ASA5505 and Windows 7 issue

kamalverma72
Level 1

My VPN works fine from Windows XP, but I am having a problem when I connect from a Win 7 machine. My VPN authenticates fine with Win 7, but I cannot reach my internal network. I cannot even ping the default gateway. Can somebody point me in the right direction?

My config is as below,

asa5505# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname asa5505
domain-name xyz.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd dMuVtP.Uz.Jtb7KT encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group 888
ip address pppoe setroute
!
interface Vlan4
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name xyz.com
access-list outside_access_in remark OWA
access-list outside_access_in extended permit tcp any interface outside eq https
--
--
--
--
access-list xyz_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.16.1.0 255.255.255.192
pager lines 24
mtu inside 1500
mtu outside 1454
mtu dmz 1500
ip local pool VPN 10.16.1.1-10.16.1.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 10.20.0.9 81 netmask 255.255.255.255
--
--
--
--
access-group outside_access_in in interface outside
route inside 10.0.50.0 255.255.255.0 10.20.0.1 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.20.0.30 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.20.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group 888 request dialout pppoe
vpdn group 888 localname aaabbb@888.com
vpdn group 888 ppp authentication pap
vpdn username aaabbb@888.com password *********

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy xyz internal
group-policy xyz attributes
dns-server value 10.20.0.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xyz_splitTunnelAcl
default-domain value xyz.local
username asa5505 password UewZBds1Zzaa5ROj. encrypted
username GGG password dCUEvOdUg38hk0Q.d encrypted
username GGG attributes
vpn-group-policy xyz
username HHH password C8yc4UdzfJEJWqggS encrypted privilege 0
username HHH attributes
vpn-group-policy xyz
username aaa password Jp2oZ9d9vH67eRuei encrypted privilege 0
username aaa attributes
vpn-group-policy xyz
username cisco password v1CQ9dM6JU/VGAOlT encrypted privilege 15
tunnel-group xyz type remote-access
tunnel-group xyz general-attributes
address-pool VPN
default-group-policy xyz
tunnel-group xyz ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8e48f50db8b2e5ac5a88252b633e64a6
: end
asa5505#

3 Replies

kamalverma72
Level 1

No one?

Hi,

I just discussed this kind of problem in another topic.

First you should look at the Statistics of the VPN connection while connected. Try some connections before you check the statistics.

The Statistics page of the VPN Client that I'm talking about is the one below:

Please provide the above output when you have tried your VPN Client connection.

What we are trying to check is whether any traffic is being forwarded to the VPN connection. If traffic is going to the tunnel, we could check that there's return traffic for those connections.

One thing to consider also is any firewall software. When installing the VPN Client, the ideal situation would be to have no firewall software on the computer. After the VPN Client is installed you could install the firewall software again.

One problem with Win7 and Cisco IPsec VPN Client is also wireless network adapters/cards that are attached to the computer. You usually can connect the VPN but traffic will not go through the VPN tunnel.

- Jouni

Thanks Jouni

I have done the VPN connection from a Windows 7 machine and noticed that sent traffic is increasing but received traffic is not changing at all.

I have also tried stopping the firewall on my computer, but it did not help.

But when I try the connection from Windows XP, both sent and received traffic change during the connection.
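
Added example, not part of the thread: the ASA-side counterpart of the client statistics check discussed above. It parses `show crypto ipsec sa` output and reports, per VPN client, which direction of the tunnel is carrying no packets; the sample output is constructed with placeholder addresses, and the verdict wording is this example's own.

```python
import re

# Constructed, trimmed sample of ASA `show crypto ipsec sa` output.
# Peer addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 192.0.2.1
      remote ident (addr/mask/prot/port): (10.16.1.1/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: client-a
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
      remote ident (addr/mask/prot/port): (10.16.1.2/255.255.255.255/0/0)
      current_peer: 203.0.113.9, username: client-b
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      remote ident (addr/mask/prot/port): (10.16.1.3/255.255.255.255/0/0)
      current_peer: 203.0.113.50, username: client-c
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# One match per SA: client pool address, then the encaps and decaps counters.
SA_RE = re.compile(
    r"remote ident[^\n]*?\((\d+\.\d+\.\d+\.\d+)/.*?"
    r"#pkts encaps: (\d+).*?#pkts decaps: (\d+)",
    re.S,
)

def diagnose(output):
    """Return {client_ip: verdict} for every SA found in the output."""
    verdicts = {}
    for ip, encaps, decaps in SA_RE.findall(output):
        encaps, decaps = int(encaps), int(decaps)
        if encaps and decaps:
            verdicts[ip] = "ok: packets in both directions"
        elif decaps:
            # ASA decrypts client traffic but never encrypts a reply.
            verdicts[ip] = "return path: check inside routing and NAT exemption"
        elif encaps:
            verdicts[ip] = "inbound path: ASA sends, nothing arrives from client"
        else:
            # Client may count packets as sent while none reach the ASA.
            verdicts[ip] = "inbound path: no ESP from client reaches the ASA"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in diagnose(SAMPLE).items():
        print(ip, "->", verdict)
```

The counters are cumulative per SA, so take the output while the client is pinging an inside host and compare two runs a few seconds apart.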