cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
975
Views
0
Helpful
13
Replies

site to site vpn and remote access vpn

mirzaakberali
Level 1
Level 1

hi ,

iam facing trouble in configuring remote access vpn on cisco asa 5510 on dynamic ip and site to site vpn configuration with sonicwall nsa 240 running on static ip.

following is the configuration i have made for remote access vpn

User Access Verification

Password:

Type help or '?' for a list of available commands.

ajmfw> en

Password: ********

ajmfw# show run

: Saved

:

ASA Version 7.0(8)

!

hostname ajmfw

domain-name pix.ajm.local

enable password rRiL7GeK5Rz8u8fp encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.0.0.2 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.10.101 255.255.255.0

management-only

!

ftp mode passive

clock timezone GST 4

object-group service rdp tcp

port-object range 3389 3389

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.240

access-list ajmmobile_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool ajmpool 192.168.60.1-192.168.60.10 mask 255.255.255.0

no failover

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy ajmmobile internal

group-policy ajmmobile attributes

wins-server value 192.168.1.100

dns-server value 192.168.1.100 213.42.20.20

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ajmmobile_splitTunnelAcl

default-domain value ajmdubai.local

webvpn

username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15

username youmna password aCnHruhwBOyHXsvR encrypted

username netcare password m9piWoZJb5Cm5Vy1 encrypted privilege 0

username netcare attributes

vpn-group-policy ajmmobile

webvpn

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

tunnel-group ajmmobile type ipsec-ra

tunnel-group ajmmobile general-attributes

address-pool ajmpool

default-group-policy ajmmobile

tunnel-group ajmmobile ipsec-attributes

pre-shared-key *

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 195.229.241.222 213.42.20.20

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

please respond asap

13 Replies 13

mirzaakberali
Level 1
Level 1

dear andrew,

right now iam have just configured remote access vpn and when i try to connect i get the following the debug messages on the cisco asa 5510 and the vpn doesnt connects.

error could not remove entry from peer table no match

please respond

asap

Mirza,

What happens when we add this command on.

crypto isakmp enable outside

HTH,

Toshi

it is already enabled staphon

what to do next

Have you read the config examples I posted - have you compared them.

yes i have configured as per the examples listed there but still it doesnt connects and shows the error on asa which i have posted below

error could not remove entry from peer table no match

hi all,

one thing what i have found is that even outbound VPN connections are not passing through the asa 5510 there is something in the firewall which is blocking both inbound and outbound vpn connections.

asa ver 7.0(8)

please respond asap

as it is very urgent

hi all,

now iam getting a new error message on the asa when i do debug crypto isakmp and ipsec and try to connect to remote access vpn from cisco vpn client

the error is

received invalid cookie message for non-existent sa

please help me

its very critical now

vpn has to be working

hi andrew,

i have configured it as per the configuration guides from the cisco site but still my vpn is not working .

please respond to me asap

it is getting very critical. it is a crisis for me i have to solve it.

Sorry - been busy with other issues.

OK - what is the issue exactly - what is not working, how far does the connection proceed, what are your debugs and logs saying?

try adding:-

tunnel-group ajmmobile ipsec-attributes

authentication-server-group local

test and lets us know.

hi andrew,

i have added this command but still no luck.i have upgraded the ios 8.0(4) and asdm to 6.21 and still i get the same error

error unable to remove peer from peer table entry group=ajmmobile no match

please respond asap

also if u can guide me how to setup ssl vpn on this which should allow full network access like mapi exchange server access will be beneficial.

eagerly waiting for ur email

regards

akber