topic Re: Remote access VPN on ASA in Network Security

Remote access VPN on ASA

vinayak — Mon, 11 Mar 2019 19:47:57 GMT

Hello All,

I am having Cisco ASA 5510 firewall. i configured Remote VPN on Firewall. But when i am connecting from VPN Client (5.0.06). it gives error as "Secure VPN Connection Terminated by Peer Error: 433"

Can you please help me.

My Config is as below:

Result of the command: "sh runn"

: Saved
:
ASA Version 8.0(3)
!
hostname rama5510
enable password 2ry13OhtG57zeqsA encrypted

interface Ethernet0/0
nameif outside
security-level 0
ip address 121.242.223.102 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
regex Court "\court\.mah\.nic\.in"
regex Domainlist9 "\idbi\.com"
regex Nsdl "\.tin-nsdl\.com"
regex domainlist10 "\.inet\.idbibank\.co\.in"
regex domainlist11 "\billing\.mahadiscom\.in"
regex domainlist12 "\igrmaharashtra\.gov\.in"
regex allow "\.google.\com"
regex justdail "\search\.justdial\.com"
regex PCMC "203.129.227.16:8080\.pcmc"
regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.google\.co\.in"
regex domainlist3 "\.orkut\.com"
regex punecorporation "\punecorporation\.org"
regex pcmcindia "\pcmcindia\.gov\.in"
regex domainlist4 "\.orkut\.co\.in"
regex domainlist5 "\.facebook\.com"
regex domainlist6 "\.gmail\.com"
regex domainlist7 "\.google\.com"
regex domainlist8 "\mahabhulekh\.mumbai\.nic\.in"
regex bsnl "\bsnl\.co\.in"
regex rcom "\myservices\.relianceada\.com"
regex lic "\licindia\.com"
regex pcntda "\pcntda\.org\.in"
regex mahabhulekh "164.100.111.5:8080\.mahabhulekh"
regex contenttype "content-type"
regex applicationheader "application/.*"
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 121.242.190.180
name-server 121.242.190.211
object-group network allow
network-object host Amit
network-object host Vinod
network-object host Ram
network-object host server
network-object host Quadra
network-object host Hr-2
network-object host Hr-1
network-object host SunilSir
network-object host RonakSirAppleLaptop
network-object host Suhas
network-object host 192.168.0.199
network-object host 192.168.0.12
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit tcp any interface outside eq 2598
access-list outside_access_in extended permit tcp any interface outside eq 37777
access-list user-acl extended deny tcp object-group allow any eq 8080
access-list user-acl extended deny tcp object-group allow any eq www
access-list user-acl extended deny tcp any host server eq www
access-list user-acl extended deny tcp any host server eq 8080
access-list user-acl extended deny tcp any host 164.100.111.5 eq www
access-list user-acl extended deny tcp any host 164.100.111.5 eq 8080
access-list user-acl extended permit tcp any any eq www
access-list user-acl extended permit tcp any any eq 8080
access-list user-acl extended deny tcp any host 192.168.0.199 eq www
access-list user-acl extended deny tcp any host 192.168.0.199 eq 8080
access-list Outside_access_in extended permit tcp any host 121.242.223.102 eq www
access-list Outside_access_in extended permit tcp any host 121.242.223.102 eq 2598
access-list Outside_access_in extended permit tcp any host 121.242.223.102 eq citrix-ica
access-list inside_mpc extended deny tcp object-group allow any eq www
access-list inside_mpc extended deny tcp object-group allow any eq 8080
access-list inside_mpc extended deny tcp any host 164.100.111.5 eq www
access-list inside_mpc extended deny tcp any host 164.100.111.5 eq 8080
access-list inside_mpc extended deny tcp any host server eq www
access-list inside_mpc extended deny tcp any host server eq 8080
access-list inside_mpc extended deny tcp any host 192.168.0.199 eq 8080
access-list inside_mpc extended deny ip 192.168.0.0 255.255.255.240 192.168.0.0 255.255.255.0
access-list inside_mpc extended deny object-group TCPUDP 192.168.0.0 255.255.255.240 192.168.0.0 255.255.255.0
access-list inside_mpc extended deny tcp any host 192.168.0.199 eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq www
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteVPN 192.168.0.2-192.168.0.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface citrix-ica server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 2598 server 2598 netmask 255.255.255.255
static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface 37777 192.168.0.199 37777 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 121.242.223.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.10 inside
dhcpd dns 121.242.190.180 121.242.190.211 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy ramagroup internal
group-policy ramagroup attributes
dns-server value 121.242.190.180 121.242.190.211
vpn-tunnel-protocol IPSec
username rama5510 password NQ35L.CrXDGEh3Wo encrypted privilege 15
username vinayak password hj81.pmVitNx/DEr encrypted privilege 0
username vinayak attributes
vpn-group-policy ramagroup
tunnel-group ramagroup type remote-access
tunnel-group ramagroup general-attributes
address-pool RemoteVPN
default-group-policy ramagroup
tunnel-group ramagroup ipsec-attributes
pre-shared-key *
!
class-map allow-user-class
match access-list user-acl
class-map type inspect http match-all appheaderclass
match request header regex contenttype regex applicationheader
match req-resp content-type mismatch
class-map inside-class
match access-list inside_mpc
class-map type inspect http match-all allow-url-class
match not request header host regex domainlist8
match not request header host regex Domainlist9
match not request header host regex domainlist10
match not request header host regex domainlist11
match not request header host regex domainlist12
match not request header host regex mahabhulekh
match not request header host regex Nsdl
match not request header host regex Court
match not request header host regex pcntda
match not request header host regex lic
match not request header host regex justdail
match not request header host regex pcmcindia
match not request header host regex rcom
match not request header host regex punecorporation
match not request header host regex PCMC
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
drop-connection
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
policy-map inside-policy
class inside-class
inspect http allow-url-policy
!
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:42a2d5a7c132830439479d26c3be896d
: end

