Problems with SMTP port forwarding on ASA 5505

Cannot telnet to port 25 to test for SMTP traffic.  Packet trace indicates that the packet is dropped by the implicit rule, but I have tried an access rule specifically for SMTP, and the trace appears to skip the rule and drop the packet when it hits the implicit default drop rule.  Can anyone help?  Here is my configuration:
ASA Version 8.2(5)
hostname XXXXXXXXXXXXXXXXX
enable pXXXXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
names
name XXX.XXX.XXX.74 DNI-HOST1
name XXX.XXX.XXX.184 DNI-HOST2
name 192.168.1.2 Server
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.130 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service rdp tcp
port-object eq 3389
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply inactive
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any eq smtp
access-list INBOUND extended permit tcp any any eq https
access-list INBOUND extended permit tcp any eq 3389 any object-group rdp
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http DNI-HOST2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [REDACTED]
  quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 206.190.255.0 255.255.255.0 outside
ssh DNI-HOST2 255.255.255.255 outside
ssh DNI-HOST1 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username Administrator password XXXXXXXXXXXXXXXXXXXX encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end

Thanks.  I made the suggested changes, here are the results of packer-tracer:
ASA# packet-tracer input outside tcp 1.2.3.4 1234 XXX.XXX.XXX.130 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  match tcp inside host Server eq 25 outside any
    static translation to XXX.XXX.XXX.130/25
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate XXX.XXX.XXX.130/25 to Server/25 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INBOUND in interface outside
access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  match tcp inside host Server eq 25 outside any
    static translation to XXX.XXX.XXX.130/25
    translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  match tcp inside host Server eq 25 outside any
    static translation to XXX.XXX.XXX.130/25
    translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 24392, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
I'm not all that experienced with translating these results, but on the surface, it appears to be passing traffic.  However, I still cannt telnet to the public IP using port 25.  I am using Putty as my telnet client and it doesn't generate an error.  At no time am I able to interact with the prompt in the putty window. The putty window just closes abruptly after about 10 seconds.  Does the line in Phase 7 containing 'untranslate_hits=3' have anything to do with my issue?
Here is the new config:
NUGENT-ASA# show run
: Saved
ASA Version 8.2(5)
hostname NUGENT-ASA
enable password XXXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
names
name XXX.XXX.XXX.74 DNI-HOST1
name XXX.XXX.XXX.184 DNI-HOST2
name 192.168.1.2 Server
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.130 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service rdp tcp
port-object eq 3389
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply inactive
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (outside,inside) tcp interface smtp Server smtp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http DNI-HOST2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [REDACTED]
  quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 206.190.255.0 255.255.255.0 outside
ssh DNI-HOST2 255.255.255.255 outside
ssh DNI-HOST1 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username Administrator password XXXXXXXXXXXXXXXXXXXXXXX encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
: end

Similar Messages

  • VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

    Hi,  I've been pulling my hair out trying to get simple vlan trunking working between these devices.
    Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200.  I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc).   Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
    VLAN 1 - inside (has separate dhcp scope assigned by ASA)
    VLAN 99 - guest (has separate dhcp scope assigned by ASA)
    SG200
    purpose
    ASA 5505 (Sec Plus license)
    purpose
    g2
    Trunk 1UP,99T
    Ubiquiti AP (VLAN 1 works, VLAN 99 does not
    g3
    Access port 99T
    vlan 99 does not work
    g8
    Trunk 1UP, 99T
    < Trunk between switch and ASA >
    Int e0/2
    switchport trunk allowed vlan 1,99
     switchport trunk native vlan 1
     switchport mode trunk
    Int e0/3
    switchport trunk allowed vlan 1,99
     switchport trunk native vlan 1
     switchport mode trunk
    Second ubiquiti AP
    Both VLAN 1 and VLAN 99 clients work properly

