Cisco ASA5505 vpn client access setup

alamb200
Level 1

Hi,

I want to set up our ASA5505 firewall to allow access from the Cisco VPN Client software; can anyone help?

I have installed the client software, then tried using the VPN wizard to set up the connection, without success. I am running Windows 7 32 bit and Cisco client 5.0.03.0530; the log messages I get on the client are:

Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      10:52:25.490  04/12/11  Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified

2      10:52:25.490  04/12/11  Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

3      10:52:25.490  04/12/11  Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)

4      10:52:25.490  04/12/11  Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

I have removed all the settings I had in place after this, thinking I had made a mistake, so I do not have anything set up for this now.

Can anyone help?

Thanks,

alamb200

22 Replies

alamb200
Level 1

I have made some progress with this: I can now connect my VPN Client, but when I do I lose all remote connections and I am still unable to ping the remote network.

Hi,

It appears that you have issues with your split tunneling configuration. Post your ASA configuration; someone will be able to assist with your issue.

Thx

MS

I have attached my config to see if that helps.

I did not set this box up, and my experience of Cisco devices was 7 years ago using a PIX firewall, so if there are any mistakes please let me know how I can sort them out.

The VPN tunnel I have tried to set up is prestige_remote; the others were there before me.

Thanks,

alamb200

Hi Alamb200

I've checked your config and I will suggest a couple of things:

If you are trying to use Split Tunnel, the first thing you have to define is what kind of traffic to encrypt. According to your ACLs you are encrypting all the traffic from the Remote Client:

access-list Prestige_Remote_splitTunnelAcl standard permit any

I suggest you use this ACL specifying the traffic like this:

access-list Prestige_Remote_splitTunnelAcl standard permit 192.168.215.0 255.255.255.0

This way the traffic that does not match will not be encrypted, which improves the use of your VPN tunnel, in case you want to split the tunnel.

Also, if you want to split the tunnel, add the split-tunnel commands to the group-policy like this:

group-policy prestige_remote internal

group-policy prestige_remote attributes

dns-server value 192.168.215.2

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Prestige_Remote_splitTunnelAcl

default-domain value prestige.ad

In your user's attributes add these lines:

username alamb200 attributes

vpn-group-policy prestige_remote

vpn-tunnel-protocol IPSec

One last recommendation, try to use another subnet for the VPN remote clients instead of the same subnet of your inside interface.

I have some questions and requests:

Can you get an IP assigned to your Remote Client? Is that IP consistent with the pool you defined?

Could you please debug the negotiation process from the ASA perspective and attach the results?

Regards

Hi,

Thanks for the reply. Do I need to remove any lines from the config first before I add these?

If so, which ones, and at the risk of being a complete idiot, how? It has been years since I have worked with Cisco, so I am out of my depth at the moment.

Thanks,


Alamb200

hi,

No worries. To begin with you only have to add lines, the ones I highlighted in my post above; the only line to remove should be the one in the ACL for the split tunnel, but if you don't want to delete anything, try deactivating the ACL line and adding the new one.

try this:

access-list Prestige_Remote_splitTunnelAcl standard permit any inactive

access-list Prestige_Remote_splitTunnelAcl standard permit 192.168.254.0 255.255.255.0

In case you want to roll back the changes on the ACL, do this:

access-list Prestige_Remote_splitTunnelAcl standard permit any

no access-list Prestige_Remote_splitTunnelAcl standard permit 192.168.254.0 255.255.255.0

You can also use the ASDM; it is more intuitive.

Also, please answer me: what kind of tests have you done?

Is the problem only with the ping or also with the applications?

Regards,

Hi,

I tried pinging the server for a start, but that failed, so I checked the status of my VPN connection and the IP address was not correct.

I had originally tried to use a different IP address range, the 192.168.1.0 range, but thought that must be wrong, so I changed this to use the same range as the internal network. Normally I use SonicWall firewalls, and with their VPN Client the PC picks up its IP address from the DHCP server, but I could not see any way to set this up, which is why I added the second IP address scope.

Also when I try to connect using the VPN Client all my connections to remote systems die as well.

Thanks,

alamb200

Hi,

I thought you said that you could connect the client (your second post).

Did you do the changes I proposed to you?

I will check out your config again to see what could generate problems.

Regards

Hi,

Just to clarify, when I tried using the client I was asked for my user name and password and it told me I had connected, but I could not contact anything on the local network.

I have tried adding the "split-tunnel-policy tunnelspecified" line and got a message back saying:

Result of the command: "split-tunnel-policy tunnelspecified"

split-tunnel-policy tunnelspecified
^
ERROR: % Invalid input detected at '^' marker.

I am accessing the device using the ASDM but then using the command line interface from within there; is this the correct way?

I tried a straight telnet to the device without any success.

Thanks,

alamb200

Hi,

Try this approach in order to enter the commands through the ASDM --> Command Line Interface (look at the attached image).

When you get there, check the "Multiple Line" button and then paste this template exactly as it's shown here:

conf t

no access-list Prestige_Remote_splitTunnelAcl standard permit any

access-list Prestige_Remote_splitTunnelAcl standard permit 192.168.254.0 255.255.255.0

group-policy prestige_remote internal

group-policy prestige_remote attributes

dns-server value 192.168.215.2

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Prestige_Remote_splitTunnelAcl

default-domain value prestige.ad

username alamb200 password BppxaA3gtoJDdaMayJPVCQ== nt-encrypted privilege 15

username alamb200 attributes

vpn-group-policy prestige_remote

vpn-tunnel-protocol IPSec l2tp-ipsec

Maybe it says there is duplicated information. Once you have this configured, try "sho run" and check that the commands above have been configured.

Don't write to the startup-config until you have tested the behaviour of the new commands.

By the way, the ASDM has a built-in sniffer; could you please try to connect and look at the packets that come from the IP assigned to your remote VPN client?

Regards.
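As an added example that is not part of the thread, these are the CLI checks a practitioner would run on the ASA itself to answer the questions raised above (Phase 1 state, the address and group policy the client actually received, whether traffic is being encrypted in both directions, and a capture on the inside interface as the CLI equivalent of the ASDM sniffer). The subnets (LAN 192.168.254.0/24, pool 192.168.1.0/24) and the username are taken from the thread; the capture name VPNCAP and the host addresses in the packet-tracer line are assumptions for illustration.

```cisco
! Run from the ASA enable prompt while the client is connecting.
! Addresses assumed: LAN 192.168.254.0/24, VPN pool 192.168.1.0/24.

! 1. Did Phase 1 complete? The Cisco VPN Client uses aggressive mode, so a
!    healthy entry shows State : AM_ACTIVE. No entry at all means IKE never
!    finished, which is where the "invalid group password" warning belongs.
show crypto isakmp sa

! 2. What did the client actually get: assigned address, group policy,
!    tunnel group, and whether split tunneling was applied?
show vpn-sessiondb remote
show vpn-sessiondb detail remote filter name alamb200

! 3. Is traffic flowing both ways? Watch "#pkts decaps" (from the client)
!    against "#pkts encaps" (back to the client). Decaps rising while
!    encaps stays at zero means the LAN replies never reach the tunnel,
!    typically a missing NAT exemption or a missing return route.
show crypto ipsec sa

! 4. Simulate a LAN host replying to a VPN client and confirm the packet is
!    allowed and exempt from NAT (hypothetical hosts .10 on each side).
packet-tracer input inside icmp 192.168.254.10 0 0 192.168.1.10

! 5. Capture LAN <-> pool traffic on the inside interface (CLI equivalent of
!    the ASDM sniffer), then remove the capture when done.
capture VPNCAP interface inside match ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
show capture VPNCAP
no capture VPNCAP

! 6. Only if step 1 shows no SA: trace the IKE negotiation, and switch the
!    debug off again afterwards, since it is verbose on a busy box.
debug crypto isakmp 127
undebug all
```

The order matters: if step 1 shows no active SA there is no point looking at NAT or captures, because the client never authenticated to the tunnel group; if step 3 shows decaps but no encaps, the problem is on the LAN side of the ASA (NAT exemption or routing), not in the VPN configuration.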

Hi Jose,

I have entered the settings and there was one error, but I checked and it looked okay to me.

When I tried connecting with the client it errored straight away, so I recreated the connection in the client and it connected, but I was still unable to ping the server using the client.

I have attached the running config and some details from the VPN client; I will see if I can find my way around the packet sniffer enough to get some details for you.

Thanks,

alamb200

Hi,

Let's try a new approach. By now the split tunnel should work; that means that you can get Internet access from your home network, and only the traffic to 192.168.254.0 should be encrypted and sent through the VPN tunnel.

I think we should try this:

- Change the local pool for the VPN clients. This is useful because you can manage the ACLs and the diagnostics for the VPN clients separately from the LAN clients (use the already defined pool named: "ip local pool DHCP_Pool 192.168.1.0-192.168.1.255 mask 255.255.255.0").

- Make the traffic from any place to the VPN clients' address pool not use NAT. This way all the traffic from the LAN to the VPN clients can pass through the ASA without address translation (I think this is done already by means of this line: "access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0").

In order to achieve the configuration, do the following in the ASDM --> Command Line Interface:

conf t

tunnel-group prestige_remote general-attributes

no address-pool Prestige

address-pool DHCP_Pool

Once you do that, check that the VPN client can connect to the ASA and that the IP it gets assigned belongs to the DHCP_Pool (192.168.1.0).

If the VPN tunnel is correct, then try not only the "ping" to the remote servers but also the applications themselves, to see if the problem is only with the ICMP protocol or with TCP/UDP traffic as well.

Regards,

PS: In case you like, this is my MSN: jose_hurtado@hotmail.com (if you want to add me, tell me who you are so I can accept your request).
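The advice in this thread arrives in pieces across several posts (a specific split-tunnel ACL instead of "permit any", the group-policy attributes, a client pool on a subnet separate from the LAN, and NAT exemption for LAN-to-pool traffic). As an added example, not a configuration posted in the thread, this is the complete remote-access configuration those pieces add up to, written in ASA 8.2 syntax because the thread's "nat 0 access-list" style exemption is pre-8.3. Assumptions, not taken from the thread: the inside LAN is 192.168.254.0/24 behind an interface named "inside", the pool is carved from 192.168.1.0/24, the object names VPN_POOL, SPLIT_TUNNEL, INSIDE_NAT0, OUTSIDE_DYN and OUTSIDE_MAP are mine, and the two CHANGE-ME secrets are placeholders. The DNS server and domain are the ones the thread pushes to the client.

```cisco
! Assumed: inside LAN 192.168.254.0/24 on interface "inside", ASA 8.2 NAT syntax.

! 1. Client pool on its own subnet, deliberately not overlapping the LAN, so
!    pool traffic can be matched in ACLs, NAT and captures on its own.
ip local pool VPN_POOL 192.168.1.10-192.168.1.100 mask 255.255.255.0

! 2. Split-tunnel ACL: only these destinations are sent through the tunnel.
!    Everything else (Internet, the user's home LAN) stays local, which is
!    why the client stops losing its other connections when the tunnel comes up.
!    The DNS server pushed below (192.168.215.2) must fall inside one of
!    these networks, or name lookups from the client will never use the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.254.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.215.0 255.255.255.0

! 3. NAT exemption: LAN <-> pool traffic must not be translated in either
!    direction, otherwise replies from the LAN come back with the wrong source.
access-list INSIDE_NAT0 extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0

! 4. IKEv1 Phase 1 and Phase 2 for the IPsec client. The Cisco VPN Client
!    negotiates aggressive mode with a group pre-shared key; NAT-T lets it
!    work from behind a home router.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE_DYN 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN
crypto map OUTSIDE_MAP interface outside

! 5. Group policy: split tunnel plus the DNS server and domain the client
!    should use for the tunnelled networks.
group-policy prestige_remote internal
group-policy prestige_remote attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 192.168.215.2
 default-domain value prestige.ad

! 6. Tunnel group. Its NAME is the "Group Authentication Name" entered in the
!    VPN Client connection entry and pre-shared-key is the "group password".
!    A mismatch in either is what produces the client-side warning from the
!    first post: "Hash verification failed... may be configured with invalid
!    group password".
tunnel-group prestige_remote type remote-access
tunnel-group prestige_remote general-attributes
 address-pool VPN_POOL
 default-group-policy prestige_remote
tunnel-group prestige_remote ipsec-attributes
 pre-shared-key CHANGE-ME-group-password

! 7. The XAUTH user account (the username/password prompt the client shows
!    after the group authenticates), bound to the group policy above.
username alamb200 password CHANGE-ME-user-password
username alamb200 attributes
 vpn-group-policy prestige_remote
```

Two caveats a practitioner would check before pasting this: on ASA 8.3 and later the "nat (inside) 0 access-list" line is gone and the exemption becomes a twice NAT rule ("nat (inside,outside) source static ... destination static ...") built on network objects; and if the LAN hosts' default gateway is not the ASA's inside interface, the internal router also needs a route for the pool subnet (192.168.1.0/24 here) pointing at the ASA, or pings from the client will arrive but the replies will never come back through the tunnel.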

Hi Jose,

I added the lines as asked and tried connecting again; again it connected okay, but I could not ping the server. I also tried connecting using http to the Exchange server and using \\servername; all of these failed.

I have attached the latest config for you to look at, as well as the messages from the client side.

One more thing to add, when I try connecting using the VPN client it also disconnects all my connections to my local server.

Thanks

alamb200

Hi,

Please attach the Files, I could not find them on your last post.

When you say "One more thing to add, when I try connecting using the VPN client it also disconnects all my connections to my local server": where are you located, and what kind of local servers do you get disconnected from?

Regards,

Jose