Please assist, RA [VPN] failing

droberts1124
Level 1

I'm trying to create a RA VPN. The thing is, the network is not "normal" in terms of topology. We have (coming from the internet) a T1 going straight to a Cisco 1720, which then goes to an ASA 5510 which hosts the VPN configuration. I can't get connected when I use the Cisco VPN client, and I think it's because of these two routers and their odd arrangement. I have been told that there is no way to drop the 1720 from the equation (it's the only CSU/DSU). If I can put the CSU/DSU expansion card in the 5510, then I MIGHT be able to remove it if I have to in order for this to work. 

Here is the error from the client:

Initializing the connection...
Contacting the security gateway at 65.114.65.30...
Contacting the security gateway at 65.114.109.33... (backup)
Contacting the security gateway at 65.114.109.34... (backup)
Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN connection.

-or-  (depending on which IP I try to connect to)

Contacting the security gateway at 208.44.133.177...
Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.

I can access the 1720 from the internet via HyperTerminal and make changes. To make any changes to the 5510, I need to use Remote Desktop and use the ASDM from an internal network server. I believe that the VPN configuration itself is complete and correct. I think it's the 1720 that's the problem. Here is the config:

Building configuration...

Current configuration : 867 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CSCORTR
!
boot system flash c1700-y-mz.121-19.bin
boot system flash c1700-y-mz.121-1.bin
[pwd omitted]

!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
ip address 65.114.65.30 255.255.255.252
service-module t1 timeslots 1-24
!
interface FastEthernet0
ip address 208.44.133.177 255.255.255.248 secondary
ip address 65.114.109.33 255.255.255.224
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 65.114.109.0 255.255.255.0 65.114.109.34
no ip http server
!
!
[omitted pwd info]

!
no scheduler allocate
end

I greatly appreciate any help I can get. This is turning into a real nightmare for me...

22 Replies

Jennifer Halim
Cisco Employee

From the VPN Client logs, it seems that you are trying to VPN to the router instead of the ASA firewall, because the IP addresses that the VPN client is trying to connect to are all the router's IP addresses: 65.114.65.30, 65.114.109.33, 65.114.109.34.

Can you please advise what is the ASA external ip address that terminates the VPN tunnel? The vpn client needs to be configured with that ip address instead.

Please also share the ASA configuration if it still doesn't work after changing the vpn client to connect to the ASA external ip address.

The IP structure looks like this:

[INTERNET] --> [65.114.65.30/30 ~ 1720 router ~ 65.114.109.33/27] --> [65.114.109.34/27 ~ ASA 5510] --> [Microsoft ISA server] --> [Internal network]

The ASA is the VPN device, configured correctly I think. I have tried using all the IPs after the edge IP (in order, as backup servers) for the client connection. However, even with the host specified as 65.114.109.34, there is still no connectivity. The 1720 has only 2 interfaces (serial0 and Fa0) and I believe the configuration of this router is intended for it to just simply pass things to the ASA (pretty much do nothing). The only reason we still even use it is because the 5510 doesn't have any CSU/DSU cards (at least that I can find) to connect our T1s. I wonder if the expansion CSU/DSU module out of the 1720 could be transplanted into the 5510, because then the ASA could be the internet edge router and I can retire that 1720...

Here is the config of the ASA via the ASDM:

asdm image disk0:/asdm-507.bin
asdm location 10.1.11.0 255.255.255.0 Inside
asdm location 10.1.9.57 255.255.255.255 PublicServers
asdm location 10.1.9.58 255.255.255.255 PublicServers
asdm location 10.1.9.53 255.255.255.255 PublicServers
asdm location 10.1.9.56 255.255.255.255 PublicServers
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname InfoASA
domain-name Info.invalid
enable password [omitted] encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 65.114.109.34 255.255.255.224
!
interface Ethernet0/1
 nameif PublicServers
 security-level 20
 ip address 10.1.9.1 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 90
 ip address 10.1.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd .X/yQ4L.WTBO0KZ7 encrypted
ftp mode passive
object-group service WebFTP tcp
 description HTTP HTTPS FTP SFTP
 port-object eq www
 port-object eq ssh
 port-object eq ftp
 port-object eq https
 port-object range 49898 49918
access-list Outside_access_in extended permit tcp any host 65.114.109.60 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq smtp
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq pop3
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 7777
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8181
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8888
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 9999
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq https
access-list Outside_access_in extended permit tcp any host 65.114.109.46 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.47 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.53 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.55 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.44 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.44 eq 9888
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ftp
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ssh
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq 49898
access-list Outside_access_in extended permit tcp any host 65.114.109.49 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.54 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ftp
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ssh
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq 49898
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq https
access-list Outside_access_in extended permit tcp any host 65.114.109.57 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.58 object-group WebFTP
access-list management_nat0_outbound extended permit ip any 10.1.11.0 255.255.255.0
access-list VPNGroup1_splitTunnelAcl standard permit any
access-list PublicServers_access_in extended permit ip 10.1.9.0 255.255.255.0 any
access-list remote2info_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu PublicServers 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 10.1.11.100-10.1.11.200 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 65.114.109.48
nat (PublicServers) 10 10.1.9.13 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.100 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.101 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.102 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.103 255.255.255.255 dns
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 65.114.109.60 10.1.10.60 netmask 255.255.255.255 dns
static (Inside,PublicServers) 65.114.109.60 10.1.10.60 netmask 255.255.255.255
static (Outside,Inside) 10.1.10.60 65.114.109.60 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.45 65.114.109.45 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.45 10.1.9.45 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.58 65.114.109.58 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.58 10.1.9.58 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.47 65.114.109.47 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.47 10.1.9.47 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.55 65.114.109.55 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.55 10.1.9.55 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.44 65.114.109.44 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.44 10.1.9.44 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.46 65.114.109.46 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.46 10.1.9.46 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.53 65.114.109.53 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.53 10.1.9.53 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.49 65.114.109.49 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.49 10.1.9.49 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.54 65.114.109.54 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.54 10.1.9.54 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.51 65.114.109.51 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.51 10.1.9.51 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.56 65.114.109.56 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.56 10.1.9.56 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group PublicServers_access_in in interface PublicServers
route Outside 0.0.0.0 0.0.0.0 65.114.109.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
 dns-server value 65.114.109.35 65.114.109.41
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGroup1_splitTunnelAcl
 webvpn
group-policy remote2info internal
group-policy remote2info attributes
 dns-server value 192.168.60.1 192.168.60.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote2info_splitTunnelAcl
 webvpn
username TecXpert password 46GRhAP4rEiuTBVv encrypted privilege 15
username TecXpert attributes
 vpn-group-policy VPNGroup1
 webvpn
username administrator password QeFLSERcQLidAbeD encrypted privilege 15
username droberts password sFmLtvOypKeXXHu3 encrypted privilege 15
username droberts attributes
 vpn-group-policy remote2info
 webvpn
http server enable
http 10.1.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp PublicServers
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map Inside_map 65535 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp enable Inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp nat-traversal  30
tunnel-group VPNGroup1 type ipsec-ra
tunnel-group VPNGroup1 general-attributes
 address-pool VPNPool
 default-group-policy VPNGroup1
tunnel-group VPNGroup1 ipsec-attributes
 pre-shared-key *
tunnel-group remote2info type ipsec-ra
tunnel-group remote2info general-attributes
 address-pool VPNPool
 default-group-policy remote2info
tunnel-group remote2info ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group remote2info
vpn-sessiondb max-session-limit 7
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect esmtp
  inspect dns maximum-length 2048
!
service-policy global_policy global
Cryptochecksum: blah blah blah
: end

From your VPN client, you can only connect to the ASA outside IP address, which is 65.114.109.34. You can't connect to the router IP address because the router is not terminating the VPN tunnel.

1) Set the VPN Client to connect to 65.114.109.34.

2) Which tunnel-group did you use to connect to the VPN? VPNGroup1 or remote2info?

3) You also have "vpn-sessiondb max-session-limit 7" configured, which limits the number of VPNs to only 7. Can anyone connect at all? How many VPNs are connected when you try to connect? "show vpn-sessiondb summ" will give you the answer.

4) You would also need to allow the IPsec protocol on your group policy:

group-policy VPNGroup1 attributes
     vpn-tunnel-protocol ipsec
group-policy remote2info attributes
     vpn-tunnel-protocol ipsec

Lastly, not related to your VPN configuration: for the static NAT statements, you have configured 2 NAT statements for each host, which is incorrect.

Example:

static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns

You would only need to configure the second line, and should remove the first line, as static NAT works bidirectionally. You should remove all the other ones as well: static (Outside,PublicServers).

Hope that helps.
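As an added illustration of the configuration checks in this reply (example code written for this page, not a Cisco tool and not anything posted in the thread), the Python below lints an ASA running-config excerpt: it pairs up "static" statements that restate each other in the opposite direction and says which one to keep, lists group policies whose attributes block never sets "vpn-tunnel-protocol" explicitly, and reads the "vpn-sessiondb max-session-limit" value. The excerpt it runs on is constructed from the config posted above, with the interface security levels included so the keep/drop choice can favour the more trusted side; it assumes running-config indentation (one leading space on sub-commands).

```python
"""Lint an ASA running-config excerpt for the points raised in the reply above:
mirrored static NAT pairs, group policies with no explicit vpn-tunnel-protocol,
and the vpn-sessiondb session cap. Added example, not a Cisco tool."""
import re

# Constructed excerpt modelled on the config posted in this thread
# (running-config style: sub-commands carry one leading space).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif PublicServers
 security-level 20
interface Ethernet0/2
 nameif Inside
 security-level 90
static (Inside,Outside) 65.114.109.60 10.1.10.60 netmask 255.255.255.255 dns
static (Outside,Inside) 10.1.10.60 65.114.109.60 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.45 10.1.9.45 netmask 255.255.255.255 dns
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
 split-tunnel-policy tunnelspecified
group-policy remote2info internal
group-policy remote2info attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
vpn-sessiondb max-session-limit 7
"""

# ASA 7.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped_ip>[\d.]+) (?P<real_ip>[\d.]+)")


def security_levels(text):
    """Map nameif -> security-level from the interface blocks."""
    levels, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^\s*nameif (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"^\s*security-level (\d+)", line)) and current:
            levels[current] = int(m.group(1))
    return levels


def fmt(real_if, mapped_if, mapped_ip, real_ip):
    return f"static ({real_if},{mapped_if}) {mapped_ip} {real_ip}"


def redundant_statics(text):
    """Return (keep, drop) pairs for statics that restate each other in the
    opposite direction; one static already translates both ways."""
    levels = security_levels(text)
    statics = [STATIC_RE.match(l).groups() for l in text.splitlines() if STATIC_RE.match(l)]
    seen = set(statics)
    pairs = []
    for entry in statics:
        real_if, mapped_if, mapped_ip, real_ip = entry
        mirror = (mapped_if, real_if, real_ip, mapped_ip)
        # Keep the entry whose real host sits on the more trusted interface;
        # ties (unknown levels) are broken by plain tuple order.
        if mirror in seen and (levels.get(real_if, 0), entry) > (levels.get(mapped_if, 0), mirror):
            pairs.append((fmt(*entry), fmt(*mirror)))
    return pairs


def policies_without_tunnel_protocol(text):
    """Group policies whose attributes block never sets vpn-tunnel-protocol."""
    explicit, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^group-policy (\S+) attributes", line):
            current = m.group(1)
            explicit.setdefault(current, False)
        elif line.startswith(" ") and current:
            if line.split()[0] == "vpn-tunnel-protocol":
                explicit[current] = True
        else:
            current = None
    return sorted(name for name, ok in explicit.items() if not ok)


def session_limit(text):
    """Value of 'vpn-sessiondb max-session-limit', or None when unset."""
    m = re.search(r"^vpn-sessiondb max-session-limit (\d+)", text, re.M)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for keep, drop in redundant_statics(SAMPLE_CONFIG):
        print(f"keep: {keep}\ndrop: {drop}")
    print("no explicit vpn-tunnel-protocol:", policies_without_tunnel_protocol(SAMPLE_CONFIG))
    print("session cap:", session_limit(SAMPLE_CONFIG))
```

On the posted config this flags every (Outside,PublicServers) line as the copy to drop, which matches the advice above; a group policy that does not set vpn-tunnel-protocol itself is only reported, since on the ASA it otherwise inherits that setting from the default group policy.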

halijenn wrote:

From your VPN client, you can only connect to the ASA outside IP address, which is 65.114.109.34. You can't connect to the router IP address because the router is not terminating the VPN tunnel.

1) Set the VPN Client to connect to 65.114.109.34.

2) Which tunnel-group did you use to connect to the VPN? VPNGroup1 or remote2info?

3) You also have "vpn-sessiondb max-session-limit 7" configured, which limits the number of VPNs to only 7. Can anyone connect at all? How many VPNs are connected when you try to connect? "show vpn-sessiondb summ" will give you the answer.

4) You would also need to allow the IPsec protocol on your group policy:

group-policy VPNGroup1 attributes
     vpn-tunnel-protocol ipsec
group-policy remote2info attributes
     vpn-tunnel-protocol ipsec

Lastly, not related to your VPN configuration: for the static NAT statements, you have configured 2 NAT statements for each host, which is incorrect.

Example:

static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns

You would only need to configure the second line, and should remove the first line, as static NAT works bidirectionally. You should remove all the other ones as well: static (Outside,PublicServers).

Hope that helps.

1) That was the original IP I had been trying. It never was able to get a successful connection. That's when I started trying the edge router [1700].

2) VPNGrp1 Was already there when I got to it, but all users were configured for/on remote2info.

3) I set max vpns specifically by request because of the tenacious misuse of VPNs we have had in the past...but anyways, it still does not work.

     *There are only 5 regular vpn users at this time, with me as the 6th [administrator]. I think I omitted them from the configuration I posted.*

4) I can only use Remote Desktop to access the router via ASDM as things currently stand (hence why the VPNs are important!) - I have no local access for a while here.

5) Those static statements were in there before I was granted admin access to the device (previous admin retired). The thing is, the servers on that line are all Microsoft Bing and Bing Maps servers connected to a Catalyst 2960[?] and receive pretty regular traffic. I would be a little worried about breaking that link.

Okay, I enabled the IPSec on the group policy for remote2info.

I had the client set to use the correct IP, but I got error 401: unrecognized error (or 412: remote peer stopped responding). Here's the thing though, I have to use the VPN client through a virtual machine (Windows XP Mode) on Windows 7 because the laptop I travel with is x64 and the client I have is x86. That wouldn't affect it correct? If the VM can browse the internet and do Remote Desktop to the server with the ASDM - shouldn't the VPN work? It's bridged/captured the external [Windows 7] physical interface.

I can output a new running-config and show you if you need. I am online 24/7 (at least it seems so), which means I can reply nearly instantly to any posts here.

And on that note, I just want to say that I appreciate your time immensely. I don't know many people who have Cisco knowledge [I have up to CCNA 4 so far], so this forum was a shot in the dark for me. It's working out way better than I had hoped (much faster specifically). So...

Thank you!!!

You can also open a Cisco TAC case that would allow you to troubleshoot the issue with Cisco engineer over the phone/webex.

I assume that you are able to ping the ASA external interface, right?

Please kindly run the following debugs on ASA to better understand where exactly is the VPN connection failing:

debug cry isa

debug cry ipsec

Also on the VPN Client itself, turn on logging, and try to connect again to the ASA, and please share the logs from both ASA debug output and VPN Client.

Thanks.

Yea, I can ping the ASA from here.

Pinging 65.114.109.34 with 32 bytes of data:
Reply from 65.114.109.34: bytes=32 time=70ms TTL=241
Reply from 65.114.109.34: bytes=32 time=50ms TTL=241
Reply from 65.114.109.34: bytes=32 time=53ms TTL=241
Reply from 65.114.109.34: bytes=32 time=56ms TTL=241

Ping statistics for 65.114.109.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% los
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 70ms, Average = 57ms

This is from a DMZ enabled IP on a standard router.

I am not aware that I can run debug commands from the ASDM, so I will try to telnet to the ASA.

The Windows Server that has the ASDM is not connected to the console on the ASA, and it doesn't have HyperTerminal installed. Also, PuTTY is not working on it (at least via Remote Desktop), so I can't issue the debug commands. The soonest I would have physical access would be Monday, as I am away.

Here is the log from the client, with what I see might be client issues after all:

Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      12:24:10.388  09/25/10  Sev=Info/4 CM/0x63100002
Begin connection process

2      12:24:10.418  09/25/10  Sev=Info/4 CM/0x63100004
Establish secure connection

3      12:24:10.418  09/25/10  Sev=Info/4 CM/0x63100024
Attempt connection with server "65.114.109.34"

4      12:24:10.428  09/25/10  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 65.114.109.34.

5      12:24:10.438  09/25/10  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      12:24:10.448  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 65.114.109.34

7      12:24:10.518  09/25/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34

8      12:24:10.518  09/25/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 65.114.109.34

9      12:24:10.518  09/25/10  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

10     12:24:10.518  09/25/10  Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

11     12:24:10.518  09/25/10  Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

12     12:24:10.518  09/25/10  Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

13     12:24:10.528  09/25/10  Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified

14     12:24:10.528  09/25/10  Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

15     12:24:10.528  09/25/10  Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

16     12:24:10.528  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 65.114.109.34

17     12:24:10.528  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 65.114.109.34

18     12:24:10.528  09/25/10  Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

19     12:24:10.528  09/25/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=4EF0E8528C759FED R_Cookie=AADF49C806234FFA) reason = DEL_REASON_IKE_NEG_FAILED

20     12:24:10.688  09/25/10  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

21     12:24:10.688  09/25/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

22     12:24:11.189  09/25/10  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=4EF0E8528C759FED R_Cookie=AADF49C806234FFA) reason = DEL_REASON_IKE_NEG_FAILED

23     12:24:11.189  09/25/10  Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "65.114.109.34" because of "DEL_REASON_IKE_NEG_FAILED"

24     12:24:11.219  09/25/10  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

25     12:24:12.221  09/25/10  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

26     12:24:12.231  09/25/10  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

27     12:24:12.241  09/25/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

28     12:24:12.241  09/25/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

29     12:24:12.241  09/25/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

30     12:24:12.241  09/25/10  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Hello,

Could you please check the group password configured on the client. Just make sure that the password on the ASA (i.e. the pre-shared key under the tunnel-group) and the group password on the client are the same.

Okay, I think I got it working. I don't know exactly WHY it's working, but I can connect now. I think that there was something wrong with the commands I sent to the ASDM. I'm used to the direct input of commands via CLI, not the ASDM. Anyway, here's the log after a connection attempt.

Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

373    14:08:13.737  09/25/10  Sev=Info/4 CM/0x63100002
Begin connection process

374    14:08:13.797  09/25/10  Sev=Info/4 CM/0x63100004
Establish secure connection

375    14:08:13.797  09/25/10  Sev=Info/4 CM/0x63100024
Attempt connection with server "65.114.109.34"

376    14:08:13.807  09/25/10  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 65.114.109.34.

377    14:08:13.807  09/25/10  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

378    14:08:13.807  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 65.114.109.34

379    14:08:13.877  09/25/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34

380    14:08:13.877  09/25/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 65.114.109.34

381    14:08:13.877  09/25/10  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

382    14:08:13.877  09/25/10  Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

383    14:08:13.877  09/25/10  Sev=Info/5 IKE/0x63000001
Peer supports DPD

384    14:08:13.877  09/25/10  Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

385    14:08:13.877  09/25/10  Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

386    14:08:13.877  09/25/10  Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

387    14:08:13.877  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 65.114.109.34

388    14:08:13.877  09/25/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

389    14:08:13.877  09/25/10  Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port =  0x0AB9, Remote Port = 0x1194

390    14:08:13.877  09/25/10  Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

391    14:08:13.877  09/25/10  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

392    14:08:13.937  09/25/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34

393    14:08:13.937  09/25/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 65.114.109.34

394    14:08:13.937  09/25/10  Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.

395    14:08:13.937  09/25/10  Sev=Info/4 CM/0x63100015
Launch xAuth application

396    14:08:14.017  09/25/10  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

397    14:08:14.027  09/25/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

398    14:08:14.027  09/25/10  Sev=Info/6 IPSEC/0x6370002C
Sent 11 packets, 0 were fragmented.

399    14:08:16.591  09/25/10  Sev=Info/4 CM/0x63100017
xAuth application returned

400    14:08:16.591  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 65.114.109.34

401    14:08:16.721  09/25/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34

402    14:08:16.721  09/25/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 65.114.109.34

403    14:08:16.721  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 65.114.109.34

404    14:08:16.721  09/25/10  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

405    14:08:16.831  09/25/10  Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

406    14:08:16.831  09/25/10  Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

407    14:08:16.841  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 65.114.109.34

408    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34

409    14:08:16.902  09/25/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 65.114.109.34

410    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.1.11.100

411    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

412    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.60.1

413    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.168.60.1

414    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

415    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

416    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 0.0.0.0
mask = 0.0.0.0
protocol = 0
src port = 0
dest port=0

417    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

418    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 7.0(7) built by builders on Fri 06-Jul-07 10:37

419    14:08:16.902  09/25/10  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

420    14:08:16.912  09/25/10  Sev=Info/4 CM/0x63100019
Mode Config data received

421    14:08:16.952  09/25/10  Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.1.11.100, GW IP = 65.114.109.34, Remote IP = 0.0.0.0

422    14:08:16.952  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 65.114.109.34

423    14:08:17.022  09/25/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

424    14:08:17.112  09/25/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34

425    14:08:17.122  09/25/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 65.114.109.34

426    14:08:17.122  09/25/10  Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

427    14:08:17.122  09/25/10  Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396 seconds from now

428    14:08:17.122  09/25/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34

429    14:08:17.122  09/25/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 65.114.109.34

430    14:08:17.122  09/25/10  Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

431    14:08:17.122  09/25/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 65.114.109.34

432    14:08:17.122  09/25/10  Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D08FEEB7 OUTBOUND SPI = 0x17C4C8CE INBOUND SPI = 0x072C89E0)

433    14:08:17.122  09/25/10  Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x17C4C8CE

434    14:08:17.122  09/25/10  Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x072C89E0

435    14:08:17.272  09/25/10  Sev=Info/5 CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       192.168.1.1       192.168.1.4       20
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    192.168.1.0     255.255.255.0       192.168.1.4       192.168.1.4       20
    192.168.1.4   255.255.255.255         127.0.0.1         127.0.0.1       20
  192.168.1.255   255.255.255.255       192.168.1.4       192.168.1.4       20
      224.0.0.0         240.0.0.0       192.168.1.4       192.168.1.4       20
255.255.255.255   255.255.255.255       192.168.1.4       192.168.1.4        1


436    14:08:17.953  09/25/10  Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.1.11.100/255.255.255.0
DNS=192.168.60.1,192.168.60.1
WINS=0.0.0.0,0.0.0.0
Domain=
Split DNS Names=

437    14:08:17.963  09/25/10  Sev=Info/5 CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       192.168.1.1       192.168.1.4       20
      10.1.11.0     255.255.255.0       10.1.11.100       10.1.11.100       20
    10.1.11.100   255.255.255.255         127.0.0.1         127.0.0.1       20
10.255.255.255   255.255.255.255       10.1.11.100       10.1.11.100       20
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    192.168.1.0     255.255.255.0       192.168.1.4       192.168.1.4       20
    192.168.1.4   255.255.255.255         127.0.0.1         127.0.0.1       20
  192.168.1.255   255.255.255.255       192.168.1.4       192.168.1.4       20
      224.0.0.0         240.0.0.0       10.1.11.100       10.1.11.100       20
      224.0.0.0         240.0.0.0       192.168.1.4       192.168.1.4       20
255.255.255.255   255.255.255.255       10.1.11.100       10.1.11.100        1
255.255.255.255   255.255.255.255       192.168.1.4       192.168.1.4        1


438    14:08:17.973  09/25/10  Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 20: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 10.1.11.100
Interface 10.1.11.100

439    14:08:17.973  09/25/10  Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: a010b64, Gateway: a010b64.

440    14:08:17.993  09/25/10  Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.

441    14:08:17.993  09/25/10  Sev=Info/5 CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       10.1.11.100       10.1.11.100        1
        0.0.0.0           0.0.0.0       192.168.1.1       192.168.1.4       20
      10.1.11.0     255.255.255.0       10.1.11.100       10.1.11.100       20
    10.1.11.100   255.255.255.255         127.0.0.1         127.0.0.1       20
10.255.255.255   255.255.255.255       10.1.11.100       10.1.11.100       20
  65.114.109.34   255.255.255.255       192.168.1.1       192.168.1.4        1
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    192.168.1.0     255.255.255.0       192.168.1.4       192.168.1.4       20
    192.168.1.0     255.255.255.0       10.1.11.100       10.1.11.100       20
    192.168.1.1   255.255.255.255       192.168.1.4       192.168.1.4        1
    192.168.1.4   255.255.255.255         127.0.0.1         127.0.0.1       20
  192.168.1.255   255.255.255.255       192.168.1.4       192.168.1.4       20
      224.0.0.0         240.0.0.0       10.1.11.100       10.1.11.100       20
      224.0.0.0         240.0.0.0       192.168.1.4       192.168.1.4       20
255.255.255.255   255.255.255.255       10.1.11.100       10.1.11.100        1
255.255.255.255   255.255.255.255       192.168.1.4       192.168.1.4        1


442    14:08:17.993  09/25/10  Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter

443    14:08:18.273  09/25/10  Sev=Info/4 CM/0x6310001A
One secure connection established

444    14:08:18.454  09/25/10  Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.1.4.  Current hostname: VirtualXP-13158, Current address(es): 10.1.11.100, 192.168.1.4.

445    14:08:18.464  09/25/10  Sev=Info/4 CM/0x6310003B
Address watch added for 10.1.11.100.  Current hostname: VirtualXP-13158, Current address(es): 10.1.11.100, 192.168.1.4.

446    14:08:18.464  09/25/10  Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal

447    14:08:18.464  09/25/10  Sev=Info/4 IPSEC/0x63700010
Created a new key structure

448    14:08:18.464  09/25/10  Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xcec8c417 into key list

449    14:08:18.474  09/25/10  Sev=Info/4 IPSEC/0x63700010
Created a new key structure

450    14:08:18.474  09/25/10  Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xe0892c07 into key list

451    14:08:18.474  09/25/10  Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.1.11.100

452    14:08:18.474  09/25/10  Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.1.4. SG: 65.114.109.34

453    14:08:18.474  09/25/10  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.

Now, if no one sees anything abnormal about the above, I have another question or two.

1) Is it possible to add any kind of CSU/DSU expansion modules to the 5510? We have a CSU/DSU in the 1720 for one of our T1s. We have another one we want to add as a failover connection. There is only one connection on the 1720, but neither of the two expansion slots on the back of the ASA has anything in it. Where and what, if possible, would I be able to get cards to upgrade the ASA so I can retire the 1720? Or, is it possible to take the CSU out of the 1720 and install it into the ASA?

2) I still can't access the networked PCs and servers after I have connected. Any attempts at name resolution or local network discovery aren't working right (at least I think so). What is one way I can test to make sure that I have a working connection from the ASA into the internal network? (I don't know if that is descriptive enough)

Thanks for all the great support thus far!

Great great improvement on the VPN Connectivity.. well done, Daniel.

To answer your 2 questions:

1) No, unfortunately the ASA does not support CSU/DSU expansion modules, hence you would still need to have the 1720 router.

2) The reason why you are not able to access the internal network from the VPN is that you haven't configured the NAT exemption yet.

Here is how to configure it:

access-list PublicServers-nonat permit ip 10.1.9.0 255.255.255.0 10.1.11.0 255.255.255.0

nat (PublicServers) 0 access-list PublicServers-nonat

access-list Inside-nonat permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0

nat (Inside) 0 access-list Inside-nonat

Hope that helps.

Okay, I will try that now. I was told by a friend that the reason I was not able to use the internal services was that I'm "not using your internal dns server and also not logging into active directory". I have tried to set up the ASA to use the AD DNS server, but it doesn't seem to want to do it at all...

I will edit this when I finish up entering the configuration you posted.

EDIT: Okay, this didn't really work. We have a CRM system running on the network - accessible on http://crminternal - and I still cannot navigate to it. There are 4 branches off the ASA: the inside, outside, public servers, and other stuff. Most of it isn't necessary for the VPN users, only the internal Active Directory and such. I am uploading the most ridiculous network map of all time, but humor me and see if this makes things slightly clearer.

Message was edited by: Daniel Roberts

Hold on, I messed up my network map even worse than I thought. Let me upload this fixed copy. 

I don't see any routes on the ASA for all your internal networks; does this mean that ISA is performing PAT for all outbound connections?

If ISA is performing PAT for all outbound connections, then there are a few things that need to be done on the ISA as well as the ASA, as follows:

1) On ISA, you would need to configure NAT exemption between the internal network subnets (192.168.60.0/24) towards the VPN Pool subnet (10.1.11.0/24).

2) On ISA, you would need to allow inbound connection if you have any ACL that blocks it.

3) On ASA, you would need to configure routes for all your internal networks accordingly, for example: to access the 192.168.60.0/24 network as per your diagram, you would need to configure the following route:

route Inside 192.168.60.0 255.255.255.0 10.1.10.60

4) Lastly, on the ASA, if you have configured the NAT exemption as per my post earlier, then you would need to add the following ACL:

access-list Inside-nonat permit ip 192.168.60.0 255.255.255.0 10.1.11.0 255.255.255.0
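
As an added example (not from this thread or from Cisco), the following Python check reads the parts of the posted ASA config that decide reachability and reports, for each internal subnet a VPN client must reach, which interface the ASA would send the traffic out of and whether a nat 0 exemption from that subnet to the VPN pool exists on that interface; it covers both the NAT exemption posted earlier and the route/ACL steps above. The config excerpt is constructed from the lines posted in this thread, and 10.1.12.0/24 is a made-up subnet used only to show the failing case.

```python
import ipaddress

# Constructed excerpt of the ASA 7.0(7) running config posted in this thread,
# cut down to the lines that decide whether VPN clients can reach inside hosts.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif PublicServers
 ip address 10.1.9.1 255.255.255.0
interface Ethernet0/2
 nameif Inside
 ip address 10.1.10.1 255.255.255.0
access-list PublicServers-nonat extended permit ip 10.1.9.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list Inside-nonat extended permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list Inside-nonat extended permit ip 192.168.60.0 255.255.255.0 10.1.11.0 255.255.255.0
ip local pool VPNPool 10.1.11.100-10.1.11.200 mask 255.255.255.0
nat (PublicServers) 0 access-list PublicServers-nonat
nat (Inside) 0 access-list Inside-nonat
route Outside 0.0.0.0 0.0.0.0 65.114.109.33 1
route Inside 192.168.60.0 255.255.255.0 10.1.10.60 1
"""

def net(addr, mask):
    """Build a network from an ASA dotted address/mask pair (host bits allowed)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(config):
    """Collect connected nets per nameif, nat 0 ACL bindings, ACEs, routes and pools."""
    connected, nat0, aces, routes, pools, nameif = {}, {}, {}, [], {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            connected[nameif] = net(t[2], t[3])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            aces.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = net(t[4].split("-")[0], t[6])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t[0] == "route":
            routes.append((t[1], net(t[2], t[3])))
    return connected, nat0, aces, routes, pools

def check_vpn_reachability(config, pool_name, internal_nets):
    """Per internal subnet: the ASA egress interface, and whether pool<->subnet is nat 0 there."""
    connected, nat0, aces, routes, pools = parse_asa(config)
    pool = pools[pool_name]
    report = {}
    for target in internal_nets:
        subnet = ipaddress.ip_network(target)
        # A directly connected interface wins; otherwise the most specific static route.
        egress = next((n for n, c in connected.items() if subnet.subnet_of(c)), None)
        if egress is None:
            hits = [(r.prefixlen, n) for n, r in routes if subnet.subnet_of(r)]
            egress = max(hits)[1] if hits else None
        # The exemption ACE must have the subnet as source and the VPN pool as destination.
        exempt = any(subnet.subnet_of(s) and pool.subnet_of(d)
                     for s, d in aces.get(nat0.get(egress, ""), []))
        report[target] = {"egress": egress, "nat_exempt": exempt}
    return report

if __name__ == "__main__":
    targets = ["10.1.9.0/24", "192.168.60.0/24", "10.1.12.0/24"]  # last one is made up
    for target, result in check_vpn_reachability(ASA_CONFIG, "VPNPool", targets).items():
        print(target, result)
```

A subnet whose egress comes out as Outside with no exemption is one the ASA would hairpin toward the default route instead of the inside network, which is exactly the symptom of a missing route or nonat entry.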

I think that InfoFIRE (the firewall) doesn't perform PAT. I think I made a mistake (again) in the diagram. The "DNS servers and such" all have 10.1.9.X IPs and the 10.1.10.1 interface is likely what's connected to InfoFIRE. As I said before, I am configuring all this by Remote Desktop to the server running the ASDM. In the diagram, this would be 'Server' (a fileserver). Remote Desktop works fine, and I added an exception to the Firewall when I first created the VPNs that *should* have allowed any and all VPN traffic through it bidirectionally (I think).

One minute while I remote in and make your suggested changes.

EDIT: Here is the new running config, and I will upload a screenshot of the ISA server configuration I made.

asdm image disk0:/asdm-507.bin
asdm location 10.1.11.0 255.255.255.0 Inside
asdm location 10.1.9.57 255.255.255.255 PublicServers
asdm location 10.1.9.58 255.255.255.255 PublicServers
asdm location 10.1.9.53 255.255.255.255 PublicServers
asdm location 10.1.9.56 255.255.255.255 PublicServers
no asdm history enable
: Saved
:
ASA Version 7.0(7) 
!
hostname InfoGrowASA
domain-name InfoGrow.invalid
enable password .X/yQ4L.WTBO0KZ7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 65.114.109.34 255.255.255.224 
!
interface Ethernet0/1
 nameif PublicServers
 security-level 20
 ip address 10.1.9.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Inside
 security-level 90
 ip address 10.1.10.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd .X/yQ4L.WTBO0KZ7 encrypted
ftp mode passive
object-group service WebFTP tcp
 description HTTP HTTPS FTP SFTP
 port-object eq www
 port-object eq ssh
 port-object eq ftp
 port-object eq https
 port-object range 49898 49918
access-list Outside_access_in extended permit tcp any host 65.114.109.60 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq smtp 
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq pop3 
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 7777 
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8181 
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8888 
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 9999 
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq www 
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq https 
access-list Outside_access_in extended permit tcp any host 65.114.109.46 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.47 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.53 eq www 
access-list Outside_access_in extended permit tcp any host 65.114.109.55 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.44 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.44 eq 9888 
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ftp 
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ssh 
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq 49898 
access-list Outside_access_in extended permit tcp any host 65.114.109.49 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.54 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ftp 
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ssh 
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq 49898 
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq www 
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq https 
access-list Outside_access_in extended permit tcp any host 65.114.109.57 object-group WebFTP 
access-list Outside_access_in extended permit tcp any host 65.114.109.58 object-group WebFTP 
access-list management_nat0_outbound extended permit ip any 10.1.11.0 255.255.255.0 
access-list VPNGroup1_splitTunnelAcl standard permit any 
access-list PublicServers_access_in extended permit ip 10.1.9.0 255.255.255.0 any 
access-list remote2info_splitTunnelAcl standard permit 192.168.60.0 255.255.255.0 
access-list PublicServers-nonat extended permit ip 10.1.9.0 255.255.255.0 10.1.11.0 255.255.255.0 
access-list Inside-nonat extended permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0 
access-list Inside-nonat extended permit ip 192.168.60.0 255.255.255.0 10.1.11.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu PublicServers 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 10.1.11.100-10.1.11.200 mask 255.255.255.0
ip local pool VPNPool2 192.168.60.30-192.168.60.50 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 65.114.109.48
nat (PublicServers) 0 access-list PublicServers-nonat
nat (PublicServers) 10 10.1.9.13 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.100 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.101 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.102 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.103 255.255.255.255 dns
nat (Inside) 0 access-list Inside-nonat
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 65.114.109.60 10.1.10.60 netmask 255.255.255.255 dns 
static (Inside,PublicServers) 65.114.109.60 10.1.10.60 netmask 255.255.255.255 
static (Outside,Inside) 10.1.10.60 65.114.109.60 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.45 65.114.109.45 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.45 10.1.9.45 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.58 65.114.109.58 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.58 10.1.9.58 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.47 65.114.109.47 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.47 10.1.9.47 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.55 65.114.109.55 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.55 10.1.9.55 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.44 65.114.109.44 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.44 10.1.9.44 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.46 65.114.109.46 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.46 10.1.9.46 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.53 65.114.109.53 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.53 10.1.9.53 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.49 65.114.109.49 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.49 10.1.9.49 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.54 65.114.109.54 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.54 10.1.9.54 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.51 65.114.109.51 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.51 10.1.9.51 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.56 65.114.109.56 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.56 10.1.9.56 netmask 255.255.255.255 dns 
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns 
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns 
access-group Outside_access_in in interface Outside
access-group PublicServers_access_in in interface PublicServers
route Outside 0.0.0.0 0.0.0.0 65.114.109.33 1
route Inside 192.168.60.0 255.255.255.0 10.1.10.60 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
 dns-server value 65.114.109.35 65.114.109.41
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGroup1_splitTunnelAcl
 webvpn
group-policy remote2info internal
group-policy remote2info attributes
 dns-server value 192.168.60.1
 vpn-tunnel-protocol IPSec 
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote2info_splitTunnelAcl
 webvpn
username gwilliams password SVOBMaXej0VAEXTH encrypted privilege 0
username gwilliams attributes
 vpn-group-policy remote2info
 webvpn
username TecXpert password 46GRhAP4rEiuTBVv encrypted privilege 15
username TecXpert attributes
 vpn-group-policy remote2info
 webvpn
username bsullivan password tST/8Y1SJLxkg5bO encrypted privilege 0
username bsullivan attributes
 vpn-group-policy remote2info
 webvpn
username gseitzinger password Jsc.rB5RhoI7rH7v encrypted privilege 0
username gseitzinger attributes
 vpn-group-policy remote2info
 webvpn
username administrator password QeFLSERcQLidAbeD encrypted privilege 15
username droberts password sFmLtvOypKeXXHu3 encrypted privilege 15
username droberts attributes
 vpn-group-policy remote2info
 webvpn
username lbrown password pK9IlrpUffBnck.r encrypted privilege 15
username lbrown attributes
 vpn-group-policy remote2info
 webvpn
username sluc password s5jDKx5rAxzga.D3 encrypted privilege 0
username sluc attributes
 vpn-group-policy remote2info
 webvpn
http server enable
http 10.1.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp PublicServers
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map Inside_map 65535 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp enable Inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp nat-traversal  30
tunnel-group VPNGroup1 type ipsec-ra
tunnel-group VPNGroup1 general-attributes
 address-pool VPNPool
 default-group-policy VPNGroup1
tunnel-group VPNGroup1 ipsec-attributes
 pre-shared-key *
tunnel-group remote2info type ipsec-ra
tunnel-group remote2info general-attributes
 address-pool (Outside) VPNPool2
 address-pool VPNPool
 default-group-policy remote2info
 dhcp-server 192.168.60.12
tunnel-group remote2info ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group remote2info
vpn-sessiondb max-session-limit 7
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect esmtp 
  inspect dns maximum-length 2048 
!
service-policy global_policy global
Cryptochecksum:4c8a03d61da3d67b568a9b6d3a4b461a
: end