01-31-2009 06:00 AM - edited 02-21-2020 04:08 PM
I need a document to tell me how to set up an IPsec tunnel between an ASA5505 (version 7.2) and the VPN client.
Thanks a lot.
01-31-2009 06:18 AM
Hi,
Look at http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_configuration_examples_list.html
I hope this helps.
Best regards.
Massimiliano.
02-02-2009 12:24 AM
I configured the ASA according to a document but it doesn't work. When connecting to the ASA with Cisco VPN Client 4.7.00.0533, the "username and password" window pops up. After completing these entries, "Not connected" shows in the left corner of the window. The attached file is the running-configuration of the ASA.
02-02-2009 11:12 AM
Hi,
3 things...
The 'nonat' ACL needs to be reversed, as the traffic goes from 192.168.0.0 (inside) to 192.168.1.0 (outside).
And for connectivity... you need to apply the group-policy 'vpngroup' to your tunnel-group:
tunnel-group vpngroup general-attributes
address-pool vpnpool
default-group-policy vpngroup
Add this command as well:
same-security-traffic permit intra-interface
Try both and let us know how it goes.
hth
MS
02-04-2009 01:24 AM
Thank you very much for your reply. But it still doesn't work after adding those commands. Maybe I need to collect debug information to try.
I also have a problem. I entered the command "sysopt connection permit-vpn", but I can't see this command in "show running". Why? Is this command necessary?
02-04-2009 03:08 AM
Hi,
here is a template for the VPN client on an ASA5505:
Replace everything starting with $...
ip local pool USER $VPN_POOL_START-$VPN_POOL_END
access-list NO-NAT-INSIDE extended permit ip $INSIDE-IP $INSIDE-MASK $VPN_POOL_IP $VPN_POOL_NETMASK
access-list SPLIT-TUNNEL-USER extended permit ip $INSIDE-IP $INSIDE-MASK $VPN_POOL_IP $VPN_POOL_NETMASK
nat (inside) 0 access-list NO-NAT-INSIDE
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10 set transform-set MYSET
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map MYMAP 1000 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
group-policy USER internal
group-policy USER attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-USER
 default-domain value $DOMAIN
tunnel-group USER type ipsec-ra
tunnel-group USER general-attributes
 address-pool USER
 default-group-policy USER
tunnel-group USER ipsec-attributes
 pre-shared-key $GROUP_PASSWD
username $USER1 password $USER1_PASSWD
username $USER1 attributes
 vpn-group-policy USER
 group-lock value USER
Regards, Celio
02-05-2009 03:45 AM
Debug information:
Feb 04 19:56:04 [IKEv1]: Group = vpngroup, Username = cisco, IP = x.x.177.227, Removing peer from peer table failed, no match!
Feb 04 19:56:04 [IKEv1]: Group = vpngroup, Username = cisco, IP = xx.xx.177.227, Error: Unable to remove PeerTblEntry
02-05-2009 07:00 AM
Please post the current config. That helps in further t-shoot.
thanks
MS
02-05-2009 06:54 PM
02-05-2009 10:44 PM
Hi,
this command is missing:
crypto isakmp identity address
and this command is needed for clients behind NAT devices:
crypto isakmp nat-traversal 20
Regards, Celio
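The replies above boil down to a handful of checks against the running-config: the NAT exemption ACL direction, the group-policy binding on the tunnel-group, and the ISAKMP identity / NAT-traversal lines. As an added example (not from the thread or from Cisco), the Python below runs those checks over a constructed ASA-style config excerpt; the network addresses and object names in it are assumed to match the poster's setup and are otherwise hypothetical.

```python
import re
# Constructed ASA 7.2-style running-config excerpt (hypothetical names/addresses,
# not the poster's attachment) showing the gaps raised in the thread.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 192.168.1.10-192.168.1.50
crypto isakmp enable outside
group-policy vpngroup internal
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpnpool
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *****
"""

def lint_asa_ra_vpn(config, inside_net="192.168.0.0", pool_net="192.168.1.0"):
    lines = config.splitlines()
    findings = []
    # An ACL bound by 'nat (inside) 0' is a NAT exemption: source inside net, destination VPN pool.
    nat0 = set(re.findall(r"^nat \(inside\) 0 access-list (\S+)", config, re.M))
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip (\S+) \S+ (\S+) \S+", l)
        if m and m.group(1) in nat0 and (m.group(2), m.group(3)) == (pool_net, inside_net):
            findings.append(f"nonat ACL {m.group(1)} is reversed (source must be {inside_net})")
    # Each 'tunnel-group X general-attributes' block must bind a group-policy,
    # or the pool and split-tunnel settings in that policy are never applied.
    block, bound = None, {}
    for l in lines:
        m = re.match(r"tunnel-group (\S+) general-attributes", l)
        if m:
            block = m.group(1)
            bound[block] = False
        elif block and l.startswith(" default-group-policy"):
            bound[block] = True
        elif not l.startswith(" "):
            block = None
    findings += [f"tunnel-group {tg} has no default-group-policy" for tg, ok in bound.items() if not ok]
    # Global commands the later replies identify as missing.
    required = {
        "crypto isakmp identity address": "ISAKMP identity is not set to address",
        "crypto isakmp nat-traversal": "NAT traversal is off (needed for clients behind NAT)",
        "same-security-traffic permit intra-interface": "intra-interface traffic is not permitted",
    }
    findings += [msg for cmd, msg in required.items() if not any(l.startswith(cmd) for l in lines)]
    # 'sysopt connection permit-vpn' is a default, hidden from 'show running-config'; flag only its negation.
    if "no sysopt connection permit-vpn" in lines:
        findings.append("sysopt connection permit-vpn has been disabled")
    return findings
```

Running `lint_asa_ra_vpn(SAMPLE_CONFIG)` on the excerpt reports five findings; after applying the fixes from the replies the list is empty.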