Complicated Problem

  • Complicated Problem

    Hey guys ...

    I am a beginner in ASA and Cisco configuration; I always use the ASDM Launcher to configure or modify my Cisco ASA5055 firewall. I tried to enable VPN on my ASA using the IPsec VPN Wizard (Remote VPN section) and made what I believe is the correct configuration for the Cisco VPN Client (not Windows). Up to now I am still unable to connect to my VPN, and I don't know where exactly the problem is — is it routing, or the access list?
    Here is the running configuration:

    Code:
    : Saved
    :
    ASA Version 8.0(3)6 
    !
    hostname ciscoasa
    enable password ******* encrypted
    passwd ********* encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.10.10.2 255.255.255.252 
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address xx.xx.xx.xx 255.255.255.248 
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list DALLAS_splitTunnelAcl standard permit host 192.168.3.229 
    access-list DALLAS_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252 
    access-list DALLAS_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0 
    access-list dallas_VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252 
    access-list Out extended permit ip any any 
    access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 192.168.14.0 255.255.255.192 
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1492
    ip local pool Dallas 192.168.14.1-192.168.14.50 mask 255.255.255.0
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255 
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
    route inside 192.168.3.0 255.255.255.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 1:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    vpnclient server xx.xx.xx.xx
    vpnclient mode client-mode
    vpnclient vpngroup dallas password ********
    vpnclient username dallas password ********
    threat-detection basic-threat
    threat-detection scanning-threat shun
    threat-detection statistics
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec 
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec 
    group-policy dallas internal
    group-policy dallas attributes
     dns-server value xx.xx.xx.xx
     vpn-tunnel-protocol IPSec 
    username admin password *************** encrypted privilege 15
    username dallas password *********  nt-encrypted privilege 0
    username dallas attributes
     vpn-group-policy DefaultRAGroup
    username user1 password *********** nt-encrypted privilege 0
    username cisco password ********* encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group dallas type remote-access
    tunnel-group dallas general-attributes
     address-pool Dallas
     default-group-policy dallas
    tunnel-group dallas ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect icmp 
    !
    service-policy global_policy global
    prompt hostname context 
    Cryptochecksum:beac138dba28b1b3b58dffbcbc4fbb93
    : end
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    When I use the VPN Client to connect to my VPN network using the real IP, this message appears:





    Please, if anyone can see the problem, tell me how to solve it via the ASDM GUI or the CLI — I would prefer ASDM.

    Note: the VPN tunnel should connect to the internal network IP range 192.168.3.x,
    which the ASA can reach, as you can see from the redirection to 192.168.3.229.

    Thanks, everyone.
    Last edited by jordannet; 14th May 2010, 23:09.

  • #2
    Re: Complicated Problem

    OK guys,

    now could you look at the following running configuration and determine where the problem is?

    I enabled debugging and at the same time tried to connect. Here are the debug results from that connection attempt through the Cisco VPN Client — first the ASA debug output:

    Code:
    ciscoasa# debug cry ipsec
    ciscoasa# May  14 23:55:24 [IKEv1]: Group = dallas, IP = xx.xx.xx.xx, Removing p
    eer  from peer table failed, no match!
    May 14 23:55:24 [IKEv1]: Group =  dallas, IP = xx.xx.xx.xx, Error: Unable to rem
    ove PeerTblEntry
    May  14 23:55:30 [IKEv1]: Group = dallas, IP = xx.xx.xx.xx, Removing peer  from p
    eer table failed, no match!
    May 14 23:55:30 [IKEv1]: Group =  dallas, IP = xx.xx.xx.xx, Error: Unable to rem
    ove PeerTblEntry
    May  14 23:55:35 [IKEv1]: Group = dallas, IP = xx.xx.xx.xx, Removing peer  from p
    eer table failed, no match!
    May 14 23:55:35 [IKEv1]: Group =  dallas, IP = xx.xx.xx.xx, Error: Unable to rem
    ove PeerTblEntry
    May  14 23:55:40 [IKEv1]: Group = dallas, IP = xx.xx.xx.xx, Removing peer  from p
    eer table failed, no match!
    May 14 23:55:40 [IKEv1]: Group =  dallas, IP = xx.xx.xx.xx, Error: Unable to rem
    ove PeerTblEntry
    -------------------------------------


    And here are the debug results from the Cisco VPN Client:

    Code:
    Cisco Systems VPN Client Version 5.0.04.0300
    Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2
    
    26     04:45:06.203  05/15/10  Sev=Warning/2    IKE/0xE300009B
    Invalid SPI size (PayloadNotify:116)
    
    27     04:45:06.203  05/15/10  Sev=Warning/3    IKE/0xA3000058
    Received malformed message or negotiation no longer active (message id: 0x00000000)
    
    28     04:45:11.640  05/15/10  Sev=Warning/2    IKE/0xE300009B
    Fragmented msg rcvd with no associated SA (PacketReceiver:133)
    
