Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2120
Views
0
Helpful
2
Replies

VPN traffic will not route for windows vpn client

squidwardseabob93
Level 1
Level 1

‎08-01-2012 02:32 AM - edited ‎03-04-2019 05:08 PM

Hi,

I have an ASa 5510 and setup remote dial in users.

I wanted to use the windows 7 built in client and also the draytek site to site VPN options however when they connect VPN traffic will not work however when i use the cisco VPN client then everything works fine.

All the VPN's connect pretty quickly

In the syslog I a getting errors when i try and ping something:

3Aug 01 201209:19:00IKE Initiator unable to find policy: Intf inside, Src: 195.171.223.67, Dst: 192.168.32.17

Please help?!

Thanks

Christian

: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa

 
names
name 192.168.15.0 Warehouse description Warehouse
name 81.137.231.247 WarehouseExt
name 192.168.16.0 appassure
name 192.168.10.0 Jmedia
name 192.168.34.0 VpnSubnet
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 195.171.223.67 255.255.240.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.32.233 255.255.255.0 
!
interface Ethernet0/2
 nameif inside2
 security-level 50
 ip address 192.168.33.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
access-list outside_cryptomap_1 extended permit ip any any 
access-list inside_access_in extended permit ip any any 
access-list inside2_access_in extended permit ip any any 
access-list inside_access_out extended permit ip any any 
access-list inside2_access_out extended permit ip any any 
access-list inside2_access_out extended permit ip interface inside2 interface inside 
access-list inside2_access_out extended permit tcp any any 
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 Warehouse 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 appassure 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 192.168.33.0 255.255.255.128 
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 Jmedia 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 VpnSubnet 255.255.255.0 
access-list DialIn_splitTunnelAcl standard permit 192.168.32.0 255.255.255.0 
access-list outside_access_in extended permit tcp any interface outside object-group RDP 
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 8080 
access-list outside_access_in extended permit tcp any interface outside eq imap4 
access-list outside_access_in extended permit tcp any interface outside eq 65123 
access-list outside_access_in extended permit tcp any interface outside eq 265 
access-list outside_access_in extended permit tcp any interface outside eq 3399 
access-list outside_access_in extended permit tcp any interface outside eq 50000 
access-list outside_access_in extended permit tcp any interface outside eq 4401 
access-list outside_access_in extended permit tcp any interface outside eq 8000 
access-list outside_access_in extended permit tcp any interface outside eq 5000 
access-list outside_access_in extended permit tcp any interface outside eq 11111 
access-list outside_access_in extended permit tcp any interface outside eq 11112 
access-list outside_access_in extended permit tcp any interface outside eq 35300 
access-list outside_access_in extended permit icmp any any 
access-list Localp-segment standard permit 192.168.32.0 255.255.255.0 
access-list WindowsVPN_splitTunnelAcl standard permit 192.168.32.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.32.0 255.255.255.0 appassure 255.255.255.0 
access-list outside_cryptomap_65535.65535 extended permit ip any any 
pager lines 24
logging enable
logging trap warnings
logging asdm informational
logging host inside 192.168.32.1
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu management 1500
ip local pool VPNpool 192.168.33.50-192.168.33.100 mask 255.255.255.0
ip local pool VPNpool2 192.168.34.1-192.168.34.100 mask 255.255.255.0
ip local pool testVPN 192.168.32.15-192.168.32.17 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0 norandomseq
static (inside,outside) tcp interface 3389 192.168.32.181 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.32.15 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface smtp 192.168.32.1 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 8080 192.168.32.1 8080 netmask 255.255.255.255 
static (inside,outside) tcp interface 65123 192.168.32.137 65123 netmask 255.255.255.255 
static (inside,outside) tcp interface 265 192.168.32.126 www netmask 255.255.255.255 
static (inside,outside) tcp interface 3399 192.168.32.64 3399 netmask 255.255.255.255 
static (inside,outside) tcp interface 50000 192.168.32.100 50000 netmask 255.255.255.255 
static (inside,outside) tcp interface 4401 192.168.32.137 4401 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.32.1 https netmask 255.255.255.255 
static (inside,outside) tcp interface 8000 192.168.32.222 8000 netmask 255.255.255.255 
static (inside,outside) tcp interface 5000 192.168.32.100 5000 netmask 255.255.255.255 
static (inside,outside) tcp interface 11111 192.168.32.210 www netmask 255.255.255.255 
static (inside,outside) tcp interface 11112 192.168.32.210 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 35300 192.168.32.235 35300 netmask 255.255.255.255 
static (inside,inside2) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group inside2_access_in in interface inside2
access-group inside2_access_out out interface inside2
route outside 0.0.0.0 0.0.0.0 195.171.223.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
 reactivation-mode depletion deadtime 1200
 max-failed-attempts 5
aaa-server NPS (inside) host 192.168.32.1
 key *****
 radius-common-pw *****
http server enable
http 192.168.32.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TransAES esp-aes esp-sha-hmac 
crypto ipsec transform-set TransAES mode transport
crypto ipsec transform-set TransAES2 esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set TransAES2 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TransAES2 TransAES TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set connection-type answer-only
crypto map outside_map 2 set peer 81.133.25.38 
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable inside2
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 170
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
group-delimiter @
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.33.100-192.168.33.200 inside2
dhcpd dns 192.168.32.1 192.168.32.2 interface inside2
dhcpd option 3 ip 192.168.33.1 interface inside2
dhcpd enable inside2
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Localp-segment
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy DialIn internal
group-policy DialIn attributes
 dns-server value 192.168.32.1
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DialIn_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool testVPN
 authentication-server-group NPS
 authentication-server-group (outside) NPS
 authentication-server-group (inside) NPS
 authorization-server-group LOCAL
 default-group-policy DefaultRAGroup
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 81.133.25.38 type ipsec-l2l
tunnel-group 81.133.25.38 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 81.133.25.38 ipsec-attributes
 pre-shared-key *****
tunnel-group DialIn type remote-access
tunnel-group DialIn general-attributes
 address-pool VPNpool
 authentication-server-group NPS
 authentication-server-group (inside) NPS
 default-group-policy DialIn
 strip-group
tunnel-group DialIn ipsec-attributes
 pre-shared-key *****
tunnel-group DialIn ppp-attributes
 authentication pap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:a908c4ffc425bb4671c045dbcad01028
: end
asdm location Warehouse 255.255.255.0 inside
asdm location WarehouseExt 255.255.255.255 inside
asdm location appassure 255.255.255.0 inside
asdm location Jmedia 255.255.255.0 inside
asdm location VpnSubnet 255.255.255.0 inside
no asdm history enable
Labels:
0 Helpful
2 Replies 2

squidwardseabob93
Level 1
Level 1

‎08-01-2012 06:26 AM

We are also getting these errors:

4Aug 01 201213:26:2494.193.84.53195.171.223.67IPSEC: Received an ESP packet (SPI= 0x4632E59E, sequence number= 0x4D) from 94.193.84.53 (user= jm3diasupp0rt) to 195.171.223.67. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 255.255.255.255, its source as 192.168.10.9, and its protocol as udp. The SA specifies its local proxy as 195.171.223.67/255.255.255.255/udp/42246 and its remote_proxy as 94.193.84.53/255.255.255.255/udp/42246.
0 Helpful

squidwardseabob93
Level 1
Level 1
In response to squidwardseabob93

‎08-01-2012 07:00 AM

It looks like the VPN traffic is getting encrypted therefore doesnt work to me but i have no idea how to fix it. I have played about with the ACL's.

     

Also if i run a debug from the command line i get the error no crypto map matched

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card