09-23-2011 03:06 AM - edited 02-21-2020 05:36 PM
Hi,
I am trying to configure remote access VPN to my network. I have a Cisco ASA 5510 IOS 7.0(7).
I configured the VPN using ASDM 5.0.9 and below is the configuration received:
access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
nat (inside) 0 access-list 90
group-policy ClientVPN internal
group-policy ClientVPN attributes
dns-server value 192.xxx.xxx.xxx 192.xxx.xxx.xxx
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN_splitTunnelAcl
webvpn
username user password dkmv9X0FR/3rJ.Jw encrypted privilege 0
username user attributes
vpn-group-policy ClientVPN
webvpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
pre-shared-key *
When I try to connect using a VPN client I get an error:
Reason 412: The remote peer is no longer responding
I also have site-to-site VPNs on the same ASA, which are working fine, and the tunnels are up.
Is there any specific access list I should configure to get this to work?
Attaching my entire ASA config for review.
Thank you for your help on this.
09-24-2011 04:22 AM
You are missing the following config:
group-policy ClientVPN attributes
vpn-tunnel-protocol ipsec
sysopt connection permit-ipsec
09-24-2011 10:45 AM
Hi Jennifer,
Thank you for your reply:
I have tried what you asked me to do and it didn't work:
1- Adding
sysopt connection permit-ipsec
to my config
2- group-policy ClientVPN attributes
vpn-tunnel-protocol ipsec
3- Changed the IP pool
ip local pool VPNIpPool 172.16.15.250-172.16.15.252 mask 255.255.255.0
4- Changed the group-policy and tunnel-group as follows:
group-policy ClientVPNPolicy internal
group-policy ClientVPNPolicy attributes
dns-server value 192.xxx.xxx.30 192.xxx.xxx.33
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN_splitTunnelAcl
webvpn
username usertest password ***** encrypted privilege 0
username usertest attributes
vpn-group-policy ClientVPNPolicy
webvpn
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPNPolicy
tunnel-group ClientVPN ipsec-attributes
pre-shared-key ******
Didn't work either.
I am attaching my new config now.
Thanks for your help, I am really desperate.
Regards
ASA Version 7.0(7)
!
hostname MyCompany
domain-name default.domain.invalid
enable password ***** encrypted
names
name 92.xxx.xxx.xxx srv1
dns-guard
!
interface Ethernet0/0
speed 10
nameif outside
security-level 0
ip address 92.xxx.xxx.2 255.xxx.xxx.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.xxx.xxx.1 255.255.255.0
!
passwd ***** encrypted
ftp mode passive
access-list idm extended permit ip any any
access-list Outside_IN extended permit tcp any host 92.xxx.xxx.2 (outside interface)
access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
access-list 96 extended permit ip host app1srv host 111.111.111.76
access-list 96 extended permit ip host app1srv host 111.111.111.77
access-list 96 extended permit ip host app2srv host 111.111.111.76
access-list 96 extended permit ip host app2srv host 111.111.111.77
access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmzdown 1500
mtu management 1500
ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
global (outside) 1 92.xxx.xxx.254
nat (inside) 0 access-list 90
nat (inside) 1 192.xxx.xxx.0 255.255.255.0
static (inside,outside) srv1 192.xxx.xxx.30 netmask 255.255.255.255
access-group Outside_IN in interface outside
access-group idm in interface inside
route outside 0.0.0.0 0.0.0.0 92.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ClientVPNPolicy internal
group-policy ClientVPNPolicy attributes
dns-server value 192.xxx.xxx.30 192.xxx.xxx.33
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN_splitTunnelAcl
webvpn
username usertest password ***** encrypted privilege 0
username usertest attributes
vpn-group-policy ClientVPNPolicy
webvpn
http server enable
http 192.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site_Site_VPN esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map ToOutside 26 match address 96
crypto map ToOutside 26 set peer 111.111.111.1
crypto map ToOutside 26 set transform-set Site_Site_VPN
crypto map ToOutside 26 set security-association lifetime seconds 86400
crypto map ToOutside 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ToOutside interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
isakmp am-disable
tunnel-group 111.111.111.1 type ipsec-l2l
tunnel-group 111.111.111.1 ipsec-attributes
pre-shared-key *****
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
default-group-policy ClientVPNPolicy
tunnel-group ClientVPN ipsec-attributes
pre-shared-key ******
telnet 192.xxx.xxx.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:6905b6ae5815f04794207ff4929351b7
: end
09-24-2011 11:00 AM
Finally found the issue...
It is crypto isakmp am-disable.
When putting
no crypto isakmp am-disable
the client VPN is up.
Thanks for the help.
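The conflict found in the post above, as an added example that is not part of the original thread or Cisco's own tooling: the Cisco VPN Client with group pre-shared-key authentication negotiates IKE Phase 1 in aggressive mode, so `isakmp am-disable` makes the ASA ignore it while main-mode site-to-site tunnels keep working. This Python check flags that combination in a saved configuration; the sample config is constructed from lines in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the flattened configuration posted in this thread.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp am-disable
tunnel-group 111.111.111.1 type ipsec-l2l
tunnel-group 111.111.111.1 ipsec-attributes
pre-shared-key *****
tunnel-group ClientVPN type ipsec-ra
tunnel-group ClientVPN general-attributes
address-pool VPNIpPool
tunnel-group ClientVPN ipsec-attributes
pre-shared-key ******
"""

AM_DISABLE = re.compile(r"^(no\s+)?(crypto\s+)?isakmp\s+am-disable$")
TG_TYPE = re.compile(r"^tunnel-group\s+(\S+)\s+type\s+(\S+)$")
TG_IPSEC = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes$")
# "ipsec-ra" is the type used on this page; later ASA releases write "remote-access".
RA_TYPES = {"ipsec-ra", "remote-access"}

def audit_aggressive_mode(config_text):
    """Return (am_disabled, sorted names of PSK remote-access tunnel groups)."""
    am_disabled = False
    types = {}          # tunnel-group name -> type
    psk_groups = set()  # tunnel groups that carry a pre-shared key
    current = None      # last tunnel-group whose ipsec-attributes block was opened
    for raw in config_text.splitlines():
        line = raw.strip()  # works for indented and flattened configs alike
        if m := AM_DISABLE.match(line):
            am_disabled = m.group(1) is None  # the "no" form re-enables aggressive mode
        elif m := TG_TYPE.match(line):
            types[m.group(1)] = m.group(2)
        elif m := TG_IPSEC.match(line):
            current = m.group(1)
        elif line.startswith("pre-shared-key") and current:
            # pre-shared-key only occurs under ipsec-attributes, so a stale
            # "current" left over from an earlier block cannot mislabel it.
            psk_groups.add(current)
    affected = sorted(g for g in psk_groups if types.get(g) in RA_TYPES)
    return am_disabled, affected

def findings(config_text):
    """One message per remote-access group that am-disable will lock out."""
    am_disabled, affected = audit_aggressive_mode(config_text)
    if not am_disabled:
        return []
    return [f"tunnel-group {g}: PSK remote access needs aggressive mode, "
            "but 'isakmp am-disable' is set" for g in affected]
```

Re-enabling aggressive mode with a pre-shared key lets anyone who starts a negotiation collect a Phase 1 hash to test key guesses against offline; certificate authentication, which lets the client use main mode, avoids that.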
09-24-2011 06:16 PM
Great finding and thanks for sharing...