Re: Remote access VPN on ASA

Federico Coto Fajardo — Wed, 09 Feb 2011 14:48:38 GMT

Vinayak,

To see the reason why is failing please post the output of debug cry isa 127 and debug cry ips 127 when attempting the VPN connection.

Federico.

Re: Remote access VPN on ASA

vinayak — Thu, 10 Feb 2011 04:56:50 GMT

Hi,

Actually i am able to connect to the Public IP of my Network. But then it ask for Username & password.

Even if i enter correct Username & Passwd it Gives the Same Error.

Please help me out.

Re: Remote access VPN on ASA

vinayak — Thu, 10 Feb 2011 06:22:34 GMT

Hi Federico,

There is no output for these 2 commands.

when i put command sh crypto ipsec sa -> Output is -> there are no ipsec sa

What is this means?

Re: Remote access VPN on ASA

andamani — Thu, 10 Feb 2011 06:48:02 GMT

Hi VInayak,

This means that your tunnel is not up.

please do deb cry isa 127 and debug cry ips 127. then initiate the tunnel . Post the outputs of the debugs.

we will look into it and get back

regards,

anisha

Re: Remote access VPN on ASA

vinayak — Thu, 10 Feb 2011 07:19:19 GMT

Hi Anisha,

here are the logs that i received.

6|Feb 09 2011|23:43:19|113012|||AAA user authentication Successful : local database : user = vinayak

6|Feb 09 2011|23:43:19|113003|||AAA group policy for user vinayak is being set to ramagroup

6|Feb 09 2011|23:43:19|113011|||AAA retrieved user specific group policy (ramagroup) for user = vinayak

6|Feb 09 2011|23:43:19|113009|||AAA retrieved default group policy (ramagroup) for user = vinayak

6|Feb 09 2011|23:43:19|113008|||AAA transaction status ACCEPT : user = vinayak

6|Feb 09 2011|23:43:19|734001|||DAP: User vinayak, Addr 114.143.163.232, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy

5|Feb 09 2011|23:43:19|713130|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Received unsupported transaction mode attribute: 5

6|Feb 09 2011|23:43:19|713184|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Client Type: WinNT Client Application Version: 5.0.06.0160

3|Feb 09 2011|23:43:19|713132|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Cannot obtain an IP address for remote peer

3|Feb 09 2011|23:43:19|713902|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Removing peer from peer table failed, no match!

4|Feb 09 2011|23:43:19|713903|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Error: Unable to remove PeerTblEntry

4|Feb 09 2011|23:43:19|113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

6|Feb 09 2011|23:43:22|106015|192.168.0.78|63.150.131.42|Deny TCP (no connection) from 192.168.0.78/1558 to 63.150.131.42/80 flags PSH ACK on interface inside

Re: Remote access VPN on ASA

vinayak — Thu, 10 Feb 2011 11:17:07 GMT

Can Anyone reply on this post ?

Re: Remote access VPN on ASA

andamani — Thu, 10 Feb 2011 11:34:05 GMT

Hi Vinayaka,

The client is not getting the ip address. Do you have a DAP configured? what is it configured as?

Regards,

Anisha

Re: Remote access VPN on ASA

vinayak — Thu, 10 Feb 2011 11:45:08 GMT

DAP is activated.

I didnt get the statement "What it is configured as" ?

Re: Remote access VPN on ASA

andamani — Fri, 11 Feb 2011 04:51:01 GMT

hi,

Could you click on the DAP and edit it. Check the action defined in the Action type. Please let us know if it is terminate or continue.

The following link will give you more details about DAP.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml#t3

Regards,

Anisha

Re: Remote access VPN on ASA

vinayak — Fri, 11 Feb 2011 05:09:01 GMT

Hi Anisha,

Now i am connected sucessfully to Remote Network through my VPN Client.

I am getting IP Also. But now i am only able to access Internal network. I am not able to access internet not @ my side or not @ remote site.

It is possible to access internet of remote network through Remote VPN ?