              arp timeout 14400
              global (outside1) 1 interface
              global (outside2) 1 interface
              nat (inside) 1 192.168.0.0 255.255.0.0
              static (inside,outside1) tcp interface 3389 192.168.0.12 3389 netmask 255.255.255.255
              static (inside,outside1) tcp interface 3101 192.168.0.15 3101 netmask 255.255.255.255
              static (inside,outside1) tcp interface www 192.168.1.17 www netmask 255.255.255.255
              static (inside,outside1) xx.xx.xx.193 192.168.1.4 netmask 255.255.255.255
              static (inside,outside1) xx.xx.xx.194 192.168.1.20 netmask 255.255.255.255
              access-group outside-entry in interface outside1
              route outside1 0.0.0.0 0.0.0.0 xx.xx.xx.157 1 track 1
              route outside2 0.0.0.0 0.0.0.0 xx.xx.xx.41 2
              timeout xlate 3:00:00
              timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
              timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
              timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
              timeout uauth 0:05:00 absolute
              dynamic-access-policy-record DfltAccessPolicy
              http server enable
              http 172.22.22.0 255.255.255.0 management
              http 0.0.0.0 0.0.0.0 outside1
              no snmp-server location
              no snmp-server contact
              snmp-server enable traps snmp authentication linkup linkdown coldstart
              sla monitor 123
              type echo protocol ipIcmpEcho xx.xx.xx.157 interface outside1
              num-packets 3
              frequency 10
              sla monitor schedule 123 life forever start-time now
              crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
              crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
              crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
              crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
              crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
              crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
              crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
              crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
              crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
              crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
              crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
              crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
              crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
              crypto map outside1_map interface outside1
              crypto isakmp enable outside1
              crypto isakmp policy 10
              authentication pre-share
              encryption 3des
              hash sha
              group 2
              lifetime 86400
              !
              track 1 rtr 123 reachability
              telnet 192.168.1.0 255.255.255.0 inside
              telnet timeout 5
              ssh timeout 5
              console timeout 0
              threat-detection basic-threat
              threat-detection statistics access-list
              !
              class-map inspection_default
              match default-inspection-traffic
              !
              !
              policy-map type inspect dns preset_dns_map
              parameters
              message-length maximum 512
              policy-map global_policy
              class inspection_default
              inspect dns preset_dns_map
              inspect ftp
              inspect h323 h225
              inspect h323 ras
              inspect rsh
              inspect rtsp
              inspect esmtp
              inspect sqlnet
              inspect skinny
              inspect sunrpc
              inspect xdmcp
              inspect sip
              inspect netbios
              inspect tftp
              inspect icmp
              !
              service-policy global_policy global
              webvpn
              enable outside1
              group-policy SJP internal
              group-policy SJP attributes
              dns-server value 192.168.1.3
              vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
              default-domain value sjp.org
              webvpn
              url-list none
              username sjpadm password encrypted privilege 0
              username sjpadm attributes
              vpn-group-policy SJP
              tunnel-group SJP type remote-access
              tunnel-group SJP general-attributes
              address-pool vpnpool_ip
              default-group-policy SJP
              tunnel-group SJP webvpn-attributes
              hic-fail-group-policy SJP
              nbns-server 192.168.1.3 timeout 2 retry 2
              tunnel-group SJP ipsec-attributes
              pre-shared-key *
              prompt hostname context
              Cryptochecksum:fce8c724d0af5f945fbc09ecc3596752
              : end



              • #8
                Re: Cisco ASA 5510 - VPN troubles

                Ok, I got this working. I had to reset the preshared key yet again, and I am able to connect to the VPN. I am still having trouble: I am not able to access network resources. But I will do some more research first, unless someone sees something easy.



                • #9
                  Re: Cisco ASA 5510 - VPN troubles

                  Originally posted by kgantt:
                  Ok, I got this working. I had to reset the preshared key yet again, and I am able to connect to the VPN. I am still having trouble: I am not able to access network resources. But I will do some more research first, unless someone sees something easy.
                  You either need to create ACLs for that or enable sysopt connection permit-vpn.



                  • #10
                    Re: Cisco ASA 5510 - VPN troubles

                    I would like to use sysopt. I wonder if I have an ACL that is causing troubles.

                    Here is what the sysopt config is showing. Any suggestions?

                    SJPFW001# show running-config sysopt
                    no sysopt connection timewait
                    sysopt connection tcpmss 1380
                    sysopt connection tcpmss minimum 0
                    no sysopt nodnsalias inbound
                    no sysopt nodnsalias outbound
                    no sysopt radius ignore-secret
                    sysopt connection permit-vpn
                    no sysopt connection reclassify-vpn



                    • #11
                      Re: Cisco ASA 5510 - VPN troubles

                      Give this a try:

                      Code:
                      nat (inside) 0 access-list inside_nat0_outbound
                      CCNA, Network+
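The first config posted in the thread had `nat (inside) 0 access-list inside_nat0_outbound`; the updated config in #7 no longer did, and the fix above puts it back. Without that NAT exemption, replies from inside hosts to VPN-pool addresses are matched by `nat (inside) 1` and translated on the outside interface instead of being sent back through the tunnel. As an added example (not from the thread and not Cisco's code), the script below parses the relevant statements from an ASA 8.0-style config and checks that every address in the `ip local pool` is covered as a destination by an ACL bound with `nat (inside) 0`. The config fragments are constructed, modelled on the pool and ACL lines in the thread.

```python
import ipaddress
import re

# Constructed fragments modelled on the thread's config (pool and ACL lines).
# CONFIG_BEFORE mirrors the #7 config, where the nat 0 binding had been dropped.
CONFIG_BEFORE = """\
ip local pool vpnpool_ip 192.168.100.20-192.168.100.40 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
"""
# CONFIG_AFTER adds the line suggested in #11.
CONFIG_AFTER = CONFIG_BEFORE + "nat (inside) 0 access-list inside_nat0_outbound\n"

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def _parse_addr(tokens, i):
    """Parse one ASA address spec ('any', 'host X', or 'X MASK') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits set in the network address
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config, name):
    """Return (src, dst) network pairs for the 'extended permit ip' entries of ACL `name`."""
    pairs = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        pairs.append((src, dst))
    return pairs


def check_vpn_nat_exemption(config, inside_if="inside"):
    """Report whether every VPN pool address is exempted from NAT on `inside_if`."""
    pool = nat0_acl = None
    for raw in config.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            pool = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        m = NAT0_RE.match(line)
        if m and m.group(1) == inside_if:
            nat0_acl = m.group(2)
    if pool is None:
        return {"ok": False, "reason": "no 'ip local pool' statement found"}
    if nat0_acl is None:
        return {"ok": False, "reason": f"no 'nat ({inside_if}) 0 access-list ...' statement: "
                                        "inside-to-client traffic will hit the dynamic NAT rule"}
    entries = parse_acl(config, nat0_acl)
    first, last = int(pool[0]), int(pool[1])
    # Direction is inside -> client, so the pool must appear as the ACL destination.
    uncovered = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)
                 if not any(ipaddress.ip_address(n) in dst for _, dst in entries)]
    if uncovered:
        return {"ok": False, "uncovered": uncovered,
                "reason": f"{len(uncovered)} pool addresses not covered by ACL {nat0_acl}"}
    return {"ok": True, "reason": f"all {last - first + 1} pool addresses exempted via ACL {nat0_acl}"}


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_vpn_nat_exemption(cfg))
```

The check only covers the pool-as-destination side; the ACL's source must also include the inside subnets the clients need to reach, which is a separate review of the same `inside_nat0_outbound` entries.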



                      • #12
                        Re: Cisco ASA 5510 - VPN troubles

                        That solved the problem. All is now working. Thanks for all the help.



                        • #13
                          Re: Cisco ASA 5510 - VPN troubles

                          No problem. Glad we could help.
                          CCNA, Network+
