05-13-2013 01:20 AM - edited 02-21-2020 06:53 PM
Hi All,
I'm having a problem configuring Client VPN on my ASA 5512 running ASA 9.02. I've tried multiple configurations but it's still not working, even using the VPN Wizard in ASDM.
Please advise if I missed anything.
There is no response when I try connecting using VPN Client 5.0.07.0410.
ASA VERSION
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)102
###############################################################################################################
Config 1
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set ikev1 transform-set VPNU
!
crypto map IPSec_map 1 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
address-pool VPN_POOL
authorization-server-group LOCAL
default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
ikev1 pre-shared-key cisco123
!
###############################################################################################################
Config 2
ip local pool vpnpool 192.168.200.1-192.168.200.254
!
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 10.10.100.0 255.255.255.192 192.168.200.0 255.255.255.0
!
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.100.0 255.255.255.192
!
!
nat (inside) 0 access-list nonat
!
!
group-policy IPSec_map internal
group-policy IPSec_map attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group GETUVPN type ipsec-ra
tunnel-group GETUVPN general-attributes
address-pool vpnpool
default-group-policy IPSec_map
!
!
tunnel-group GETUVPN ipsec-attributes
pre-shared-key Cisco123
!
###############################################################################################################
Config 3
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ikev1 identity address
crypto ikev1 enable outside
crypto ikev1 policy 11
!
ip local pool vpnpool 192.168.200.1-192.168.200.254
!
crypto ipsec ikev1 transform-set CLIENTVPN esp-3des esp-md5-hmac
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
address-pool VPN-Pool
!
tunnel-group GETUVPN ipsec-attributes
ikev1 pre-shared-key Cisco123
crypto dynamic-map dyn1 1 set ikev1 transform-set VPNU
crypto dynamic-map dyn1 1 set reverse-route
crypto map IPSec_map 1 ipsec-isakmp dynamic dyn1
crypto map IPSec_map interface outside
!
05-13-2013 01:55 AM
Hi,
Try the first config with a minor change (marked in red)
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
!
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 65535 set ikev1 transform-set VPNU
!
crypto map IPSec_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
!
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
address-pool VPN_POOL
authorization-server-group LOCAL
default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
ikev1 pre-shared-key cisco123
Also add a NAT0 configuration in the new NAT format
object network LAN
subnet 10.10.100.0 255.255.255.192
object network VPN-POOL
subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
Hope this helps
- Jouni
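As an added example (not from the thread, and not Cisco tooling): a small Python checker that performs the same review the answers above do by eye over a pasted ASA config. It flags pre-8.3 NAT syntax (which 8.3+ does not accept), a dynamic crypto-map entry that is not the highest sequence number, references to pools, transform sets, ACLs, dynamic maps or group policies that are never defined (ASA object names are case-sensitive, so `VPN-Pool` vs `vpnpool` and `VPNU` vs `CLIENTVPN` in Config 3 are dangling), and the absence of an identity twice-NAT rule for the pool. The two embedded configs are constructed for this example from Config 3 and from the suggested config above; the static entry `crypto map IPSec_map 2 match address L2L` and the `nat (inside) 0 ...` line in the first sample are assumptions added only to exercise the checks.

```python
"""Static checks for an ASA IKEv1 remote-access VPN configuration.
Added example for this thread, not Cisco code and not a full parser."""
import re

# Constructed sample: Config 3 from the thread plus one old-format NAT line
# and one static crypto-map entry (both added here, not from the thread).
BAD_CONFIG = """\
crypto ikev1 enable outside
ip local pool vpnpool 192.168.200.1-192.168.200.254
crypto ipsec ikev1 transform-set CLIENTVPN esp-3des esp-md5-hmac
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN-Pool
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto dynamic-map dyn1 1 set ikev1 transform-set VPNU
crypto map IPSec_map 1 ipsec-isakmp dynamic dyn1
crypto map IPSec_map 2 match address L2L
crypto map IPSec_map interface outside
nat (inside) 0 access-list nonat
"""

# Constructed sample: the suggested config from the answer, with its NAT0 rule.
GOOD_CONFIG = """\
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
crypto ipsec ikev1 transform-set VPNU esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 65535 set ikev1 transform-set VPNU
crypto map IPSec_map 65535 ipsec-isakmp dynamic DYN_MAP
crypto map IPSec_map interface outside
crypto ikev1 enable outside
group-policy GETUVPN_POLICY internal
group-policy GETUVPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
tunnel-group GETUVPN type remote-access
tunnel-group GETUVPN general-attributes
 address-pool VPN_POOL
 default-group-policy GETUVPN_POLICY
tunnel-group GETUVPN ipsec-attributes
 ikev1 pre-shared-key cisco123
object network LAN
 subnet 10.10.100.0 255.255.255.192
object network VPN-POOL
 subnet 192.168.200.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
"""


def lint(config):
    """Return a list of human-readable findings for one ASA config text."""
    defined = {k: set() for k in ("pool", "ts", "dyn", "gp", "acl", "map")}
    refs, dyn_seq, static_seq, findings = [], {}, {}, []
    has_pool = has_exemption = False
    for raw in config.splitlines():
        ln = raw.strip()
        if m := re.match(r"ip local pool (\S+)", ln):
            defined["pool"].add(m[1]); has_pool = True
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+)", ln):
            defined["ts"].add(m[1])
        elif m := re.match(r"group-policy (\S+) internal", ln):
            defined["gp"].add(m[1])
        elif m := re.match(r"access-list (\S+) ", ln):
            defined["acl"].add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set ikev1 transform-set (\S+)", ln):
            defined["dyn"].add(m[1]); refs.append(("ts", m[2], ln))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", ln):
            defined["map"].add(m[1]); refs.append(("dyn", m[3], ln))
            dyn_seq.setdefault(m[1], []).append(int(m[2]))
        elif m := re.match(r"crypto map (\S+) (\d+) ", ln):          # static entry
            defined["map"].add(m[1]); static_seq.setdefault(m[1], []).append(int(m[2]))
        elif m := re.match(r"crypto map (\S+) interface", ln):
            refs.append(("map", m[1], ln))
        elif m := re.match(r"address-pool (\S+)", ln):
            refs.append(("pool", m[1], ln))
        elif m := re.match(r"default-group-policy (\S+)", ln):
            refs.append(("gp", m[1], ln))
        elif m := re.match(r"split-tunnel-network-list value (\S+)", ln):
            refs.append(("acl", m[1], ln))
        elif re.match(r"(nat|global) \(\w+\) \d+\b", ln):   # no "(in,out)" pair: pre-8.3 syntax
            findings.append(f"pre-8.3 NAT syntax, not accepted on 8.3+: '{ln}'")
        elif re.match(r"nat \(\w+,\w+\) source static (\S+) \1 destination static (\S+) \2", ln):
            has_exemption = True   # identity twice-NAT, i.e. NAT0 in the new format
    for kind, name, ln in refs:
        if name not in defined[kind]:
            findings.append(f"{kind} '{name}' is referenced but never defined "
                            f"(names are case-sensitive): '{ln}'")
    for name, seqs in dyn_seq.items():
        later = [s for s in static_seq.get(name, []) if s > max(seqs)]
        if later:   # dynamic entry evaluated before static (L2L) entries
            findings.append(f"crypto map {name}: dynamic entry seq {max(seqs)} is evaluated "
                            f"before static entries {later}; give it the highest seq (65535)")
        elif max(seqs) != 65535:
            findings.append(f"crypto map {name}: dynamic entry seq {max(seqs)} should be the "
                            f"highest sequence number (65535)")
    if has_pool and not has_exemption:
        findings.append("no NAT exemption (identity twice-NAT) for the VPN pool; LAN-to-pool "
                        "replies would hit the dynamic PAT rule instead")
    return findings


if __name__ == "__main__":
    for cfg in (BAD_CONFIG, GOOD_CONFIG):
        print("\n".join(lint(cfg)) or "no findings")
</test>
The checker only reads the lines the thread's configs use, so a production config will need more patterns, but it already catches everything the answers above pointed out: the stale `nat (inside) 0` line in Config 2, the seq 1 dynamic entry in Config 1 and Config 3, Config 3's mismatched names, and the missing NAT0 rule.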
05-13-2013 01:23 AM
Hi,
The VPN wizard usually does all the configuration.
Can you post your current configuration on the ASA?
At least in one of your examples you are using the OLD NAT configuration format. In software 9.0(2) (since 8.3) the ASA uses a totally different NAT format for ALL NAT configurations. For example, they don't use any ACLs anymore.
The wizard should at least get you to the point where you can connect with the VPN Client, even if you can't access anything behind the ASA.
Is the VPN Client connection forming?
- Jouni
05-13-2013 01:43 AM
ciscoasa# sh run
: Saved
:
ASA Version 9.0(2)
!
hostname ciscoasa
enable password iD6GLB0Ojs0LBMC6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 175.136.235.163 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.100.2 255.255.255.192
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 175.136.235.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password K.6YwQlnpitiutiGz encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 12
subscribe-to-alert-group configuration periodic monthly 12
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c734c82ec4392d319604e5cb878de822
: end
ciscoasa#
This is the configuration. I did not save any with the VPN setup, so I can put in any of the 3 configs above.
05-28-2013 11:11 PM
Hi Jouni,
Thank you for your advice; I finally managed to test it out. I am able to connect through the VPN client and I can see all the networks in SECURED ROUTES; however, I'm still not able to ping anything on the network. When I did the following packet tracer, I got the following.
05-28-2013 11:29 PM
Hi,
It seems to me that you have changed your VPN Pool network, or used a different one compared to the one originally suggested.
Can you copy/paste your current ASA configuration in CLI format?
- Jouni
05-28-2013 11:50 PM
Hi Jouni,
I've sent you the current ASA configuration.
05-29-2013 12:26 AM
Hi,
Well, my first thought looking at the configuration is that even though one LAN interface and the VPN Pool have the same type of IP addresses, they are still on different subnets.
I would however consider changing the VPN Pool to a completely different network.
The "packet-tracer" is not very good at testing connections that are supposed to enter from a VPN connection. In the case of VPN Client connections, if you are going to use the "packet-tracer" command, have the VPN client connected to the ASA while you use the command. Also, naturally, use the IP address the VPN client got as the source address of the "packet-tracer" command.
- Jouni
05-29-2013 12:29 AM
Hi Jouni,
Thank you for your feedback. So, other than the VPN pool, do you see any obvious configuration problem in the running config?
I will try to change the VPN POOL IP after I do another round of tests later.
05-29-2013 12:48 AM
Hi,
To my eye the basic configurations needed are there.
One thing you could make sure of is that the link network you have configured on the ASA "inside" interface has the same 255.255.255.192 mask on the Core side as well.
If the Core, for example, had 255.255.255.0, then ALL return traffic from the LAN to the VPN Pool would get lost between the Core and the ASA. This is because the Core would think the VPN pool hosts were directly connected (because of the larger mask on the Core side) and would ARP for them and fail. But this is just a guess and might not be the problem.
- Jouni
05-29-2013 08:36 AM
Hi Jouni,
It's solved. Apparently it was due to my testing during office hours with Mobile Broadband. I had the same issue the other time at another Cisco ASA5510, which is why I asked if the configuration looks OK. There is some VPN client problem connecting using mobile broadband, which could be due to the setup or routing in the Service Provider's environment.
Anyway, thank you very much for your help on this.
05-29-2013 08:41 AM
Hi,
The old Cisco VPN Client software is known for having problems when you are using some method other than a wired or WLAN network connection.
USB-connected 3G connections and separate cards have been a very common source of problems.
Though personally I have never run into any of the problems, so I have not been able to thoroughly troubleshoot the issues.
The new Cisco AnyConnect VPN Client or Cisco AnyConnect Secure Mobility Client (same software, different version number) are the VPN clients that should currently be used for VPN Client connectivity. The Cisco VPN Client is at its end currently, so eventually it will become unusable.
- Jouni