topic Remote Access IKEv1 VPN DMZ ASA in Network Security https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073991#M396644 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>To make the configuration more clear and readable can we take out the Inside interface from the VPN perspective:</P><P></P><P>no crypto map inside_map interface inside</P><P>no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>no crypto ikev1 enable inside </P><P></P><P></P><P>I do not see anything wrong on the configuration, pretty interesting but on the debugs we are going to the default-group.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 <EM style="text-decoration: underline; "><STRONG>with unknown tunnel group name 'user'.</STRONG></EM></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P></P><P></P><P>That unknown tunnel group I do not like it!</P><P></P><P>Can you paste an screenshot about where are you trying to connect.</P><P></P><P>You should set on your VPN client</P><P>NetworkRA </P><P>Preshared-key</P><P></P><P>Let me know!</P></BODY></HTML> Mon, 29 Oct 2012 23:14:27 GMT Julio Carvajal 2012-10-29T23:14:27Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073982#M396620 <P>Hello All,</P><P></P><P>I have a test ASA behind an edge firewall (Checkpoint), and I'm trying to set up the ASA for remote VPN access only. The ports being forwarded are UDP/500, UDP/4500 and UDP/TCP/10000. I'd prefer to encapsulate the sessions into TCP/10000. There's two networks that the ASA is connected to. The DMZ (10.11.12.0/24) and an internal segment (10.10.1.0/24), where the external remote client will connect to the DMZ interface and the goal is to access the internal subnet. The pool I want to set up is 10.11.12.150-200. I have upgraded the ASA to the most current IOS [8.4(4)1] / ASDM [6.4(9)] images. Here's what I've come up with, but unfortuantely the client fails to connect. I have messed around several times with settings using the ASDM, but ultimately I cannot get the client to connect. Here's my config:</P><P></P><P>[code]</P><P>hostname RemoteVPNASA</P><P>domain-name Domain.local</P><P>enable password ---------------- encrypted</P><P>passwd ---------------- encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P>!</P><P>interface Ethernet0/3</P><P> shutdown</P><P>!</P><P>interface Ethernet0/4</P><P> shutdown</P><P>!</P><P>interface Ethernet0/5</P><P> shutdown&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!</P><P>interface Ethernet0/6</P><P> shutdown</P><P>!</P><P>interface Ethernet0/7</P><P> shutdown</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.10.1.76 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif DMZ</P><P> security-level 0</P><P> ip address 10.11.12.2 255.255.255.0 </P><P>!</P><P>banner motd </P><P>banner motd +----------------------------------------------------+</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; *** Unauthorized Use or Access Prohibited ***&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; For Authorized Official Use Only&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; You must have explicit permission to access or&nbsp;&nbsp; |</P><P>banner motd |&nbsp; configure this device. All activities performed&nbsp;&nbsp; |</P><P>banner motd |&nbsp; on this device may be logged, and violations of&nbsp;&nbsp; |</P><P>banner motd | this policy may result in disciplinary action, and |</P><P>banner motd |&nbsp; may be reported to law enforcement authorities.&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; There is no right to privacy on this device.&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd +----------------------------------------------------+</P><P>banner motd </P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name Domain.local</P><P>object network Network-10.11.12.0</P><P> subnet 10.11.12.0 255.255.255.0</P><P>object-group icmp-type DefaultICMP</P><P> description Default ICMP Types permitted</P><P> icmp-object echo-reply</P><P> icmp-object unreachable</P><P> icmp-object time-exceeded</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object 10.10.1.0 255.255.255.0</P><P> network-object 10.11.12.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object 10.10.1.0 255.255.255.0</P><P> network-object 10.11.12.0 255.255.255.0</P><P>object-group protocol DM_INLINE_PROTOCOL_1</P><P> protocol-object ip</P><P> protocol-object icmp</P><P>access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel</P><P>access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0 </P><P>access-list nonat remark ACL for Nat Bypass</P><P>access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 </P><P>access-list acl_DMZ extended permit icmp any any object-group DefaultICMP </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>ip local pool IPPool 10.11.12.150-10.11.12.200</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0</P><P>access-group acl_DMZ in interface DMZ</P><P>route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication http console LOCAL </P><P>http server enable</P><P>http 10.10.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet</P><P>crypto dynamic-map DynamicMap 1 set reverse-route</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap</P><P>crypto map NetMap interface DMZ</P><P>crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map inside_map interface inside</P><P>crypto isakmp identity address </P><P>crypto ikev1 enable inside</P><P>crypto ikev1 enable DMZ</P><P>crypto ikev1 ipsec-over-tcp port 10000 </P><P>crypto ikev1 policy 1</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 43200</P><P>crypto ikev1 policy 11</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 65535</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet timeout 5</P><P>ssh 10.10.1.0 255.255.255.0 inside</P><P>ssh timeout 5</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P></P><P></P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>group-policy Network internal</P><P>group-policy Network attributes</P><P> vpn-idle-timeout 120</P><P> vpn-tunnel-protocol ikev1 </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value vpn_SplitTunnel</P><P>username user password ---------------- encrypted privilege 15</P><P>tunnel-group NetworkRA type remote-access</P><P>tunnel-group NetworkRA general-attributes</P><P> address-pool IPPool</P><P> default-group-policy Network</P><P>tunnel-group NetworkRA ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect ip-options </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>Cryptochecksum:d6e568acfb0bed9dc9979dc1a980f24f</P><P>: end</P><P>[/code]</P><P></P><P>Any help would be greatly appreciated!</P> Tue, 12 Mar 2019 00:15:10 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073982#M396620 Nathan Hawkins 2019-03-12T00:15:10Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073983#M396626 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>Can you run some debugs and let us have the outputs, what does the ASA logs say when you attemtp to connect?</P><P></P><P></P><P>Also can you change the following:</P><P></P><P>no crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap</P><P></P><P>crypto map NetMap 1&nbsp; ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P></P><P>Let me know the result,</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Sun, 28 Oct 2012 06:23:39 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073983#M396626 Julio Carvajal 2012-10-28T06:23:39Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073984#M396629 <HTML><HEAD></HEAD><BODY><P>Thanks for that Julio!</P><P></P><P>I made the change of that command and here's the logging/debug for a connection attempt:</P><P></P><P>Syslog logging: enabled</P><P>&nbsp;&nbsp;&nbsp; Facility: 20</P><P>&nbsp;&nbsp;&nbsp; Timestamp logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Standby logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Debug-trace logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Console logging: level debugging, 1566 messages logged</P><P>&nbsp;&nbsp;&nbsp; Monitor logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Buffer logging: level debugging, 1568 messages logged</P><P>&nbsp;&nbsp;&nbsp; Trap logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Permit-hostdown logging: disabled</P><P>&nbsp;&nbsp;&nbsp; History logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Device ID: disabled</P><P>&nbsp;&nbsp;&nbsp; Mail logging: disabled</P><P>&nbsp;&nbsp;&nbsp; ASDM logging: level informational, 1663 messages logged</P><P>%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.