03-12-2007 04:26 PM - edited 03-09-2019 05:35 PM
Below is my setup.
A business class DSL modem with a static IP (100.0.0.1) connects to an ASA 5510.
The ISP provided me another static routable IP for the ASA 5510 and I configured the 5510 outside interface with this (100.0.0.2).
I also have a couple of machines behind the inside interface of the 5510 (172.16.1.0).
All I want to do is let some people VPN into the inside network to do some troubleshooting.
I don't need anyone from the inside to access the net, so no NAT needed.
I went through the normal VPN config and the remote VPN wizard.
However, using the Cisco VPN client, I'm unable to log in.
I can ping the 100.0.0.1 interface but cannot VPN in.
I think there is no path from 100.0.0.1 to 100.0.0.2.
Any suggestions?
03-13-2007 12:50 PM
Good news and bad news.
The good news is that SSH works.
The bad news is that I'm unable to log on with my password.
I tried to log in as 'admin', 'pix' and blank, and I input my enable/console password and it didn't take any!
Also, I tried the VPN client and it failed.
I tried to log in through IPsec/TCP port 10000 and it established a TCP connection and then tried to send the ISAKMP OAK AG packet, but no response from the 5510.
Anything else I can try? And what can I use to log on through SSH?
Thanks for all the help.
03-13-2007 04:07 PM
Hello Vishal,
Let's divide and conquer instead of putting every problem in the same basket.
Let's fix the SSH issue first.
So, the ASA has two passwords: the normal telnet password and the enable password.
When you SSH into the ASA, use the username "pix" and the telnet password.
Then you will get the prompt for enable:
ASA>
After that, type enable and insert the enable password. You should be able to log in.
Please rate this topic, if it helps.
Thanks
Gilbert
03-13-2007 07:16 PM
Gilbert,
Good news is the SSH issue is resolved.
Bad news is that I'm an idiot.
I had not set a telnet password and didn't realize this.
I used the default username and the default password and sure enough, it let me in.
So I'm all set with SSH, which is a great relief because now I do not have to go on site to configure the 5510. I can sit in my office and play with it and then dial out to an ISP to test the VPN.
So what's next... guru?
03-14-2007 05:49 AM
Vishal,
Good to hear that you got it working.
Now, let's get the VPN client to work.
SSH into your ASA and enable the debugs:
"deb cry isa 128" & "deb cry ipsec 128"
Issue the command "term mon".
Connect with your VPN client and let's see where this is failing.
Run the logs on the client at the same time you are trying to connect.
Attach both - the debugs and the logs - and let me take a look at them.
Cheers
Gilbert
03-14-2007 07:29 AM
This is what the term mon shows, which may explain the whole problem...
The x.x.105.96 IP is the machine that has the VPN client trying to connect to the 5510.
ciscoasa# Mar 14 14:22:50 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:22:55 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:23:00 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
Mar 14 14:23:05 [IKEv1]: IP = x.x.105.96, No crypto map bound to interface... dropping pkt
03-14-2007 07:53 AM
Are you connecting to the interface with the IP "x.x.80.98" - as per your ASA configuration posted previously?
If so, can you please apply this command:
cry map outside_map interface outside
Run the commands again - see if it gets connected. :)
Cheers
Gilbert
03-14-2007 08:09 AM
No dice.
The x.x.80.98 is the outside interface of the 5510. This is a routable IP.
The x.x.105.96 is the IP of the VPN client which is trying to establish a VPN connection with the 5510.
This is what I got from term mon:
ciscoasa# debug cry isa 128
ciscoasa# debug cry ipsec 128
ciscoasa# term mon
ciscoasa# Mar 14 15:01:40 [IKEv1]: IP = x.x.105.96, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 808
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ke payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ISA_KE payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing nonce payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing ID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received xauth V6 VID
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received DPD VID
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, processing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: IP = x.x.105.96, Received Cisco Unity client VID
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, processing IKE SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ISAKMP SA payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ke payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing nonce payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Generating keys for Responder...
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing ID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing hash payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Computing hash for ISAKMP
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing Cisco Unity VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing xauth V6 VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing Fragmentation VID + extended capabilities payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, constructing VID payload
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 14 15:01:40 [IKEv1]: IP = x.x.105.96, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 352
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE AM Responder FSM error history (struct &0x3f6c458)
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, IKE SA AM:b53d7823 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Mar 14 15:01:40 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x.x.105.96, sending delete/delete with reason message
Mar 14 15:01:40 [IKEv1]: Group = DefaultRAGroup, IP = x.x.105.96, Removing peer from peer table failed, no match!
Mar 14 15:01:40 [IKEv1]: Group = DefaultRAGroup, IP = x.x.105.96, Error: Unable to remove PeerTblEntry.
Also, on the VPN client, the reason for failure was "DEL_REASON_IKE_NEG_FAILED".
03-14-2007 08:23 AM
Ok - let's go step by step.
I need the following...
a. The current config on the ASA.
b. If you go to the client, what is the group name you have entered?
03-14-2007 08:33 AM
Group name --> vgoradia
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.80.98 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.4.x 255.255.252.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 172.16.4.0 255.255.252.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.4.220-172.16.4.230 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 x.x.80.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy EAT internal
group-policy EAT attributes
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
username xxx password xxxx
privilege 15
username vgoradia attributes
vpn-group-policy EAT
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
address-pool vpnpool
default-group-policy EAT
tunnel-group EAT ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx
: end
ciscoasa#
03-14-2007 08:50 AM
The group name should be EAT, which is configured in the tunnel-group parameters on your ASA. It should not be "vgoradia" but what is configured on the ASA.
And the password should be the one that you have configured under the tunnel-group parameter for the pre-shared key:
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
address-pool vpnpool
default-group-policy EAT
tunnel-group EAT ipsec-attributes
pre-shared-key *
Let me know how this pans out.
Rate this post, if it helps.
Thanks
Gilbert
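The two failures in this thread (no crypto map bound to the outside interface, then a client group name that is not a configured ipsec-ra tunnel-group) can both be caught by reading the running config before anyone connects. The checker below is an added example, not code from the thread or from Cisco; the embedded config is a constructed, trimmed sample in the style of the one posted above.

```python
import re

# Constructed sample in the style of the ASA 7.2 running-config posted in the thread
# (trimmed; not the poster's full config).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group EAT type ipsec-ra
tunnel-group EAT general-attributes
 address-pool vpnpool
tunnel-group EAT ipsec-attributes
 pre-shared-key *
"""


def parse_asa_config(text):
    """Extract the few facts the IKEv1 remote-access checks need."""
    # Interfaces on which ISAKMP listens, e.g. "crypto isakmp enable outside".
    isakmp_ifaces = set(re.findall(r"^crypto isakmp enable (\S+)", text, re.M))
    # Interfaces that actually have a crypto map bound: "crypto map <name> interface <if>".
    bound = re.findall(r"^crypto map (\S+) interface (\S+)", text, re.M)
    # Tunnel-groups usable by the IPsec remote-access client.
    ra_groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-ra", text, re.M))
    return {"isakmp_ifaces": isakmp_ifaces,
            "bound_ifaces": {iface for _map, iface in bound},
            "ra_groups": ra_groups}


def check_ra_vpn(config_text, client_group):
    """Return a list of findings; an empty list means both checks pass."""
    facts = parse_asa_config(config_text)
    findings = []
    # Check 1: ISAKMP enabled on an interface with no crypto map bound to it.
    # This is the state behind "No crypto map bound to interface... dropping pkt".
    for iface in sorted(facts["isakmp_ifaces"]):
        if iface not in facts["bound_ifaces"]:
            findings.append(f"no crypto map bound to {iface}: IKE packets will be dropped")
    # Check 2: the group name typed into the client must be an ipsec-ra tunnel-group;
    # otherwise the ASA falls back to DefaultRAGroup and aggressive mode fails.
    if client_group not in facts["ra_groups"]:
        findings.append(f"client group '{client_group}' is not an ipsec-ra tunnel-group; "
                        f"configured groups: {sorted(facts['ra_groups'])}")
    return findings
```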