Not able to remote access my asa

charbel.soueid (Level 1)

Hi,

I am trying to configure remote access VPN to my network; I have a Cisco ASA 5510 IOS 7.0(7).

I configured the VPN using ASDM 5.0.9 and below is the configuration received:

access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
nat (inside) 0 access-list 90
group-policy ClientVPN internal
group-policy ClientVPN attributes
 dns-server value 192.xxx.xxx.xxx 192.xxx.xxx.xxx
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN_splitTunnelAcl
 webvpn
username user password dkmv9X0FR/3rJ.Jw encrypted privilege 0
username user attributes
 vpn-group-policy ClientVPN
 webvpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
 address-pool VPNIpPool
 default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
 pre-shared-key *

When I try to connect using a VPN client I get an error:

Reason 412: The remote peer is no longer responding

I also have a site-to-site VPN on the same ASA which is working fine and the tunnels are up.

Is there any specific access list I should configure to get this to work?

Attaching my entire ASA config for review.

Thank you for your help on this.


mvsheik123 (Level 7)

Hi,

Try adding this line: sysopt connection permit-ipsec. It is disabled in the config and needs to be enabled for IPsec to work.

hth

MS

Hi,

Thanks for your answer.

I have already tried this:

sysopt connection permit-ipsec

Also I have configured the access list as below to enable all outside to inside traffic:

access-list Outside_IN extended permit tcp any host "outside interface ip address"

I also tried changing the client PC, same issue.

Trying to connect from the same client PC to another ASA VPN remote access works fine.

Could it be something related to the site-to-site config?

Thanks for your help

Hi,

A few things:

1. Make sure your internal IP subnet is different from the client VPN pool IP subnet. So use something like 172.16.15.0 255.255.255.0 or anything other than the internal subnet.

2. You need to configure the transform-set: crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

ESP-3DES-MD5 is just a name for the transform set; you need to create this using:

crypto ipsec transform-set ESP-3DES-MD5

3. Also, check your tunnel group:

tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
 address-pool VPNIpPool
 default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
 pre-shared-key *

Also, you need different configs for 'tunnel-group' and group-policy.

thx

MS

Hi,

I have tried what you asked me to do and it didn't work:

1- Adding sysopt connection permit-ipsec to my config

2- Changed the IP pool:

ip local pool VPNIpPool 172.16.15.250-172.16.15.252 mask 255.255.255.0

3- Changed the group-policy and tunnel-group as follows:

group-policy ClientVPNPolicy internal
group-policy ClientVPNPolicy attributes
 dns-server value 192.xxx.xxx.30 192.xxx.xxx.33
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN_splitTunnelAcl
 webvpn
username usertest password ***** encrypted privilege 0
username usertest attributes
 vpn-group-policy ClientVPNPolicy
 webvpn
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
 address-pool VPNIpPool
 default-group-policy ClientVPNPolicy
tunnel-group ClientVPN ipsec-attributes
 pre-shared-key ******

Didn't work either.

I am attaching my new config now.

Thanks for your help, I am really desperate.

Regards

ASA Version 7.0(7)
!
hostname MyCompany
domain-name default.domain.invalid
enable password ***** encrypted
names
name 92.xxx.xxx.xxx srv1
dns-guard
!
interface Ethernet0/0
 speed 10
 nameif outside
 security-level 0
 ip address 92.xxx.xxx.2 255.xxx.xxx.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.xxx.xxx.1 255.255.255.0
!
passwd ***** encrypted
ftp mode passive
access-list idm extended permit ip any any
access-list Outside_IN extended permit tcp any host 92.xxx.xxx.2 (outside interface)
access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
access-list 96 extended permit ip host app1srv host 111.111.111.76
access-list 96 extended permit ip host app1srv host 111.111.111.77
access-list 96 extended permit ip host app2srv host 111.111.111.76
access-list 96 extended permit ip host app2srv host 111.111.111.77
access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmzdown 1500
mtu management 1500
ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
global (outside) 1 92.xxx.xxx.254
nat (inside) 0 access-list 90
nat (inside) 1 192.xxx.xxx.0 255.255.255.0
static (inside,outside) srv1 192.xxx.xxx.30 netmask 255.255.255.255
access-group Outside_IN in interface outside
access-group idm in interface inside
route outside 0.0.0.0 0.0.0.0 92.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ClientVPNPolicy internal
group-policy ClientVPNPolicy attributes
 dns-server value 192.xxx.xxx.30 192.xxx.xxx.33
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN_splitTunnelAcl
 webvpn
username usertest password ***** encrypted privilege 0
username usertest attributes
 vpn-group-policy ClientVPNPolicy
 webvpn
http server enable
http 192.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site_Site_VPN esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 26 match address 96
crypto map ToOutside 26 set peer 111.111.111.1
crypto map ToOutside 26 set transform-set Site_Site_VPN
crypto map ToOutside 26 set security-association lifetime seconds 86400
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ToOutside interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
isakmp am-disable
tunnel-group 111.111.111.1 type ipsec-l2l
tunnel-group 111.111.111.1 ipsec-attributes
 pre-shared-key *****
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
 address-pool VPNIpPool
 default-group-policy ClientVPNPolicy
tunnel-group ClientVPN ipsec-attributes
 pre-shared-key ******
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:6905b6ae5815f04794207ff4929351b7
: end

Finally found the issue...

It is crypto isakmp am-disable. When putting

no crypto isakmp am-disable

the client VPN is up.

Thanks for the help
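The thread ends up checking three things by hand: whether aggressive mode is disabled while an ipsec-ra tunnel-group authenticates with a pre-shared key (the fix the poster found), whether sysopt connection permit-ipsec has been turned off (the first reply), and whether the client address pool sits inside the inside interface subnet (the second reply). The script below is an added example, not code from the thread or from Cisco: it parses a pasted ASA 7.x running config and reports those three conditions. The SAMPLE_CONFIG is constructed to mirror the poster's layout with documentation addresses; the finding codes, the regexes and the helper names are this example's own assumptions. It only flags the explicit "no sysopt connection permit-ipsec" form, since a config with no sysopt line at all is running the platform default.

```python
import ipaddress
import re

# Constructed sample config modelled on the thread's ASA 7.0(7) dump: same
# structure (inside /24, pool taken from that /24, isakmp am-disable, an
# ipsec-ra tunnel-group with a pre-shared key), but documentation addresses
# rather than the poster's masked ones.
SAMPLE_CONFIG = """\
ASA Version 7.0(7)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
ip local pool VPNIpPool 192.168.10.250-192.168.10.252 mask 255.255.255.0
isakmp enable outside
isakmp am-disable
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *****
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
 address-pool VPNIpPool
tunnel-group ClientVPN ipsec-attributes
 pre-shared-key *****
"""

# Assumed line shapes (ASA 7.x CLI as shown in the thread).
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_SECTION_RE = re.compile(r"^tunnel-group (\S+) (general-attributes|ipsec-attributes)$")


def _new_tg():
    return {"type": None, "psk": False, "pool": None}


def parse_asa_config(text):
    """Extract only what the thread's diagnosis needs: interface subnets,
    address pools, tunnel-groups, and the two global IKE/IPsec knobs.
    Sub-commands are attributed to the last header seen, so a paste that
    lost its indentation (as in the thread) still parses."""
    cfg = {"interfaces": {}, "pools": {}, "tunnel_groups": {},
           "am_disable": False, "permit_ipsec_off": False}
    cur_if = None  # last 'interface X' header
    cur_tg = None  # last 'tunnel-group X ...-attributes' header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if toks[0] == "interface":
            cur_if = cfg["interfaces"].setdefault(toks[1], {"nameif": None, "net": None})
        elif toks[0] == "nameif" and cur_if is not None:
            cur_if["nameif"] = toks[1]
        elif line.startswith("ip address ") and cur_if is not None:
            cur_if["net"] = ipaddress.ip_network(f"{toks[2]}/{toks[3]}", strict=False)
        elif (m := POOL_RE.match(line)):
            name, first, last, _mask = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif (m := TG_TYPE_RE.match(line)):
            cfg["tunnel_groups"].setdefault(m.group(1), _new_tg())["type"] = m.group(2)
        elif (m := TG_SECTION_RE.match(line)):
            cur_tg = cfg["tunnel_groups"].setdefault(m.group(1), _new_tg())
        elif toks[0] == "pre-shared-key" and cur_tg is not None:
            cur_tg["psk"] = True
        elif toks[0] == "address-pool" and cur_tg is not None:
            cur_tg["pool"] = toks[1]
        elif line in ("isakmp am-disable", "crypto isakmp am-disable"):
            cfg["am_disable"] = True
        elif line == "no sysopt connection permit-ipsec":
            cfg["permit_ipsec_off"] = True
    return cfg


def lint_asa_config(text):
    """Return (code, message) findings for the three conditions raised in the thread."""
    cfg = parse_asa_config(text)
    findings = []
    ra_psk = sorted(n for n, tg in cfg["tunnel_groups"].items()
                    if tg["type"] == "ipsec-ra" and tg["psk"])
    # 1. The poster's fix: the IKEv1 software client authenticates its group with a
    #    pre-shared key over aggressive mode, so 'am-disable' leaves it with no
    #    Phase 1 reply (the 'Reason 412' symptom).
    if cfg["am_disable"] and ra_psk:
        findings.append(("AM_DISABLED_WITH_RA_PSK",
                         "isakmp am-disable is set but ipsec-ra tunnel-group(s) "
                         + ", ".join(ra_psk) + " authenticate with a pre-shared key"))
    # 2. The first reply: with permit-ipsec explicitly off, decrypted VPN traffic
    #    has to be allowed by the interface ACLs.
    if cfg["permit_ipsec_off"]:
        findings.append(("PERMIT_IPSEC_OFF",
                         "no sysopt connection permit-ipsec: VPN traffic is subject to interface ACLs"))
    # 3. The second reply: keep the client pool out of the interface subnets.
    for name, tg in sorted(cfg["tunnel_groups"].items()):
        pool = cfg["pools"].get(tg["pool"])
        if pool is None:
            continue
        first, last = pool
        for ifname, data in cfg["interfaces"].items():
            net = data["net"]
            if net is not None and (first in net or last in net):
                findings.append(("POOL_OVERLAPS_INTERFACE",
                                 f"pool {tg['pool']} for tunnel-group {name} lies inside "
                                 f"{data['nameif'] or ifname} subnet {net}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_asa_config(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run against the sample it reports the am-disable conflict and the pool overlap, and nothing for permit-ipsec; removing the am-disable line and moving the pool to 172.16.15.0/24, as the thread eventually did, clears both findings.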