</P><P>%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show logging</P><P>%ASA-7-609001: Built local-host DMZ:74.125.227.20</P><P>%ASA-7-609001: Built local-host identity:10.11.12.2</P><P>%ASA-6-302013: Built inbound TCP connection 371 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/10000 (10.11.12.2/10000)</P><P>%ASA-6-302015: Built inbound UDP connection 372 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/500 (10.11.12.2/500)</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829</P><P>%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used&nbsp;&nbsp;&nbsp; local TCP port: 10000&nbsp;&nbsp;&nbsp; peer TCP port:&nbsp; 46673&nbsp; </P><P>%ASA-7-715047: IP = 74.125.227.20, processing SA payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ke payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing nonce payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ID payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received DPD VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID</P><P>%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:&nbsp; Main Mode:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; True&nbsp; Aggressive Mode:&nbsp; False</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID</P><P>%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.</P><P>%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P>%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable&nbsp; Matches global IKE entry # 1</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload</P><P>%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload</P><P>%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372</P><P>%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &amp;0xcc051860)&nbsp; <STATE>, <EVENT>:&nbsp; AM_DONE, EV_ERROR--&gt;AM_SND_MSG2, EV_SND_MSG--&gt;AM_SND_MSG2, EV_START_TMR--&gt;AM_BLD_MSG2, EV_BLD_MSG2_TRL--&gt;AM_BLD_MSG2, EV_SKEYID_OK--&gt;AM_BLD_MSG2, NullEvent--&gt;AM_BLD_MSG2, EV_GEN_SKEYID--&gt;AM_BLD_MSG2, EV_BLD_MSG2_HDR</EVENT></STATE></P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:8642b183 terminating:&nbsp; flags 0x0104c001, refcnt 0, tuncnt 0</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message</P><P>%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection</P><P></P><P>Let me know when you can.</P><P></P><P>Thanks!</P></BODY></HTML> Mon, 29 Oct 2012 12:36:08 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073984#M396629 Nathan Hawkins 2012-10-29T12:36:08Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073985#M396632 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>This is our problem:</P><P></P><P>%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection.</P><P></P><P>Can you add the following commands and try it one more time</P><P></P><P> Sysopt connection preserve-vpn-flows </P><P> Sysopt connection reclassify-vpn</P><P></P><P>Can I have the show run nat and show run policy-map</P><P></P><P></P><P></P><P>Regards,</P></BODY></HTML> Mon, 29 Oct 2012 16:34:59 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073985#M396632 Julio Carvajal 2012-10-29T16:34:59Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073986#M396636 <HTML><HEAD></HEAD><BODY><P>Here ya go (it still does not connect):</P><P></P><P>RemoteVPNASA# sh run nat</P><P>nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0</P><P></P><P></P><P>RemoteVPNASA# sh run policy-map </P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect ip-options </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P></P><P></P><P>Syslog logging: enabled</P><P>&nbsp;&nbsp;&nbsp; Facility: 20</P><P>&nbsp;&nbsp;&nbsp; Timestamp logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Standby logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Debug-trace logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Console logging: level debugging, 2534 messages logged</P><P>&nbsp;&nbsp;&nbsp; Monitor logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Buffer logging: level debugging, 2536 messages logged</P><P>&nbsp;&nbsp;&nbsp; Trap logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Permit-hostdown logging: disabled</P><P>&nbsp;&nbsp;&nbsp; History logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Device ID: disabled</P><P>&nbsp;&nbsp;&nbsp; Mail logging: disabled</P><P>&nbsp;&nbsp;&nbsp; ASDM logging: level informational, 2066 messages logged</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show logging</P><P>%ASA-6-302013: Built inbound TCP connection 380 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/10000 (10.11.12.2/10000)</P><P>%ASA-6-302015: Built inbound UDP connection 381 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/500 (10.11.12.2/500)</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829</P><P>%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used&nbsp;&nbsp;&nbsp; local TCP port: 10000&nbsp;&nbsp;&nbsp; peer TCP port:&nbsp; 20486&nbsp; </P><P>%ASA-7-715047: IP = 74.125.227.20, processing SA payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ke payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing nonce payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ID payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received DPD VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID</P><P>%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:&nbsp; Main Mode:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; True&nbsp; Aggressive Mode:&nbsp; False</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID</P><P>%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.</P><P>%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P>%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable&nbsp; Matches global IKE entry # 1</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload</P><P>%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload</P><P>%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372</P><P>%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &amp;0xcbf25fe0)&nbsp; <STATE>, <EVENT>:&nbsp; AM_DONE, EV_ERROR--&gt;AM_SND_MSG2, EV_SND_MSG--&gt;AM_SND_MSG2, EV_START_TMR--&gt;AM_BLD_MSG2, EV_BLD_MSG2_TRL--&gt;AM_BLD_MSG2, EV_SKEYID_OK--&gt;AM_BLD_MSG2, NullEvent--&gt;AM_BLD_MSG2, EV_GEN_SKEYID--&gt;AM_BLD_MSG2, EV_BLD_MSG2_HDR</EVENT></STATE></P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating:&nbsp; flags 0x0104c001, refcnt 0, tuncnt 0</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message</P><P>%ASA-6-302014: Teardown TCP connection 380 for DMZ:74.125.227.20/20486 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection</P></BODY></HTML> Mon, 29 Oct 2012 17:43:39 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073986#M396636 Nathan Hawkins 2012-10-29T17:43:39Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073987#M396639 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>Here are the interesting facts from the debugs:</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &amp;0xcbf25fe0)&nbsp; <STATE>, <EVENT>:&nbsp; AM_DONE, EV_ERROR--&gt;AM_SND_MSG2, EV_SND_MSG--&gt;AM_SND_MSG2, EV_START_TMR--&gt;AM_BLD_MSG2, EV_BLD_MSG2_TRL--&gt;AM_BLD_MSG2, EV_SKEYID_OK--&gt;AM_BLD_MSG2, NullEvent--&gt;AM_BLD_MSG2, EV_GEN_SKEYID--&gt;AM_BLD_MSG2, EV_BLD_MSG2_HDR</EVENT></STATE></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating:&nbsp; flags 0x0104c001, refcnt 0, tuncnt 0</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message</P><P></P><P>Can you share the show crypto isakmp sa while you try to connect and share the output you get ( try to do it several times so we can see where it gets stuck)</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Mon, 29 Oct 2012 17:58:41 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073987#M396639 Julio Carvajal 2012-10-29T17:58:41Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073988#M396641 <HTML><HEAD></HEAD><BODY><P>I get the following after and during each connection attempt:</P><P></P><P>RemoteVPNASA(config)# show crypto isakmp sa</P><P></P><P></P><P>There are no IKEv1 SAs</P><P></P><P></P><P>There are no IKEv2 SAs</P><P></P><P>Here's the log from the attempts:</P><P>%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.