Cisco Easy VPN Configuration for ASA 5515-X version 9.1

Rizwan
Level 1

Hi,

I want to configure Easy VPN on an ASA 5515-X firewall, IOS version 9.1, and I don't want to use ASDM.

Please let me know the configuration. Thanks.

33 Replies

I have applied the nat-traversal command but it is still not working.

Is there any access-list required to permit VPN traffic from the outside interface to the inside interface?

Is it necessary that my LAN users' default gateway be the inside interface of the firewall?

> Is there any access-list required to permit VPN traffic from the outside interface to the inside interface?

no, that's not needed.
What's the output of "sh vpn-sessiondb detail ra-ikev1-ipsec" while connected?
And show the statistics-window of the VPN-client while connected.
 

Please check the output below; a screenshot of the VPN client window is attached. I also observe that packets are only being encrypted, not decrypted. There is some issue in the return path.

 

 sh vpn-sessiondb detail ra-ikev1-ipsec

Session Type: IKEv1 IPsec Detailed

Username     : vpn                    Index        : 37
Assigned IP  : 192.168.50.100         Public IP    : 202.59.94.141
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)AES256  IPsecOverNatT: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Pkts Tx      : 0                      Pkts Rx      : 0
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : RAS-MEDIA              Tunnel Group : RAS-MEDIA
Login Time   : 13:09:50 UTC Fri Aug 22 2014
Duration     : 0h:03m:03s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1

IKEv1:
  Tunnel ID    : 37.1
  UDP Src Port : 49885                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86274 Seconds
  D/H Group    : 2
  Filter Name  : 
  Client OS    : WinNT                  Client OS Ver: 5.0.07.0410            

IPsecOverNatT:
  Tunnel ID    : 37.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.50.100/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1                   
  Encapsulation: Tunnel                 
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28670 Seconds          
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes             
  Bytes Tx     : 0                      Bytes Rx     : 0                      
  Pkts Tx      : 0                      Pkts Rx      : 0                      
  
NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 130 Seconds

Hello 

Any update on it?

The traffic doesn't get to your ASA, so I would look for problems on the local PC.

  1. Try it with a completely different PC
  2. Remove the VPN-client and do a fresh install
  3. Are there other VPN-clients on your PC? Remove them for a test and then reinstall the Cisco client.
  4. Is there other software installed that can intercept the sender traffic? It could also be an antivirus-scanner going wild. I've seen that with Kaspersky just days ago.
  5. Which Windows-version are you using?

It works only when I assign VPN remote users the same IP address pool as the LAN.

I have reinstalled the VPN client and checked on another PC too, but it is the same problem.

I am using Cisco VPN client version vpnclient-win-msi-5.0.07.0410-k9 and Windows 7 Ultimate Service Pack 1.

The VPN client shows the LAN IP pool as secured routes. Please check the attached screenshots.

In the previous screenshot the received/decrypted packets were 0; in this screenshot there are received packets, which looks good. In exactly the same situation, what do the counters on the ASA look like? (sh vpn-sessiondb detail ra-ikev1-ipsec)

Do you have an internal system where you can capture packets? Or a Cisco Catalyst? On that device you could do a "debug ip icmp" and then ping that switch from the VPN client. It should show the ping packets.

I have identified the issue; it is with the following command:

 split-tunnel-policy tunnelspecified

When I use this command, internet works while connected to the VPN but the local LAN does not work, and when I use "split-tunnel-policy excludespecified" the local LAN works and internet does not work.

How do I make both the local LAN and internet work at the same time?

No, it's not working actually. It is for remote-user-side local LAN access.

It's working for the Cisco switch, but I am not able to ping any machine. You can see the logs from debug ip icmp below:

00:23:27: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101
00:23:28: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101
00:23:29: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101
00:23:30: ICMP: echo reply sent, src 172.20.58.250, dst 192.168.50.101

 

That shows that the VPN is working. Troubleshoot the machines that are not accessible. Windows-Firewall or something like that?

Yup, after making the machine's gateway the inside interface IP of the firewall, it's working on one machine. I am also unable to access or ping the inside interface of the firewall using the VPN. How is it possible to access the firewall using the VPN?

> How is it possible to access the firewall using the VPN?

"management-access inside"

One last question. If my internal LAN users have some other gateway, not the inside interface of the ASA firewall, how will they be reachable from the VPN?

I can access Cisco switches without a gateway, but desktop machines work only when the inside interface of the firewall is used as the gateway.

In general, each system should have a valid gateway that knows how to reach all your networks. If a different gateway is used for a particular system, that router needs a route for your VPN-pool pointing to the ASA.
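Pulling the pieces of this thread together, here is a baseline IKEv1 remote-access (Easy VPN server) configuration for ASA 9.1 entered from the CLI, added as an example here rather than taken from any of the posts. It reuses the RAS-MEDIA group-policy/tunnel-group names and the 192.168.50.x pool seen in the session output; the LAN subnet 172.20.58.0/24, the object and map names, and the ASA inside address in the last comment are assumptions, and the pre-shared key is a placeholder.

```cisco
! Added example, not from the thread. Assumes LAN 172.20.58.0/24 behind
! the ASA inside interface, VPN pool 192.168.50.0/24, and the RAS-MEDIA
! names from the session output. Replace the placeholder key.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-RA 10 set ikev1 transform-set ESP-AES128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE_MAP interface outside
! Clients behind NAT (the session shows IPsecOverNatT on UDP 4500)
crypto isakmp nat-traversal 20
!
ip local pool VPN_POOL 192.168.50.100-192.168.50.200 mask 255.255.255.0
! Only the listed networks go into the tunnel; everything else (internet)
! leaves the client directly, so LAN and internet work at the same time.
access-list SPLIT_TUNNEL standard permit 172.20.58.0 255.255.255.0
!
group-policy RAS-MEDIA internal
group-policy RAS-MEDIA attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
tunnel-group RAS-MEDIA type remote-access
tunnel-group RAS-MEDIA general-attributes
 address-pool VPN_POOL
 default-group-policy RAS-MEDIA
tunnel-group RAS-MEDIA ipsec-attributes
 ikev1 pre-shared-key <GROUP-PSK-PLACEHOLDER>
!
! NAT exemption (8.3+ syntax): LAN <-> pool traffic must not be translated,
! otherwise return packets never make it back into the tunnel.
object network LAN_NET
 subnet 172.20.58.0 255.255.255.0
object network VPN_POOL_NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static LAN_NET LAN_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! Lets VPN clients ping/manage the inside interface over the tunnel.
management-access inside
!
! If LAN hosts use another router as gateway, that router (not the ASA)
! needs a route for the pool, e.g. on IOS (ASA inside IP is assumed):
!   ip route 192.168.50.0 255.255.255.0 <ASA-INSIDE-IP>
```

No inbound access-list entry is needed for the tunnel traffic because sysopt connection permit-vpn is on by default; verify with "sh vpn-sessiondb detail ra-ikev1-ipsec" that Bytes Rx climbs once a client pings a LAN host.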