    Frustrated - yes.  Confused - maybe not as much, but I could have put some more effort into the overall picture.
    There are two VLANs (1 - native) and (99 - guest).   There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.    
    No clients connected to the SG200 on VLAN 99  are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP.   The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
    Anything connected to the SG200 on the native VLAN works properly.
    Anything connected to the ASA VLANs (1 or 99) works properly
    I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
    I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
    SG200 g2 - trunk port (1UP, 99T) -- Access Point
    SG200 g2 - access port (99U)
    SG200 g8 - trunk port (1UP, 99T)  connected to ASA5505  e0/3  
    ASA5505 e0/3  (switchport trunk allowed vlan 1,99,  switchport trunk native vlan 1,  switchport mode trunk)
    Thanks,

  • Problem with Remote Access VPN on ASA 5505

    I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
    The VPN client logs are as follows:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    2      15:09:21.240  12/11/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    3      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    4      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "**.**.***.***"
    5      15:09:21.287  12/11/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with **.**.***.***.
    6      15:09:21.287  12/11/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    7      15:09:21.303  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
    8      15:09:21.365  12/11/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    9      15:09:21.334  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    10     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
    11     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    12     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    13     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    14     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    15     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    16     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    17     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
    18     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    19     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xFBCE, Remote Port = 0x1194
    20     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    21     15:09:21.334  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    22     15:09:21.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    23     15:09:21.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    24     15:09:21.365  12/11/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    25     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    26     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    27     15:09:27.319  12/11/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    28     15:09:27.319  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    29     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    30     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    31     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    32     15:09:27.365  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    33     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    34     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    35     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    36     15:09:27.397  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    37     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    38     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    39     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    40     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    41     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    42     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
    43     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    44     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
    45     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    46     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    47     15:09:27.397  12/11/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    48     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
    49     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
    50     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    51     15:09:27.444  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
    52     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    53     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
    54     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    55     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
    56     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
    57     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000049
    Discarding IPsec SA negotiation, MsgID=CE99A8A8
    58     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    59     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    60     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000058
    Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
    61     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
    62     15:09:27.490  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    63     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    64     15:09:30.475  12/11/12  Sev=Info/4    CM/0x63100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    65     15:09:30.475  12/11/12  Sev=Info/5    CM/0x63100025
    Initializing CVPNDrv
    66     15:09:30.475  12/11/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 0.
    67     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x63000001
    IKE received signal to terminate VPN connection
    68     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    69     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    70     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    71     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x6370000A
    IPSec driver successfully stopped
    The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
    : Saved
    ASA Version 8.2(5)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address **.**.***.*** 255.255.255.248
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit NCHCO 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http **.**.***.*** 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set l2tp-transform mode transport
    crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHVPN internal
    group-policy NCHVPN attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value NCHCO
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    pre-shared-key *****
    tunnel-group NCHVPN type remote-access
    tunnel-group NCHVPN general-attributes
    address-pool VPN_Pool
    default-group-policy NCHVPN
    tunnel-group NCHVPN ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:15852745977ff159ba808c4a4feb61fa
    : end
    asdm image disk0:/asdm-645.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    Anyone have any idea why this is happening?
    Thanks!

    Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
    VPN Client Log:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    331    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    332    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    333    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "69.61.228.178"
    334    13:11:41.362  12/17/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with 69.61.228.178.
    335    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    336    13:11:41.424  12/17/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    337    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
    338    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    339    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
    340    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    341    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    342    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    343    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    344    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    345    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    346    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
    347    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    348    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xD271, Remote Port = 0x1194
    349    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    350    13:11:41.393  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    351    13:11:41.424  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    352    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    353    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    354    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    355    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    356    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    357    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    358    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    359    13:11:41.456  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    360    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    361    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    362    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    363    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    364    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    365    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    366    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    367    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    368    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    369    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
    370    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000F
    SPLIT_NET #1
        subnet = 192.168.2.0
        mask = 255.255.255.0
        protocol = 0
        src port = 0
        dest port=0
    371    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
    372    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    373    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
    374    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    375    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    376    13:11:41.502  12/17/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    377    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
    378    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
    379    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    380    13:11:41.534  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    381    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    382    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
    383    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    384    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    385    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 28800 seconds
    386    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
    387    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000059
    Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
    388    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000025
    Loaded OUTBOUND ESP SPI: 0xD2DBADEA
    389    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000026
    Loaded INBOUND ESP SPI: 0x14762837
    390    13:11:41.549  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    391    13:11:41.877  12/17/12  Sev=Info/6    CVPND/0x63400001
    Launch VAInst64 to control IPSec Virtual Adapter
    392    13:11:43.455  12/17/12  Sev=Info/4    CM/0x63100034
    The Virtual Adapter was enabled:
        IP=192.168.2.70/255.255.255.0
        DNS=192.168.2.1,8.8.8.8
        WINS=0.0.0.0,0.0.0.0
        Domain=NCHCO.local
        Split DNS Names=
    393    13:11:43.455  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      266
    394    13:11:47.517  12/17/12  Sev=Info/4    CM/0x63100038
    Successfully saved route changes to file.
    395    13:11:47.517  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
      69.61.228.178   255.255.255.255       192.168.1.1     192.168.1.162      100
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
        192.168.1.2   255.255.255.255     192.168.1.162     192.168.1.162      100
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
        192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      266
        192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
       192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      266
      192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      266
    396    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100036
    The routing table was updated for the Virtual Adapter
    397    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310001A
    One secure connection established
    398    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.1.162.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    399    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.2.70.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    400    13:11:47.517  12/17/12  Sev=Info/5    CM/0x63100001
    Did not find the Smartcard to watch for removal
    401    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    402    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    403    13:11:47.517  12/17/12  Sev=Info/6    IPSEC/0x6370002C
    Sent 109 packets, 0 were fragmented.
    404    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    405    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    406    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0xeaaddbd2 into key list
    407    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    408    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0x37287614 into key list
    409    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370002F
    Assigned VA private interface addr 192.168.2.70
    410    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700037
    Configure public interface: 192.168.1.162. SG: 69.61.228.178
    411    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 1.
    412    13:11:52.688  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    413    13:11:52.688  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476009
    414    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    415    13:11:52.704  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    416    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
    417    13:12:03.187  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    418    13:12:03.187  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476010
    419    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    420    13:12:03.202  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    421    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
    422    13:12:14.185  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    423    13:12:14.185  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476011
    424    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    425    13:12:14.201  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    426    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
    427    13:12:24.762  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    428    13:12:24.762  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476012
    429    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    430    13:12:24.778  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    431    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
    New running configuration:
    : Saved
    ASA Version 8.4(1)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 69.61.228.178 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    object network NCHCO
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.64
    subnet 192.168.2.64 255.255.255.224
    object network obj-0.0.0.0
    subnet 0.0.0.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
    nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
    nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 69.61.228.178 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2tp-transform mode transport
    crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHCO internal
    group-policy NCHCO attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value NCHCO_splitTunnelAcl_1
    default-domain value NCHCO.local
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group NCHCO type remote-access
    tunnel-group NCHCO general-attributes
    address-pool VPN_Pool
    default-group-policy NCHCO
    tunnel-group NCHCO ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
    : end
    asdm image disk0:/asdm-649.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
    Thanks so much!
    Matthew

  • Problem with VPN Client passthrough on ASA 5505

    I am having a problem with passing through a VPN client connection on an ASA 5505. The ASA is running version 8 and terminates an anyconnect VPN. The ASA is using PAT. When the inside user connects with the VPN client, it connects but no traffic passes through the tunnel. I see the error
    305006 regular translation creation failed for protocol 50 src INSIDE:y.y.y.y dst OUTSIDE:x.x.x.x
    UDP 500,4500 and ESP are allowed into the ASA. Ipsec inspection has also been setup on a global policy, but the user still cannot pass traffice to the remote VPN he is connected through.
    At the Main Office we have an ASA 5510 that terminates a site to site VPN, allows remote connections with PAT and allows passthrough no problems. Any ideas?

    I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
    3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
    regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
    HELP?