</P><P>%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show logging</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa</P><P>%ASA-7-609001: Built local-host DMZ:74.125.227.20</P><P>%ASA-7-609001: Built local-host identity:10.11.12.2</P><P>%ASA-6-302013: Built inbound TCP connection 401 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/10000 (10.11.12.2/10000)</P><P>%ASA-6-302015: Built inbound UDP connection 402 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/500 (10.11.12.2/500)</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829</P><P>%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used&nbsp;&nbsp;&nbsp; local TCP port: 10000&nbsp;&nbsp;&nbsp; peer TCP port:&nbsp; 59541&nbsp; </P><P>%ASA-7-715047: IP = 74.125.227.20, processing SA payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ke payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing nonce payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ID payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received DPD VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID</P><P>%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:&nbsp; Main Mode:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; True&nbsp; Aggressive Mode:&nbsp; False</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID</P><P>%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.</P><P>%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P>%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable&nbsp; Matches global IKE entry # 1</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload</P><P>%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload</P><P>%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372</P><P>%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &amp;0xcb64b900)&nbsp; <STATE>, <EVENT>:&nbsp; AM_DONE, EV_ERROR--&gt;AM_SND_MSG2, EV_SND_MSG--&gt;AM_SND_MSG2, EV_START_TMR--&gt;AM_BLD_MSG2, EV_BLD_MSG2_TRL--&gt;AM_BLD_MSG2, EV_SKEYID_OK--&gt;AM_BLD_MSG2, NullEvent--&gt;AM_BLD_MSG2, EV_GEN_SKEYID--&gt;AM_BLD_MSG2, EV_BLD_MSG2_HDR</EVENT></STATE></P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:4448d481 terminating:&nbsp; flags 0x0104c001, refcnt 0, tuncnt 0</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message</P><P>%ASA-6-302014: Teardown TCP connection 401 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa</P><P>%ASA-6-302013: Built inbound TCP connection 403 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/10000 (10.11.12.2/10000)</P><P>%ASA-6-302015: Built inbound UDP connection 404 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/500 (10.11.12.2/500)</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829</P><P>%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used&nbsp;&nbsp;&nbsp; local TCP port: 10000&nbsp;&nbsp;&nbsp; peer TCP port:&nbsp; 59702&nbsp; </P><P>%ASA-7-715047: IP = 74.125.227.20, processing SA payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ke payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing nonce payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ID payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received DPD VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID</P><P>%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:&nbsp; Main Mode:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; True&nbsp; Aggressive Mode:&nbsp; False</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID</P><P>%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.</P><P>%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P>%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable&nbsp; Matches global IKE entry # 1</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload</P><P>%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload</P><P>%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372</P><P>%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &amp;0xcb64bc80)&nbsp; <STATE>, <EVENT>:&nbsp; AM_DONE, EV_ERROR--&gt;AM_SND_MSG2, EV_SND_MSG--&gt;AM_SND_MSG2, EV_START_TMR--&gt;AM_BLD_MSG2, EV_BLD_MSG2_TRL--&gt;AM_BLD_MSG2, EV_SKEYID_OK--&gt;AM_BLD_MSG2, NullEvent--&gt;AM_BLD_MSG2, EV_GEN_SKEYID--&gt;AM_BLD_MSG2, EV_BLD_MSG2_HDR</EVENT></STATE></P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:29c8051d terminating:&nbsp; flags 0x0104c001, refcnt 0, tuncnt 0</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message</P><P>%ASA-6-302014: Teardown TCP connection 403 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection</P><P>%ASA-6-302013: Built inbound TCP connection 405 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/10000 (10.11.12.2/10000)</P><P>%ASA-6-302015: Built inbound UDP connection 406 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/500 (10.11.12.2/500)</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829</P><P>%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used&nbsp;&nbsp;&nbsp; local TCP port: 10000&nbsp;&nbsp;&nbsp; peer TCP port:&nbsp; 59774&nbsp; </P><P>%ASA-7-715047: IP = 74.125.227.20, processing SA payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ke payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing nonce payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ID payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received DPD VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID</P><P>%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:&nbsp; Main Mode:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; True&nbsp; Aggressive Mode:&nbsp; False</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID</P><P>%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.</P><P>%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P>%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable&nbsp; Matches global IKE entry # 1</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload</P><P>%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload</P><P>%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372</P><P>%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &amp;0xcb64bc80)&nbsp; <STATE>, <EVENT>:&nbsp; AM_DONE, EV_ERROR--&gt;AM_SND_MSG2, EV_SND_MSG--&gt;AM_SND_MSG2, EV_START_TMR--&gt;AM_BLD_MSG2, EV_BLD_MSG2_TRL--&gt;AM_BLD_MSG2, EV_SKEYID_OK--&gt;AM_BLD_MSG2, NullEvent--&gt;AM_BLD_MSG2, EV_GEN_SKEYID--&gt;AM_BLD_MSG2, EV_BLD_MSG2_HDR</EVENT></STATE></P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:67fd2fff terminating:&nbsp; flags 0x0104c001, refcnt 0, tuncnt 0</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message</P><P>%ASA-6-302014: Teardown TCP connection 405 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection</P><P>%ASA-6-302013: Built inbound TCP connection 407 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/10000 (10.11.12.2/10000)</P><P>%ASA-6-302015: Built inbound UDP connection 408 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/500 (10.11.12.2/500)</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829</P><P>%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used&nbsp;&nbsp;&nbsp; local TCP port: 10000&nbsp;&nbsp;&nbsp; peer TCP port:&nbsp; 59889&nbsp; </P><P>%ASA-7-715047: IP = 74.125.227.20, processing SA payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ke payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing nonce payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing ID payload</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received DPD VID</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID</P><P>%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:&nbsp; Main Mode:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; True&nbsp; Aggressive Mode:&nbsp; False</P><P>%ASA-7-715047: IP = 74.125.227.20, processing VID payload</P><P>%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID</P><P>%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.