    29     04:45:11.656  05/15/10  Sev=Warning/2    IKE/0xE300009B
    Fragmented msg rcvd with no associated SA (PacketReceiver:133)
    
    30     04:45:16.656  05/15/10  Sev=Warning/2    IKE/0xE300009B
    Fragmented msg rcvd with no associated SA (PacketReceiver:133)
    
    31     04:45:16.656  05/15/10  Sev=Warning/2    IKE/0xE300009B
    Fragmented msg rcvd with no associated SA (PacketReceiver:133)
    
    32     04:45:21.640  05/15/10  Sev=Warning/2    IKE/0xE300009B
    Fragmented msg rcvd with no associated SA (PacketReceiver:133)
    
    33     04:45:21.640  05/15/10  Sev=Warning/2    IKE/0xE300009B
    Fragmented msg rcvd with no associated SA (PacketReceiver:133)


    And here is the currently running configuration:

    Code:
    : Saved
    :
    ASA  Version 8.0(3)6 
    !
    hostname ciscoasa
    enable password *********  encrypted
    passwd ********** encrypted
    names
    !
    interface  Vlan1
     nameif inside
     security-level 100
     ip address 10.10.10.2  255.255.255.252 
    !
    interface Vlan2
     nameif outside
     security-level  0
     ip address xx.xx.xx.xx 255.255.255.248 
    !
    interface  Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface  Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface  Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp  mode passive
    same-security-traffic permit inter-interface
    same-security-traffic  permit intra-interface
    access-list DALLAS_splitTunnelAcl standard  permit host 192.168.3.229 
    access-list DALLAS_splitTunnelAcl standard  permit 10.10.10.0 255.255.255.252 
    access-list DALLAS_splitTunnelAcl  standard permit 192.168.3.0 255.255.255.0 
    access-list  inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0  192.168.3.0 255.255.255.0 
    access-list out extended permit tcp any  any 
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu  outside 1492
    ip local pool Dallas 192.168.14.1-192.168.14.50 mask  255.255.255.0
    ip verify reverse-path interface inside
    ip verify  reverse-path interface outside
    icmp unreachable rate-limit 1  burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-603.bin
    no  asdm history enable
    arp timeout 14400
    global (outside) 1  interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside)  tcp interface www 192.168.3.229 www netmask 255.255.255.255 
    static  (inside,outside) tcp interface citrix-ica 192.168.3.229 citrix-ica  netmask 255.255.255.255 
    access-group out in interface outside
    route  outside 0.0.0.0 0.0.0.0 77.245.4.9 1
    route inside 192.168.3.0  255.255.255.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout conn  1:00:00 half-closed 1:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc  0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout  sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout  sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record  DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http  192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no  snmp-server contact
    snmp-server enable traps snmp authentication  linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-MD5  esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-DES-SHA esp-des  esp-sha-hmac 
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs 
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535  ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map  interface outside
    crypto isakmp enable inside
    crypto isakmp  enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption  des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp  nat-traversal 25
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh  0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console  timeout 0
    dhcpd auto_config outside
    !
    vpnclient server  xx.xx.xx.xx
    vpnclient mode client-mode
    vpnclient vpngroup dallas  password ********
    vpnclient username dallas password ********
    threat-detection  basic-threat
    threat-detection scanning-threat shun
    threat-detection  statistics
    group-policy DefaultRAGroup internal
    group-policy  DefaultRAGroup attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec 
    group-policy  DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec 
    group-policy  dallas internal
    group-policy dallas attributes
     dns-server value  xx.xx.xx.xx
     vpn-tunnel-protocol IPSec 
     split-tunnel-policy  tunnelspecified
     split-tunnel-network-list value  DALLAS_splitTunnelAcl
    username admin password *********** encrypted  privilege 15
    username dallas password ************ nt-encrypted  privilege 0
    username dallas attributes
     vpn-group-policy dallas
    username  user1 password ********* nt-encrypted privilege 0
    username cisco  password ************* encrypted privilege 15
    tunnel-group  DefaultRAGroup general-attributes
     default-group-policy  DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key  *
    tunnel-group dallas type remote-access
    tunnel-group dallas  general-attributes
     address-pool Dallas
     default-group-policy  dallas
    tunnel-group dallas ipsec-attributes
     pre-shared-key *
    !
    class-map  inspection_default
     match default-inspection-traffic
    !
    !
    policy-map  type inspect dns preset_dns_map
     parameters
      message-length  maximum 512
    policy-map global_policy
     class inspection_default
      inspect  dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect  h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect  skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect  netbios 
      inspect tftp 
      inspect icmp 
    !
    service-policy  global_policy global
    prompt hostname context 
    Cryptochecksum:3727a12672c644bf122b2a4355309459
    :  end
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    Last edited by jordannet; 15th May 2010, 13:46.
