11-19-2010 02:08 AM
Hi all,
I'm new to the Cisco VPN client. I had tried to use the Cisco ASDM 6.2 IPsec VPN wizard to configure a remote-site to main-office VPN with a static IP address. After the wizard completed, I tried to connect using the Cisco VPN client ver. 5.0.07.0410. But the connection failed.
The connection is very simple. I want the mobile user to be able to use their laptop to access the main office LAN network.
Please refer to the attached document for further understanding.
11-19-2010 03:36 AM
Vincent, just wondering if you saw the VPN client log file. It clearly says that the group password is wrong.
Please correct the group password in the VPN Client and try again.
The configuration looks fine.
11-19-2010 07:23 AM
Thanks. Finally, I know what I did wrong. I'm connected now. But I was unable to ping the LAN IP of the firewall LAN interface.
C:\Users\netaxis>tracert 10.1.20.100
Tracing route to 10.1.20.100 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 ^C
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a047:be97:6c1e:f65f%21(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.80.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 486540698
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-76-49-4C-00-1A-4B-61-CD-E1
DNS Servers . . . . . . . . . . . : 202.188.0.133
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Why doesn't the gateway have any IP address? Thanks.
11-19-2010 07:25 PM
Enable NAT-T: remove 'no' from 'no crypto isakmp nat-traversal' (just enter the command again without 'no') and check again.
Please post the output of show cry ipsec sa from the ASA. I want to see if the VPN Client is encrypting the traffic or not.
Please post a screen shot of VPNClient ->Statistics window.
I would suggest you change the pool to a /24.
Tracert is not a good idea to check VPN connectivity. Try pinging some host on the LAN. Please make sure that the host on the LAN does not have any firewall turned on which could be dropping the ICMP requests.
From the GUI .jpg it seems you are on Windows 7 or Vista; please give the output of route print from the PC after the client connects.
11-19-2010 08:09 PM
I had enabled NAT-T. But the result is still the same.
The ping results:
C:\Users\netaxis>ping 10.1.20.99
Pinging 10.1.20.99 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.1.20.99:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
C:\Users\netaxis>ping 10.1.20.100
Pinging 10.1.20.100 with 32 bytes of data:
Request timed out.
Ping statistics for 10.1.20.100:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Users\netaxis>ping 10.1.19.99
Pinging 10.1.19.99 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.19.99:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\netaxis>ping 10.1.20.98
Pinging 10.1.20.98 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.20.98:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\netaxis>
show cry ipsec sa output:
interface: Public
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.80.1/255.255.255.255/0/0)
current_peer:
dynamic allocated peer ip: 10.1.80.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.:
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 3DDF40A2
inbound esp sas:
spi: 0x102D7022 (271413282)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 24576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28429
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3DDF40A2 (1038041250)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 24576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28429
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Route Print Result:
C:\Users\netaxis>route print
===========================================================================
Interface List
21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter
12...00 1b 77 af 65 ae ......Intel(R) PRO/Wireless 3945ABG Network Connection
11...00 1a 4b 61 cd e1 ......Broadcom NetLink (TM) Gigabit Ethernet
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.102 20
10.1.0.0 255.255.0.0 On-link 10.1.80.1 276
10.1.0.0 255.255.0.0 10.1.0.1 10.1.80.1 100
10.1.80.1 255.255.255.255 On-link 10.1.80.1 276
10.1.255.255 255.255.255.255 On-link 10.1.80.1 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.102 276
192.168.1.102 255.255.255.255 On-link 192.168.1.102 276
192.168.1.254 255.255.255.255 On-link 192.168.1.102 100
192.168.1.255 255.255.255.255 On-link 192.168.1.102 276
218.208.72.122 255.255.255.255 192.168.1.254 192.168.1.102 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.102 276
224.0.0.0 240.0.0.0 On-link 10.1.80.1 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.102 276
255.255.255.255 255.255.255.255 On-link 10.1.80.1 276
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
13 58 ::/0 On-link
1 306 ::1/128 On-link
13 58 2001::/32 On-link
13 306 2001:0:4137:9e76:c1a:2dbe:c3ca:75cf/128
On-link
11 276 fe80::/64 On-link
21 276 fe80::/64 On-link
13 306 fe80::/64 On-link
13 306 fe80::c1a:2dbe:c3ca:75cf/128
On-link
21 276 fe80::a047:be97:6c1e:f65f/128
On-link
11 276 fe80::bd6c:1b6d:d353:6e7a/128
On-link
1 306 ff00::/8 On-link
13 306 ff00::/8 On-link
11 276 ff00::/8 On-link
21 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Users\netaxis>
I have attached the VPN client statistics. Thanks Vikas Saxena.
11-19-2010 09:17 PM
It seems that the VPN client is encrypting traffic and sending it on the wire to the ASA; the ASA is decrypting it but not encrypting anything back.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
In the above output you have #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121, exactly the same number as the VPN Client encrypts in the statistics. In the same image you have Decrypts as 0; on the ASA #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0.
Let's take
C:\Users\netaxis>ping 10.1.20.99
Pinging 10.1.20.99 with 32 bytes of data:
Request timed out.
Request timed out.
as a sample host to test with.
When the VPN Client pool is the same as the inside subnet range, the ASA will do proxy ARP for the VPN client IP address.
On this host, if you do 'arp -a' you should have the ASA LAN interface MAC address for 10.1.80.1 (VPN Client IP address).
You can also run:
'debug icmp trace' on the ASA to find out if the ASA is processing the ICMP packet from the VPN Client.
You can put a capture on the LAN interface to find out if the ASA is sending out the ICMP packet to the 10.1.20.99 host and if it is getting a reply from it or not.
access-list captcha permit icmp host 10.1.20.99 10.1.80.0 255.255.255.0
access-li captcha permit icmp 10.1.80.0 255.255.255.0 host 10.1.20.99
capture capLan access-list captcha interface LAN
Start pinging from the VPN Client,
then on the ASA do
show capture capLan
and post the output.
11-19-2010 10:21 PM
I have tried what you suggested.
The ping and arp results:
C:\Users\netaxis>ping 10.1.20.99 -t
Pinging 10.1.20.99 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.20.99:
Packets: Sent = 14, Received = 0, Lost = 14 (100% loss),
Control-C
^C
C:\Users\netaxis>arp -a
Interface: 192.168.1.102 --- 0xb
Internet Address Physical Address Type
192.168.1.100 f0-7b-cb-66-2c-1b dynamic
192.168.1.101 00-22-fa-44-8a-36 dynamic
192.168.1.103 00-22-fa-44-8a-36 dynamic
192.168.1.254 00-09-0f-17-50-1c dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Interface: 10.1.80.1 --- 0x15
Internet Address Physical Address Type
10.1.19.99 00-09-0f-17-50-1c dynamic
10.1.20.98 00-09-0f-17-50-1c dynamic
10.1.20.99 00-09-0f-17-50-1c dynamic
10.1.20.100 00-09-0f-17-50-1c dynamic
10.1.255.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
C:\Users\netaxis>
I have attached the ACL hit result too. Please kindly refer to it. Thanks.
11-20-2010 12:11 AM
The arp -a output should be from the remote host 10.1.20.99 rather than the VPN client PC.
Please post the capture the way I mentioned in my earlier post.
It seems that the client packet is not reaching the destined host via the ASA. A capture will help.
11-24-2010 08:10 PM
I'm trying to arrange a PC inside the network for me to RDP into and do the testing. By the way,
1. Do I need to configure any access in my scenario?
2. Must the IKE interface be public? Can it be private?
3. Must the IP address pool assigned for VPN be public interface IPs? Can it be internal IPs?
4. Is any NAT needed to be configured?
11-24-2010 10:31 PM
Hello Vincent,
1. Do I need to configure any access in my scenario?
Please elaborate on this question.
2. Must the IKE interface be public? Can it be private?
It can be private; this depends upon your requirement. However, the crypto map and the crypto isakmp should go together and are directional. That means if you are coming from 'outside' then they should be on outside; if you are coming from inside then both should be on inside.
3. Must the IP address pool assigned for VPN be public interface IPs? Can it be internal IPs?
The IP address pool does not need to be public; you can assign a private address range to it. Normally it should be a totally different subnet range than your inside network.
4. Is any NAT needed to be configured?
You will need to configure NAT exempt for the inside traffic to talk to the VPN pool.
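The settings discussed across this thread (NAT-T, a /24 pool on its own subnet, NAT exemption, and the capture used to prove whether return traffic reaches the ASA) collected into one ASA 8.2-style configuration. This is an added example, not configuration posted by either participant: the interface names Public and LAN come from the thread's output, while the pool range 192.168.80.0/24, the object names VPNPOOL, NONAT and CAP, and the test host 10.1.20.99 are assumptions for illustration.

```cisco
! Added example, not from the thread. ASA 8.2 syntax (ASDM 6.2 era).
! Assumed names: VPNPOOL, NONAT, CAP; assumed pool 192.168.80.0/24.

! 1. Client pool as a /24 on a subnet separate from the 10.1.0.0/16 inside
!    network, so inside hosts reach it through their default gateway instead
!    of relying on the ASA to proxy-ARP for every client address.
ip local pool VPNPOOL 192.168.80.1-192.168.80.254 mask 255.255.255.0

! 2. NAT traversal on (the original config carried
!    "no crypto isakmp nat-traversal"); 20 is the keepalive interval in seconds.
crypto isakmp nat-traversal 20

! 3. NAT exemption: inside-to-pool traffic must not be translated, or the
!    ASA never encrypts replies back to the client and #pkts encaps stays 0.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.80.0 255.255.255.0
nat (LAN) 0 access-list NONAT

! 4. Verify both directions after a client pings a LAN host:
!    #pkts encaps and #pkts decaps should both increase.
show crypto ipsec sa

! 5. Capture ICMP between the pool and one LAN host on the LAN interface to
!    see whether the ASA forwards the echo request and whether a reply comes back.
access-list CAP extended permit icmp 192.168.80.0 255.255.255.0 host 10.1.20.99
access-list CAP extended permit icmp host 10.1.20.99 192.168.80.0 255.255.255.0
capture capLan access-list CAP interface LAN
show capture capLan
! Remove the capture when finished.
no capture capLan
```

Inside hosts must have a route back to the pool (normally their default gateway pointing at the ASA LAN address); if the capture shows the echo request leaving the LAN interface with no reply, the problem is on the host or its routing, not on the VPN. On ASA 8.3 and later the NAT exemption is expressed with object-based twice NAT instead of `nat (LAN) 0 access-list`.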
11-25-2010 06:19 AM
What I mean is, do I need to configure any additional access list to allow or control the traffic? Thanks for your patience.