Assistance for correct config for VPN Hairpinning and Android native VPN

support · ‎03-03-2012

Hi there,

This is for an ASA 5505. I am trying to configure an AnyConnect and IPSec VPN connection and I think it's almost there but not quite yet. When I login from an outside network it gives me the following error for the SSL AnyConnect "The VPN client was unable to setup IP filtering" and "Secure VPN connection terminated by peer" for the IPSec. I previously had this working since Oct, but I was trying to modify it a little to accept LT2P for native Android VPN clients and that messed up everything that I had working perfectly. I checked everything as best as I could to try and match the previous settings but still can't get the darn thing to work. I am trying to also do Hairpinning, I want all VPN traffic to pass through this router... remote LAN and Internet traffic for times when I am at unfamiliar wifi hotspots and need to check email securely. I have included my running config for anyone to assist me with. I greatly appreciate any replies to get me on the right track. I also need some assistance to configure the ASA to accept native Android VPN connections. I read the most popular thread that worked for a few users but while doing those modifications that is where everything went downhill. Thank you.

------------------------------------------------------------------------------------------------------------------------------------------------

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.123.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa842-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 208.67.220.220

name-server 208.67.222.222

same-security-traffic permit intra-interface

object network obj-SSL-pool

subnet 192.168.132.0 255.255.255.0

object network obj-inside-LAN

subnet 192.168.123.0 255.255.255.0

nat (inside,outside) source static obj-inside-LAN obj-inside-LAN destination static obj-SSL-pool obj-SSL-pool

object network obj-SSL-internet

subnet 192.168.132.0 255.255.255.0

nat (outside,outside) dynamic interface

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp destination eq https

service-object tcp destination eq pptp

service-object tcp destination eq www

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object tcp destination eq https

service-object tcp destination eq pptp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 192.168.123.0 255.255.255.0

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.123.0 255.255.255.0 any

access-list ACL1 standard permit any

access-list ACL1 standard permit 192.168.123.0 255.255.255.0

access-list nat0 extended permit ip any 192.168.123.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLVPNpool 192.168.132.50-192.168.132.60 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 76.xxx.xx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.123.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd dns 208.67.220.220 208.67.222.222

dhcpd auto_config outside

!

dhcpd address 192.168.123.150-192.168.123.181 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable inside

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2

anyconnect enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelall

default-domain none

address-pools value SSLVPNpool

webvpn

anyconnect keep-installer installed

anyconnect ssl rekey time 30

anyconnect ssl rekey method ssl

anyconnect ask none default anyconnect

group-policy DfltGrpPolicy attributes

dns-server value 208.67.220.220 208.67.222.222

vpn-tunnel-protocol ssl-client

username Vxxxxx password ZyAw6vc2r45CIuoa encrypted

username Vxxxxx attributes

vpn-group-policy SSLVPN

vpn-tunnel-protocol ssl-client

username admin password 61Ltj5qI0f4Xy3Xwe26sgA== nt-encrypted privilege 15

username Sxxxxx password qvauk1QVzYCihs3c encrypted privilege 15

username Sxxxxx attributes

vpn-group-policy SSLVPN

vpn-tunnel-protocol ssl-client

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

address-pool (inside) SSLVPNpool

address-pool SSLVPNpool

default-group-policy SSLVPN

tunnel-group SSLVPN webvpn-attributes

group-alias SSLVPN_users enable

!

policy-map global-policy

class class-default

user-statistics accounting

!

service-policy global-policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:989735d558c9b1f3a3a8d7cca928c046

: end

Jennifer Halim · ‎03-07-2012

Hi Simeon,

Looks like it is computer specific instead of configuration on the ASA. Config of ASA looks ok.

Try to set the following services on your computer to be automatic: BFE (Base Filtering Engine) and try again.

support · ‎03-07-2012

Your suggestion worked along with modifying the local users VPN Group Policy. I was able to connect with the AnyConnect and IPSec. Thank you for your assitance and reply to my request. Were you able to find an answer for an Android device to connect with their native VPN Client. Their options are PPTP, L2TP, L2TP/IPSec, and L2TP/IPSec CRT. From the forum posts that I have reviewed, a few people configured their ASA to have it work with L2TP/IPSec but when I tried that I had no luck.

Thanks again.