09-24-2010 09:05 AM
I'm trying to create an RA VPN. The thing is, the network is not "normal" in terms of topology. We have (coming from the internet) a T1 going straight to a Cisco 1720, which then goes to an ASA 5510 that hosts the VPN configuration. I can't get connected when I use the Cisco VPN client, and I think it's because of these two routers and their odd arrangement. I have been told that there is no way to drop the 1720 from the equation (it's the only CSU/DSU). If I can put the CSU/DSU expansion card in the 5510, then I MIGHT be able to remove it if I have to in order for this to work.
Here is the error from the client:
Initializing the connection...
Contacting the security gateway at 65.114.65.30...
Contacting the security gateway at 65.114.109.33... (backup)
Contacting the security gateway at 65.114.109.34... (backup)
Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN connection.
-or- (depending on which IP I try to connect to)
Contacting the security gateway at 208.44.133.177...
Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.
I can access the 1720 from the internet via HyperTerminal and make changes. To make any changes to the 5510, I need to use Remote Desktop and use the ASDM from an internal network server. I believe that the VPN configuration itself is complete and correct. I think it's the 1720 that's the problem. Here is the config:
Building configuration...
Current configuration : 867 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CSCORTR
!
boot system flash c1700-y-mz.121-19.bin
boot system flash c1700-y-mz.121-1.bin
[pwd omitted]
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
ip address 65.114.65.30 255.255.255.252
service-module t1 timeslots 1-24
!
interface FastEthernet0
ip address 208.44.133.177 255.255.255.248 secondary
ip address 65.114.109.33 255.255.255.224
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 65.114.109.0 255.255.255.0 65.114.109.34
no ip http server
!
!
[omitted pwd info]
!
no scheduler allocate
end
I greatly appreciate any help I can get. This is turning into a real nightmare for me...
09-24-2010 04:55 PM
From the VPN Client logs, it seems that you are trying to VPN to the router instead of the ASA firewall, because the IP addresses that the VPN client is trying to connect to are all the router's IP addresses: 65.114.65.30, 65.114.109.33, 65.114.109.34.
Can you please advise what the ASA external IP address that terminates the VPN tunnel is? The VPN client needs to be configured with that IP address instead.
Please also share the ASA configuration if it still doesn't work after changing the vpn client to connect to the ASA external ip address.
09-24-2010 07:01 PM
The IP structure looks like this:
[INTERNET] --> [65.114.65.30/30 ~ 1720 router ~ 65.114.109.33/27] --> [65.114.109.34/27 ~ ASA 5510] --> [Microsoft ISA server] --> [Internal network]
The ASA is the VPN device, configured correctly I think. I have tried using all the IPs after the edge IP (in order, as backup servers) for the client connection. However, even with the host specified as 65.114.109.34, there is still no connectivity. The 1720 has only 2 interfaces (Serial0 and Fa0), and I believe the configuration of this router is intended for it to simply pass things to the ASA (pretty much do nothing). The only reason we still even use it is because the 5510 doesn't have any CSU/DSU cards (at least that I can find) to connect our T1s. I wonder if the expansion CSU/DSU module out of the 1720 could be transplanted into the 5510, because then the ASA could be the internet edge router and I could retire that 1720...
Here is the config of the ASA via the ASDM:
asdm image disk0:/asdm-507.bin
asdm location 10.1.11.0 255.255.255.0 Inside
asdm location 10.1.9.57 255.255.255.255 PublicServers
asdm location 10.1.9.58 255.255.255.255 PublicServers
asdm location 10.1.9.53 255.255.255.255 PublicServers
asdm location 10.1.9.56 255.255.255.255 PublicServers
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname InfoASA
domain-name Info.invalid
enable password [omitted] encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 65.114.109.34 255.255.255.224
!
interface Ethernet0/1
nameif PublicServers
security-level 20
ip address 10.1.9.1 255.255.255.0
!
interface Ethernet0/2
nameif Inside
security-level 90
ip address 10.1.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd .X/yQ4L.WTBO0KZ7 encrypted
ftp mode passive
object-group service WebFTP tcp
description HTTP HTTPS FTP SFTP
port-object eq www
port-object eq ssh
port-object eq ftp
port-object eq https
port-object range 49898 49918
access-list Outside_access_in extended permit tcp any host 65.114.109.60 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq smtp
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq pop3
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 7777
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8181
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8888
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 9999
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq https
access-list Outside_access_in extended permit tcp any host 65.114.109.46 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.47 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.53 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.55 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.44 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.44 eq 9888
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ftp
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ssh
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq 49898
access-list Outside_access_in extended permit tcp any host 65.114.109.49 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.54 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ftp
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ssh
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq 49898
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq https
access-list Outside_access_in extended permit tcp any host 65.114.109.57 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.58 object-group WebFTP
access-list management_nat0_outbound extended permit ip any 10.1.11.0 255.255.255.0
access-list VPNGroup1_splitTunnelAcl standard permit any
access-list PublicServers_access_in extended permit ip 10.1.9.0 255.255.255.0 any
access-list remote2info_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu PublicServers 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 10.1.11.100-10.1.11.200 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 65.114.109.48
nat (PublicServers) 10 10.1.9.13 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.100 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.101 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.102 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.103 255.255.255.255 dns
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 65.114.109.60 10.1.10.60 netmask 255.255.255.255 dns
static (Inside,PublicServers) 65.114.109.60 10.1.10.60 netmask 255.255.255.255
static (Outside,Inside) 10.1.10.60 65.114.109.60 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.45 65.114.109.45 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.45 10.1.9.45 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.58 65.114.109.58 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.58 10.1.9.58 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.47 65.114.109.47 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.47 10.1.9.47 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.55 65.114.109.55 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.55 10.1.9.55 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.44 65.114.109.44 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.44 10.1.9.44 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.46 65.114.109.46 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.46 10.1.9.46 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.53 65.114.109.53 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.53 10.1.9.53 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.49 65.114.109.49 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.49 10.1.9.49 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.54 65.114.109.54 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.54 10.1.9.54 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.51 65.114.109.51 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.51 10.1.9.51 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.56 65.114.109.56 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.56 10.1.9.56 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group PublicServers_access_in in interface PublicServers
route Outside 0.0.0.0 0.0.0.0 65.114.109.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
dns-server value 65.114.109.35 65.114.109.41
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGroup1_splitTunnelAcl
webvpn
group-policy remote2info internal
group-policy remote2info attributes
dns-server value 192.168.60.1 192.168.60.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote2info_splitTunnelAcl
webvpn
username TecXpert password 46GRhAP4rEiuTBVv encrypted privilege 15
username TecXpert attributes
vpn-group-policy VPNGroup1
webvpn
username administrator password QeFLSERcQLidAbeD encrypted privilege 15
username droberts password sFmLtvOypKeXXHu3 encrypted privilege 15
username droberts attributes
vpn-group-policy remote2info
webvpn
http server enable
http 10.1.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp PublicServers
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map Inside_map 65535 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp enable Inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp nat-traversal 30
tunnel-group VPNGroup1 type ipsec-ra
tunnel-group VPNGroup1 general-attributes
address-pool VPNPool
default-group-policy VPNGroup1
tunnel-group VPNGroup1 ipsec-attributes
pre-shared-key *
tunnel-group remote2info type ipsec-ra
tunnel-group remote2info general-attributes
address-pool VPNPool
default-group-policy remote2info
tunnel-group remote2info ipsec-attributes
pre-shared-key *
tunnel-group-map default-group remote2info
vpn-sessiondb max-session-limit 7
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect esmtp
inspect dns maximum-length 2048
!
service-policy global_policy global
Cryptochecksum: blah blah blah
: end
09-25-2010 12:21 AM
From your VPN client, you can only connect to the ASA outside IP address, which is 65.114.109.34. You can't connect to the router IP address because the router is not terminating the VPN tunnel.
1) Set the VPN Client to connect to 65.114.109.34.
2) Which tunnel-group did you use to connect to the VPN? VPNGroup1 or remote2info?
3) You also have "vpn-sessiondb max-session-limit 7" configured, which limits the number of VPN sessions to only 7. Can anyone connect at all? How many VPN sessions are connected when you try to connect? "show vpn-sessiondb summ" will give you the answer.
4) You would also need to allow the ipsec protocol on your group policy:
group-policy VPNGroup1 attributes
vpn-tunnel-protocol ipsec
group-policy remote2info attributes
vpn-tunnel-protocol ipsec
Lastly, not related to your VPN configuration: for the static NAT statements, you have configured 2 NAT statements for each host, which is incorrect.
Example:
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns
You would only need to configure the second line, and should remove the first line, as static NAT works bidirectionally. You should remove all the other ones as well: static (Outside,PublicServers).
Hope that helps.
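The two configuration points above (reverse-duplicate static NAT pairs, and group policies without vpn-tunnel-protocol) can be checked mechanically. The following is an added example written for this thread, not code from the poster or from Cisco; it runs over a constructed excerpt shaped like the ASA 7.0 config posted earlier and assumes the one-space indentation a real "show running-config" uses under interface and group-policy blocks. It generalizes the advice slightly: of each mirrored static pair it keeps the entry whose real interface has the higher security level.

```python
import re

# Constructed excerpt in the shape of the ASA 7.0 config posted in the thread
# (interface names, security levels and a few of the static pairs), not the
# whole config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif PublicServers
 security-level 20
interface Ethernet0/2
 nameif Inside
 security-level 90
static (Inside,Outside) 65.114.109.60 10.1.10.60 netmask 255.255.255.255 dns
static (Outside,Inside) 10.1.10.60 65.114.109.60 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns
static (Inside,PublicServers) 65.114.109.60 10.1.10.60 netmask 255.255.255.255
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
 dns-server value 65.114.109.35 65.114.109.41
 split-tunnel-policy tunnelspecified
group-policy remote2info internal
group-policy remote2info attributes
 vpn-tunnel-protocol ipsec
 dns-server value 192.168.60.1 192.168.60.1
"""

# ASA 7.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask (?P<mask>\S+)"
)


def security_levels(config):
    """Map nameif -> security-level, read from the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels


def redundant_statics(config):
    """Return static lines that merely restate another static in reverse.

    ASA static NAT is bidirectional, so a (B,A) real<->mapped entry duplicates
    the (A,B) mapped<->real entry. Of each mirrored pair, the entry whose real
    interface is the less trusted side is reported for removal.
    """
    levels = security_levels(config)
    entries = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            key = (m["real_ifc"], m["mapped_ifc"], m["mapped_ip"], m["real_ip"])
            entries[key] = line.strip()
    remove = []
    for (real_ifc, mapped_ifc, mapped_ip, real_ip), line in entries.items():
        mirror = (mapped_ifc, real_ifc, real_ip, mapped_ip)
        if mirror in entries and levels.get(real_ifc, 0) < levels.get(mapped_ifc, 0):
            remove.append(line)
    return remove


def policies_missing_tunnel_protocol(config):
    """Names of group-policies whose attributes block never sets vpn-tunnel-protocol."""
    seen, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            seen.setdefault(current, False)
            continue
        if current and line.startswith(" "):
            if line.strip().startswith("vpn-tunnel-protocol "):
                seen[current] = True
        else:
            current = None  # any non-indented line ends the attributes block
    return [name for name, ok in seen.items() if not ok]


if __name__ == "__main__":
    for line in redundant_statics(SAMPLE_CONFIG):
        print("remove:", line)
    for name in policies_missing_tunnel_protocol(SAMPLE_CONFIG):
        print("group-policy", name, "attributes -> add: vpn-tunnel-protocol ipsec")
```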
09-25-2010 12:36 AM
halijenn wrote:
From your VPN client, you can only connect to the ASA outside IP address, which is 65.114.109.34. You can't connect to the router IP address because the router is not terminating the VPN tunnel.
1) Set the VPN Client to connect to 65.114.109.34.
2) Which tunnel-group did you use to connect to the VPN? VPNGroup1 or remote2info?
3) You also have "vpn-sessiondb max-session-limit 7" configured, which limits the number of VPN sessions to only 7. Can anyone connect at all? How many VPN sessions are connected when you try to connect? "show vpn-sessiondb summ" will give you the answer.
4) You would also need to allow the ipsec protocol on your group policy:
group-policy VPNGroup1 attributes
vpn-tunnel-protocol ipsec
group-policy remote2info attributes
vpn-tunnel-protocol ipsec
Lastly, not related to your VPN configuration: for the static NAT statements, you have configured 2 NAT statements for each host, which is incorrect.
Example:
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns
You would only need to configure the second line, and should remove the first line, as static NAT works bidirectionally. You should remove all the other ones as well: static (Outside,PublicServers).
Hope that helps.
1) That was the original IP I had been trying. It never was able to get a successful connection. That's when I started trying the edge router [1700].
2) VPNGrp1 Was already there when I got to it, but all users were configured for/on remote2info.
3) I set max vpns specifically by request because of the tenacious misuse of VPNs we have had in the past...but anyways, it still does not work.
*There are only 5 regular vpn users at this time, with me as the 6th [administrator]. I think I omitted them from the configuration I posted.*
4) I can only use Remote Desktop to access the router via ASDM as things currently stand (hence why the VPNs are important!) - I have no local access for a while here.
5) Those static statements were in there before I was granted admin access to the device (previous admin retired). The thing is, the servers on that line are all Microsoft Bing and Bing Maps servers connected to a Catalyst 2960[?] and receive pretty regular traffic. I would be a little worried about breaking that link.
09-25-2010 12:51 AM
Okay, I enabled the IPSec on the group policy for remote2info.
I had the client set to use the correct IP, but I got error 401: unrecognized error (or 412: remote peer stopped responding). Here's the thing, though: I have to use the VPN client through a virtual machine (Windows XP Mode) on Windows 7 because the laptop I travel with is x64 and the client I have is x86. That wouldn't affect it, correct? If the VM can browse the internet and do Remote Desktop to the server with the ASDM, shouldn't the VPN work? It's bridged/captured the external [Windows 7] physical interface.
I can output a new running-config and show you if you need. I am online 24/7 (at least it seems so), which means I can reply nearly instantly to any posts here.
And on that note, I just want to say that I appreciate your time immensely. I don't know many people who have Cisco knowledge [I have up to CCNA 4 so far], so this forum was a shot in the dark for me. It's working out way better than I had hoped (much faster specifically). So...
Thank you!!!
09-25-2010 04:35 AM
You can also open a Cisco TAC case that would allow you to troubleshoot the issue with Cisco engineer over the phone/webex.
I assume that you are able to ping the ASA external interface, right?
Please kindly run the following debugs on ASA to better understand where exactly is the VPN connection failing:
debug cry isa
debug cry ipsec
Also on the VPN Client itself, turn on logging, and try to connect again to the ASA, and please share the logs from both ASA debug output and VPN Client.
Thanks.
09-25-2010 09:26 AM
Yea, I can ping the ASA from here.
Pinging 65.114.109.34 with 32 bytes of data:
Reply from 65.114.109.34: bytes=32 time=70ms TTL=241
Reply from 65.114.109.34: bytes=32 time=50ms TTL=241
Reply from 65.114.109.34: bytes=32 time=53ms TTL=241
Reply from 65.114.109.34: bytes=32 time=56ms TTL=241
Ping statistics for 65.114.109.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% los
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 70ms, Average = 57ms
This is from a DMZ enabled IP on a standard router.
I am not aware that I can run debug commands from the ASDM, so I will try to telnet to the ASA.
The Windows Server that has the ASDM is not connected to the console on the ASA, and it doesn't have HyperTerminal installed. Also, PuTTY is not working on it (at least via Remote Desktop), so I can't issue the debug commands. The soonest I would have physical access would be Monday, as I am away.
Here is the log from the client, with what I see might be client issues after all:
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 12:24:10.388 09/25/10 Sev=Info/4 CM/0x63100002
Begin connection process
2 12:24:10.418 09/25/10 Sev=Info/4 CM/0x63100004
Establish secure connection
3 12:24:10.418 09/25/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "65.114.109.34"
4 12:24:10.428 09/25/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 65.114.109.34.
5 12:24:10.438 09/25/10 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 12:24:10.448 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 65.114.109.34
7 12:24:10.518 09/25/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34
8 12:24:10.518 09/25/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 65.114.109.34
9 12:24:10.518 09/25/10 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
10 12:24:10.518 09/25/10 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
11 12:24:10.518 09/25/10 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
12 12:24:10.518 09/25/10 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
13 12:24:10.528 09/25/10 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
14 12:24:10.528 09/25/10 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
15 12:24:10.528 09/25/10 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)
16 12:24:10.528 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 65.114.109.34
17 12:24:10.528 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 65.114.109.34
18 12:24:10.528 09/25/10 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)
19 12:24:10.528 09/25/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4EF0E8528C759FED R_Cookie=AADF49C806234FFA) reason = DEL_REASON_IKE_NEG_FAILED
20 12:24:10.688 09/25/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
21 12:24:10.688 09/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
22 12:24:11.189 09/25/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=4EF0E8528C759FED R_Cookie=AADF49C806234FFA) reason = DEL_REASON_IKE_NEG_FAILED
23 12:24:11.189 09/25/10 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "65.114.109.34" because of "DEL_REASON_IKE_NEG_FAILED"
24 12:24:11.219 09/25/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
25 12:24:12.221 09/25/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
26 12:24:12.231 09/25/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
27 12:24:12.241 09/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
28 12:24:12.241 09/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
29 12:24:12.241 09/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 12:24:12.241 09/25/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
09-25-2010 09:38 AM
Hello,
Could you please check the group password configured on the client. Just make sure that the password on the ASA (i.e. the pre-shared key under the tunnel-group) and the group password on the client are the same.
09-25-2010 11:16 AM
Okay, I think I got it working. I don't know exactly WHY it's working, but I can connect now. I think that there was something wrong with the commands I sent to the ASDM. I'm used to the direct input of commands via CLI, not the ASDM. Anyway, here's the log after a connection attempt.
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
373 14:08:13.737 09/25/10 Sev=Info/4 CM/0x63100002
Begin connection process
374 14:08:13.797 09/25/10 Sev=Info/4 CM/0x63100004
Establish secure connection
375 14:08:13.797 09/25/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "65.114.109.34"
376 14:08:13.807 09/25/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 65.114.109.34.
377 14:08:13.807 09/25/10 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
378 14:08:13.807 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 65.114.109.34
379 14:08:13.877 09/25/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34
380 14:08:13.877 09/25/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 65.114.109.34
381 14:08:13.877 09/25/10 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
382 14:08:13.877 09/25/10 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
383 14:08:13.877 09/25/10 Sev=Info/5 IKE/0x63000001
Peer supports DPD
384 14:08:13.877 09/25/10 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
385 14:08:13.877 09/25/10 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
386 14:08:13.877 09/25/10 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
387 14:08:13.877 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 65.114.109.34
388 14:08:13.877 09/25/10 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
389 14:08:13.877 09/25/10 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0AB9, Remote Port = 0x1194
390 14:08:13.877 09/25/10 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
391 14:08:13.877 09/25/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
392 14:08:13.937 09/25/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34
393 14:08:13.937 09/25/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 65.114.109.34
394 14:08:13.937 09/25/10 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
395 14:08:13.937 09/25/10 Sev=Info/4 CM/0x63100015
Launch xAuth application
396 14:08:14.017 09/25/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
397 14:08:14.027 09/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
398 14:08:14.027 09/25/10 Sev=Info/6 IPSEC/0x6370002C
Sent 11 packets, 0 were fragmented.
399 14:08:16.591 09/25/10 Sev=Info/4 CM/0x63100017
xAuth application returned
400 14:08:16.591 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 65.114.109.34
401 14:08:16.721 09/25/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34
402 14:08:16.721 09/25/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 65.114.109.34
403 14:08:16.721 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 65.114.109.34
404 14:08:16.721 09/25/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
405 14:08:16.831 09/25/10 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
406 14:08:16.831 09/25/10 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
407 14:08:16.841 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 65.114.109.34
408 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34
409 14:08:16.902 09/25/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 65.114.109.34
410 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.1.11.100
411 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
412 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.60.1
413 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.168.60.1
414 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
415 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
416 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 0.0.0.0
mask = 0.0.0.0
protocol = 0
src port = 0
dest port=0
417 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
418 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 7.0(7) built by builders on Fri 06-Jul-07 10:37
419 14:08:16.902 09/25/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
420 14:08:16.912 09/25/10 Sev=Info/4 CM/0x63100019
Mode Config data received
421 14:08:16.952 09/25/10 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.1.11.100, GW IP = 65.114.109.34, Remote IP = 0.0.0.0
422 14:08:16.952 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 65.114.109.34
423 14:08:17.022 09/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
424 14:08:17.112 09/25/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34
425 14:08:17.122 09/25/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 65.114.109.34
426 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
427 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396 seconds from now
428 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 65.114.109.34
429 14:08:17.122 09/25/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 65.114.109.34
430 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
431 14:08:17.122 09/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 65.114.109.34
432 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D08FEEB7 OUTBOUND SPI = 0x17C4C8CE INBOUND SPI = 0x072C89E0)
433 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x17C4C8CE
434 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x072C89E0
435 14:08:17.272 09/25/10 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.4 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.4 192.168.1.4 20
192.168.1.4 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.4 192.168.1.4 20
224.0.0.0 240.0.0.0 192.168.1.4 192.168.1.4 20
255.255.255.255 255.255.255.255 192.168.1.4 192.168.1.4 1
436 14:08:17.953 09/25/10 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.1.11.100/255.255.255.0
DNS=192.168.60.1,192.168.60.1
WINS=0.0.0.0,0.0.0.0
Domain=
Split DNS Names=
437 14:08:17.963 09/25/10 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.4 20
10.1.11.0 255.255.255.0 10.1.11.100 10.1.11.100 20
10.1.11.100 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.1.11.100 10.1.11.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.4 192.168.1.4 20
192.168.1.4 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.4 192.168.1.4 20
224.0.0.0 240.0.0.0 10.1.11.100 10.1.11.100 20
224.0.0.0 240.0.0.0 192.168.1.4 192.168.1.4 20
255.255.255.255 255.255.255.255 10.1.11.100 10.1.11.100 1
255.255.255.255 255.255.255.255 192.168.1.4 192.168.1.4 1
438 14:08:17.973 09/25/10 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 20: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 10.1.11.100
Interface 10.1.11.100
439 14:08:17.973 09/25/10 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: a010b64, Gateway: a010b64.
440 14:08:17.993 09/25/10 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
441 14:08:17.993 09/25/10 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.11.100 10.1.11.100 1
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.4 20
10.1.11.0 255.255.255.0 10.1.11.100 10.1.11.100 20
10.1.11.100 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.1.11.100 10.1.11.100 20
65.114.109.34 255.255.255.255 192.168.1.1 192.168.1.4 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.4 192.168.1.4 20
192.168.1.0 255.255.255.0 10.1.11.100 10.1.11.100 20
192.168.1.1 255.255.255.255 192.168.1.4 192.168.1.4 1
192.168.1.4 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.4 192.168.1.4 20
224.0.0.0 240.0.0.0 10.1.11.100 10.1.11.100 20
224.0.0.0 240.0.0.0 192.168.1.4 192.168.1.4 20
255.255.255.255 255.255.255.255 10.1.11.100 10.1.11.100 1
255.255.255.255 255.255.255.255 192.168.1.4 192.168.1.4 1
442 14:08:17.993 09/25/10 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
443 14:08:18.273 09/25/10 Sev=Info/4 CM/0x6310001A
One secure connection established
444 14:08:18.454 09/25/10 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.1.4. Current hostname: VirtualXP-13158, Current address(es): 10.1.11.100, 192.168.1.4.
445 14:08:18.464 09/25/10 Sev=Info/4 CM/0x6310003B
Address watch added for 10.1.11.100. Current hostname: VirtualXP-13158, Current address(es): 10.1.11.100, 192.168.1.4.
446 14:08:18.464 09/25/10 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
447 14:08:18.464 09/25/10 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
448 14:08:18.464 09/25/10 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xcec8c417 into key list
449 14:08:18.474 09/25/10 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
450 14:08:18.474 09/25/10 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xe0892c07 into key list
451 14:08:18.474 09/25/10 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.1.11.100
452 14:08:18.474 09/25/10 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.1.4. SG: 65.114.109.34
453 14:08:18.474 09/25/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
Now, if no one sees anything abnormal about the above, I have another question or two.
1) Is it possible to add any kind of CSU/DSU expansion modules to the 5510? We have a CSU/DSU in the 1720 for one of our T1s. We have another one we want to add as a failover connection. There is only one connection on the 1720, but neither of the two expansion slots on the back of the ASA have anything in them. Where and what, if possible, would I be able to get cards to upgrade the ASA so I can retire the 1720? Or, is it possible to take the CSU out of the 1720 and install it into the ASA?
2) I still can't access the networked PCs and servers after I have connected. Any attempts at name resolution or local network discovery aren't working right (at least I think so). What is one way I can test to make sure that I have a working connection from the ASA into the internal network? (I don't know if that is descriptive enough)
Thanks for all the great support thus far!
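As an added example (not part of the post above, and not Cisco tooling), here is a small Python triage script for this kind of Cisco VPN Client log. It groups the numbered entries, decodes the bare hex addresses the CM module prints (c0a801ff is 192.168.1.255) and summarises what the negotiation produced, so the non-Info entries stand out from the surrounding noise. SAMPLE_LOG is a constructed excerpt of the log posted above.

```python
"""Triage a Cisco VPN Client (IPsec) log: group the numbered entries, surface the
non-Info ones and summarise what the negotiation produced.  Added example, not part
of the thread or of Cisco's tooling; SAMPLE_LOG is a constructed excerpt of the log above."""
import ipaddress
import re

# One header line per entry: "<seq> <time> <date> Sev=<sev>/<level> <module>/0x<code>"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)$")

SAMPLE_LOG = """\
432 14:08:17.122 09/25/10 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=D08FEEB7 OUTBOUND SPI = 0x17C4C8CE INBOUND SPI = 0x072C89E0)
436 14:08:17.953 09/25/10 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=10.1.11.100/255.255.255.0
DNS=192.168.60.1,192.168.60.1
WINS=0.0.0.0,0.0.0.0
438 14:08:17.973 09/25/10 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 20: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 10.1.11.100
Interface 10.1.11.100
439 14:08:17.973 09/25/10 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: a010b64, Gateway: a010b64.
443 14:08:18.273 09/25/10 Sev=Info/4 CM/0x6310001A
One secure connection established
452 14:08:18.474 09/25/10 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.1.4. SG: 65.114.109.34
"""


def parse_log(text):
    """Return a list of entries: header fields plus the message lines that follow each header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            e = m.groupdict()
            e["seq"], e["level"], e["lines"] = int(e["seq"]), int(e["level"]), []
            entries.append(e)
        elif entries and line.strip():
            entries[-1]["lines"].append(line.strip())
    return entries


def hex_ip(h):
    """The CM module logs addresses as big-endian hex without leading zeros (a010b64 = 10.1.11.100)."""
    return str(ipaddress.IPv4Address(int(h, 16)))


def summarize(entries):
    """Pull out the facts a responder checks first: assigned address, SPIs, gateway, warnings."""
    s = {"virtual_adapter_ip": None, "outbound_spi": None, "inbound_spi": None,
         "gateway": None, "established": False, "warnings": []}
    for e in entries:
        body = " ".join(e["lines"])
        if e["sev"] != "Info":
            # Expand 7-8 digit hex fields (followed by , or .) so the warning reads like the rest.
            text = re.sub(r"\b([0-9a-f]{7,8})\b(?=[,.])", lambda m: hex_ip(m.group(1)), body)
            s["warnings"].append((e["seq"], e["module"], text))
        m = re.search(r"OUTBOUND SPI = (0x[0-9A-Fa-f]+) INBOUND SPI = (0x[0-9A-Fa-f]+)", body)
        if m:
            s["outbound_spi"], s["inbound_spi"] = m.groups()
        m = re.search(r"\bIP=(\d+\.\d+\.\d+\.\d+)/", body)
        if m:
            s["virtual_adapter_ip"] = m.group(1)
        m = re.search(r"\bSG: (\d+\.\d+\.\d+\.\d+)", body)
        if m:
            s["gateway"] = m.group(1)
        if "secure connection established" in body:
            s["established"] = True
    return s


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

On the excerpt the only non-Info entries are 438 and 439: the client could not add a host route for the local broadcast address 192.168.1.255 through the virtual adapter (if the reported code 87 is a Win32 status, it is ERROR_INVALID_PARAMETER). Phase 1 and phase 2 both completed, the client was assigned 10.1.11.100 and the "secure connection established" entry is present, so the remaining reachability problem is on the ASA side of the tunnel rather than in the client negotiation.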
09-25-2010 05:23 PM
Great great improvement on the VPN Connectivity.. well done, Daniel.
To answer your 2 questions:
1) No, ASA does not support CSU/DSU expansion modules unfortunately hence you would still need to have the 1720 router.
2) The reason why you are not able to access the internal network from VPN is because you haven't configured the NAT exemption yet.
Here is how to configure it:
access-list PublicServers-nonat permit ip 10.1.9.0 255.255.255.0 10.1.11.0 255.255.255.0
nat (PublicServers) 0 access-list PublicServers-nonat
access-list Inside-nonat permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0
nat (Inside) 0 access-list Inside-nonat
Hope that helps.
09-25-2010 05:28 PM
Okay, I will try that now. I was told by a friend that the reason I was not able to use the internal services was that I'm "not using your internal dns server and also not logging into active directory". I have tried to set up the ASA to use the AD DNS server, but it doesn't seem to want to do it at all...
I will edit this when I finish up entering the configuration you posted.
EDIT: Okay, this didn't really work. We have a CRM system running on the network - accessible on http://crminternal - and I still cannot navigate to it. There are 4 branches off the ASA: the inside, outside, public servers, and other stuff. Most of it isn't necessary for the VPN users, only the internal Active Directory and such. I am uploading the most ridiculous network map of all time, but humor me and see if this makes things slightly clearer.
Message was edited by: Daniel Roberts
09-25-2010 06:39 PM
09-25-2010 06:52 PM
I don't see any routes on the ASA for all your internal networks, does this mean that ISA is performing PAT for all outbound connections?
If ISA is performing PAT for all outbound connections, then there are a few things that need to be done on the ISA as well as the ASA as follows:
1) On ISA, you would need to configure NAT exemption between the internal network subnets (192.168.60.0/24) towards the VPN Pool subnet (10.1.11.0/24).
2) On ISA, you would need to allow inbound connections if you have any ACL that blocks them.
3) On ASA, you would need to configure routes for all your internal network accordingly, for example: to access the 192.168.60.0/24 network as per your diagram, you would need to configure the following route:
route Inside 192.168.60.0 255.255.255.0 10.1.10.60
4) Lastly, on the ASA, if you have configured the NAT exemption as per my post earlier, then you would need to add the following ACL:
access-list Inside-nonat permit ip 192.168.60.0 255.255.255.0 10.1.11.0 255.255.255.0
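The two replies above (the NAT exemption at 05:23 PM and the route plus extra nonat ACE at 06:52 PM) describe checks that can be run mechanically against a saved running config. The Python script below is an added example, not part of the thread and not Cisco tooling: it parses the ASA 7.x nat 0, access-list, ip local pool, route and split-tunnel-network-list statements and reports, for each VPN pool and each interface that has a nat 0 ACL, which internal networks are exempted from NAT towards the pool, which pool/interface pairs have no exemption at all, whether a pool overlaps a connected or routed network, and whether every split-tunnel network is reachable through an interface or a static route. SAMPLE_CONFIG is a constructed subset of the running config posted in the thread; on it the script reports that VPNPool2 (192.168.60.30-50) has no exemption on any interface and overlaps the route to 192.168.60.0/24, while VPNPool is exempted on Inside and PublicServers as the replies intended.

```python
"""Check an ASA 7.x config for two remote-access VPN reachability pitfalls from the
thread: VPN-pool traffic not exempted from NAT (nat 0) on an inside interface, and
split-tunnel networks the ASA has no route to.  Added example, not Cisco tooling;
SAMPLE_CONFIG is a constructed subset of the running config posted in the thread."""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif PublicServers
 ip address 10.1.9.1 255.255.255.0
interface Ethernet0/2
 nameif Inside
 ip address 10.1.10.1 255.255.255.0
access-list management_nat0_outbound extended permit ip any 10.1.11.0 255.255.255.0
access-list remote2info_splitTunnelAcl standard permit 192.168.60.0 255.255.255.0
access-list PublicServers-nonat extended permit ip 10.1.9.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list Inside-nonat extended permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list Inside-nonat extended permit ip 192.168.60.0 255.255.255.0 10.1.11.0 255.255.255.0
ip local pool VPNPool 10.1.11.100-10.1.11.200 mask 255.255.255.0
ip local pool VPNPool2 192.168.60.30-192.168.60.50 mask 255.255.255.0
nat (PublicServers) 0 access-list PublicServers-nonat
nat (Inside) 0 access-list Inside-nonat
nat (management) 0 access-list management_nat0_outbound
route Outside 0.0.0.0 0.0.0.0 65.114.109.33 1
route Inside 192.168.60.0 255.255.255.0 10.1.10.60 1
group-policy remote2info attributes
 split-tunnel-network-list value remote2info_splitTunnelAcl
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(t, i):
    """Consume one ACE operand (any | host A | A M) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2


def parse_config(text):
    """Extract only the statements the reachability checks need (ASA 7.x syntax)."""
    cfg = {"interfaces": {}, "pools": {}, "nat0": {}, "ip_aces": defaultdict(list),
           "std_aces": defaultdict(list), "routes": [], "split_acls": set()}
    nameif = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            cfg["interfaces"][nameif] = _net(t[2], t[3])
        elif t[:3] == ["ip", "local", "pool"]:                 # name start-end mask M
            cfg["pools"][t[3]] = _net(t[4].split("-")[0], t[6])
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]               # identity NAT per interface
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(t, 5)
            cfg["ip_aces"][t[1]].append((src, _operand(t, i)[0]))
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            cfg["std_aces"][t[1]].append(ANY if t[4] == "any" else _net(t[4], t[5]))
        elif t[0] == "route":
            cfg["routes"].append((t[1], _net(t[2], t[3]), t[4]))
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acls"].add(t[2])
    return cfg


def nat_exemptions(cfg):
    """(interface, pool) -> internal source networks whose traffic to the pool bypasses NAT."""
    return {(iface, name): sorted(str(src) for src, dst in cfg["ip_aces"][acl] if pool.subnet_of(dst))
            for iface, acl in cfg["nat0"].items() for name, pool in cfg["pools"].items()}


def pool_overlaps(cfg):
    """Pools that collide with a connected or routed network (default route ignored)."""
    known = [("interface " + i, n) for i, n in cfg["interfaces"].items()] + \
            [("route " + i, n) for i, n, _ in cfg["routes"] if n.prefixlen]
    return [(name, where, str(n)) for name, pool in cfg["pools"].items()
            for where, n in known if pool.overlaps(n)]


def unrouted_split_networks(cfg):
    """Split-tunnel networks the ASA can reach neither directly nor via a static route."""
    reach = list(cfg["interfaces"].values()) + [n for _, n, _ in cfg["routes"] if n.prefixlen]
    return [(acl, str(net)) for acl in sorted(cfg["split_acls"]) for net in cfg["std_aces"][acl]
            if net.prefixlen and not any(net.subnet_of(r) for r in reach)]


def check(text):
    cfg = parse_config(text)
    ex = nat_exemptions(cfg)
    return {"exempted": ex, "missing_exemption": sorted(k for k, v in ex.items() if not v),
            "pool_overlaps": pool_overlaps(cfg), "unrouted_split": unrouted_split_networks(cfg)}
```

Calling check(SAMPLE_CONFIG) returns the four findings as plain data so they can be asserted in a test or printed. A pool that overlaps an internal subnet is worth flagging on its own: hosts in that subnet and VPN clients become indistinguishable to the routing table, independent of whether NAT exemption is in place.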
09-25-2010 06:59 PM
I think that InfoFIRE (the firewall) doesn't perform PAT. I think I made a mistake (again) in the diagram. The "DNS servers and such" all have 10.1.9.X IPs and the 10.1.10.1 interface is likely what's connected to InfoFIRE. As I said before, I am configuring all this by Remote Desktop to the server running the ASDM. In the diagram, this would be 'Server' (a fileserver). Remote Desktop works fine, and I added an exception to the Firewall when I first created the VPNs that *should* have allowed any and all VPN traffic through it bidirectionally (I think).
One minute while I remote in and make your suggested changes.
EDIT: Here is the new running config, and I will upload a screenshot of the ISA server configuration I made.
asdm image disk0:/asdm-507.bin
asdm location 10.1.11.0 255.255.255.0 Inside
asdm location 10.1.9.57 255.255.255.255 PublicServers
asdm location 10.1.9.58 255.255.255.255 PublicServers
asdm location 10.1.9.53 255.255.255.255 PublicServers
asdm location 10.1.9.56 255.255.255.255 PublicServers
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname InfoGrowASA
domain-name InfoGrow.invalid
enable password .X/yQ4L.WTBO0KZ7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 65.114.109.34 255.255.255.224
!
interface Ethernet0/1
 nameif PublicServers
 security-level 20
 ip address 10.1.9.1 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 90
 ip address 10.1.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd .X/yQ4L.WTBO0KZ7 encrypted
ftp mode passive
object-group service WebFTP tcp
 description HTTP HTTPS FTP SFTP
 port-object eq www
 port-object eq ssh
 port-object eq ftp
 port-object eq https
 port-object range 49898 49918
access-list Outside_access_in extended permit tcp any host 65.114.109.60 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq smtp
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq pop3
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 7777
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8181
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 8888
access-list Outside_access_in extended permit tcp any host 65.114.109.60 eq 9999
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.45 eq https
access-list Outside_access_in extended permit tcp any host 65.114.109.46 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.47 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.53 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.55 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.44 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.44 eq 9888
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ftp
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq ssh
access-list Outside_access_in extended permit tcp any host 65.114.109.47 eq 49898
access-list Outside_access_in extended permit tcp any host 65.114.109.49 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.54 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ftp
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq ssh
access-list Outside_access_in extended permit tcp any host 65.114.109.51 eq 49898
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq www
access-list Outside_access_in extended permit tcp any host 65.114.109.56 eq https
access-list Outside_access_in extended permit tcp any host 65.114.109.57 object-group WebFTP
access-list Outside_access_in extended permit tcp any host 65.114.109.58 object-group WebFTP
access-list management_nat0_outbound extended permit ip any 10.1.11.0 255.255.255.0
access-list VPNGroup1_splitTunnelAcl standard permit any
access-list PublicServers_access_in extended permit ip 10.1.9.0 255.255.255.0 any
access-list remote2info_splitTunnelAcl standard permit 192.168.60.0 255.255.255.0
access-list PublicServers-nonat extended permit ip 10.1.9.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list Inside-nonat extended permit ip 10.1.10.0 255.255.255.0 10.1.11.0 255.255.255.0
access-list Inside-nonat extended permit ip 192.168.60.0 255.255.255.0 10.1.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu PublicServers 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 10.1.11.100-10.1.11.200 mask 255.255.255.0
ip local pool VPNPool2 192.168.60.30-192.168.60.50 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 65.114.109.48
nat (PublicServers) 0 access-list PublicServers-nonat
nat (PublicServers) 10 10.1.9.13 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.100 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.101 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.102 255.255.255.255 dns
nat (PublicServers) 10 10.1.9.103 255.255.255.255 dns
nat (Inside) 0 access-list Inside-nonat
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 65.114.109.60 10.1.10.60 netmask 255.255.255.255 dns
static (Inside,PublicServers) 65.114.109.60 10.1.10.60 netmask 255.255.255.255
static (Outside,Inside) 10.1.10.60 65.114.109.60 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.45 65.114.109.45 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.45 10.1.9.45 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.58 65.114.109.58 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.58 10.1.9.58 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.47 65.114.109.47 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.47 10.1.9.47 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.55 65.114.109.55 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.55 10.1.9.55 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.44 65.114.109.44 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.44 10.1.9.44 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.46 65.114.109.46 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.46 10.1.9.46 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.53 65.114.109.53 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.53 10.1.9.53 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.49 65.114.109.49 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.49 10.1.9.49 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.54 65.114.109.54 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.54 10.1.9.54 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.51 65.114.109.51 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.51 10.1.9.51 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.56 65.114.109.56 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.56 10.1.9.56 netmask 255.255.255.255 dns
static (Outside,PublicServers) 10.1.9.57 65.114.109.57 netmask 255.255.255.255 dns
static (PublicServers,Outside) 65.114.109.57 10.1.9.57 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group PublicServers_access_in in interface PublicServers
route Outside 0.0.0.0 0.0.0.0 65.114.109.33 1
route Inside 192.168.60.0 255.255.255.0 10.1.10.60 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
 dns-server value 65.114.109.35 65.114.109.41
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGroup1_splitTunnelAcl
 webvpn
group-policy remote2info internal
group-policy remote2info attributes
 dns-server value 192.168.60.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote2info_splitTunnelAcl
 webvpn
username gwilliams password SVOBMaXej0VAEXTH encrypted privilege 0
username gwilliams attributes
 vpn-group-policy remote2info
 webvpn
username TecXpert password 46GRhAP4rEiuTBVv encrypted privilege 15
username TecXpert attributes
 vpn-group-policy remote2info
 webvpn
username bsullivan password tST/8Y1SJLxkg5bO encrypted privilege 0
username bsullivan attributes
 vpn-group-policy remote2info
 webvpn
username gseitzinger password Jsc.rB5RhoI7rH7v encrypted privilege 0
username gseitzinger attributes
 vpn-group-policy remote2info
 webvpn
username administrator password QeFLSERcQLidAbeD encrypted privilege 15
username droberts password sFmLtvOypKeXXHu3 encrypted privilege 15
username droberts attributes
 vpn-group-policy remote2info
 webvpn
username lbrown password pK9IlrpUffBnck.r encrypted privilege 15
username lbrown attributes
 vpn-group-policy remote2info
 webvpn
username sluc password s5jDKx5rAxzga.D3 encrypted privilege 0
username sluc attributes
 vpn-group-policy remote2info
 webvpn
http server enable
http 10.1.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp PublicServers
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map Inside_map 65535 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp enable Inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp nat-traversal 30
tunnel-group VPNGroup1 type ipsec-ra
tunnel-group VPNGroup1 general-attributes
 address-pool VPNPool
 default-group-policy VPNGroup1
tunnel-group VPNGroup1 ipsec-attributes
 pre-shared-key *
tunnel-group remote2info type ipsec-ra
tunnel-group remote2info general-attributes
 address-pool (Outside) VPNPool2
 address-pool VPNPool
 default-group-policy remote2info
 dhcp-server 192.168.60.12
tunnel-group remote2info ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group remote2info
vpn-sessiondb max-session-limit 7
telnet 0.0.0.0 0.0.0.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect esmtp
  inspect dns maximum-length 2048
!
service-policy global_policy global
Cryptochecksum:4c8a03d61da3d67b568a9b6d3a4b461a
: end