</P><P>%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P>%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable&nbsp; Matches global IKE entry # 1</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload</P><P>%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload</P><P>%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload</P><P>%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID</P><P>%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372</P><P>%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &amp;0xcb64bc80)&nbsp; <STATE>, <EVENT>:&nbsp; AM_DONE, EV_ERROR--&gt;AM_SND_MSG2, EV_SND_MSG--&gt;AM_SND_MSG2, EV_START_TMR--&gt;AM_BLD_MSG2, EV_BLD_MSG2_TRL--&gt;AM_BLD_MSG2, EV_SKEYID_OK--&gt;AM_BLD_MSG2, NullEvent--&gt;AM_BLD_MSG2, EV_GEN_SKEYID--&gt;AM_BLD_MSG2, EV_BLD_MSG2_HDR</EVENT></STATE></P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:e5c37c1d terminating:&nbsp; flags 0x0104c001, refcnt 0, tuncnt 0</P><P>%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message</P><P>%ASA-6-302014: Teardown TCP connection 407 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa</P><P>%ASA-6-302016: Teardown UDP connection 402 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/500 duration 0:02:01 bytes 845</P><P>%ASA-6-302016: Teardown UDP connection 404 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/500 duration 0:02:01 bytes 845</P><P>%ASA-6-302016: Teardown UDP connection 406 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/500 duration 0:02:02 bytes 845</P><P>%ASA-6-302016: Teardown UDP connection 408 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/500 duration 0:02:01 bytes 845</P><P>%ASA-7-609002: Teardown local-host DMZ:74.125.227.20 duration 0:02:16</P><P>%ASA-7-609002: Teardown local-host identity:10.11.12.2 duration 0:02:16</P></BODY></HTML> Mon, 29 Oct 2012 18:30:36 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073988#M396641 Nathan Hawkins 2012-10-29T18:30:36Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073989#M396642 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>Can you share the updated configuration?</P><P></P><P>Also if you take out the crypto ikev1 ipsec-over-tcp port 10000, does it work over UDP?</P><P></P><P>Regards,</P></BODY></HTML> Mon, 29 Oct 2012 18:48:36 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073989#M396642 Julio Carvajal 2012-10-29T18:48:36Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073990#M396643 <HTML><HEAD></HEAD><BODY><P>Here's the current cofig:</P><P></P><P>hostname RemoteVPNASA</P><P>domain-name Domain.local</P><P>enable password EknDlaH/tYor46kT encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P>!</P><P>interface Ethernet0/3</P><P> shutdown</P><P>!</P><P>interface Ethernet0/4</P><P> shutdown</P><P>!</P><P>interface Ethernet0/5</P><P> shutdown&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!</P><P>interface Ethernet0/6</P><P> shutdown</P><P>!</P><P>interface Ethernet0/7</P><P> shutdown</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.10.1.76 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif DMZ</P><P> security-level 0</P><P> ip address 10.11.12.2 255.255.255.0 </P><P>!</P><P>banner motd </P><P>banner motd +----------------------------------------------------+</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; *** Unauthorized Use or Access Prohibited ***&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; For Authorized Official Use Only&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; You must have explicit permission to access or&nbsp;&nbsp; |</P><P>banner motd |&nbsp; configure this device. All activities performed&nbsp;&nbsp; |</P><P>banner motd |&nbsp; on this device may be logged, and violations of&nbsp;&nbsp; |</P><P>banner motd | this policy may result in disciplinary action, and |</P><P>banner motd |&nbsp; may be reported to law enforcement authorities.&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; There is no right to privacy on this device.&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd +----------------------------------------------------+</P><P>banner motd </P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name Domain.local</P><P>object network Network-10.11.12.0</P><P> subnet 10.11.12.0 255.255.255.0</P><P>object-group icmp-type DefaultICMP</P><P> description Default ICMP Types permitted</P><P> icmp-object echo-reply</P><P> icmp-object unreachable</P><P> icmp-object time-exceeded</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object 10.10.1.0 255.255.255.0</P><P> network-object 10.11.12.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object 10.10.1.0 255.255.255.0</P><P> network-object 10.11.12.0 255.255.255.0</P><P>object-group protocol DM_INLINE_PROTOCOL_1</P><P> protocol-object ip</P><P> protocol-object icmp</P><P>access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel</P><P>access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0 </P><P>access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0 </P><P>access-list vpn_SplitTunnel standard permit 10.11.12.0 255.255.255.0 </P><P>access-list vpn_SplitTunnel standard permit 5.5.0.0 255.255.255.192 </P><P>access-list vpn_SplitTunnel standard permit 5.5.16.0 255.255.255.192 </P><P>access-list nonat remark ACL for Nat Bypass</P><P>access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 </P><P>access-list acl_DMZ extended permit icmp any any object-group DefaultICMP </P><P>pager lines 24</P><P>logging enable</P><P>logging buffer-size 524288</P><P>logging asdm-buffer-size 200</P><P>logging console debugging</P><P>logging buffered debugging</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>ip local pool IPPool 10.11.12.150-10.11.12.200</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0</P><P>access-group acl_DMZ in interface DMZ</P><P>route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication http console LOCAL </P><P>http server enable</P><P>http 10.10.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>sysopt connection preserve-vpn-flows</P><P>crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet</P><P>crypto dynamic-map DynamicMap 1 set reverse-route</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map NetMap interface DMZ</P><P>crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map inside_map interface inside</P><P>crypto isakmp identity address </P><P>crypto ikev1 enable inside</P><P>crypto ikev1 enable DMZ</P><P>crypto ikev1 ipsec-over-tcp port 10000 </P><P>crypto ikev1 policy 1</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 43200</P><P>crypto ikev1 policy 11</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 65535</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet timeout 5</P><P>ssh 10.10.1.0 255.255.255.0 inside</P><P>ssh timeout 5</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P></P><P></P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>group-policy Network internal</P><P>group-policy Network attributes</P><P> vpn-idle-timeout 120</P><P> vpn-tunnel-protocol ikev1 </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value vpn_SplitTunnel</P><P>username user password HTfNe5Yf7OKVfTLO encrypted privilege 15</P><P>tunnel-group NetworkRA type remote-access</P><P>tunnel-group NetworkRA general-attributes</P><P> address-pool IPPool</P><P> default-group-policy Network</P><P>tunnel-group NetworkRA ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect ip-options </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com">callhome@cisco.com</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>Cryptochecksum:84afd7a2bcd6a7bc321dcf16f1376e85</P><P>: end</P><P></P><P>The result (no connection) is the same if I check UDP on the client. I'd prefer to keep it TCP tho.</P></BODY></HTML> Mon, 29 Oct 2012 19:56:39 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073990#M396643 Nathan Hawkins 2012-10-29T19:56:39Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073991#M396644 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>To make the configuration more clear and readable can we take out the Inside interface from the VPN perspective:</P><P></P><P>no crypto map inside_map interface inside</P><P>no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>no crypto ikev1 enable inside </P><P></P><P></P><P>I do not see anything wrong on the configuration, pretty interesting but on the debugs we are going to the default-group.