07-01-2008 01:14 AM - edited 02-21-2020 03:47 PM
Hi All
I have an ASA 5520 and want to enable IPsec VPN and access it through the Cisco VPN Client.
I have done NAT on the router which is connected to the outside interface of the ASA: a static NAT on the router from the private IP address of the ASA's outside interface to the public IP. I am able to ping that public IP from the Internet and am also able to access the firewall through ASDM using that public IP.
I have done the configuration using the VPN wizard but somehow I am not able to connect through the VPN client. Please guide me if I have missed something.
Configuration of ASA is attached.
Regards
bsn
07-01-2008 01:57 AM
no access-list LAN extended permit ip 10.0.0.0 255.0.0.0 any
no access-group LAN in interface LAN
no access-list WAN extended permit ip any 10.0.0.0 255.0.0.0
no access-group WAN in interface WAN
ip local pool VPN-Pool 10.0.5.1-10.0.5.255 mask 255.255.255.0
access-list LAN_nat0_outbound extended permit ip any 10.0.5.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound
no access-list cisco_splitTunnelAcl standard permit any
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
route WAN 10.0.5.0 255.255.255.0 10.0.0.25 1
route WAN 0.0.0.0 0.0.0.0 10.0.0.25 1
route LAN 10.0.0.0 255.0.0.0 10.0.0.1 1
sysopt connection permit-vpn
07-01-2008 02:29 AM
If I remove access-lists LAN and WAN, then I will lose my connectivity to the Internet from the inside network.
Rest I have configured but no luck.
Regards
bsn
07-01-2008 02:43 AM
Could you explain how you checked the VPN?
07-01-2008 02:53 AM
I have Cisco VPN Client software version 4.0.01 installed on one of my machines in the remote office.
I tried to access the public IP (NATed to the ASA outside private IP) with the following settings:
group user: cisco
password: cisco
Transport: IPsec over UDP (I have tried IPsec over TCP 10000 as well)
Thats all
Regards
BSN
07-01-2008 03:01 AM
OK... then add the following:
crypto isakmp ipsec-over-tcp port 10000
group-policy cisco attributes
ipsec-udp enable
07-01-2008 03:34 AM
I have added this:
crypto isakmp ipsec-over-tcp port 10000
and the rest was already there in the configuration.
Still not able to connect. Can you suggest some debugs.
Regards/bsn
07-01-2008 03:48 AM
debug crypto isakmp 10
debug crypto ipsec 10
conf t
logg mon 7
07-01-2008 04:05 AM
07-01-2008 04:47 AM
tunnel-group cisco general-attributes
authentication-server-group LOCAL
07-01-2008 07:42 PM
I tried, but the command does not take effect.
========================================
ASA(config)# tunnel-group cisco general-attributes
ASA(config-tunnel-general)# authentication-server-group LOCAL
ASA(config-tunnel-general)# exi
ASA(config)# sh run | be tunnel-group cisco general-attributes
tunnel-group cisco general-attributes
address-pool VPN-Pool
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
==========================================
regards/bsn
07-01-2008 11:20 PM
could you show the running configuration?
07-02-2008 01:16 AM
Show run is attached.
The recent change I have made is MD5. Earlier it was SHA:
=================
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5 >>>>>>>>>>>>> It was sha earlier.
group 2
lifetime 86400
===================
07-02-2008 01:24 AM
In the debug I am getting the error messages below:
Jul 02 14:26:12 [IKEv1]: Group = cisco, IP =
Jul 02 14:26:12 [IKEv1]: Group = cisco, IP =
Complete debug output is attached.
rgds/bsn
07-02-2008 01:54 AM
try to do this
conf t
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
no crypto map WAN_map interface WAN
crypto map WAN_map interface WAN <- just to be sure that all the changes were applied
and show
debug crypto isa 10
debug crypto ipsec 10
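A consolidated baseline for what this thread is configuring, added here as an editor's example; it is not taken from the original poster's attached configuration. It reuses the names that appear in the thread (interfaces LAN and WAN, pool VPN-Pool, tunnel-group and group-policy cisco, the nat0 and split-tunnel ACL names) and assumes ASA 7.2/8.0 syntax, a 3DES/SHA cipher suite and a local user `vpnuser`; the secrets are placeholders. Two points the thread turns on are marked in comments: the dynamic crypto map carries no `set pfs`, because the Cisco VPN Client 4.x does not propose PFS unless the group-policy pushes it, so a map that requires PFS fails Phase 2; and `authentication-server-group LOCAL` is the default, which is why it does not show up in `show run` (use `show run all` to see defaults). Because the ASA's WAN interface sits behind a router doing static NAT, that router must also pass UDP/500 and UDP/4500 (NAT-T), plus UDP/10000 or TCP/10000 depending on the transport chosen in the client.

```cisco
! Phase 1: must match what the Cisco VPN Client proposes (pre-shared key, DH group 2)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable WAN
! The ASA is behind a NAT router: NAT-T moves ESP into UDP/4500
crypto isakmp nat-traversal 20
! Only needed if the client is set to "IPsec over TCP"
crypto isakmp ipsec-over-tcp port 10000
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map for road-warrior clients.
! Deliberately NO "set pfs" here: the 4.x client does not propose PFS on its own,
! and a map that requires it rejects the client's quick-mode proposal.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
!
! Address pool handed to clients (assumed: .1-.254, leaving the broadcast address out)
ip local pool VPN-Pool 10.0.5.1-10.0.5.254 mask 255.255.255.0
!
! NAT exemption: LAN <-> VPN-pool traffic must not be translated,
! otherwise return traffic to the clients is NATed and never enters the tunnel
access-list LAN_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.5.0 255.255.255.0
nat (LAN) 0 access-list LAN_nat0_outbound
!
! Split tunnel: only the corporate 10/8 goes through the tunnel
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
!
group-policy cisco internal
group-policy cisco attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 ! "IPsec over UDP" transport in the client (default port 10000)
 ipsec-udp enable
 ipsec-udp-port 10000
!
! XAUTH user the client logs in with (placeholder password)
username vpnuser password CHANGE-ME-USER-PASSWORD
!
! ASA 7.x/8.0 syntax; 8.2 and later use "type remote-access"
tunnel-group cisco type ipsec-ra
tunnel-group cisco general-attributes
 address-pool VPN-Pool
 default-group-policy cisco
 ! Default value: accepted, but hidden from "show run"; visible in "show run all"
 authentication-server-group LOCAL
tunnel-group cisco ipsec-attributes
 ! Group password entered in the client's "Group Authentication" tab (placeholder)
 pre-shared-key CHANGE-ME-GROUP-PASSWORD
!
! Let decrypted VPN traffic bypass the WAN interface ACL
sysopt connection permit-vpn
```

After pasting, re-apply the crypto map as the accepted answer does (`no crypto map WAN_map interface WAN` followed by `crypto map WAN_map interface WAN`) so the dynamic-map change takes effect, then watch `debug crypto isakmp 10` for Phase 1 completing and `debug crypto ipsec 10` for the Phase 2 proposal being accepted; a Phase 2 failure immediately after a successful Phase 1 is the signature of a PFS or transform-set mismatch rather than of the pre-shared key.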