03-16-2012 04:31 PM
Here is a variation on a theme I've seen on the boards here. I have an ASA 5580 configured for client IPsec VPNs. I can connect via the VPN, ping the interface being used for management, and complete the TCP handshake for telnet or SSH. After that, the connection times out. I know I'm missing something small, but can't find it. Any help would be greatly appreciated.
Here are the relevant parts of the config:
!
interface TenGigabitEthernet0/8
 nameif INSIDE
 security-level 100
 ip address 10.50.254.249 255.255.255.248 standby 10.50.254.250
!
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface GigabitEthernet0/1
 nameif ToMGMT
 security-level 10
 ip address 10.50.253.18 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name local
object-group network Inside_NETWORK_ALL
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.248.0.0
object-group network Outside_REMOTE_VPN
 network-object 10.50.224.0 255.255.254.0
object-group network MGMT_NET
 network-object 10.50.253.0 255.255.255.0
access-list PERMIT_ANY extended permit ip any any
access-list RemoteVPN_SPLIT standard permit 10.50.253.0 255.255.255.0
access-list RemoteVPN_SPLIT standard permit 10.50.0.0 255.255.0.0
access-list RemoteVPN_SPLIT standard permit 10.50.224.0 255.255.254.0
access-list NO-NAT-VPN extended permit ip any 10.50.224.0 255.255.254.0
access-list MGMT-2-VPN extended permit ip 10.50.253.0 255.255.255.0 10.50.224.0 255.255.254.0
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu ToMGMT 1500
ip local pool RemoteVPN_POOL 10.50.224.0-10.50.225.0 mask 255.255.254.0
monitor-interface DMZ
no monitor-interface OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,any) source static Inside_NETWORK_ALL Inside_NETWORK_ALL destination static Inside_NETWORK_ALL Inside_NETWORK_ALL
nat (INSIDE,OUTSIDE) source dynamic Inside_NETWORK_ALL interface
access-group OUTSIDE_IN in interface OUTSIDE
!
!
route OUTSIDE 0.0.0.0 0.0.0.0 200.200.100.10 1
route INSIDE 10.50.0.0 255.255.224.0 10.50.254.254 1
route INSIDE 10.50.253.0 255.255.255.0 10.50.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS_COLO protocol radius
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set 3dessha-Transport esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3dessha-Transport mode transport
crypto ipsec ikev1 transform-set dessha esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3dessha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map RemoteVPN_DM 5 set ikev1 transform-set 3dessha
crypto dynamic-map PUB_IPSEC_CLIENT 1 set ikev1 transform-set ESP-3DES-MD5
crypto map CRYPTO_MAP 1 ipsec-isakmp dynamic RemoteVPN_DM
crypto map CRYPTO_MAP 2 ipsec-isakmp dynamic PUB_IPSEC_CLIENT
crypto map CRYPTO_MAP interface OUTSIDE
crypto isakmp identity key-id ***********
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 65534
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh 10.50.253.0 255.255.255.0 ToMGMT
ssh 10.50.224.0 255.255.254.0 ToMGMT
ssh 10.0.0.0 255.0.0.0 ToMGMT
ssh timeout 5
ssh version 2
console timeout 0
management-access ToMGMT
!
tls-proxy maximum-session 1000
!
ssl trust-point localtrust OUTSIDE
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 10.50.223.10
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_SPLIT
 address-pools value RemoteVPN_POOL
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value 10.200.0.6
 password-storage enable
 split-tunnel-network-list value RemoteVPN_SPLIT
group-policy IPSEC-POLICY internal
group-policy IPSEC-POLICY attributes
 vpn-simultaneous-logins 20
 vpn-tunnel-protocol ikev1
 ip-comp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_SPLIT
 user-authentication enable
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool RemoteVPN_POOL
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group IPSECGROUP type remote-access
tunnel-group IPSECGROUP general-attributes
 address-pool RemoteVPN_POOL
 default-group-policy IPSEC-POLICY
 authorization-required
tunnel-group IPSECGROUP ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
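A small audit script for configs like the one posted above, added here as an example and not code from the original post. It parses an excerpt of the posted configuration (embedded as constructed sample input) and reports what the config says about managing the ASA over the VPN: which ssh statements on the management-access interface contain the whole address pool, whether the split-tunnel list includes the management interface address, static routes that overlap a subnet connected to a different interface, transform sets that still use DES, 3DES or MD5 and whether a crypto map references them, and group policies with password-storage enabled. The function names and the wording of the findings are my own; the script lists facts that are in the config and does not claim to identify the cause of the timeout. It needs Python 3.7 or later for IPv4Network.subnet_of.

```python
"""Audit an ASA running-config excerpt for what managing the box over a remote-access VPN
needs, plus legacy-crypto checks. Added example, not code from the original post (Python 3.7+)."""
import ipaddress
import re

# Constructed sample input: an excerpt of the configuration posted above.
CONFIG = """\
interface GigabitEthernet0/1
 nameif ToMGMT
 security-level 10
 ip address 10.50.253.18 255.255.255.0
access-list RemoteVPN_SPLIT standard permit 10.50.253.0 255.255.255.0
access-list RemoteVPN_SPLIT standard permit 10.50.0.0 255.255.0.0
ip local pool RemoteVPN_POOL 10.50.224.0-10.50.225.0 mask 255.255.254.0
route INSIDE 10.50.253.0 255.255.255.0 10.50.254.254 1
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set 3dessha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map RemoteVPN_DM 5 set ikev1 transform-set 3dessha
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh 10.50.224.0 255.255.254.0 ToMGMT
ssh 10.0.0.0 255.0.0.0 ToMGMT
ssh timeout 5
management-access ToMGMT
group-policy RemoteVPN attributes
 password-storage enable
"""
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect only the statements the checks below need; everything else is skipped."""
    cfg = {"interfaces": {}, "ssh": [], "pools": {}, "routes": [], "splits": {},
           "transform_sets": {}, "in_use": set(), "mgmt": None, "password_storage": []}
    iface = gp = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if raw.startswith(" "):  # sub-command of the block opened by the last top-level line
            if iface is not None and w[0] == "nameif":
                cfg["interfaces"][w[1]] = iface
            elif iface is not None and w[:2] == ["ip", "address"]:
                iface.update(ip=ipaddress.ip_address(w[2]), net=net(w[2], w[3]))
            elif gp and w[:2] == ["password-storage", "enable"]:
                cfg["password_storage"].append(gp)
            continue
        iface = gp = None
        if w[0] == "interface":
            iface = {}
        elif w[0] == "ssh" and len(w) == 4 and IPV4.match(w[1]):  # not "ssh timeout"/"ssh version"
            cfg["ssh"].append((net(w[1], w[2]), w[3]))
        elif w[:3] == ["ip", "local", "pool"]:  # pool network taken from its first address and mask
            cfg["pools"][w[3]] = net(w[4].split("-")[0], w[6])
        elif w[0] == "route":
            cfg["routes"].append((w[1], net(w[2], w[3])))
        elif w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            cfg["splits"].setdefault(w[1], []).append(net(w[4], w[5]))
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"] and len(w) == 7 and w[5] != "mode":
            cfg["transform_sets"][w[4]] = set(w[5:])
        elif w[:2] == ["crypto", "dynamic-map"] and "transform-set" in w:
            cfg["in_use"].add(w[w.index("transform-set") + 1])
        elif w[0] == "management-access":
            cfg["mgmt"] = w[1]
        elif w[0] == "group-policy" and w[-1] == "attributes":
            gp = w[1]
    return cfg

def ssh_coverage(cfg):  # per pool: ssh statements on the management-access interface that contain it
    return {name: [n for n, i in cfg["ssh"] if i == cfg["mgmt"] and pool.subnet_of(n)]
            for name, pool in cfg["pools"].items()}

def split_tunnel_gaps(cfg):  # split-tunnel lists that do not include the management interface address
    mgmt_ip = cfg["interfaces"].get(cfg["mgmt"], {}).get("ip")
    return [acl for acl, nets in cfg["splits"].items() if mgmt_ip and not any(mgmt_ip in n for n in nets)]

def route_overlaps(cfg):  # static routes whose prefix overlaps a subnet connected to another interface
    return [(via, r, name) for via, r in cfg["routes"] for name, d in cfg["interfaces"].items()
            if name != via and "net" in d and d["net"].overlaps(r)]

def legacy_transform_sets(cfg):  # DES/3DES/MD5 transform sets, and whether a crypto map references them
    return {name: (sorted(a & LEGACY), name in cfg["in_use"])
            for name, a in cfg["transform_sets"].items() if a & LEGACY}

def report(config):
    cfg = parse(config)
    out = [f"ssh from {p} ({cfg['pools'][p]}) to {cfg['mgmt']}: " + (", ".join(map(str, n)) or "NOT permitted")
           for p, n in ssh_coverage(cfg).items()]
    out += [f"split list {a} omits the {cfg['mgmt']} address" for a in split_tunnel_gaps(cfg)]
    out += [f"route {r} via {v} overlaps connected subnet on {i}" for v, r, i in route_overlaps(cfg)]
    out += [f"transform-set {n} uses {', '.join(a)} ({'referenced' if u else 'unreferenced'})"
            for n, (a, u) in legacy_transform_sets(cfg).items()]
    out += [f"group-policy {g}: password-storage enable" for g in cfg["password_storage"]]
    return out

if __name__ == "__main__":
    print("\n".join(report(CONFIG)))
```

Run against the excerpt it reports that the pool is permitted to ssh to ToMGMT by two statements, that the split list already carries the management address, that the static route for 10.50.253.0/24 via INSIDE overlaps the subnet connected to ToMGMT (the connected route has the lower administrative distance, so the static one never takes effect), that the transform set the dynamic map actually references is the 3DES one, and that the RemoteVPN group policy lets users save their VPN password on the client. To audit a full running-config, paste the whole output of show running-config into CONFIG; the parser ignores statements it does not know.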