ASA 5505 VPN ikev1 bind error

wchestnutt
Level 1

Hello,

 

I previously had set up our VPN using IPsec on our ASA 5505 via the ASDM. This was working fine until a power outage lost my settings on the device (possibly a save command not being pressed).

 

Now when I try and set it up again I am receiving a port bind error. I set up as normal using the wizard, and enable split tunnelling and exempt the Inside Network.

 

The error I am getting when applying the settings is:

 

"[ERROR] crypto ikev1 enable outside
IkevReceiverInit, unable to bind port"

 

When I try and connect to the VPN I am then getting an error "server cannot be reached" or something similar to that.

 

Could someone please shed some light on what may be causing this issue?

 

Best regards,

 

William.

Accepted Solution

Hello,

 

Thanks for the information!

 

We will need to find out why that host is using UDP 4500 and if that host really needs to use that port.

 

What type of application is running on that host?

Is that an internal or external host?

 

You could also block the host on the ASA on the incoming interface to avoid the use of port UDP 4500 using an access-group (outside or inside). Remember that you will need a permit ip any any at the end of the ACL to avoid any issue. Another option would be to use IPsec/IKEv1 over TCP.

 

IPsec/IKEv1 over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or IKEv1 cannot function or can function only with modification to existing firewall rules. IPsec over TCP encapsulates both the IKEv1 and IPsec protocols within a TCP-like packet and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default.

 

The default port is 10000.

 

hostname(config)# crypto ikev1 ipsec-over-tcp

 

You also will need to enable it on the VPN client under the profile. 

Modify > Transport > IPSec over TCP. 

 

I hope this helps,

 

Luis. 

 


6 Replies

Santhosha Shetty
Cisco Employee

Hi William,

 

Could you please attach the running config from the device? Also try and execute the same command on the CLI of the ASA.

 

Regards,

Shetty

 

Hello, here is the running config. I have tried clearing the xlate, but port 4500 seems to jump back into the list within a few seconds, so I don't have time to set up the VPN!

Any advice on this would be much appreciated

 

Kind regards,

 

Result of the command: "show run"

: Saved
:
ASA Version 9.1(3)
!
hostname Nine23ASA
domain-name WORKGROUP
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool VPN_POOL_1 192.168.0.10-192.168.0.25 mask 255.255.255.0
ip local pool POOL_SUBNET_2 192.168.10.0-192.168.10.20 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name WORKGROUP
object network 192.168.0.234
 host 192.168.0.234
 description Training Web Server
object network 192.168.0.248
 host 192.168.0.248
 description FTP1 Server
object network 192.168.0.238
 host 192.168.0.238
 description MobileIron Appliance
object network network_obj_public_ip_2
 host xxx.xxx.xxx.xxx
 description Secondary Public IP Address
object network object_outside_pat
 subnet 192.168.0.0 255.255.255.0
 description Inside to Outside PAT
object network NETWORK_OBJ_192.168.0.0_27
 subnet 192.168.0.0 255.255.255.224
object-group network network_obj_group_ftpservers
 description Network Object Group containing FTP Servers
 network-object object 192.168.0.248
object-group network network_obj_group_webservers
 description Network Object Group containing Web Servers
 network-object object 192.168.0.234
object-group service tcp_service_group_MobileIron_Ports tcp
 description Service Object Group containing MobileIron ports
 port-object eq 8080
 port-object eq 9997
 port-object eq 9998
 port-object eq www
 port-object eq https
access-list outside_access_in remark Access rule that permits inbound FTP access to FTP servers
access-list outside_access_in extended permit tcp any object-group network_obj_group_ftpservers eq ftp
access-list outside_access_in remark Access rule permits inbound HTTP access to Web Servers
access-list outside_access_in extended permit tcp any object-group network_obj_group_webservers eq www
access-list outside_access_in remark Access rule that permits inbound access to MobileIron
access-list outside_access_in extended permit tcp any object 192.168.0.238 object-group tcp_service_group_MobileIron_Ports
access-list Nine23_VPN_5_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Nine23_VPN_1_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Nine23_VPN_5_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static any any destination static NETWORK_OBJ_192.168.0.0_27 NETWORK_OBJ_192.168.0.0_27 no-proxy-arp route-lookup
!
object network 192.168.0.234
 nat (inside,outside) static interface service tcp www www
object network 192.168.0.248
 nat (inside,outside) static interface service tcp ftp ftp
object network 192.168.0.238
 nat (inside,outside) static network_obj_public_ip_2
object network object_outside_pat
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
snmp-server host outside xxx.xxx.xxx.xxx community *****
snmp-server host outside xxx.xxx.xxx.xxx community *****
snmp-server host outside xxx.xxx.xxx.xxx community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.0.200-192.168.0.250 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
group-policy Nine23_VPN_5 internal
group-policy Nine23_VPN_5 attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1
 default-domain value WORKGROUP
username wchestnutt password o6h4/GadEenOobIH encrypted privilege 0
username wchestnutt attributes
 vpn-group-policy DfltGrpPolicy
username admin password k6ejnWfgRfwZcojn encrypted privilege 15
username agossage password EnfxhNuOKRuvHaxy encrypted privilege 0
username agossage attributes
 vpn-group-policy DfltGrpPolicy
username dbrindley password KX4DZUuTEJ6Bg/wW encrypted privilege 0
username dbrindley attributes
 vpn-group-policy DfltGrpPolicy
username nbeet password HRnT9pMoT6Rf6Fnh encrypted privilege 0
username nbeet attributes
 vpn-group-policy DfltGrpPolicy
username amckean password 0dGcS8RjxhaTBeAR encrypted privilege 0
username amckean attributes
 vpn-group-policy DfltGrpPolicy
username ithomson password MBXNlDQUshVpuBp3 encrypted privilege 0
username ithomson attributes
 vpn-group-policy DfltGrpPolicy
username mservice password 7HrGbA5fHZFBMDSC encrypted privilege 0
username mservice attributes
 vpn-group-policy DfltGrpPolicy
username smckean password kDoqRbPlJcnb2QIX encrypted privilege 0
username smckean attributes
 vpn-group-policy DfltGrpPolicy
username clenaghan password k6Ez/N9p1zGn1GUe encrypted privilege 0
username clenaghan attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group Nine23_VPN_5 type remote-access
tunnel-group Nine23_VPN_5 general-attributes
 address-pool VPN_POOL_1
 default-group-policy Nine23_VPN_5
tunnel-group Nine23_VPN_5 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3fc8360df9b1030aea473679749306f4
: end

 


Thank you Luis, I will give this a shot on Monday. I am not sure what is being used by 4500! Strange...

 

best regards,

 

William.

Hello Luis,

 

Thank you for the help. I managed to stop that host from using the port and managed to establish my VPN policy properly!

 

Now I have another issue though... I can't connect to the File Server when I am connected to the VPN! This worked last time, so I am not sure what has gone wrong.

 

I have set up a VPN to the Inside network and given the IP address pool the same subnet range (and also tried giving it a different subnet, and also terminating on the outside network). Nothing seems to allow me to connect! I am unable to ping the File Server even though I get given a local IP address! Any ideas? Here is my running config....

 

Result of the command: "show run"

: Saved
:
ASA Version 9.1(3)
!
hostname Nine23ASA
domain-name WORKGROUP
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool VPN_POOL_1 192.168.0.10-192.168.0.25 mask 255.255.255.0
ip local pool POOL_SUBNET_2 192.168.10.0-192.168.10.20 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.92 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name WORKGROUP
object network 192.168.0.234
 host 192.168.0.234
 description Training Web Server
object network 192.168.0.248
 host 192.168.0.248
 description FTP1 Server
object network 192.168.0.238
 host 192.168.0.238
 description MobileIron Appliance
object network network_obj_public_ip_2
 host 111.111.111.73
 description Secondary Public IP Address
object network object_outside_pat
 subnet 192.168.0.0 255.255.255.0
 description Inside to Outside PAT
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_27
 subnet 192.168.10.0 255.255.255.224
object-group network network_obj_group_ftpservers
 description Network Object Group containing FTP Servers
 network-object object 192.168.0.248
object-group network network_obj_group_webservers
 description Network Object Group containing Web Servers
 network-object object 192.168.0.234
object-group service tcp_service_group_MobileIron_Ports tcp
 description Service Object Group containing MobileIron ports
 port-object eq 8080
 port-object eq 9997
 port-object eq 9998
 port-object eq www
 port-object eq https
access-list outside_access_in remark Access rule that permits inbound FTP access to FTP servers
access-list outside_access_in extended permit tcp any object-group network_obj_group_ftpservers eq ftp
access-list outside_access_in remark Access rule permits inbound HTTP access to Web Servers
access-list outside_access_in extended permit tcp any object-group network_obj_group_webservers eq www
access-list outside_access_in remark Access rule that permits inbound access to MobileIron
access-list outside_access_in extended permit tcp any object 192.168.0.238 object-group tcp_service_group_MobileIron_Ports
access-list Nine23_VPN_5_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
!
object network 192.168.0.234
 nat (inside,outside) static interface service tcp www www
object network 192.168.0.248
 nat (inside,outside) static interface service tcp ftp ftp
object network 192.168.0.238
 nat (inside,outside) static network_obj_public_ip_2
object network object_outside_pat
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.89 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
snmp-server host outside 111.111.68.57 community *****
snmp-server host outside 111.111.70.34 community *****
snmp-server host outside 111.111.85.40 community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.0.200-192.168.0.250 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy Nine23_VPN_5 internal
group-policy Nine23_VPN_5 attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Nine23_VPN_5_splitTunnelAcl
username wchestnutt password o6h4/GadEenOobIH encrypted privilege 0
username wchestnutt attributes
 vpn-group-policy Nine23_VPN_5
username admin password k6ejnWfgRfwZcojn encrypted privilege 15
username agossage password EnfxhNuOKRuvHaxy encrypted privilege 0
username dbrindley password KX4DZUuTEJ6Bg/wW encrypted privilege 0
username nbeet password HRnT9pMoT6Rf6Fnh encrypted privilege 0
username amckean password 0dGcS8RjxhaTBeAR encrypted privilege 0
username ithomson password MBXNlDQUshVpuBp3 encrypted privilege 0
username mservice password 7HrGbA5fHZFBMDSC encrypted privilege 0
username smckean password kDoqRbPlJcnb2QIX encrypted privilege 0
username clenaghan password k6Ez/N9p1zGn1GUe encrypted privilege 0
tunnel-group Nine23_VPN_5 type remote-access
tunnel-group Nine23_VPN_5 general-attributes
 address-pool POOL_SUBNET_2
 default-group-policy Nine23_VPN_5
tunnel-group Nine23_VPN_5 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:78b1f090d33c5976cdcce54b931745fa
: end

laramire2
Level 1

Hi William,

Please check the xlate table and make sure that you do not have any NAT entry using UDP 500. The cause of the error can be that a client behind the ASA gets NAT'd to UDP port 500 before ISAKMP is enabled on the interface. If you have one, please remove it (clear xlate); then you will be able to enable ISAKMP again.

You could check if any translation is using port UDP 500 using the command show xlate | in 500.

Once you find the translation you could use the clear xlate command. However, this will clear all the translations. You could use the command clear xlate local x.x.x.x to be more specific.

 

Note: Always make sure that UDP 500 and 4500 port numbers are reserved for the negotiation of ISAKMP connections with the peer.

 

I hope this helps,

 

Luis.
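The full sequence that Luis describes across his two replies (find and clear the translation holding UDP 500/4500, then either keep the inside host off those ports with an ACL or move the client to IPsec over TCP), written out as an added worked example that is not part of the original thread. The inside host 192.168.0.50, the ACL name inside_access_in and the "show xlate" output line are assumptions constructed for illustration; the command syntax is ASA 9.1 as in William's config.

```cisco
! Added example, not from the original thread. Constructed for illustration:
! host 192.168.0.50, ACL name inside_access_in and the xlate output line are
! assumptions; command syntax is ASA 9.1.

! 1. Find which inside host holds a PAT translation on an IKE port.
!    Both UDP 500 and UDP 4500 must be free before IKEv1 can bind to them.
Nine23ASA# show xlate | include /500
Nine23ASA# show xlate | include /4500
UDP PAT from inside:192.168.0.50/4500 to outside:111.111.111.92/4500 flags ri idle 0:00:02 timeout 0:00:30

! 2. Clear only that host's translations instead of the whole table.
Nine23ASA# clear xlate local 192.168.0.50

! 3. Option A: stop the host from taking the port again. Applying an
!    access-group to the inside interface replaces the implicit permit from
!    inside to outside, so the trailing "permit ip any any" is required or all
!    other inside traffic stops.
Nine23ASA(config)# access-list inside_access_in extended deny udp host 192.168.0.50 any eq 500
Nine23ASA(config)# access-list inside_access_in extended deny udp host 192.168.0.50 any eq 4500
Nine23ASA(config)# access-list inside_access_in extended permit ip any any
Nine23ASA(config)# access-group inside_access_in in interface inside

! 4. Re-run the command that failed; it binds now that the ports are free.
Nine23ASA(config)# crypto ikev1 enable outside

! 5. Option B instead of A: carry IKEv1 and ESP inside TCP 10000 so the UDP
!    ports no longer matter to the client. The VPN client profile must also be
!    set to Transport > IPSec over TCP on the same port.
Nine23ASA(config)# crypto ikev1 ipsec-over-tcp port 10000

! 6. Verify, then save so the change survives the next power loss.
Nine23ASA(config)# show running-config crypto ikev1 | include enable
crypto ikev1 enable outside
Nine23ASA(config)# write memory
```

Clearing the translation alone only buys a window: as William saw, a host that keeps sending on UDP 4500 re-creates the PAT entry within seconds, so step 3 (or stopping the application on that host) has to be in place before step 4 will succeed reliably.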