Unable to connect to Remote-Access VPN from Cisco Client

Halliblondal
Level 1

I have a small lab for testing and getting to know some networking, but now I am really stuck and not seeing the misconfiguration. The thing is that I am trying to set up a remote access VPN using the IKEv1 wizard and my RADIUS server (IP 10.10.1.13). I can test the AAA server, and connection and authentication to it work fine.

When I connect from outside to my ASA with my Cisco client, using Ubuntu and Cisco AnyConnect Secure Mobility Client version 4.9.01095, my connection always times out. I have tried a self-signed certificate using the AnyConnect VPN wizard, and with just the local database on the ASA (not using the VLAN RADIUS), but I never get a response:

Cisco AnyConnect Secure Mobility Client (version 4.9.01095) .

Copyright (c) 2004 - 2020 Cisco Systems, Inc.  All Rights Reserved.


  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
  >> contacting host (192.168.0.50) for login information...
  >> notice: Contacting 192.168.0.50.
  >> warning: Connection attempt has failed.
  >> warning: Unable to contact 192.168.0.50.
  >> error: Could not connect to server.  Please verify Internet connectivity and server address.
  >> state: Disconnected

But it works fine to ping 192.168.0.50 (my outside interface), and if I open it in the browser I get access to the index.html from the Apache server I installed on VLAN 4 (IP 10.10.4.13). I just cannot figure out why I do not get any response from the VPN server on the ASA. Here is my ASA configuration:

ciscoasa# show configuration
: Saved
:
: Serial Number: JMX1151L0CN
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
: Written by enable_15 at 01:10:51.219 UTC Wed Jan 1 2003
!
ASA Version 9.1(7)19
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool VPN 10.10.5.10-10.10.5.100 mask 255.255.255.0
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.0.50 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Ethernet0/1.2
 vlan 2
 nameif Trusted
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif Admin
 security-level 100
 ip address 10.10.2.1 255.255.255.0
!
interface Ethernet0/1.4
 vlan 4
 nameif IoT
 security-level 70
 ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/1.5
 vlan 5
 nameif DMZ
 security-level 50
 ip address 10.10.4.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa917-19-k8.bin
ftp mode passive
object network myNet
 subnet 10.10.0.0 255.255.255.0
object network NAT_trusted
 subnet 10.10.1.0 255.255.255.0
object network NAT_IoT
 subnet 10.10.3.0 255.255.255.0
object network NAT_DMZ
 subnet 10.10.4.0 255.255.255.0
object network NAT_ADMIN
 subnet 10.10.2.0 255.255.255.0
object network HTTP_WEB_SERVER
 host 10.10.4.13
object network HTTPS_WEB_SERVER
 host 10.10.4.13
object network FTP_SERVER
 host 10.10.4.13
object network FTP_DATA
 host 10.10.4.13
object network Inside
 subnet 10.10.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.5.0_25
 subnet 10.10.5.0 255.255.255.128
object network FTP
 host 10.10.4.13
object network http
 host 10.10.1.13
object network https
 host 10.10.4.13
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any object HTTP_WEB_SERVER eq www
access-list Outside_access_in extended permit tcp any object HTTPS_WEB_SERVER eq https
access-list Outside_access_in extended permit tcp any object FTP_SERVER eq ftp
access-list Inside_access_in_2 extended permit ip object Inside any
access-list Admin_access_in extended permit ip 10.10.2.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip any any
access-list AnyConnect_Client_Local_Print extended permit ip any4 any4 inactive
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Outside_cryptomap_65535.65535 extended permit ip 192.168.0.0 255.255.255.0 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Trusted 1500
mtu Admin 1500
mtu IoT 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Outside,Outside) source static any any destination static NETWORK_OBJ_10.10.5.0_25 NETWORK_OBJ_10.10.5.0_25
!
object network myNet
 nat (any,Outside) dynamic interface
object network NAT_trusted
 nat (Trusted,Outside) dynamic interface
object network NAT_IoT
 nat (IoT,Outside) dynamic interface
object network NAT_DMZ
 nat (DMZ,Outside) dynamic interface
object network NAT_ADMIN
 nat (Admin,Outside) dynamic interface
object network Inside
 nat (Inside,Outside) dynamic 192.168.0.1
object network FTP
 nat (any,Outside) static interface service tcp ftp ftp
object network http
 nat (DMZ,Outside) static interface service tcp www www
object network https
 nat (DMZ,Outside) static interface service tcp https https
access-group Outside_access_in in interface Outside
access-group Inside_access_in_2 in interface Inside
access-group Admin_access_in in interface Admin
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server radiusg5.local protocol radius
aaa-server radiusg5.local (Trusted) host 10.10.1.13
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address Outside_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment self
 subject-name CN=ciscoasa
 keypair Group5VPN
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
 certificate f02f123e
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.10.0.2-10.10.0.12 Inside
dhcpd dns 8.8.8.8 8.8.4.4 interface Inside
dhcpd enable Inside
!
dhcpd address 10.10.1.2-10.10.1.12 Trusted
dhcpd dns 8.8.8.8 8.8.4.4 interface Trusted
dhcpd enable Trusted
!
dhcpd address 10.10.2.2-10.10.2.250 Admin
dhcpd dns 8.8.8.8 8.8.4.4 interface Admin
dhcpd enable Admin
!
dhcpd address 10.10.3.2-10.10.3.12 IoT
dhcpd dns 8.8.8.8 8.8.4.4 interface IoT
dhcpd enable IoT
!
dhcpd address 10.10.4.2-10.10.4.12 DMZ
dhcpd dns 8.8.8.8 8.8.4.4 interface DMZ
dhcpd enable DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 8.8.4.4 interface management
dhcpd update dns interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint2 DMZ
ssl trust-point ASDM_TrustPoint2 Inside
ssl trust-point ASDM_TrustPoint2 Admin
ssl trust-point ASDM_TrustPoint2 Trusted
ssl trust-point ASDM_TrustPoint2 Outside
ssl trust-point ASDM_TrustPoint2 IoT
webvpn
 enable Outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.10010-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 2
 anyconnect profiles group5 disk0:/group5.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy group5 internal
group-policy group5 attributes
 dns-server value 10.10.1.13 8.8.4.4
 vpn-tunnel-protocol ikev1 ikev2
 default-domain value radiusg5.local
 webvpn
  anyconnect profiles value group5 type user
username TomLocal password SiE7m2yDaj32HxMZ encrypted
username TomASA password hXJtGqz/O6XaFAm6 encrypted
tunnel-group group5 type remote-access
tunnel-group group5 general-attributes
 address-pool VPN
 authentication-server-group radiusg5.local
 default-group-policy group5
tunnel-group group5 webvpn-attributes
 group-alias group5 enable
tunnel-group group5 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e300d2ceace26bd703daaacb132c2fd5
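One thing worth checking in a config like the one above: `webvpn` / `enable Outside` and `crypto ikev2 enable Outside client-services port 443` both need TCP 443 on the outside address, while `object network https` / `nat (DMZ,Outside) static interface service tcp https https` hands that same port on the same interface to the DMZ web server, so inbound TLS to 192.168.0.50 lands on Apache rather than on the ASA's VPN listener. The script below is an added example, not part of the post or any Cisco tool: it scans an ASA running-config for static interface PATs that claim a port a remote-access VPN listener on that interface needs. The config excerpt and the small port-name table are constructed from this post; the listener ports are the ASA defaults (webvpn 443 unless `port` is set, IKEv1 UDP 500/4500, plus the configured ipsec-over-tcp and IKEv2 client-services ports).

```python
import re

# Constructed excerpt of the ASA config in the post: only the lines this check reads.
SAMPLE_CONFIG = """\
object network https
 nat (DMZ,Outside) static interface service tcp https https
object network http
 nat (DMZ,Outside) static interface service tcp www www
crypto ikev2 enable Outside client-services port 443
crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
webvpn
 enable Outside
"""
# ASA service keywords that occur in the sample; numeric ports pass through unchanged.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21}
NAT_RE = re.compile(r"^\s*nat \(\S+,(\S+)\) static interface service (tcp|udp) \S+ (\S+)")
IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+) client-services port (\d+)")
IKEV1_RE = re.compile(r"^crypto ikev1 enable (\S+)")
OVER_TCP_RE = re.compile(r"^crypto ikev1 ipsec-over-tcp port (\d+)")

def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]

def find_conflicts(config):
    """(interface, proto, port, pat_line, listener) for each static interface PAT that takes a VPN listener's port."""
    pats, listeners, ikev1_ifaces, webvpn_ifaces = [], [], [], []
    over_tcp_port, webvpn_port, in_webvpn = None, 443, False
    for line in config.splitlines():
        in_webvpn = line == "webvpn" or (in_webvpn and line.startswith(" "))  # top-level webvpn block only
        if m := NAT_RE.match(line):
            pats.append((m[1], m[2], port_number(m[3]), line.strip()))
        elif m := IKEV2_RE.match(line):
            listeners.append((m[1], "tcp", int(m[2]), "ikev2 client-services"))
        elif m := IKEV1_RE.match(line):
            ikev1_ifaces.append(m[1])
            listeners += [(m[1], "udp", 500, "ikev1 isakmp"), (m[1], "udp", 4500, "ikev1 nat-t")]
        elif m := OVER_TCP_RE.match(line):
            over_tcp_port = int(m[1])
        elif in_webvpn and line.startswith(" enable "):
            webvpn_ifaces.append(line.split()[1])
        elif in_webvpn and line.startswith(" port "):
            webvpn_port = int(line.split()[1])
    # ipsec-over-tcp and the webvpn port are global settings: apply them to every enabled interface.
    listeners += [(i, "tcp", over_tcp_port, "ikev1 ipsec-over-tcp") for i in ikev1_ifaces if over_tcp_port]
    listeners += [(i, "tcp", webvpn_port, "webvpn") for i in webvpn_ifaces]
    return sorted((i, p, port, pat, who) for i, p, port, pat in pats
                  for li, lp, lport, who in listeners if (i, p, port) == (li, lp, lport))
```

Run it over `show running-config` output: every tuple it returns names a PAT rule and the VPN listener it shadows, which is the first place to look when a client reports "Unable to contact" against an address that answers ping and HTTP.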