VPN help needed

srosenthal
Level 4

Hello,

I have an ASA5510 that I am trying to set up VPN on. I need to allow home users access inside our network. I have tried going through the VPN wizard several times and just cannot seem to get it working. I am using the Cisco VPN client, latest version.

I am enclosing the latest configuration which also has a show version at the end of it.

Any help would be greatly appreciated.

13 Replies

acomiskey
Level 10

Firstly, you always want your vpn pool to be different than your inside network.

access-list inside_nat0_outbound extended permit ip any 10.19.1.0 255.255.255.0

ip local pool VPN 10.19.1.100-10.19.1.254 mask 255.255.255.0

Also add...

crypto isakmp nat-traversal

Also, are you trying to vpn to the inside interface?

crypto map inside_map interface inside

crypto isakmp enable inside

Thank you for your help.

I am at home and want to have VPN access to the inside networks.

Seth

These lines should say "outside" as you are vpn'ing to the outside interface of the ASA.

crypto map inside_map interface outside

crypto isakmp enable outside

I did correct the config with the commands you gave me.

I tried to connect with the VPN client and still cannot. I was curious about the pre-shared key. Am I supposed to enter that in the client somewhere?

Seth

Yes. You need to enter the group name "VPN" and the pre-shared key or "password" under the group authentication section of the Cisco VPN client.

Yes, you need to have the pre-shared key in the VPN client. When you enter the group in the VPN client, the PSK will be the password for the group. When the connection is successful you will get the username and password dialog where you key in your personal information.

Let us know if it works

Ok, I did that and it still will not connect. The VPN client tells me

Secure VPN Connection terminated by the Client.

Reason 412: The remote peer is no longer responding.

I am also attaching the latest config.

Seth

This works for me...

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto isakmp identity address

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

Thank you, that worked wonderfully.

Now my next question is how do I setup for certain clients to access only certain networks?

Again, thank you very much.

Seth

Will these users be part of the same tunnel group, or will you create different tunnel groups for different classes of users?

I guess they can be part of the same group, just different user names and networks accessed.

Seth

This should help you some...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

This will show you how to create a vpn-filter acl which can be applied to a tunnel group policy or individual user account.

The other option is to remove "sysopt connection permit-vpn". This will stop IPsec traffic from bypassing your interface ACLs. Then you can simply write the access you desire in your outside access list.

Thank you again for the help. I did figure out that all I needed to do was add an ACL and then add a user and apply that ACL to the user.

Again, thank you very much.

Seth
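The per-user vpn-filter approach described by acomiskey and confirmed by Seth above, written out as an added example (not from the thread's own config). The pool 10.19.1.0/24 and the tunnel group "VPN" are from the thread; the inside networks 192.168.10.0/24 and 192.168.20.0/24, the ACL and group-policy names, and the usernames are assumed.

```cisco
! Added example, not from the original post. Assumed: inside networks
! 192.168.10.0/24 (finance) and 192.168.20.0/24 (engineering); pool and
! tunnel group "VPN" as in the thread.
!
! vpn-filter ACLs are written with the REMOTE CLIENT as source and the
! inside network as destination; the ASA applies them to both directions
! of the tunnel, so one entry covers the return traffic as well.
access-list VPNFILTER_FINANCE extended permit ip 10.19.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPNFILTER_FINANCE extended deny ip any any log
!
access-list VPNFILTER_ENG extended permit ip 10.19.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPNFILTER_ENG extended deny ip any any log
!
! Default for the whole tunnel group: deny everything, so a user with no
! per-user filter gets nothing rather than the whole inside network.
access-list VPNFILTER_DENY extended deny ip any any log
group-policy VPN_GP internal
group-policy VPN_GP attributes
 vpn-filter value VPNFILTER_DENY
tunnel-group VPN general-attributes
 default-group-policy VPN_GP
!
! A filter set under "username ... attributes" overrides the group-policy
! filter for that user only. Passwords here are placeholders.
username alice password CHANGE_ME_PLACEHOLDER
username alice attributes
 vpn-filter value VPNFILTER_FINANCE
username bob password CHANGE_ME_PLACEHOLDER
username bob attributes
 vpn-filter value VPNFILTER_ENG
!
! Verify which filter an active session actually received:
show vpn-sessiondb remote filter name alice
```

Because "sysopt connection permit-vpn" is still in effect here, the interface ACL on outside is bypassed for decrypted traffic and the vpn-filter is the only thing restricting each user; the "deny ip any any log" lines make rejected attempts visible in the syslog.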