08-01-2012 02:32 AM - edited 03-04-2019 05:08 PM
Hi,
I have an ASA 5510 and have set up remote dial-in users.
I wanted to use the Windows 7 built-in client and also the DrayTek site-to-site VPN options; however, when they connect, VPN traffic will not work, whereas when I use the Cisco VPN client everything works fine.
All the VPNs connect pretty quickly.
In the syslog I am getting errors when I try to ping something:
3 | Aug 01 2012 | 09:19:00 | IKE Initiator unable to find policy: Intf inside, Src: 195.171.223.67, Dst: 192.168.32.17 |
Please help?!
Thanks
Christian
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
names
name 192.168.15.0 Warehouse description Warehouse
name 81.137.231.247 WarehouseExt
name 192.168.16.0 appassure
name 192.168.10.0 Jmedia
name 192.168.34.0 VpnSubnet
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 195.171.223.67 255.255.240.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.32.233 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 50
 ip address 192.168.33.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
access-list outside_cryptomap_1 extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside2_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list inside2_access_out extended permit ip any any
access-list inside2_access_out extended permit ip interface inside2 interface inside
access-list inside2_access_out extended permit tcp any any
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 Warehouse 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 appassure 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 192.168.33.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 Jmedia 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 VpnSubnet 255.255.255.0
access-list DialIn_splitTunnelAcl standard permit 192.168.32.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq imap4
access-list outside_access_in extended permit tcp any interface outside eq 65123
access-list outside_access_in extended permit tcp any interface outside eq 265
access-list outside_access_in extended permit tcp any interface outside eq 3399
access-list outside_access_in extended permit tcp any interface outside eq 50000
access-list outside_access_in extended permit tcp any interface outside eq 4401
access-list outside_access_in extended permit tcp any interface outside eq 8000
access-list outside_access_in extended permit tcp any interface outside eq 5000
access-list outside_access_in extended permit tcp any interface outside eq 11111
access-list outside_access_in extended permit tcp any interface outside eq 11112
access-list outside_access_in extended permit tcp any interface outside eq 35300
access-list outside_access_in extended permit icmp any any
access-list Localp-segment standard permit 192.168.32.0 255.255.255.0
access-list WindowsVPN_splitTunnelAcl standard permit 192.168.32.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.32.0 255.255.255.0 appassure 255.255.255.0
access-list outside_cryptomap_65535.65535 extended permit ip any any
pager lines 24
logging enable
logging trap warnings
logging asdm informational
logging host inside 192.168.32.1
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu management 1500
ip local pool VPNpool 192.168.33.50-192.168.33.100 mask 255.255.255.0
ip local pool VPNpool2 192.168.34.1-192.168.34.100 mask 255.255.255.0
ip local pool testVPN 192.168.32.15-192.168.32.17 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0 norandomseq
static (inside,outside) tcp interface 3389 192.168.32.181 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.32.15 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.32.1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.32.1 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 65123 192.168.32.137 65123 netmask 255.255.255.255
static (inside,outside) tcp interface 265 192.168.32.126 www netmask 255.255.255.255
static (inside,outside) tcp interface 3399 192.168.32.64 3399 netmask 255.255.255.255
static (inside,outside) tcp interface 50000 192.168.32.100 50000 netmask 255.255.255.255
static (inside,outside) tcp interface 4401 192.168.32.137 4401 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.32.1 https netmask 255.255.255.255
static (inside,outside) tcp interface 8000 192.168.32.222 8000 netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.32.100 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 11111 192.168.32.210 www netmask 255.255.255.255
static (inside,outside) tcp interface 11112 192.168.32.210 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 35300 192.168.32.235 35300 netmask 255.255.255.255
static (inside,inside2) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group inside2_access_in in interface inside2
access-group inside2_access_out out interface inside2
route outside 0.0.0.0 0.0.0.0 195.171.223.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
 reactivation-mode depletion deadtime 1200
 max-failed-attempts 5
aaa-server NPS (inside) host 192.168.32.1
 key *****
 radius-common-pw *****
http server enable
http 192.168.32.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TransAES esp-aes esp-sha-hmac
crypto ipsec transform-set TransAES mode transport
crypto ipsec transform-set TransAES2 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TransAES2 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TransAES2 TransAES TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set connection-type answer-only
crypto map outside_map 2 set peer 81.133.25.38
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable inside2
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 170
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
group-delimiter @
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.33.100-192.168.33.200 inside2
dhcpd dns 192.168.32.1 192.168.32.2 interface inside2
dhcpd option 3 ip 192.168.33.1 interface inside2
dhcpd enable inside2
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Localp-segment
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DialIn internal
group-policy DialIn attributes
 dns-server value 192.168.32.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DialIn_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool testVPN
 authentication-server-group NPS
 authentication-server-group (outside) NPS
 authentication-server-group (inside) NPS
 authorization-server-group LOCAL
 default-group-policy DefaultRAGroup
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 81.133.25.38 type ipsec-l2l
tunnel-group 81.133.25.38 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 81.133.25.38 ipsec-attributes
 pre-shared-key *****
tunnel-group DialIn type remote-access
tunnel-group DialIn general-attributes
 address-pool VPNpool
 authentication-server-group NPS
 authentication-server-group (inside) NPS
 default-group-policy DialIn
 strip-group
tunnel-group DialIn ipsec-attributes
 pre-shared-key *****
tunnel-group DialIn ppp-attributes
 authentication pap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a908c4ffc425bb4671c045dbcad01028
: end
asdm location Warehouse 255.255.255.0 inside
asdm location WarehouseExt 255.255.255.255 inside
asdm location appassure 255.255.255.0 inside
asdm location Jmedia 255.255.255.0 inside
asdm location VpnSubnet 255.255.255.0 inside
no asdm history enable
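Added example, not part of the original post: a small Python script that reads the crypto-map statements from the configuration above and reports which crypto map entry a given flow falls into. It relies on two ASA behaviours: entries are evaluated in ascending sequence-number order and the first ACL match wins, and neither a dynamic entry nor an entry with connection-type answer-only will ever initiate IKE; the ASA only responds on those. The embedded config is a constructed subset of the posted configuration (lines copied verbatim); the first flow, 195.171.223.67 to 192.168.32.17, is taken from the "IKE Initiator unable to find policy" syslog line, and the second flow, 192.168.32.10 to 192.168.16.5, is a made-up LAN-to-appassure host pair.

```python
import ipaddress

# Constructed excerpt: crypto-map related lines copied verbatim from the
# ASA 8.2(5) configuration posted above.
ASA_CONFIG = """
name 192.168.16.0 appassure
name 192.168.34.0 VpnSubnet
access-list outside_cryptomap extended permit ip 192.168.32.0 255.255.255.0 appassure 255.255.255.0
access-list outside_cryptomap_65535.65535 extended permit ip any any
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set connection-type answer-only
crypto map outside_map 2 set peer 81.133.25.38
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""


def _take_addr(tokens, names):
    """Consume one ACL address spec ('any', 'host X' or 'X MASK') from the
    front of tokens and return it as an ip_network, resolving 'name' objects."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, entries). acls: ACL name -> [(src_net, dst_net)] for
    'permit ip' lines. entries: the crypto map as a seq-sorted list of dicts."""
    names, acls, dyn_acls, entries = {}, {}, {}, {}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":                                # name <ip> <symbol>
            names[w[2]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            rest = w[5:]                                  # source spec, then destination spec
            acls.setdefault(w[1], []).append((_take_addr(rest, names), _take_addr(rest, names)))
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["match", "address"]:
            dyn_acls[w[2]] = w[6]                         # dynamic-map name -> its ACL
        elif w[:2] == ["crypto", "map"] and w[3] != "interface":
            seq = int(w[3])
            e = entries.setdefault(seq, {"seq": seq, "kind": "static", "acl": None,
                                         "peer": None, "answer_only": False})
            if w[4:6] == ["match", "address"]:
                e["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                e["peer"] = w[6]
            elif w[4:7] == ["set", "connection-type", "answer-only"]:
                e["answer_only"] = True
            elif w[4:6] == ["ipsec-isakmp", "dynamic"]:
                e["kind"], e["acl"] = "dynamic", dyn_acls[w[6]]
    return acls, [entries[s] for s in sorted(entries)]


def match_crypto_map(acls, entries, src_ip, dst_ip):
    """Emulate the crypto-map lookup for one flow: the lowest-sequence entry
    whose ACL permits src -> dst wins. 'can_initiate' is False for a dynamic
    entry and for an answer-only entry; the ASA only responds on those."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        for src_net, dst_net in acls.get(e["acl"], []):
            if src in src_net and dst in dst_net:
                return {"seq": e["seq"], "kind": e["kind"], "peer": e["peer"],
                        "can_initiate": e["kind"] == "static" and not e["answer_only"]}
    return None


if __name__ == "__main__":
    acls, entries = parse_config(ASA_CONFIG)
    # Flow taken from the "IKE Initiator unable to find policy" syslog line above.
    print(match_crypto_map(acls, entries, "195.171.223.67", "192.168.32.17"))
    # Constructed LAN host to appassure host, the pair static entry 2 was written for.
    print(match_crypto_map(acls, entries, "192.168.32.10", "192.168.16.5"))
```

The logged flow only lands in the catch-all dynamic entry, from which the ASA can answer a peer but never start a negotiation itself; the only static entry, sequence 2, is pinned to peer 81.133.25.38 and is answer-only as well. The script covers just "permit ip" ACL lines and the crypto map statements shown; extend `parse_config` if you want to run it over the full configuration.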
08-01-2012 06:26 AM
We are also getting these errors:
4 | Aug 01 2012 | 13:26:24 | 94.193.84.53 | 195.171.223.67 | IPSEC: Received an ESP packet (SPI= 0x4632E59E, sequence number= 0x4D) from 94.193.84.53 (user= jm3diasupp0rt) to 195.171.223.67. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 255.255.255.255, its source as 192.168.10.9, and its protocol as udp. The SA specifies its local proxy as 195.171.223.67/255.255.255.255/udp/42246 and its remote_proxy as 94.193.84.53/255.255.255.255/udp/42246. |
08-01-2012 07:00 AM
It looks to me like the VPN traffic is getting encrypted and therefore doesn't work, but I have no idea how to fix it. I have played about with the ACLs.
Also, if I run a debug from the command line I get the error "no crypto map matched".
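Added example, not part of the thread: this Python snippet parses the IPSEC policy-mismatch message quoted above (Cisco syslog message 402116) and re-applies the selector test it describes. For an inbound decapsulated packet the SA's remote proxy must cover the inner source and its local proxy the inner destination, with the protocol agreeing; the message carries no inner ports, so none are compared. The SA in the message is a host-to-host selector between 94.193.84.53 and 195.171.223.67 on udp/42246, so a LAN broadcast sourced from 192.168.10.9 can never fit it. The second inner packet checked below is constructed (the peer-to-peer UDP flow itself) to show the passing case.

```python
import ipaddress
import re

# Syslog line quoted in the post above, copied verbatim.
SAMPLE_LINE = ("4 | Aug 01 2012 | 13:26:24 | 94.193.84.53 | 195.171.223.67 | IPSEC: Received an ESP packet "
               "(SPI= 0x4632E59E, sequence number= 0x4D) from 94.193.84.53 (user= jm3diasupp0rt) to 195.171.223.67. "
               "The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its "
               "destination as 255.255.255.255, its source as 192.168.10.9, and its protocol as udp. The SA specifies "
               "its local proxy as 195.171.223.67/255.255.255.255/udp/42246 and its remote_proxy as "
               "94.193.84.53/255.255.255.255/udp/42246. |")

# Fields of the 402116 message text: peer, user, local address, inner selectors, SA proxies.
MSG_RE = re.compile(
    r"from (?P<peer>[\d.]+) \(user= (?P<user>[^)]*)\) to (?P<local>[\d.]+)\. .*?"
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), and its protocol as (?P<proto>\w+)\. "
    r"The SA specifies its local proxy as (?P<lproxy>\S+) and its remote_proxy as (?P<rproxy>\S+)\."
)


def parse_proxy(spec):
    """'addr/mask/proto/port' as printed in the message -> dict with an ip_network."""
    addr, mask, proto, port = spec.split("/")
    return {"net": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
            "proto": proto, "port": int(port)}


def parse_402116(line):
    """Pull peer, user, inner-packet selectors and SA proxies out of one message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"peer": d["peer"], "user": d["user"], "local": d["local"],
            "inner": {"src": d["src"], "dst": d["dst"], "proto": d["proto"]},
            "local_proxy": parse_proxy(d["lproxy"]),
            "remote_proxy": parse_proxy(d["rproxy"])}


def check_inbound(inner, local_proxy, remote_proxy):
    """Selector test for a decapsulated inbound packet: the remote proxy must
    cover the inner source, the local proxy the inner destination, and the
    protocol must agree. The message carries no inner ports, so none are compared."""
    src_ok = ipaddress.ip_address(inner["src"]) in remote_proxy["net"]
    dst_ok = ipaddress.ip_address(inner["dst"]) in local_proxy["net"]
    proto_ok = inner["proto"] == local_proxy["proto"] == remote_proxy["proto"]
    return {"src_ok": src_ok, "dst_ok": dst_ok, "proto_ok": proto_ok,
            "verdict": "forward" if src_ok and dst_ok and proto_ok else "drop"}


if __name__ == "__main__":
    parsed = parse_402116(SAMPLE_LINE)
    print(parsed["user"], parsed["peer"], "->", parsed["local"])
    print(check_inbound(parsed["inner"], parsed["local_proxy"], parsed["remote_proxy"]))
    # Constructed inner packet: the peer-to-peer UDP flow the SA proxies actually describe.
    host_to_host = {"src": "94.193.84.53", "dst": "195.171.223.67", "proto": "udp"}
    print(check_inbound(host_to_host, parsed["local_proxy"], parsed["remote_proxy"]))
```

Run over a syslog export, `parse_402116` plus `check_inbound` tells you per message which of the three selectors failed, which is the quickest way to see whether a peer is pushing LAN traffic into an SA that was only ever negotiated for host-to-host traffic.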