03-18-2020 02:05 PM
I'm new to this and I'm taking over a network here that was set up before.
It looks like there is a VPN set up, but it keeps giving Error 412 when trying to connect.
Here is the config; if someone can direct me to solve this, it would be greatly appreciated.
I'm trying to connect to the interface "xxx.xxx.xxx.226".
:
: Serial Number: FCH184972UC
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.4(1)
!
hostname FW
domain-name torhotel.local
enable password 4/tlpco/DEKOLO.w encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 4/tlpco/LUKUHY.w encrypted
names
ip local pool vpnpool 192.168.20.1-192.168.20.10
ip local pool vpnpool2 192.168.2.10-192.168.2.20
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.226 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.100.253 255.255.255.0
!
interface GigabitEthernet0/2
nameif HotelWanVLAN911
security-level 50
ip address 192.168.2.253 255.255.255.0
!
interface GigabitEthernet0/3
nameif outsideBell
security-level 0
ip address yyy.yyy.yyy.18 255.255.255.240
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Bell DSL
nameif outside2
security-level 0
ip address 192.168.3.2 255.255.255.0
!
interface Management0/0
management-only
shutdown
nameif management
security-level 100
ip address 192.168.240.253 255.255.255.0
!
boot system disk0:/asa941-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server mmm.mmm.141.11
domain-name torhotel.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Private
subnet mmm.mmm.140.0 255.255.254.0
object network HotelWan
host 192.168.2.251
object network EquipmentManagement
subnet 10.10.100.0 255.255.255.0
object network PWCTL
host 10.10.100.201
object network MonHost
host 10.10.100.200
object network RAVPNNET
subnet 192.168.20.0 255.255.255.0
object network CoreSW
host 10.10.100.254
object network WLC
host 10.10.100.252
object network NVR
host mmm.mmm.141.101
object network NVRCLIENT
host mmm.mmm.141.15
object network ACCSERVER
host mmm.mmm.141.8
object network ACCSERVER2
host mmm.mmm.141.17
object network Private_to_outsideBell
subnet mmm.mmm.140.0 255.255.254.0
object network HotelWan_to_outsideBell
host 192.168.2.251
object network ACCSERVERBELL
host mmm.mmm.141.8
access-list splittunnel standard permit 10.10.100.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
access-list splittunnel standard permit mmm.mmm.140.0 255.255.254.0
access-list splittunnel standard permit 192.168.20.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp any host 192.168.2.251 eq ssh
access-list outside_access_in extended permit tcp any host 192.168.2.251 eq https
access-list outside_access_in extended permit tcp any host 10.10.100.200 eq 3389
access-list outside_access_in extended permit tcp any host 10.10.100.201 eq www
access-list outside_access_in extended permit tcp any host 10.10.100.254 eq telnet
access-list outside_access_in extended permit tcp any host 10.10.100.252 eq https
access-list outside_access_in extended permit tcp any host mmm.mmm.141.101 eq www
access-list outside_access_in extended permit tcp any host mmm.mmm.141.15 eq 3389
access-list outside_access_in extended permit tcp any host mmm.mmm.141.17 eq www
access-list outside_access_in extended permit tcp any host mmm.mmm.141.17 eq 9002
access-list outside_access_in extended permit tcp any host mmm.mmm.141.8 eq 3389
access-list bell_access_in extended permit icmp any any echo-reply
access-list bell_access_in extended permit icmp any any echo
access-list bell_access_in extended permit icmp any any time-exceeded
access-list bell_access_in extended permit icmp any any unreachable
access-list bell_access_in extended permit tcp any host mmm.mmm.141.8 eq pptp
access-list bell_access_in extended permit gre any host mmm.mmm.141.8
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap errors
logging history notifications
logging asdm warnings
logging host inside 10.10.100.200
mtu outside 1500
mtu inside 1500
mtu HotelWanVLAN911 1500
mtu outside2 1492
mtu management 1500
mtu outsideBell 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo outsideBell
icmp permit any echo-reply outsideBell
asdm image disk0:/asdm-732-102.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,outside) source dynamic RAVPNNET interface
nat (inside,outside) source static Private Private destination static RAVPNNET RAVPNNET
nat (inside,outside) source static EquipmentManagement EquipmentManagement destination static RAVPNNET RAVPNNET
!
object network Private
nat (inside,outside) dynamic interface
object network HotelWan
nat (HotelWanVLAN911,outside) static xxx.xxx.xxx.227
object network EquipmentManagement
nat (inside,outside) dynamic interface
object network PWCTL
nat (inside,outside) static xxx.xxx.xxx.228 service tcp www 8001
object network MonHost
nat (inside,outside) static xxx.xxx.xxx.228 service tcp 3389 3989
object network CoreSW
nat (inside,outside) static xxx.xxx.xxx.228 service tcp telnet 2323
object network WLC
nat (inside,outside) static xxx.xxx.xxx.228 service tcp https 4443
object network NVR
nat (inside,outside) static xxx.xxx.xxx.228 service tcp www www
object network NVRCLIENT
nat (inside,outside) static xxx.xxx.xxx.228 service tcp 3389 3389
object network ACCSERVER
nat (inside,outside) static xxx.xxx.xxx.229
object network ACCSERVER2
nat (inside,outside) static xxx.xxx.xxx.230 service tcp 9002 www
object network Private_to_outsideBell
nat (inside,outsideBell) dynamic interface
object network HotelWan_to_outsideBell
nat (HotelWanVLAN911,outsideBell) dynamic interface
object network ACCSERVERBELL
nat (inside,outsideBell) static yyy.yyy.yyy.19
access-group outside_access_in in interface outside
access-group bell_access_in in interface outsideBell
route outsideBell 0.0.0.0 0.0.0.0 yyy.yyy.yyy.17 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225 250
route outside2 0.0.0.0 0.0.0.0 192.168.3.1 254
route inside mmm.mmm.140.0 255.255.254.0 10.10.100.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.240.0 255.255.255.0 management
http 10.10.100.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server location "NO Location"
snmp-server contact "IT System Administrator"
snmp-server community *****
sla monitor 123
type echo protocol ipIcmpEcho 8.8.4.4 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-WIN esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-WIN mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-Cisco esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-WIN esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-WIN mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DynMap 10 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-SHA-WIN ESP-AES-256-SHA-Cisco
crypto map VPNMap 65535 ipsec-isakmp dynamic DynMap
crypto map VPNMap interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009854cbef4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto isakmp nat-traversal 60
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.240.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.100.100.128 source outsideBell
group-policy remoteipsec internal
group-policy remoteipsec attributes
dns-server value 8.8.8.8
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
split-dns value torhotel.local
split-tunnel-all-dns enable
group-policy L2TPvpn internal
group-policy L2TPvpn attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
default-domain value torhotel.local
dynamic-access-policy-record DfltAccessPolicy
username raja password dnfK0KJhekgstsVy encrypted
username admin password Mbci2/c3HLKUMRsx encrypted
username itadmin password DWyxiD8OCPDYw1xb encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool vpnpool
authorization-server-group LOCAL
default-group-policy L2TPvpn
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group remoteipsecvpn type remote-access
tunnel-group remoteipsecvpn general-attributes
address-pool vpnpool
default-group-policy remoteipsec
tunnel-group remoteipsecvpn ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 9
subscribe-to-alert-group configuration periodic monthly 9
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cc99cf844f3510a8afb54dee8df42eb1
: end
FW#
03-18-2020 02:17 PM
Hi,
You are connecting to the "outside" interface, but your default route is via the interface "outsideBell".
Change either the default route to go via the "outside" interface or amend the VPN configuration and enable ikev1 on the "outsideBell" interface.
HTH
03-18-2020 03:12 PM
Thank you for the quick response.
What commands do I need to run to make that change?
03-18-2020 03:17 PM
Enter the commands
crypto ikev1 enable outsideBell
crypto map VPNMap interface outsideBell
You will then obviously connect to the VPN using the outsideBell IP address - yyy.yyy.yyy.18
HTH
03-18-2020 04:41 PM
Thanks again, I was able to connect to the VPN.
This is another issue where I'm not able to connect to either of the following two networks inside:
mmm.mmm.140.0 255.255.254.0
192.168.2.0
03-18-2020 04:45 PM
The IP address that I got assigned was 192.168.20.1.
03-18-2020 04:50 PM
You will need to amend your existing NAT rules as traffic is via the "outsideBell" interface now.
nat (outsideBell,outsideBell) source dynamic RAVPNNET interface
nat (inside,outsideBell) source static Private Private destination static RAVPNNET RAVPNNET
nat (inside,outsideBell) source static EquipmentManagement EquipmentManagement destination static RAVPNNET RAVPNNET
Create an additional nat rule for the network 192.168.2.0 as it is not included in the group "Private" or "EquipmentManagement"
object network NET_2
subnet 192.168.2.0 255.255.255.0
nat (inside,outsideBell) source static NET_2 NET_2 destination static RAVPNNET RAVPNNET no-proxy-arp
HTH
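The two fixes in this thread (moving IKEv1 and the crypto map to the interface that actually holds the best default route, then re-pointing the identity NAT rules at that interface and adding one for 192.168.2.0/24) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: a minimal parser for the handful of ASA commands involved, run over a constructed excerpt of the posted config and over the same excerpt with the accepted answer applied. Assumptions: the pool object name (RAVPNNET) and split-tunnel ACL name (splittunnel) are the ones in the posted config; 192.168.2.0/24 is taken to be the HotelWanVLAN911 interface's own subnet (192.168.2.253/24 in the posted interface config), so the example writes the NET_2 identity rule against that interface rather than "inside" as the answer does; the regular expressions cover only the command forms seen here.

```python
"""Lint an ASA running-config for the two faults diagnosed in this thread: IKEv1 and the
crypto map bound to an interface other than the one holding the best default route, and
split-tunnel networks without an identity NAT toward the VPN interface. Added example, not
code from the thread or from Cisco; it parses only the handful of commands the checks need."""
import re

# Constructed excerpt of the posted config (redacted addresses kept as posted).
SAMPLE_CONFIG = """\
object network Private
 subnet mmm.mmm.140.0 255.255.254.0
object network EquipmentManagement
 subnet 10.10.100.0 255.255.255.0
object network RAVPNNET
 subnet 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 10.10.100.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
access-list splittunnel standard permit mmm.mmm.140.0 255.255.254.0
access-list splittunnel standard permit 192.168.20.0 255.255.255.0
nat (inside,outside) source static Private Private destination static RAVPNNET RAVPNNET
nat (inside,outside) source static EquipmentManagement EquipmentManagement destination static RAVPNNET RAVPNNET
route outsideBell 0.0.0.0 0.0.0.0 yyy.yyy.yyy.17 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225 250
crypto map VPNMap interface outside
crypto ikev1 enable outside
"""

# Same excerpt with the accepted answer applied. 192.168.2.0/24 is the HotelWanVLAN911
# interface's own subnet in the posted config, so its identity rule is written against that
# interface here (assumption made for this example; the answer wrote it against "inside").
FIXED_CONFIG = (
    SAMPLE_CONFIG.replace("nat (inside,outside) ", "nat (inside,outsideBell) ")
    .replace("interface outside\n", "interface outsideBell\n")
    .replace("enable outside\n", "enable outsideBell\n")
    + "object network NET_2\n subnet 192.168.2.0 255.255.255.0\n"
    "nat (HotelWanVLAN911,outsideBell) source static NET_2 NET_2 "
    "destination static RAVPNNET RAVPNNET no-proxy-arp\n"
)

RULES = {  # \3 and \4 make the NAT pattern match identity (A A) rules only
    "object": re.compile(r"object network (\S+)$"),
    "subnet": re.compile(r"subnet (\S+) (\S+)$"),
    "split": re.compile(r"access-list (\S+) standard permit (\S+) (\S+)$"),
    "identity_nat": re.compile(
        r"nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4"),
    "default_route": re.compile(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)$"),
    "ikev1": re.compile(r"crypto ikev1 enable (\S+)$"),
    "crypto_map": re.compile(r"crypto map \S+ interface (\S+)$"),
}

def parse_asa(config):
    """Collect objects, split-tunnel networks, identity NAT rules, default routes and the
    interfaces IKEv1 / the crypto map are bound to. Everything else is ignored."""
    cfg = {"objects": {}, "split": {}, "identity_nat": [], "default_routes": [],
           "ikev1": set(), "crypto_map": set()}
    obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := RULES["object"].match(line):
            obj = m.group(1)
        elif (m := RULES["subnet"].match(line)) and obj:
            cfg["objects"][obj] = (m.group(1), m.group(2))
        elif m := RULES["split"].match(line):
            cfg["split"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := RULES["identity_nat"].match(line):
            cfg["identity_nat"].append({"out": m.group(2), "src": m.group(3), "dst": m.group(4)})
        elif m := RULES["default_route"].match(line):
            cfg["default_routes"].append((m.group(1), int(m.group(2))))
        elif m := RULES["ikev1"].match(line):
            cfg["ikev1"].add(m.group(1))
        elif m := RULES["crypto_map"].match(line):
            cfg["crypto_map"].add(m.group(1))
    return cfg

def best_default_route_interface(cfg):
    """The ASA uses the default route with the lowest metric; replies to the peer leave there."""
    return min(cfg["default_routes"], key=lambda r: r[1])[0] if cfg["default_routes"] else None

def check_vpn_interface(cfg):
    """IKE must be enabled, and the crypto map applied, on that same interface; otherwise IKE
    replies are routed out the other ISP and the client reports the peer as not responding
    (Cisco VPN Client reason 412). Returns one finding per misplaced command."""
    best = best_default_route_interface(cfg)
    if best is None:
        return ["no default route configured"]
    checks = (("crypto ikev1 enable", cfg["ikev1"]), ("crypto map ... interface", cfg["crypto_map"]))
    return [f"{cmd} on {sorted(ifs)} but best default route is via {best}"
            for cmd, ifs in checks if best not in ifs]

def check_split_tunnel_nat(cfg, vpn_iface, pool_object, acl="splittunnel"):
    """Every split-tunnel network needs an identity NAT toward vpn_iface with the pool as
    destination, so no interface PAT applies between the pool and that network. Returns the
    networks lacking one; the pool itself (client-to-client) is skipped."""
    exempt = {cfg["objects"][r["src"]] for r in cfg["identity_nat"]
              if r["out"] == vpn_iface and r["dst"] == pool_object and r["src"] in cfg["objects"]}
    pool = cfg["objects"].get(pool_object)
    return [net for net in cfg["split"].get(acl, []) if net != pool and net not in exempt]

def lint(config, pool_object="RAVPNNET"):
    cfg = parse_asa(config)
    vpn_iface = next(iter(cfg["crypto_map"]), None)  # interface the crypto map is applied to
    return {"vpn_interface": check_vpn_interface(cfg),
            "missing_identity_nat": check_split_tunnel_nat(cfg, vpn_iface, pool_object)}

if __name__ == "__main__":
    print("as posted:", lint(SAMPLE_CONFIG))
    print("after the accepted answer:", lint(FIXED_CONFIG))
```

Run as-is to print the findings for both variants: as posted, both VPN commands sit on "outside" while the best default route (metric 1) is via "outsideBell", and 192.168.2.0/24 has no identity NAT even toward "outside"; with the answer applied both lists are empty. Two lines in the posted config fall outside what the script checks but deserve a look once the VPN works: "http 0.0.0.0 0.0.0.0 outside" makes the ASDM/HTTPS management service reachable from any internet address, and "ssh key-exchange group dh-group1-sha1" selects 1024-bit Diffie-Hellman group 1 with SHA-1 for the SSH key exchange.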
03-18-2020 04:57 PM
Thank you, you are a life saver.
With this Covid-19 issue, everyone has been scrambling to work from home.
Again, thank you.