02-09-2011 05:58 AM - edited 03-11-2019 12:47 PM
Hello All,
I have a Cisco ASA 5510 firewall. I configured Remote VPN on the firewall. But when I connect from the VPN Client (5.0.06), it gives the error "Secure VPN Connection Terminated by Peer Error: 433".
Can you please help me?
My Config is as below:
Result of the command: "sh runn"
: Saved
:
ASA Version 8.0(3)
!
hostname rama5510
enable password 2ry13OhtG57zeqsA encrypted
interface Ethernet0/0
nameif outside
security-level 0
ip address 121.242.223.102 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
regex Court "\court\.mah\.nic\.in"
regex Domainlist9 "\idbi\.com"
regex Nsdl "\.tin-nsdl\.com"
regex domainlist10 "\.inet\.idbibank\.co\.in"
regex domainlist11 "\billing\.mahadiscom\.in"
regex domainlist12 "\igrmaharashtra\.gov\.in"
regex allow "\.google.\com"
regex justdail "\search\.justdial\.com"
regex PCMC "203.129.227.16:8080\.pcmc"
regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.google\.co\.in"
regex domainlist3 "\.orkut\.com"
regex punecorporation "\punecorporation\.org"
regex pcmcindia "\pcmcindia\.gov\.in"
regex domainlist4 "\.orkut\.co\.in"
regex domainlist5 "\.facebook\.com"
regex domainlist6 "\.gmail\.com"
regex domainlist7 "\.google\.com"
regex domainlist8 "\mahabhulekh\.mumbai\.nic\.in"
regex bsnl "\bsnl\.co\.in"
regex rcom "\myservices\.relianceada\.com"
regex lic "\licindia\.com"
regex pcntda "\pcntda\.org\.in"
regex mahabhulekh "164.100.111.5:8080\.mahabhulekh"
regex contenttype "content-type"
regex applicationheader "application/.*"
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 121.242.190.180
name-server 121.242.190.211
object-group network allow
network-object host Amit
network-object host Vinod
network-object host Ram
network-object host server
network-object host Quadra
network-object host Hr-2
network-object host Hr-1
network-object host SunilSir
network-object host RonakSirAppleLaptop
network-object host Suhas
network-object host 192.168.0.199
network-object host 192.168.0.12
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq citrix-ica
access-list outside_access_in extended permit tcp any interface outside eq 2598
access-list outside_access_in extended permit tcp any interface outside eq 37777
access-list user-acl extended deny tcp object-group allow any eq 8080
access-list user-acl extended deny tcp object-group allow any eq www
access-list user-acl extended deny tcp any host server eq www
access-list user-acl extended deny tcp any host server eq 8080
access-list user-acl extended deny tcp any host 164.100.111.5 eq www
access-list user-acl extended deny tcp any host 164.100.111.5 eq 8080
access-list user-acl extended permit tcp any any eq www
access-list user-acl extended permit tcp any any eq 8080
access-list user-acl extended deny tcp any host 192.168.0.199 eq www
access-list user-acl extended deny tcp any host 192.168.0.199 eq 8080
access-list Outside_access_in extended permit tcp any host 121.242.223.102 eq www
access-list Outside_access_in extended permit tcp any host 121.242.223.102 eq 2598
access-list Outside_access_in extended permit tcp any host 121.242.223.102 eq citrix-ica
access-list inside_mpc extended deny tcp object-group allow any eq www
access-list inside_mpc extended deny tcp object-group allow any eq 8080
access-list inside_mpc extended deny tcp any host 164.100.111.5 eq www
access-list inside_mpc extended deny tcp any host 164.100.111.5 eq 8080
access-list inside_mpc extended deny tcp any host server eq www
access-list inside_mpc extended deny tcp any host server eq 8080
access-list inside_mpc extended deny tcp any host 192.168.0.199 eq 8080
access-list inside_mpc extended deny ip 192.168.0.0 255.255.255.240 192.168.0.0 255.255.255.0
access-list inside_mpc extended deny object-group TCPUDP 192.168.0.0 255.255.255.240 192.168.0.0 255.255.255.0
access-list inside_mpc extended deny tcp any host 192.168.0.199 eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq www
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteVPN 192.168.0.2-192.168.0.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface citrix-ica server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 2598 server 2598 netmask 255.255.255.255
static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface 37777 192.168.0.199 37777 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 121.242.223.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.10 inside
dhcpd dns 121.242.190.180 121.242.190.211 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy ramagroup internal
group-policy ramagroup attributes
dns-server value 121.242.190.180 121.242.190.211
vpn-tunnel-protocol IPSec
username rama5510 password NQ35L.CrXDGEh3Wo encrypted privilege 15
username vinayak password hj81.pmVitNx/DEr encrypted privilege 0
username vinayak attributes
vpn-group-policy ramagroup
tunnel-group ramagroup type remote-access
tunnel-group ramagroup general-attributes
address-pool RemoteVPN
default-group-policy ramagroup
tunnel-group ramagroup ipsec-attributes
pre-shared-key *
!
class-map allow-user-class
match access-list user-acl
class-map type inspect http match-all appheaderclass
match request header regex contenttype regex applicationheader
match req-resp content-type mismatch
class-map inside-class
match access-list inside_mpc
class-map type inspect http match-all allow-url-class
match not request header host regex domainlist8
match not request header host regex Domainlist9
match not request header host regex domainlist10
match not request header host regex domainlist11
match not request header host regex domainlist12
match not request header host regex mahabhulekh
match not request header host regex Nsdl
match not request header host regex Court
match not request header host regex pcntda
match not request header host regex lic
match not request header host regex justdail
match not request header host regex pcmcindia
match not request header host regex rcom
match not request header host regex punecorporation
match not request header host regex PCMC
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
drop-connection
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
policy-map inside-policy
class inside-class
inspect http allow-url-policy
!
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:42a2d5a7c132830439479d26c3be896d
: end
02-09-2011 06:48 AM
Vinayak,
To see the reason why it is failing, please post the output of debug cry isa 127 and debug cry ips 127 when attempting the VPN connection.
Federico.
02-09-2011 08:56 PM
Hi,
Actually, I am able to connect to the public IP of my network. But then it asks for a username and password.
Even if I enter the correct username and password, it gives the same error.
Please help me out.
02-09-2011 10:22 PM
Hi Federico,
There is no output for these 2 commands.
When I put in the command sh crypto ipsec sa, the output is: there are no ipsec sa
What does this mean?
02-09-2011 10:48 PM
Hi Vinayak,
This means that your tunnel is not up.
Please do deb cry isa 127 and debug cry ips 127, then initiate the tunnel. Post the outputs of the debugs.
We will look into it and get back.
Regards,
Anisha
02-09-2011 11:19 PM
Hi Anisha,
Here are the logs that I received.
6|Feb 09 2011|23:43:19|113012|||AAA user authentication Successful : local database : user = vinayak
6|Feb 09 2011|23:43:19|113003|||AAA group policy for user vinayak is being set to ramagroup
6|Feb 09 2011|23:43:19|113011|||AAA retrieved user specific group policy (ramagroup) for user = vinayak
6|Feb 09 2011|23:43:19|113009|||AAA retrieved default group policy (ramagroup) for user = vinayak
6|Feb 09 2011|23:43:19|113008|||AAA transaction status ACCEPT : user = vinayak
6|Feb 09 2011|23:43:19|734001|||DAP: User vinayak, Addr 114.143.163.232, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
5|Feb 09 2011|23:43:19|713130|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Received unsupported transaction mode attribute: 5
6|Feb 09 2011|23:43:19|713184|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Client Type: WinNT Client Application Version: 5.0.06.0160
3|Feb 09 2011|23:43:19|713132|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Cannot obtain an IP address for remote peer
3|Feb 09 2011|23:43:19|713902|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Removing peer from peer table failed, no match!
4|Feb 09 2011|23:43:19|713903|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Error: Unable to remove PeerTblEntry
4|Feb 09 2011|23:43:19|113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
6|Feb 09 2011|23:43:22|106015|192.168.0.78|63.150.131.42|Deny TCP (no connection) from 192.168.0.78/1558 to 63.150.131.42/80 flags PSH ACK on interface inside
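An added triage helper (my own example, not code from the thread or from Cisco) that parses the ASDM log lines posted above together with the address-assignment lines of the running config from the first post. When the 713132 message ("Cannot obtain an IP address for remote peer") is present, it reports the config facts that bear on client address assignment: the 'no vpn-addr-assign local' line next to the 'address-pool' reference, and the pool's overlap with the inside interface subnet and the dhcpd range. The list of checks is mine; the thread itself does not state which of these caused the failure.

```python
import ipaddress
import re
# Log lines copied from the thread (ASDM format: severity|date|time|msg-id|src|dst|text).
SAMPLE_LOG = """\
3|Feb 09 2011|23:43:19|713132|||Group = ramagroup, Username = vinayak, IP = 114.143.163.232, Cannot obtain an IP address for remote peer
4|Feb 09 2011|23:43:19|113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
"""
# Address-assignment lines copied from the running config in the first post.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
ip local pool RemoteVPN 192.168.0.2-192.168.0.10
no vpn-addr-assign local
dhcpd address 192.168.0.2-192.168.0.10 inside
tunnel-group ramagroup general-attributes
 address-pool RemoteVPN
"""

def parse_log(text):
    """Split ASDM pipe-delimited lines into dicts (the free-text field is kept whole)."""
    fields = ("severity", "date", "time", "msg_id", "src", "dst", "text")
    return [dict(zip(fields, line.split("|", 6))) for line in text.splitlines() if line]

def interface_nets(config):
    """Yield (nameif, network) for each interface block that carries an ip address."""
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
        if block.startswith("interface") and name and addr:
            yield name.group(1), ipaddress.ip_network(f"{addr.group(1)}/{addr.group(2)}", strict=False)
def address_assignment_findings(config):
    """Report config conditions relevant to 713132 'Cannot obtain an IP address for remote peer'."""
    findings = []
    pools = dict(re.findall(r"^ip local pool (\S+) (\S+)", config, re.M))
    for name in re.findall(r"^\s*address-pool (\S+)", config, re.M):
        if re.search(r"^no vpn-addr-assign local$", config, re.M):
            findings.append(f"{name}: referenced, but 'no vpn-addr-assign local' disables local pools")
        lo, hi = (ipaddress.ip_address(a) for a in pools[name].split("-"))
        for ifname, net in interface_nets(config):
            if lo in net or hi in net:
                findings.append(f"{name}: pool overlaps the {ifname} interface subnet {net}")
        for dl, dh in re.findall(r"^dhcpd address (\S+)-(\S+)", config, re.M):
            if lo <= ipaddress.ip_address(dh) and ipaddress.ip_address(dl) <= hi:
                findings.append(f"{name}: pool overlaps the dhcpd range {dl}-{dh}")
    return findings
def triage(log_text, config):
    """Only when the log contains 713132 do the address-assignment checks apply."""
    hit = any(m["msg_id"] == "713132" for m in parse_log(log_text))
    return address_assignment_findings(config) if hit else []
```

Running triage(SAMPLE_LOG, SAMPLE_CONFIG) produces three findings for the posted config; on a log without 713132 it returns an empty list.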
02-10-2011 03:17 AM
Can anyone reply to this post?
02-10-2011 03:34 AM
Hi Vinayak,
The client is not getting the IP address. Do you have a DAP configured? What is it configured as?
Regards,
Anisha
02-10-2011 03:45 AM
DAP is activated.
I didn't get the statement "What is it configured as"?
02-10-2011 08:51 PM
Hi,
Could you click on the DAP and edit it? Check the action defined in the Action type. Please let us know if it is terminate or continue.
The following link will give you more details about DAP.
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml#t3
Regards,
Anisha
02-10-2011 09:09 PM
Hi Anisha,
Now I am connected successfully to the remote network through my VPN Client.
I am getting an IP also. But now I am only able to access the internal network. I am not able to access the internet, neither at my side nor at the remote site.
Is it possible to access the internet of the remote network through Remote VPN?