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 <EM style="text-decoration: underline; "><STRONG>with unknown tunnel group name 'user'.</STRONG></EM></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload</P><P></P><P></P><P>That unknown tunnel group I do not like it!</P><P></P><P>Can you paste an screenshot about where are you trying to connect.</P><P></P><P>You should set on your VPN client</P><P>NetworkRA </P><P>Preshared-key</P><P></P><P>Let me know!</P></BODY></HTML> Mon, 29 Oct 2012 23:14:27 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073991#M396644 Julio Carvajal 2012-10-29T23:14:27Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073992#M396645 <HTML><HEAD></HEAD><BODY><P>Yeah...the internal stuff I did through the ASDM in order to troubleshoot. Its all removed now. My VPN client is the Cisco VPN client - Version 5.0.07.0440</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/2/7/109725-VPN-Client-Info.jpg" class="jive-image" /></P><P>There isnt anywhere to set the Preshared-Key for NetworkRA. Please explain.</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 30 Oct 2012 14:21:58 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073992#M396645 Nathan Hawkins 2012-10-30T14:21:58Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073993#M396646 <HTML><HEAD></HEAD><BODY><P>Go to New</P><P>Connection entry : Just how you want to name it</P><P>host: DMZ ip address</P><P>Group authentication </P><P>Name: Tunnel-group of the ASA (NetworkRA)</P><P>Password: Preshared key</P><P></P><P>Remember to rate all of the helpful posts, If you do not know how to do it just let me know and I will show you <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Tue, 30 Oct 2012 17:15:12 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073993#M396646 Julio Carvajal 2012-10-30T17:15:12Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073994#M396647 <HTML><HEAD></HEAD><BODY><P>Hey Julio,</P><P></P><P>Well I clicked correct answer too quickly...The client connects now, but I cannot access anything on the internal network 10.10.1.0/24... So what should I look at now?</P></BODY></HTML> Wed, 31 Oct 2012 12:10:49 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073994#M396647 Nathan Hawkins 2012-10-31T12:10:49Z Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073995#M396648 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>Well we can connect now <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> That is really good!</P><P></P><P></P><P>Now you cannot access anything on your internal network!</P><P></P><P>Lets start from there:</P><P></P><P>object network internal_subnet</P><P>networ 10.10.1.0 255.255.255.0</P><P></P><P>nat (inside,dmz) source static internal_subnet&nbsp; internal_subnet destination Network-10.11.12.0&nbsp; Network-10.11.12.0 </P><P></P><P>no nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0</P><P></P><P>Let me know,</P><P></P><P>Regards</P></BODY></HTML> Wed, 31 Oct 2012 17:25:29 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073995#M396648 Julio Carvajal 2012-10-31T17:25:29Z Re: Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073996#M396649 <HTML><HEAD></HEAD><BODY><P>Yes - I very much agree that the client can connect is a very big step to getting this to work. I applied the changes you listed and I am still not able to connect here's the log:</P><P></P><P>Syslog logging: enabled</P><P>&nbsp;&nbsp;&nbsp; Facility: 20</P><P>&nbsp;&nbsp;&nbsp; Timestamp logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Standby logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Debug-trace logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Console logging: level debugging, 61342 messages logged</P><P>&nbsp;&nbsp;&nbsp; Monitor logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Buffer logging: level debugging, 61344 messages logged</P><P>&nbsp;&nbsp;&nbsp; Trap logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Permit-hostdown logging: disabled</P><P>&nbsp;&nbsp;&nbsp; History logging: disabled</P><P>&nbsp;&nbsp;&nbsp; Device ID: disabled</P><P>&nbsp;&nbsp;&nbsp; Mail logging: disabled</P><P>&nbsp;&nbsp;&nbsp; ASDM logging: level informational, 5469 messages logged</P><P>%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.</P><P>%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'</P><P>%ASA-7-111009: User 'enable_15' executed cmd: show logging</P><P>%ASA-5-611103: User logged out: Uname: user</P><P>%ASA-6-315011: SSH session from 10.10.1.23 on interface inside for user "user" terminated normally</P><P>%ASA-6-302014: Teardown TCP connection 468 for inside:10.10.1.23/43355 to identity:10.10.1.76/22 duration 0:02:30 bytes 105260 TCP Reset-O</P><P>%ASA-7-609002: Teardown local-host inside:10.10.1.23 duration 0:02:30</P><P>%ASA-7-609002: Teardown local-host identity:10.10.1.76 duration 0:02:30</P><P>%ASA-6-106015: Deny TCP (no connection) from 10.10.1.23/43355 to 10.10.1.76/22 flags FIN PSH ACK&nbsp; on interface inside</P><P>%ASA-7-710005: TCP request discarded from 10.10.1.23/43355 to inside:10.10.1.76/22</P><P>%ASA-7-609001: Built local-host DMZ:76.199.251.254</P><P>%ASA-7-609001: Built local-host identity:10.11.12.2</P><P>%ASA-6-302013: Built inbound TCP connection 469 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/10000 (10.11.12.2/10000)</P><P>%ASA-6-302015: Built inbound UDP connection 470 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/500 (10.11.12.2/500)</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 832</P><P>%ASA-7-713906: IP = 76.199.251.254, Responder: IPSec over TCP encapsulation is used&nbsp;&nbsp;&nbsp; local TCP port: 10000&nbsp;&nbsp;&nbsp; peer TCP port:&nbsp; 25283&nbsp; </P><P>%ASA-7-715047: IP = 76.199.251.254, processing SA payload</P><P>%ASA-7-715047: IP = 76.199.251.254, processing ke payload</P><P>%ASA-7-715047: IP = 76.199.251.254, processing ISA_KE payload</P><P>%ASA-7-715047: IP = 76.199.251.254, processing nonce payload</P><P>%ASA-7-715047: IP = 76.199.251.254, processing ID payload</P><P>%ASA-7-715047: IP = 76.199.251.254, processing VID payload</P><P>%ASA-7-715049: IP = 76.199.251.254, Received xauth V6 VID</P><P>%ASA-7-715047: IP = 76.199.251.254, processing VID payload</P><P>%ASA-7-715049: IP = 76.199.251.254, Received DPD VID</P><P>%ASA-7-715047: IP = 76.199.251.254, processing VID payload</P><P>%ASA-7-715049: IP = 76.199.251.254, Received Fragmentation VID</P><P>%ASA-7-715064: IP = 76.199.251.254, IKE Peer included IKE fragmentation capability flags:&nbsp; Main Mode:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; True&nbsp; Aggressive Mode:&nbsp; False</P><P>%ASA-7-715047: IP = 76.199.251.254, processing VID payload</P><P>%ASA-7-715049: IP = 76.199.251.254, Received Cisco Unity client VID</P><P>%ASA-7-713906: IP = 76.199.251.254, Connection landed on tunnel_group NetworkRA</P><P>%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing IKE SA payload</P><P>%ASA-7-715028: Group = NetworkRA, IP = 76.199.251.254, IKE SA Proposal # 1, Transform # 9 acceptable&nbsp; Matches global IKE entry # 1</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ISAKMP SA payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ke payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing nonce payload</P><P>%ASA-7-713906: Group = NetworkRA, IP = 76.199.251.254, Generating keys for Responder...</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ID payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing hash payload</P><P>%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Cisco Unity VID payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing xauth V6 VID payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing dpd vid payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Fragmentation VID + extended capabilities payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing VID payload</P><P>%ASA-7-715048: Group = NetworkRA, IP = 76.199.251.