09-23-2011 04:29 AM
Hi,
I am trying to configure a remote access VPN to my network. I have a Cisco ASA 5510, IOS 7.0(7).
I configured the VPN using ASDM 5.0.9, and below is the resulting configuration:
access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
nat (inside) 0 access-list 90
group-policy ClientVPN internal
group-policy ClientVPN attributes
dns-server value 192.xxx.xxx.xxx 192.xxx.xxx.xxx
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN_splitTunnelAcl
webvpn
username user password dkmv9X0FR/3rJ.Jw encrypted privilege 0
username user attributes
vpn-group-policy ClientVPN
webvpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
pre-shared-key *
When I try to connect using a VPN client I get an error:
Reason 412: The remote peer is no longer responding
I also have site-to-site VPNs on the same ASA which are working fine, and the tunnels are up.
Is there any specific access list I should configure to get this to work?
Attaching my entire ASA config for review.
Thank you for your help on this.
09-23-2011 12:24 PM
Hi,
Try adding this line: sysopt connection permit-ipsec . It is disabled in the config and needs to be enabled for IPsec to work.
hth
MS
09-23-2011 12:47 PM
Hi,
Thanks for your answer.
I have already tried this:
sysopt connection permit-ipsec
I have also configured the access list as below to allow all outside-to-inside traffic:
access-list Outside_IN extended permit tcp any host "outside interface ip address"
I also tried changing the client PC; same issue.
Connecting from the same client PC to another ASA VPN remote access works fine.
Could it be something related to the site-to-site config?
Thanks for your help
09-23-2011 01:10 PM
Hi,
A few things:
1. Make sure your internal IP subnet is different from the client VPN pool IP subnet. So use something like
172.16.15.0 255.255.255.0 or anything other than the internal subnet.
2. You need to configure the transform set: crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
ESP-3DES-MD5 is just the name of the transform set; you need to create it using:
crypto ipsec transform-set ESP-3DES-MD5
3. Also, check your tunnel group:
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
pre-shared-key *
Also, you need different configs for 'tunnel-group' and 'group-policy'.
Thx
MS
09-24-2011 10:42 AM
Hi,
I have tried what you asked me to do and it didn't work:
1. Added
sysopt connection permit-ipsec
to my config
2. Changed the IP pool:
ip local pool VPNIpPool 172.16.15.250-172.16.15.252 mask 255.255.255.0
3. Changed the group-policy and tunnel-group as follows:
group-policy ClientVPNPolicy internal
group-policy ClientVPNPolicy attributes
dns-server value 192.xxx.xxx.30 192.xxx.xxx.33
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN_splitTunnelAcl
webvpn
username usertest password ***** encrypted privilege 0
username usertest attributes
vpn-group-policy ClientVPNPolicy
webvpn
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPNPolicy
tunnel-group ClientVPN ipsec-attributes
pre-shared-key ******
Didn't work either.
I am attaching my new config now.
Thanks for your help; I am really desperate.
Regards
ASA Version 7.0(7)
!
hostname MyCompany
domain-name default.domain.invalid
enable password ***** encrypted
names
name 92.xxx.xxx.xxx srv1
dns-guard
!
interface Ethernet0/0
speed 10
nameif outside
security-level 0
ip address 92.xxx.xxx.2 255.xxx.xxx.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.xxx.xxx.1 255.255.255.0
!
passwd ***** encrypted
ftp mode passive
access-list idm extended permit ip any any
access-list Outside_IN extended permit tcp any host 92.xxx.xxx.2 (outside interface)
access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
access-list 96 extended permit ip host app1srv host 111.111.111.76
access-list 96 extended permit ip host app1srv host 111.111.111.77
access-list 96 extended permit ip host app2srv host 111.111.111.76
access-list 96 extended permit ip host app2srv host 111.111.111.77
access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmzdown 1500
mtu management 1500
ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
global (outside) 1 92.xxx.xxx.254
nat (inside) 0 access-list 90
nat (inside) 1 192.xxx.xxx.0 255.255.255.0
static (inside,outside) srv1 192.xxx.xxx.30 netmask 255.255.255.255
access-group Outside_IN in interface outside
access-group idm in interface inside
route outside 0.0.0.0 0.0.0.0 92.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ClientVPNPolicy internal
group-policy ClientVPNPolicy attributes
dns-server value 192.xxx.xxx.30 192.xxx.xxx.33
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN_splitTunnelAcl
webvpn
username usertest password ***** encrypted privilege 0
username usertest attributes
vpn-group-policy ClientVPNPolicy
webvpn
http server enable
http 192.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site_Site_VPN esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 26 match address 96
crypto map ToOutside 26 set peer 111.111.111.1
crypto map ToOutside 26 set transform-set Site_Site_VPN
crypto map ToOutside 26 set security-association lifetime seconds 86400
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ToOutside interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
isakmp am-disable
tunnel-group 111.111.111.1 type ipsec-l2l
tunnel-group 111.111.111.1 ipsec-attributes
pre-shared-key *****
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPNPolicy
tunnel-group ClientVPN ipsec-attributes
pre-shared-key ******
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:6905b6ae5815f04794207ff4929351b7
: end
09-24-2011 10:59 AM
Finally found the issue...
It is crypto isakmp am-disable
When putting
no crypto isakmp am-disable
the Client VPN is up.
Thanks for the help
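The thread ends on one finding (aggressive mode was disabled while the remote-access tunnel group relied on a pre-shared key) after two earlier suggestions (an overlapping pool subnet, an undefined transform set, and sysopt connection permit-ipsec). The script below is an added example, not code from the thread or from Cisco: it lints an ASA running config for exactly those conditions so they can be spotted before a client ever reports "Reason 412". The sample config is a trimmed copy of the one posted above with the masked addresses replaced by documentation-range placeholders (192.0.2.0/24, 198.51.100.0/24); the function names and issue codes are this example's own. One caveat worth keeping in mind when re-enabling aggressive mode as the last post does: IKEv1 aggressive mode with a pre-shared key exposes a hash derived from that key to anyone who can talk to the outside interface, so a long random group key, or certificate-based authentication where the client supports it, is the compensating control.

```python
import ipaddress
import re

# Constructed sample input: a trimmed copy of the running config posted in the thread,
# with the masked addresses replaced by documentation-range placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
ip local pool VPNIpPool 192.0.2.250-192.0.2.252 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp am-disable
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
 address-pool VPNIpPool
tunnel-group ClientVPN ipsec-attributes
 pre-shared-key *****
"""

# Both spellings appear in the thread: ASA 7.x shows 'isakmp am-disable',
# later releases 'crypto isakmp am-disable'.
AM_DISABLE = re.compile(r"(crypto )?isakmp am-disable$")


def config_lines(config_text):
    """Strip indentation, blank lines and '!' separators from a running config."""
    return [l.strip() for l in config_text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def interface_networks(lines):
    """Map nameif -> IPv4 network for every interface that has a static ip address."""
    nets, name = {}, None
    for line in lines:
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif name:
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line)
            if m:
                nets[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def local_pools(lines):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def ra_psk_tunnel_groups(lines):
    """Names of 'ipsec-ra' tunnel-groups whose ipsec-attributes carry a pre-shared-key."""
    ra = {l.split()[1] for l in lines if re.match(r"tunnel-group \S+ type ipsec-ra$", l)}
    with_psk, current = set(), None
    for line in lines:
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current = m.group(1)
        elif line.startswith("tunnel-group "):
            current = None          # some other tunnel-group section
        elif line.startswith("pre-shared-key") and current in ra:
            with_psk.add(current)
    return with_psk


def find_issues(config_text):
    """Return issue codes for the conditions discussed in the thread, in a fixed order."""
    lines = config_lines(config_text)
    issues = []
    # 1. The thread's actual fix: 'isakmp am-disable' refuses IKEv1 aggressive mode, which the
    #    legacy IPsec client uses for pre-shared-key group authentication, so the client's
    #    proposal is never answered and it reports "Reason 412".
    if any(AM_DISABLE.match(l) for l in lines) and ra_psk_tunnel_groups(lines):
        issues.append("aggressive-mode-disabled-with-psk-ra-group")
    # 2. Second reply: the client pool must not overlap the inside subnet.
    inside = interface_networks(lines).get("inside")
    for name, (first, last) in local_pools(lines).items():
        if inside is not None and (first in inside or last in inside):
            issues.append(f"pool-overlaps-inside:{name}")
    # 3. Second reply: every transform set a dynamic map references must exist.
    defined = {l.split()[3] for l in lines if l.startswith("crypto ipsec transform-set ")}
    for l in lines:
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", l)
        if m:
            issues.extend(f"transform-set-undefined:{ts}"
                          for ts in m.group(1).split() if ts not in defined)
    # 4. First reply: decrypted VPN traffic bypasses the interface ACL only while this is on.
    if any(l in ("no sysopt connection permit-ipsec", "no sysopt connection permit-vpn")
           for l in lines):
        issues.append("permit-ipsec-disabled")
    return issues


def remove_am_disable(config_text):
    """Apply the change the thread ended on ('no isakmp am-disable') to a config text."""
    kept = [l for l in config_text.splitlines() if not AM_DISABLE.match(l.strip())]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("before:", find_issues(SAMPLE_CONFIG))
    fixed = remove_am_disable(SAMPLE_CONFIG).replace("192.0.2.25", "172.16.15.25")
    print("after: ", find_issues(fixed))
```

Running the block on the sample reports the aggressive-mode conflict and the overlapping pool; removing the am-disable line and moving the pool to 172.16.15.0/24, as the replies suggested, clears both. The checks are deliberately conservative: the permit-ipsec check fires only on an explicit `no sysopt ...` line, since a missing line means the platform default applies and the script cannot know which default that is.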