  • Problem with opening/port forwarding some ports but not others

    I read the Faq and the first few pages of the forums but couldnt find anything.
    I am using the Port Forwarding (WRT54G, Firmware 4.20.7) to my network camera to try to open up ports 80, 554, 5556 and 5558.
    Using the network toolbox at Blackcode.com I then check the ports to see if they are open.
    Port 554 seems to be open. Port 80, 5556 and 5558 do not appear to be open.
    I am using the correct external IP address (I can toggle port 554 open and closed and test that). Toggling Blocking Anon Internet Requests Of/Off makes no difference to the result.
    I have checked with my ISP and they dont claim to block those ports.
    Any thoughts on what this could be? Is there a way to test if its my ISP? If it is my ISP, is there a workaround?
    Thanks for any help.

    Are you sure the camera does listen on those port at the time you did this tests? Are those ports open inside your LAN, too?
    5556 and 5558 look like RTP ports which may only be active after the channels have been established through RTSP.
    Forwarding of port 80 is known to be an issue on various routers as the router allocates port 80 for the web interface. Sometimes it helps to change the remote management port on the router from 80 to 8080 or something else. You may even have to enable remote management to get this active.
    If this does not work you have to reconfigure port 80 on your server to a different port if possible.
    Message Edited by gv on 08-21-2007 12:28 AM

  • WRT160Nv2-Problem with Single Port forward to multiple servers with same internal port numbers.

    On my network I have 3 systems that I've set up as RDP hosts.  And need to get to all three of them externally.  So I'm trying to do the following single port forwarding.
    RDP 1   Forward 4000 to port 3389 for 192.168.1.11
    RDP 2   Forward 4001 to port 3389 for 192.168.1.12
    RDP 3   Forward 4002 to port 3389 for 192.168.1.14
    When I hit "Save Changes" I get the error "Port range already exists".  So it's good that it won't let me overlap ports generally, but at the same time, I'm trying to send them to different IP address.  There should be no overlap in this case.  Please advise
    I'm trying this on the WRT160Nv2 with firmware 2.0.02, which I had just bought this weekend.

    kevj,
      Thanks for your suggestion.  I have now upgraded the firmware to 2.0.03 build 7.  But I am still seeing the error message
    As I mentioned previously, I'm trying to single port forward to multiple machines in the following way:
    Machine 1:   Forward 4000 to port 3389 for 192.168.1.11
    Machine 2:   Forward 4001 to port 3389 for 192.168.1.12
    Machine 3:   Forward 4002 to port 3389 for 192.168.1.14
    The error appears to be generated by the fact that 3389 is selected for multiple external port numbers, but the same internal port number.  The router I believe isn't taking into account that the similar internal port numbers aren't taking into account the different internal ip address I'm trying to send this to.
    This would be a standard sort of practice for running a live HTTP server on one machine, and a new beta HTTP server behind the router on a secondary machine on the same internal port, but different external port numbers for test purposes from the outside.
    Please advise
    Thank you.

  • Problems with the new NAT in ASA 5510 (8.4)

    Hi together,
    i have some problems with the NAT statements in ASA Version 8.4.
    What i want is to translate the internal address of a server to the external address with a NAT rule.
    The ASA has only one WAN connection (named outside)
    The internal server has the ip address 192.168.0.221 (as example) and i want to translate all incoming traffic on port 3389 to the Server (192.168.0.221).
    This is only for training, i dont want to forward a 3389 port into the BAD in a productive Network
    first i create the network object for the inside server (192.168.0.221)
    object network Network_Obj_RDP
    host 192.168.0.221
    After that i create the access rule for incoming traffic on outside interface:
    access-list outside_access_in extended permit ip any any log debugging
    Next i create a access rule for the inside-prod network to allow the traffic to the RDP Server:
    access-list inside-prod_access_in extended permit object RDP interface outside object Network_Obj_RDP
    Now i create the NAT rule in the network object (Network_Obj_RDP):  
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    But if i want to connect via 3389 on the outside interface i see in the syslog this entry:
    Built inbound TCP connection 23248 for outside:80.187.107.132/7445 (80.187.107.132/7445) to inside-prod:192.168.0.221/3389 (External IP/3389)
    After a while the connection will be teardown with this message:
    Teardown TCP connection 23289 for outside:80.187.107.132/2294 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
    It looks like that the acl works fine, but the NAT translation are wrong...
    perhaps somebody has a idea to fix this
    Looking forward and hope for help...
    Many thanks
    Greetings