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120</P><P>%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP</P><P>%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing notify payload</P><P>%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload</P><P>%ASA-7-715038: Group = NetworkRA, IP = 76.199.251.254, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)</P><P>%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload</P><P>%ASA-7-715049: Group = NetworkRA, IP = 76.199.251.254, Received Cisco Unity client VID</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82</P><P>%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, process_attr(): Enter!</P><P>%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, Processing MODE_CFG Reply attributes.</P><P>%ASA-6-113012: AAA user authentication Successful : local database : user = user</P><P>%ASA-6-113009: AAA retrieved default group policy (Network) for user = user</P><P>%ASA-6-113008: AAA transaction status ACCEPT : user = user</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary DNS = cleared</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary DNS = cleared</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary WINS = cleared</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary WINS = cleared</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: split tunneling list = vpn_SplitTunnel</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: IP Compression = disabled</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Split Tunneling Policy = Split Network</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Setting = no-modify</P><P>%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Bypass Local = disable</P><P>%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.grouppolicy = Network</P><P>%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username = user</P><P>%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username1 = user</P><P>%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username2 = </P><P>%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.tunnelgroup = NetworkRA</P><P>%ASA-6-734001: DAP: User user, Addr 76.199.251.254, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy</P><P> %ASA-7-713052: Group = NetworkRA, Username = user, IP = 76.199.251.254, User (user) authenticated.</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg ACK attributes</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 174</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg Request attributes</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 address!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 net mask!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DNS server address!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for WINS server address!</P><P>%ASA-5-713130: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received unsupported transaction mode attribute: 5</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Banner!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Save PW setting!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Default Domain Name!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split Tunnel List!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split DNS!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for PFS setting!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Browser Proxy Setting!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for backup ip-sec peer list!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Application Version!</P><P>%ASA-6-713184: Group = NetworkRA, Username = user, IP = 76.199.251.254, Client Type: WinNT&nbsp; Client Application Version: 5.0.07.0440</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for FWTYPE!</P><P>%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DHCP hostname for DDNS is: MARS!</P><P>%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'</P><P>%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'NetworkRA'</P><P>%ASA-6-737026: IPAA: Client assigned 10.11.12.150 from local pool</P><P>%ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'NetworkRA'</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Obtained IP addr (10.11.12.150) prior to initiating Mode Cfg (XAuth enabled)</P><P>%ASA-6-713228: Group = NetworkRA, Username = user, IP = 76.199.251.254, Assigned private IP address 10.11.12.150 to remote user</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Client Browser Proxy Attributes!</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply</P><P>%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Cisco Smartcard Removal Disconnect enable!!</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 241</P><P>%ASA-7-714003: IP = 76.199.251.254, IKE Responder starting QM: msg id = 9db6fb00</P><P>%ASA-7-715021: Group = NetworkRA, Username = user, IP = 76.199.251.254, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress</P><P>%ASA-6-713905: Group = NetworkRA, Username = user, IP = 76.199.251.254, Gratuitous ARP sent for 10.11.12.150</P><P>%ASA-7-746012: user-identity: Add IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user</P><P>%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user</P><P>%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user</P><P>%ASA-7-715022: Group = NetworkRA, Username = user, IP = 76.199.251.254, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed</P><P>%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED</P><P>%ASA-7-713121: IP = 76.199.251.254, Keep-alive type for this connection: DPD</P><P>%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P1 rekey timer: 41040 seconds.</P><P>%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending notify message</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=22ab08a8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing SA payload</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing nonce payload</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload</P><P>%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR ID received</P><P>10.11.12.150</P><P>%ASA-7-713025: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received remote Proxy Host data in ID Payload:&nbsp; Address 10.11.12.150, Protocol 0, Port 0</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload</P><P>%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0</P><P>%ASA-7-713034: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received local IP Proxy Subnet data in ID Payload:&nbsp;&nbsp; Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, QM IsRekeyed old sa not found by addr</P><P>%ASA-7-713066: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing IPSec SA payload</P><P>%ASA-7-715027: Group = NetworkRA, Username = user, IP = 76.199.251.254, IPSec SA Proposal # 8, Transform # 1 acceptable&nbsp; Matches global IPSec SA entry # 65535</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE: requesting SPI!</P><P>%ASA-7-715006: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got SPI from key engine: SPI = 0x2a9e7c0a</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, oakley constucting quick mode</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec SA payload</P><P>%ASA-5-713075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec nonce payload</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing proxy ID</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Transmitting Proxy Id:</P><P>&nbsp; Remote host: 10.11.12.150&nbsp; Protocol 0&nbsp; Port 0</P><P>&nbsp; Local subnet:&nbsp; 0.0.0.0&nbsp; mask 0.0.0.0 Protocol 0&nbsp; Port 0</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending RESPONDER LIFETIME notification to Initiator</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-714005: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Responder sending 2nd QM pkt: msg id = 9db6fb00</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + NONE (0) total length : 52</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, loading all IPSEC SAs</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!</P><P>%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!</P><P>%ASA-5-713049: Group = NetworkRA, Username = user, IP = 76.199.251.254, Security negotiation complete for User (user)&nbsp; Responder, Inbound SPI = 0x2a9e7c0a, Outbound SPI = 0x5bb276fb</P><P>%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.