
Problems with remote access with ASA 5505 - this is the error "The remote peer is no longer responding"

monter_85
Level 1

Hello,

I'm trying to make a remote access IPsec VPN. When I have all the configuration made and try to establish a remote access connection, the VPN client software (Cisco) shows the following message:

"The remote peer is no longer responding"

I know where the problem is.

 

Information of the network:

LAN ASA-1:

192.168.1.0 - 255.255.255.0

interface vlan 1:

ip: 192.168.1.1 - 255.255.255.0

interface vlan 2:

ip: 100.100.100.1 - 255.255.255.252

 

LAN REMOTE ACCESS:

192.168.10.0 - 255.255.255.0

 

Configuration ASA-1:

* IP address pool

ip local pool VPNPOOL 192.168.20.1-192.168.20.254

* Split tunneling

access-list splittunnel standard permit 192.168.1.0 255.255.255.0

* Configuration NAT

object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-vpnpool
subnet 192.168.20.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-vpnpool obj-vpnpool no-proxy-arp

 

*Group-policy

group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
vpn-idle-timeout 30

split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel

 

* Configure IPSec

crypto ikev1 policy 10
encryption 3des
hash sha
authentication pre-share
group 2
lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address

crypto ipsec ikev1 transform-set RA-TS esp-3des esp-sha-hmac

crypto dynamic-map DYN_MAP 10 set ikev1 transform-set RA-TS

crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside

 

* Create tunnel

tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPNPOOL
default-group-policy company-vpn-policy
tunnel-group vpnclient ipsec-attributes
ikev1 pre-shared-key groupkey123

 

Where is the problem?

 

Accepted Solutions

Dinesh Moudgil
Cisco Employee

Hello,
The configuration looks pretty much fine. Please share the output of the following commands from the ASA when you try to connect.

debug crypto isakmp 200
debug crypto ipsec 200

You might want to take captures on the outside interface of the firewall to confirm whether the packets are reaching the firewall or not, using:
capture capx interface outside match ip host <firewall's external IP> host <client's public ip>

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
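
Added example, not part of the original posts: a small Python check over the text of `show capture capx` that separates the cases the capture above is meant to distinguish. The capture line layout, the client address 198.51.100.7 and the sample captures are assumptions constructed for illustration; 100.100.100.1 is the outside address from the question.

```python
import re

# Packet line layout of ASA "show capture" text output (assumed), e.g.
#    1: 10:15:01.100000       198.51.100.7.51000 > 100.100.100.1.500:  udp 868
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(\d+(?:\.\d+){3})\.(\d+)\s+>\s+(\d+(?:\.\d+){3})\.(\d+):\s+udp\b"
)
IKE_PORTS = {500, 4500}  # IKE and IKE NAT-T (UDP)

def diagnose(capture_text, asa_ip, client_ip):
    """Count IKE packets per direction and say where to look next."""
    inbound = outbound = 0
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # summary line or non-UDP packet
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if (src, dst) == (client_ip, asa_ip) and dport in IKE_PORTS:
            inbound += 1
        elif (src, dst) == (asa_ip, client_ip) and sport in IKE_PORTS:
            outbound += 1
    if inbound == 0:
        verdict = "no IKE reached the ASA: check routers and ACLs in the path"
    elif outbound == 0:
        verdict = "IKE arrives, ASA silent: check crypto config and debugs"
    else:
        verdict = "IKE flows both ways: read the debugs for the failing phase"
    return inbound, outbound, verdict

# Constructed samples; 198.51.100.7 stands in for the client's public IP.
ASA, CLIENT = "100.100.100.1", "198.51.100.7"
BLOCKED_UPSTREAM = "0 packet captured\n0 packet shown\n"
ASA_SILENT = """3 packets captured
   1: 10:15:01.100000       198.51.100.7.51000 > 100.100.100.1.500:  udp 868
   2: 10:15:06.100000       198.51.100.7.51000 > 100.100.100.1.500:  udp 868
   3: 10:15:11.100000       198.51.100.7.51000 > 100.100.100.1.500:  udp 868
3 packets shown
"""

if __name__ == "__main__":
    for name, text in (("blocked upstream", BLOCKED_UPSTREAM), ("ASA silent", ASA_SILENT)):
        print(name, diagnose(text, ASA, CLIENT))
```

An empty capture while the client is retrying points away from the ASA and toward a device in the path.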


Hello,

I thought that the problem was in the configuration of the ASA. After your answer I reviewed all configurations (ASA as well as routers (Cisco)) and the problem was in the configuration of one router (Cisco) that didn't permit any connection through it to the ASA.

Thanks for your answer.

Glad I was able to help you.

Regards,
Dinesh Moudgil