    Hi Jouni,
    this is the correct Packet Tracer output i think:
    packet-tracer input inside-prod tcp 192.168.0.220 3389 8.8.8.8 4567
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside-prod_access_in in interface inside-prod
    access-list inside-prod_access_in extended permit ip object Network_Obj-Productiv any log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Static translate 192.168.0.220/3389 to 80.146.252.162/3389
    Phase: 6
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 825, packet dispatched to next module
    Result:      
    input-interface: inside-prod
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    That looks preety fine, but the way back isn´t right:
    packet-tracer input outside tcp 8.8.8.8 4567 192.168.0.220 3389
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   inside-prod
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside-in in interface outside
    access-list outside-in extended permit tcp any object Network_Obj_RDP eq 3389 log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Result:      
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside-prod
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I have no idea...

  • Post Moved Continual-problem-with-SMTP-passwor...

    Post Moved to Other BB Queries http://community.bt.com/t5/Other-BB-Queries/Continual-problem-with-SMTP-password-being-blocked/td-p/...
    If you want to say thanks for a helpful answer,please click on the Ratings star on the left-hand side If the reply answers your question then please mark as ’Mark as Accepted Solution’

    Post Moved to Other BB Queries http://community.bt.com/t5/Other-BB-Queries/Continual-problem-with-SMTP-password-being-blocked/td-p/...
    If you want to say thanks for a helpful answer,please click on the Ratings star on the left-hand side If the reply answers your question then please mark as ’Mark as Accepted Solution’

  • I have Power Mac G5 1.8 single. I have a problem with ethernet port, before it was working with the internet, but now i shows it is connected even the cable is disconnected. I'm running Leopard 10.5. any help

    I have Power Mac G5 1.8 single. I have a problem with ethernet port, before it was working with the internet, but now i shows it is connected even the cable is disconnected. I'm running Leopard 10.5. any help

    Reset the PRAM.
    http://support.apple.com/kb/HT1379
    If that fails, reset the PMU.
    Scroll down the following page and click the G5 link for instructions:
    http://support.apple.com/kb/ht1939

  • My laptop macbook pro has a problem with usb port they are not working.

    hi there i have a late 2011 mac pro, its been 2 years of purhase however reary used, now it has a problem with usb port are drawing too much power and usb ports are dissabled from the system. now i can not use usb ports. do yo have solution for it??? cheers

    Reset SMC.     http://support.apple.com/kb/HT3964
    Choose the method for:
    "Resetting SMC on portables with a battery you should not remove on your own".
    Best.

  • About port 5060 in asa 5505/

    Hello! My name is Denis, I have a problem with the cisco asa 5505 in the office. We need to open follow ports and protocols: SIP Server IP: 212.24.34.36 SIP Port (UDP/TCP): 5060 RTP Server IP: 212.158.160.92 RTP Port (UDP): 7000-27000 RTP Server IP: 212.24.48.76 RTP Port (UDP): 7000-27000 RTP Server IP: 217.23.132.36 RTP Port (UDP): 7000-27000 HTTP Server IP: 212.24.34.36 HTTP Port (ТСP): 80 I've made it by standart way throuhg the amdinistate interface in the cisco. All the ports is opened, but the problem is with the 5060 port. It is not working meanwhile, there is no ping. I need an instruction to open this port 5060 in our asa 5505. Also I attache the picture (the printscreen). I really hope you to help me. With best regards. Denis, Pilotmoto.