</P><P>%ASA-7-715007: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got a KEY_ADD msg for SA: SPI = 0x5bb276fb</P><P>%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user</P><P>%ASA-7-609001: Built local-host DMZ:10.11.12.150</P><P>%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.</P><P>%ASA-7-715077: Group = NetworkRA, Username = user, IP = 76.199.251.254, Pitcher: received KEY_UPDATE, spi 0x2a9e7c0a</P><P>%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P2 rekey timer: 27360 seconds.</P><P>%ASA-7-713204: Group = NetworkRA, Username = user, IP = 76.199.251.254, Adding static route for client address: 10.11.12.150 </P><P>%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)</P><P>%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=74c94d21) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload</P><P>%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417ba)</P><P>%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417ba)</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=eda5977f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-7-609001: Built local-host inside:10.10.1.44</P><P>%ASA-6-302015: Built inbound UDP connection 472 for DMZ:10.11.12.150/427 (10.11.12.150/427)(LOCAL\user) to inside:10.10.1.44/427 (10.10.1.44/427) (user)</P><P>%ASA-7-609001: Built local-host inside:10.10.1.76</P><P>%ASA-6-302013: Built inbound TCP connection 473 for DMZ:10.11.12.150/43618 (10.11.12.150/43618)(LOCAL\user) to inside:10.10.1.76/22 (10.10.1.76/22) (user)</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=c168a18) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload</P><P>%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bb)</P><P>%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bb)</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=50284dae) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-7-609001: Built local-host inside:10.10.1.26</P><P>%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02</P><P>%ASA-7-609001: Built local-host inside:10.10.1.26</P><P>%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=29354099) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload</P><P>%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bc)</P><P>%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bc)</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=1bca2b2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02</P><P>%ASA-7-609001: Built local-host inside:10.10.1.26</P><P>%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02</P><P>%ASA-7-609001: Built local-host inside:10.10.1.26</P><P>%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=a6c91f9d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload</P><P>%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bd)</P><P>%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bd)</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=83836fa9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84</P><P>%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)</P><P>%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02</P><P>%ASA-6-302014: Teardown TCP connection 473 for DMZ:10.11.12.150/43618(LOCAL\user) to inside:10.10.1.76/22 duration 0:00:30 bytes 0 SYN Timeout (user)</P><P>%ASA-7-609002: Teardown local-host inside:10.10.1.76 duration 0:00:30</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=2a7b85a0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 72</P><P>%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing delete</P><P>%ASA-5-713050: Group = NetworkRA, Username = user, IP = 76.199.251.254, Connection terminated for peer user.&nbsp; Reason: Peer Terminate&nbsp; Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Active unit receives a delete event for remote peer 76.199.251.254.</P><P></P><P></P><P>%ASA-7-715009: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Deleting SA: Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 rcv'd Terminate: state AM_ACTIVE&nbsp; flags 0x2861d041, refcnt 1, tuncnt 0</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 terminating:&nbsp; flags 0x2961d001, refcnt 0, tuncnt 0</P><P>%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending delete/delete with reason message</P><P>%ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been deleted.</P><P>%ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 76.199.251.254 and 10.11.12.2 (user= user) has been deleted.</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IKE delete payload</P><P>%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload</P><P>%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=a9a78dd5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80</P><P>%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a</P><P>%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a</P><P>%ASA-5-713259: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session is being torn down. Reason: User Requested</P><P>%ASA-6-713273: Group = NetworkRA, Username = user, IP = 76.199.251.254, Deleting static route for client address: 10.11.12.150 </P><P>%ASA-7-746013: user-identity: Delete IP-User mapping 76.199.251.254 - LOCAL\user Failed - VPN user logout</P><P>%ASA-7-746013: user-identity: Delete IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user logout</P><P>%ASA-4-113019: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session disconnected. Session Type: IPsecOverTCP, Duration: 0h:00m:52s, Bytes xmt: 0, Bytes rcv: 536, Reason: User Requested</P><P>%ASA-7-713906: Ignoring msg to mark SA with dsID 45056 dead because SA deleted</P><P>%ASA-6-302014: Teardown TCP connection 469 for DMZ:76.199.251.254/25283 to identity:10.11.12.2/10000 duration 0:00:53 bytes 1724 Flow closed by inspection</P><P>%ASA-6-106015: Deny TCP (no connection) from 76.199.251.254/25283 to 10.11.12.2/10000 flags ACK&nbsp; on interface DMZ</P><P>%ASA-7-710005: TCP request discarded from 76.199.251.254/25283 to DMZ:10.11.12.2/10000</P><P>%ASA-6-737016: IPAA: Freeing local pool address 10.11.12.150</P><P>%ASA-7-609001: Built local-host inside:10.10.1.23</P><P>%ASA-7-609001: Built local-host identity:10.10.1.76</P><P>%ASA-6-302013: Built inbound TCP connection 478 for inside:10.10.1.23/43785 (10.10.1.23/43785) to identity:10.10.1.76/22 (10.10.1.76/22)</P><P>%ASA-6-113012: AAA user authentication Successful : local database : user = user</P><P>%ASA-6-113008: AAA transaction status ACCEPT : user = user</P><P>%ASA-6-611101: User authentication succeeded: Uname: user</P><P>%ASA-6-611101: User authentication succeeded: Uname: user</P><P>%ASA-6-605005: Login permitted from 10.10.1.23/43785 to inside:10.10.1.76/ssh for user "user"</P><P>%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15</P><P>%ASA-5-111008: User 'user' executed the 'enable' command.</P><P></P><P>Let me know what you think.</P><P></P><P>Thanks!</P></BODY></HTML> Thu, 01 Nov 2012 13:01:38 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073996#M396649 Nathan Hawkins 2012-11-01T13:01:38Z Re: Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073997#M396650 <HTML><HEAD></HEAD><BODY><P>Hello Nathan,</P><P></P><P>I know I have asked for it so many times but I will need to see the updated configuration <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/grin.gif"></SPAN></P><P></P><P>Can you share it again</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Thu, 01 Nov 2012 18:54:19 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073997#M396650 Julio Carvajal 2012-11-01T18:54:19Z Re: Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073998#M396651 <HTML><HEAD></HEAD><BODY><P>Hi Nathan,</P><P></P><P>Just wanted to add some details here.</P><P></P><P>According to the logs:</P><P>%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED<BR />%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED</P><P></P><P>So we know Phase I &amp; II are OK.</P><P></P><P>However:</P><P>%ASA-7-710005: TCP request discarded from 76.199.251.254/25283 to DMZ:10.11.12.2/10000</P><P></P><P>Do you have the following command enabled?</P><P> hostname(config)# <STRONG>crypto ikev1 ipsec-over-tcp port 10000</STRONG></P><P></P><P>Is there any NAT rule causing a conflict?