IPSEC VPN help !!!

bsn1980in
Level 1

Hi All

I have an ASA 5520 and want to enable IPsec VPN and access it through the Cisco VPN Client.

I have configured NAT on the router that is connected to the outside interface of the ASA: a static NAT, on the router, of the private IP address of the ASA's outside interface to the public IP. I am able to ping that public IP from the internet and am also able to access the firewall through ASDM using that public IP.

I have done the configuration using the VPN wizard, but somehow I am not able to connect through the VPN client. Please guide me if I have missed something.

Configuration of ASA is attached.

Regards

bsn

15 Replies

a.alekseev
Level 7

! Remove the permit-any ACLs from both interfaces
no access-list LAN extended permit ip 10.0.0.0 255.0.0.0 any
no access-group LAN in interface LAN
no access-list WAN extended permit ip any 10.0.0.0 255.0.0.0
no access-group WAN in interface WAN

! Address pool handed out to VPN clients
ip local pool VPN-Pool 10.0.5.1-10.0.5.255 mask 255.255.255.0

! NAT exemption for inside traffic going to the VPN pool
access-list LAN_nat0_outbound extended permit ip any 10.0.5.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound

! Split tunnel only 10.0.0.0/8 instead of everything
no access-list cisco_splitTunnelAcl standard permit any
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

! Routes
route WAN 10.0.5.0 255.255.255.0 10.0.0.25 1
route WAN 0.0.0.0 0.0.0.0 10.0.0.25 1
route LAN 10.0.0.0 255.0.0.0 10.0.0.1 1

! Let decrypted VPN traffic bypass the interface ACLs
sysopt connection permit-vpn

If I remove access-lists LAN and WAN, then I will lose my connectivity to the internet from the inside network.

The rest I have configured, but no luck.

Regards

bsn

Could you explain how you checked the VPN?

I have the Cisco VPN Client software, version 4.0.01, installed on one of my machines in the remote office.

I tried to access the public IP (NATted to the ASA outside private IP) with the following settings:

group user: cisco

password: cisco

Transport: IPsec over UDP (I have tried IPsec over TCP 10000 as well)

That's all.

Regards

BSN

OK... then add the following:

! Enable IPsec over TCP on port 10000 globally
crypto isakmp ipsec-over-tcp port 10000

! Enable IPsec over UDP for this group
group-policy cisco attributes
 ipsec-udp enable

I have added this:

crypto isakmp ipsec-over-tcp port 10000

and the rest was already there in the configuration.

Still not able to connect. Can you suggest some debugs?

Regards/bsn

debug crypto isakmp 10
debug crypto ipsec 10

conf t
! send level-7 (debugging) messages to the terminal session
logging monitor 7

The debug is attached. I have replaced the source public IP. In the debug output, I can see there are no hits on group policy cisco; it is hitting the default policy. Please suggest.

Regards/bsn

tunnel-group cisco general-attributes

authentication-server-group LOCAL

I tried, but the command is not executing.

========================================

ASA(config)# tunnel-group cisco general-attributes

ASA(config-tunnel-general)# authentication-server-group LOCAL

ASA(config-tunnel-general)# exi

ASA(config)# sh run | be tunnel-group cisco general-attributes

tunnel-group cisco general-attributes

address-pool VPN-Pool

default-group-policy cisco

tunnel-group cisco ipsec-attributes

pre-shared-key *

==========================================

regards/bsn

Could you show the running configuration?

The show run output is attached.

A recent change I made is MD5; earlier it was SHA:

=================

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5 <- it was sha earlier

group 2

lifetime 86400

===================

In the debug I am getting the error messages below:

Jul 02 14:26:12 [IKEv1]: Group = cisco, IP = , Duplicate Phase 1 packet detected. Retransmitting last packet.

Jul 02 14:26:12 [IKEv1]: Group = cisco, IP = , P1 Retransmit msg dispatched to AM FSM

The complete debug output is attached.

rgds/bsn

Try to do this:

conf t

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

no crypto map WAN_map interface WAN

crypto map WAN_map interface WAN <- just to be sure that all the changes were applied

and show:

debug crypto isa 10

debug crypto ipsec 10
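Pulling the pieces from the replies above together, here is a complete ASA-side configuration for this scenario: an IKEv1 remote-access VPN for the Cisco VPN Client on an ASA whose outside interface sits behind a router doing static 1:1 NAT. This is an added example, not a configuration posted in the thread. The interface names WAN and LAN, the 10.0.0.0/8 inside network, the 10.0.5.0/24 pool and the names cisco, WAN_map and SYSTEM_DEFAULT_CRYPTO_MAP are taken from the thread; the ciphers (AES/3DES with SHA instead of the DES/MD5 in the poster's policy), the ASA 8.0-style `tunnel-group ... type remote-access` syntax, the username and the pre-shared key are this example's own assumptions. The dynamic map deliberately has no `set pfs`, matching the accepted reply: a dynamic map that mandates PFS cannot complete Phase 2 against a VPN Client whose PFS setting is off.

```cisco
! Added example: IKEv1 remote-access VPN for the Cisco VPN Client behind a NAT router.
! Names WAN, LAN, cisco, WAN_map, SYSTEM_DEFAULT_CRYPTO_MAP, VPN-Pool come from the thread;
! ciphers, the pre-shared key and the username are placeholders chosen for this example.

! --- Phase 1 (ISAKMP) on the interface the clients reach ---
crypto isakmp enable WAN
! NAT-T (UDP/4500) so IKE and ESP survive the router's NAT; the client detects the NAT itself.
crypto isakmp nat-traversal 20
! Fallback for clients set to "IPsec over TCP" on port 10000.
crypto isakmp ipsec-over-tcp port 10000

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! --- Phase 2 (IPsec) ---
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic map for remote-access peers. No "set pfs": the accepted reply removes it,
! because a map that requires PFS fails Phase 2 against a client that does not propose it.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN

! --- Client addressing and NAT exemption ---
ip local pool VPN-Pool 10.0.5.1-10.0.5.254 mask 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.5.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound

! Split tunnel: only the inside network goes through the tunnel.
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

group-policy cisco internal
group-policy cisco attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 ipsec-udp enable

! --- Group and user authentication ---
! The client's "Group Authentication" name and password are the tunnel-group name
! and its pre-shared key; the XAUTH user/password is a separate local account.
username vpnuser password ChangeMe123 privilege 0
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool VPN-Pool
 ! LOCAL is the default and is therefore not displayed by "show run".
 authentication-server-group LOCAL
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key cisco

! Let decrypted VPN traffic bypass the interface ACLs.
sysopt connection permit-vpn
```

Two checks worth doing with this in place. First, the router in front of the ASA must pass UDP/500, UDP/4500 (NAT-T), ESP and TCP/10000 to the ASA's outside address; a static 1:1 NAT as described in the original post does this, but a port-overloading NAT (PAT) drops ESP, and then NAT-T or IPsec over TCP is the only thing that will work. Second, after changing anything under `crypto isakmp` or the dynamic map, re-run `debug crypto isakmp 10` and confirm the client's first packet now lands on `Group = cisco` rather than the default group, and that Phase 1 completes before looking at Phase 2 proposals.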