https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892258#M973898 <HTML><HEAD></HEAD><BODY><P>Let me take a crack at this for ya.</P><P></P><P>First thing I do not see is a DHCP Pool to assign clients addreses:</P><P></P><P>! The user vpn dhcp pool cannot overlap with internally used subnets.</P><P>!</P><P>ip local pool VPN-DHCP-POOL 192.168.168.1-192.168.168.20 mask 255.255.255.0</P><P>!</P><P>! Assigning the VPN DHCP Pool subnet as a no-nat on the outside interface allows the user</P><P>! traffic to enter the outside interface from the VPN Client in order to be NAT's on its way to the Inet</P><P>!</P><P>nat (OUTSIDE) 1 192.168.168.0 255.255.255.0</P><P>!</P><P></P><P></P><P>Next thing I do not see is a group policy and associated access list that defines user attributes and access, see this</P><P></P><P>group-policy REMOTEVPN internal</P><P>group-policy REMOTEVPN attributes</P><P> wins-server value 192.168.15.112</P><P> dns-server value 192.168.15.112</P><P> vpn-idle-timeout 30</P><P> vpn-filter value VPN-USERACCESS</P><P> vpn-tunnel-protocol IPSec </P><P> default-domain value mydoamin.com</P><P></P><P>You may also want to have usernames for authentication</P></BODY></HTML> Sun, 07 Oct 2007 17:50:27 GMT whisperwind 2007-10-07T17:50:27Z https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892255#M973895 <P>Hi, all, I am running 8.0(2), I am trying to set up IPsec RA on ASA. The IPsec tunnel from Client will terminate on ASA's Outside interface. </P><P></P><P>It did not work, debug shows that ISAKMP connection request (UDP destination port 500) is either denied by ASA or ASA complains the no translation group found. I don't understand why ASA is denying ISAKMP connection when such connection is by default permitted. (I also tried to configure ACL on Outside interface to explicitly permit udp isakmp, and toggled "crypto map &lt;&gt; interface Outside", "crytp isakmp enable Outside"), And in what scenario ASA would treat isakmp connection request like a normal inbound traffic and tries to look for translation entry?</P><P></P><P>It should be a simple configuration, I followed every step in documentation, I am scratching my head to get it the first step of IPsec VPN RA working...</P> Mon, 11 Mar 2019 11:21:46 GMT https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892255#M973895 oldcreek12 2019-03-11T11:21:46Z https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892256#M973896 <HTML><HEAD></HEAD><BODY><P>Jian</P><P></P><P>My first guess is that something in the ASA configuration for the RA VPN is not set up correctly and the ASA is attempting to forward the packet to somewhere else. Can you post the config of the ASA (most especially the VPN parts of the config)?</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Sun, 07 Oct 2007 15:26:53 GMT https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892256#M973896 Richard Burts 2007-10-07T15:26:53Z https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892257#M973897 <HTML><HEAD></HEAD><BODY><P>Hi, Rick, thank you for your reply, here is the relevant configuration, please let me know if you need any other configurations:</P><P></P><P>crypto map:</P><P>============</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto dynamic-map Outside_dynamic_map 20 set transform-set ESP-3DES-SHA</P><P>crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dynamic_map</P><P>crypto map Outside_map interface Outside</P><P>crypto isakmp identity address </P><P>crypto isakmp enable Outside</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P></P><P>Tunnel group configuration:</P><P>===========================</P><P>tunnel-group ipsec-remote type remote-access</P><P>tunnel-group ipsec-remote general-attributes</P><P> address-pool ra_pool</P><P> authentication-server-group RADIUS_SVRS</P><P> authorization-server-group RADIUS_SVRS</P><P> accounting-server-group RADIUS_SVRS</P><P>tunnel-group ipsec-remote ipsec-attributes</P><P> pre-shared-key *</P><P></P><P>NAT related configuration</P><P>=========================</P><P>nat (Inside) 0 access-list inside-nonat</P><P>access-list inside-nonat extended permit ip INTERNAL-NETS 255.255.255.0 VPN-Client-NET 255.255.255.0 </P><P></P></BODY></HTML> Sun, 07 Oct 2007 16:24:18 GMT https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892257#M973897 oldcreek12 2007-10-07T16:24:18Z https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892258#M973898 <HTML><HEAD></HEAD><BODY><P>Let me take a crack at this for ya.</P><P></P><P>First thing I do not see is a DHCP Pool to assign clients addreses:</P><P></P><P>! The user vpn dhcp pool cannot overlap with internally used subnets.</P><P>!</P><P>ip local pool VPN-DHCP-POOL 192.168.168.1-192.168.168.20 mask 255.255.255.0</P><P>!</P><P>! Assigning the VPN DHCP Pool subnet as a no-nat on the outside interface allows the user</P><P>! traffic to enter the outside interface from the VPN Client in order to be NAT's on its way to the Inet</P><P>!</P><P>nat (OUTSIDE) 1 192.168.168.0 255.255.255.0</P><P>!</P><P></P><P></P><P>Next thing I do not see is a group policy and associated access list that defines user attributes and access, see this</P><P></P><P>group-policy REMOTEVPN internal</P><P>group-policy REMOTEVPN attributes</P><P> wins-server value 192.168.15.112</P><P> dns-server value 192.168.15.112</P><P> vpn-idle-timeout 30</P><P> vpn-filter value VPN-USERACCESS</P><P> vpn-tunnel-protocol IPSec </P><P> default-domain value mydoamin.com</P><P></P><P>You may also want to have usernames for authentication</P></BODY></HTML> Sun, 07 Oct 2007 17:50:27 GMT https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892258#M973898 whisperwind 2007-10-07T17:50:27Z https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892259#M973899 <HTML><HEAD></HEAD><BODY><P>Thanks for your reply, I do have VPN pool "ra-pool" defined and group policy is DfltGrpPolicy which I modified to include all tunnel protocols. Usernames and authentication is configured in RADIUS server. I doubt the points you made would lead ASA to deny incoming ISAKMP connection.</P><P></P><P>Sorry I did not post every line of my configuration.</P></BODY></HTML> Sun, 07 Oct 2007 19:28:34 GMT https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892259#M973899 oldcreek12 2007-10-07T19:28:34Z https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892260#M973900 <HTML><HEAD></HEAD><BODY><P>Well you can either post the entire config here for the community to review or call TAC</P></BODY></HTML> Sun, 07 Oct 2007 20:24:36 GMT https://community.cisco.com/t5/network-security/isakmp-connection-request-from-client-denied-by-asa/m-p/892260#M973900 whisperwind 2007-10-07T20:24:36Z