</P><P><BR />Recommendation:</P><P></P><P>I do recommend NAT-T since it performs much better. Besides that, cTCP connections are known to have issues across FWs.</P><P></P><P><STRONG><A href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc6d4c.shtml">IPsec over TCP Fails when Traffic Flows through ASA</A></STRONG></P><P><STRONG> </STRONG></P><P>HTH.</P><P></P><P>Portu.</P><P></P><P>Please rate any helpful posts <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" height="16" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif" width="16"></SPAN></P></BODY></HTML> Fri, 02 Nov 2012 00:56:26 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073998#M396651 Javier Portuguez 2012-11-02T00:56:26Z Re: Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073999#M396652 <HTML><HEAD></HEAD><BODY><P>Here's my current running config:</P><P></P><P>hostname RemoteVPNASA</P><P>domain-name Domain.local</P><P>enable password EknDlaH/tYor46kT encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P>!</P><P>interface Ethernet0/3</P><P> shutdown</P><P>!</P><P>interface Ethernet0/4</P><P> shutdown</P><P>!</P><P>interface Ethernet0/5</P><P> shutdown&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!</P><P>interface Ethernet0/6</P><P> shutdown</P><P>!</P><P>interface Ethernet0/7</P><P> shutdown</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.10.1.76 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif DMZ</P><P> security-level 0</P><P> ip address 10.11.12.2 255.255.255.0 </P><P>!</P><P>banner motd </P><P>banner motd +----------------------------------------------------+</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; *** Unauthorized Use or Access Prohibited ***&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; For Authorized Official Use Only&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; You must have explicit permission to access or&nbsp;&nbsp; |</P><P>banner motd |&nbsp; configure this device. All activities performed&nbsp;&nbsp; |</P><P>banner motd |&nbsp; on this device may be logged, and violations of&nbsp;&nbsp; |</P><P>banner motd | this policy may result in disciplinary action, and |</P><P>banner motd |&nbsp; may be reported to law enforcement authorities.&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp; There is no right to privacy on this device.&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>banner motd +----------------------------------------------------+</P><P>banner motd </P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name Domain.local</P><P>object network Network-10.11.12.0</P><P> subnet 10.11.12.0 255.255.255.0</P><P>object network Network-10.10.1.0</P><P> subnet 10.10.1.0 255.255.255.0</P><P>object-group icmp-type DefaultICMP</P><P> description Default ICMP Types permitted</P><P> icmp-object echo-reply</P><P> icmp-object unreachable</P><P> icmp-object time-exceeded</P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object 10.10.1.0 255.255.255.0</P><P> network-object 10.11.12.0 255.255.255.0</P><P>object-group network DM_INLINE_NETWORK_2</P><P> network-object 10.10.1.0 255.255.255.0</P><P> network-object 10.11.12.0 255.255.255.0</P><P>object-group protocol DM_INLINE_PROTOCOL_1</P><P> protocol-object ip</P><P> protocol-object icmp</P><P>access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel</P><P>access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0 </P><P>access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0 </P><P>access-list vpn_SplitTunnel standard permit 10.11.12.0 255.255.255.0 </P><P>access-list vpn_SplitTunnel standard permit 5.5.0.0 255.255.255.192 </P><P>access-list vpn_SplitTunnel standard permit 5.5.16.0 255.255.255.192 </P><P>access-list nonat remark ACL for Nat Bypass</P><P>access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 </P><P>access-list acl_DMZ extended permit icmp any any object-group DefaultICMP </P><P>pager lines 24</P><P>logging enable</P><P>logging buffer-size 524288</P><P>logging asdm-buffer-size 200</P><P>logging console debugging</P><P>logging buffered debugging</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu DMZ 1500&nbsp; </P><P>ip local pool IPPool 10.11.12.150-10.11.12.200</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat (inside,DMZ) source static Network-10.10.1.0 Network-10.10.1.0 destination static Network-10.11.12.0 Network-10.11.12.0</P><P>access-group acl_DMZ in interface DMZ</P><P>route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication http console LOCAL </P><P>http server enable</P><P>http 10.10.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</P><P>sysopt connection preserve-vpn-flows</P><P>crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet</P><P>crypto dynamic-map DynamicMap 1 set reverse-route</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map NetMap interface DMZ</P><P>crypto isakmp identity address </P><P>crypto ikev1 enable DMZ</P><P>crypto ikev1 ipsec-over-tcp port 10000 </P><P>crypto ikev1 policy 1</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha&nbsp;&nbsp;&nbsp;&nbsp; </P><P> group 2</P><P> lifetime 43200</P><P>crypto ikev1 policy 11</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto ikev1 policy 65535</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet timeout 5</P><P>ssh 10.10.1.0 255.255.255.0 inside</P><P>ssh 10.240.232.0 255.255.252.0 inside</P><P>ssh timeout 5</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P></P><P></P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn</P><P>group-policy Network internal</P><P>group-policy Network attributes</P><P> vpn-idle-timeout 120</P><P> vpn-tunnel-protocol ikev1 </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value vpn_SplitTunnel</P><P>username user password HTfNe5Yf7OKVfTLO encrypted privilege 15</P><P>tunnel-group NetworkRA type remote-access</P><P>tunnel-group NetworkRA general-attributes</P><P> address-pool IPPool</P><P> default-group-policy Network</P><P>tunnel-group NetworkRA ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect ip-options </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com">callhome@cisco.com</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>Cryptochecksum:fdd8944b7886c448137cce902d12b8a3</P><P>: end</P><P></P><P>@Portu - Yes <STRONG style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">crypto ikev1 ipsec-over-tcp port 10000 </STRONG>is present, whats the command to implement NAT-T? So far its connecting just fine using TCP 10000.</P><P></P><P>Thanks!</P></BODY></HTML> Fri, 02 Nov 2012 01:25:22 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2073999#M396652 Nathan Hawkins 2012-11-02T01:25:22Z Re: Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2074000#M396653 <HTML><HEAD></HEAD><BODY><P>Nathan,</P><P></P><P>This NAT rule is the one affecting the traffic, since the pool is in the same network.</P><P></P><P>nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0</P><P></P><P>Let´s give it a try as following:</P><P></P><P>ip local pool VPN_NetworkRA 192.168.254.1-192.168.254.254</P><P></P><P>tunnel-group NetworkRA general-attributes</P><P>&nbsp;&nbsp;&nbsp;&nbsp; no address-pool IPPool</P><P>&nbsp;&nbsp;&nbsp;&nbsp; address-pool VPN_NetworkRA</P><P>!</P><P></P><P>object network obj-192.168.254.0</P><P>&nbsp;&nbsp;&nbsp;&nbsp; subnet 192.168.254.0 255.255.255.0</P><P>!</P><P>nat (DMZ,outside) 1 source static any any destination static obj-192.168.254.0 obj-192.168.254.0 </P><P>!</P><P></P><P>Then try to access the network and let me know.</P><P></P><P>Portu.</P><P></P><P>Please rate any helpful posts <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" height="16" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif" width="16"></SPAN></P></BODY></HTML> Fri, 02 Nov 2012 02:01:24 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2074000#M396653 Javier Portuguez 2012-11-02T02:01:24Z Re: Remote Access IKEv1 VPN DMZ ASA https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2074001#M396654 <HTML><HEAD></HEAD><BODY><P>I wont be able to retry the connection attempt until Monday, so I'll update then. Thanks again Julio.</P></BODY></HTML> Fri, 02 Nov 2012 21:40:51 GMT https://community.cisco.com/t5/network-security/remote-access-ikev1-vpn-dmz-asa/m-p/2074001#M396654 Nathan Hawkins 2012-11-02T21:40:51Z