Not able to remote access my asa
  • Not able to remote access my asa

    Hi,

    I am trying to configure remote access VPN to my network. I have a Cisco ASA 5510 running IOS 7.0(7).

    I configured the VPN using ASDM 5.0.9 and below is the configuration received:

    access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
    access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
    ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
    nat (inside) 0 access-list 90
    group-policy ClientVPN internal
    group-policy ClientVPN attributes
    dns-server value 192.xxx.xxx.xxx 192.xxx.xxx.xxx
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ClientVPN_splitTunnelAcl
    webvpn
    username user password dkmv9X0FR/3rJ.Jw encrypted privilege 0
    username user attributes
    vpn-group-policy ClientVPN
    webvpn
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
    isakmp policy 70 authentication pre-share
    isakmp policy 70 encryption 3des
    isakmp policy 70 hash md5
    isakmp policy 70 group 2
    isakmp policy 70 lifetime 86400
    tunnel-group ClientVPN type ipsec-ra
    tunnel-group ClientVPN general-attributes
    address-pool VPNIpPool
    default-group-policy ClientVPN
    tunnel-group ClientVPN ipsec-attributes
    pre-shared-key *


    When I try to connect using a VPN client I get an error:
    Reason 412: The remote peer is no longer responding

    I also have a site-to-site VPN on the same ASA, which is working fine and the tunnels are up.

    Is there any specific access list I should configure to get this to work?

    Attaching my entire ASA config for review.

    Thank you for your help on this.


    ASA Version 7.0(7)
    !
    hostname xxxxxx
    domain-name default.domain.invalid
    enable password ***** encrypted
    names
    *****
    *****
    *****

    dns-guard
    !
    interface Ethernet0/0
    speed 10
    nameif outside
    security-level 0
    ip address 92.xxx.xxx.xxx 255.xxx.xxx.xxx
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.xxx.xxx.1 255.255.255.0
    !
    passwd ***** encrypted
    ftp mode passive

    access-list idm extended permit ip any any
    access-list Outside_IN extended permit icmp any host 92.xxx.xxx.xxx
    access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
    access-list 95 extended permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
    access-list 95 extended permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
    access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0

    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmzdown 1500
    mtu management 1500
    ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
    icmp deny any echo outside
    asdm image disk0:/asdm-509.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 92.xxx.xxx.xxx
    nat (inside) 0 access-list 90
    nat (inside) 1 192.xxx.xxx.0 255.255.255.0

    static (inside,outside) xxx.xxx.xxx.xxx 192.xxx.xxx.xxx netmask 255.255.255.255

    access-group Outside_IN in interface outside
    access-group idm in interface inside

    route outside 0.0.0.0 0.0.0.0 92.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute

    group-policy ClientVPN internal
    group-policy ClientVPN attributes
    dns-server value 192.xxx.xxx.xxx 192.xxx.xxx.xxx
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ClientVPN_splitTunnelAcl
    webvpn
    username csoueid password ***** encrypted privilege 0
    username csoueid attributes
    vpn-group-policy ClientVPN
    webvpn
    http server enable
    http 192.xxx.xxx.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-ipsec

    crypto ipsec transform-set site_to_site esp-3des esp-md5-hmac

    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

    crypto map ToOutside 25 match address 95
    crypto map ToOutside 25 set peer 111.111.111.111
    crypto map ToOutside 25 set transform-set site_to_site
    crypto map ToOutside 25 set security-association lifetime seconds 86400


    crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map ToOutside interface outside

    isakmp identity address
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes-256
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    isakmp policy 50 authentication pre-share
    isakmp policy 50 encryption 3des
    isakmp policy 50 hash md5
    isakmp policy 50 group 1
    isakmp policy 50 lifetime 86400
    isakmp policy 70 authentication pre-share
    isakmp policy 70 encryption des
    isakmp policy 70 hash md5
    isakmp policy 70 group 2
    isakmp policy 70 lifetime 86400
    isakmp am-disable

    tunnel-group 111.111.111.111 type ipsec-l2l
    tunnel-group 111.111.111.111 ipsec-attributes
    pre-shared-key *

    tunnel-group ClientVPN type ipsec-ra
    tunnel-group ClientVPN general-attributes
    address-pool VPNIpPool
    default-group-policy ClientVPN
    tunnel-group ClientVPN ipsec-attributes
    pre-shared-key *
    telnet 192.xxx.xxx.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    Cryptochecksum:6905b6a85818f088942078f88929351b7
    : end

  • #2
    Re: Not able to remote access my asa

    You have washed so much of your configuration for private addressing (192.168.x.x) that it's hard to tell if your ACLs, address pools, nat, nat exclusions, etc. are causing a problem.

    That said... In your configuration, you have isakmp aggressive mode disabled (isakmp am-disable). I believe the Cisco VPN client requires aggressive mode to be enabled on the ASA, otherwise it would simply drop the packet from the VPN client. This could be causing the 412 error.

    To test, type:

        no crypto isakmp am-disable

    and then test a connection from the VPN client again.

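    As an added illustration (not part of the thread), a small Python checker run over a constructed excerpt modelled on the posted configuration, with placeholder values: it flags the `isakmp am-disable` / `ipsec-ra` combination the reply identifies, a dynamic-map transform-set that is referenced but never defined (the full dump above references ESP-3DES-MD5 while only site_to_site is defined), and DES/MD5/group-1 IKE policies.

```python
import re

# Constructed excerpt modelled on the thread's ASA 7.0 configuration.
# Names are the thread's; nothing here is the poster's real device output.
SAMPLE_CONFIG = """\
crypto ipsec transform-set site_to_site esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp am-disable
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN ipsec-attributes
pre-shared-key *
"""

# IKEv1 policy parameters a defender should not accept any more.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def audit_asa_config(text):
    """Return a list of finding strings for an ASA IKEv1 configuration."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    # 1. Remote-access tunnel-groups use a group pre-shared key; per the reply
    #    above, the Cisco VPN client needs aggressive mode for that exchange.
    ra_groups = [m.group(1) for l in lines
                 if (m := re.match(r"tunnel-group (\S+) type ipsec-ra$", l))]
    if "isakmp am-disable" in lines and ra_groups:
        findings.append("am-disable: aggressive mode disabled but ipsec-ra "
                        f"tunnel-group(s) {ra_groups} rely on IKEv1 group PSK")
    # 2. Every dynamic-map must reference a transform-set that is defined.
    defined = {m.group(1) for l in lines
               if (m := re.match(r"crypto ipsec transform-set (\S+)", l))}
    for l in lines:
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", l)
        if m and m.group(1) not in defined:
            findings.append(f"undefined transform-set: {m.group(1)}")
    # 3. Weak IKE policy parameters, reported per policy number.
    for l in lines:
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)", l)
        if m and m.group(3) in WEAK[m.group(2)]:
            findings.append(f"weak isakmp policy {m.group(1)}: "
                            f"{m.group(2)} {m.group(3)}")
    return findings
```

    Removing the `isakmp am-disable` line from the sample clears the first finding while the other three remain.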


    • #3
      Re: Not able to remote access my asa

      Hi,

      Man, you are a genius... I was getting desperate and no one from the Cisco community could help me.

      It works now. Thanks for your reply and help... I really appreciate it.



      • #4
        Re: Not able to remote access my asa

        Congratulations! Good to know that worked.