    Hello! My name is Denis, I have a problem with the cisco asa 5505 in the office. We need to open follow ports and protocols: SIP Server IP: 212.24.34.36 SIP Port (UDP/TCP): 5060 RTP Server IP: 212.158.160.92 RTP Port (UDP): 7000-27000 RTP Server IP: 212.24.48.76 RTP Port (UDP): 7000-27000 RTP Server IP: 217.23.132.36 RTP Port (UDP): 7000-27000 HTTP Server IP: 212.24.34.36 HTTP Port (ТСP): 80 I've made it by standart way throuhg the amdinistate interface in the cisco. All the ports is opened, but the problem is with the 5060 port. It is not working meanwhile, there is no ping. I need an instruction to open this port 5060 in our asa 5505. Also I attache the picture (the printscreen). I really hope you to help me. With best regards. Denis, Pilotmoto.

  • SMTP Port forward times out incoming mail

    Hello-
    I have an AirPort extreme with an AirPort Express WDS extension. In the Express, I've wired in my in-house mail server. I port forwarded both TCP and UDP for port 25 to the correct (static) IP address. With this configuration, mail frequently was dropped with the sending server getting a timeout error. After much struggle, I found that setting the default host as my mail server fixed everything. I enabled the firewall on the server and blocked all but the ports I'd been forwarding through the Extreme. All works well. The receiving mail server is Exchange 2003. The mail server on the Internet through which all of my mail bounces is running qmail. The bounce is what enabled me to monitor the log status as email was coming in.
    My question is: why would making the server the default host have worked? I postulated that there was an additional port being used which is not now blocked by the Extreme, but since I firewalled out the same ports on the server, I don't feel that this could be the case. Furthermore, SOME email made it through but most of it did not. I saw nothing in the Extreme's SNMP log that indicated any blocking was going on.
    I would MUCH rather simply port forward on the Extreme so if anyone has any idea why this would have been happening, I'd appreciate it. I should also note that before I installed my AirPort Extreme, this configuration with my old router (using port forwarding) worked flawlessly.
    As a side note, I am running the Extreme in G-Only mode as some LinkSys cards on my network wouldn't behave if N was enabled.
    -Kiyu
    Message was edited by: QZG

    Let us separate between the intermittent SMTP errors and the slowing down for the time being. What happens (and how long it takes) when you open a shell and connect to the SMTP server ? For example, try something like this:
    ]# telnet smtp.google.com 25 (if your smtp server is imap google)
    try to send a simple message and see how long it takes, e.g.
    helo smtp.google.com
    --

  • Error 550 5.7.1 unable to relay with SMTP PORT 25 Exchange 2013

    Hi All,
    I know this issue has been posted for a while, but still can't resolved issue. We've new Exchange 2013 SP1 (CU4) installation, everything is working properly, the OWA, Exchange Client Connection, SMTP/POP with SSL, except with SMTP Using Port 25 Non-Encrypted
    Connection.  
    If I'm using the SMTP Port 25 without TICK "My Outgoing Server (SMTP) Requires authentication", I've got the error: "550 5.7.1 Unable to relay", but if I TICK the option above, my message will be deliver without any error, how do i get
    rid this problem, I need to UN-TICK the option above for the time being, since we've hundreds email account, I want to avoid to educate and tell the user and even remote their PC, just to configure this issue, it will drive me crazy, we're going to use the
    Exchange Client Connection in the future, If everything is smooth and ok.
    I research this problem on the Internet and of course with TECHNET, but still can't, anyone can help me on this?
    fyi, I tried so many things, delete the default the Default Front End Transport for Port 25, it also not fix my issue.
    Thx
    Irwan

    Hi
    You can paste the output of below result
    Get-receiveconnector | fl name,bindings,PermissionGroups
    I think your default receive connector should be missing out some permissions.
    Also try to see if you get any message on protocol logs and paste them too
    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com Thanks Sathish
    (MVP)

  • Problems with USB port and song transferring;

    Hi! I just got an iPod and I am having problems with it. My computer doesn't have a Hi-Speed USB port, even if it's 9 months old. Some of my friends don't have it either but they still are able to transfer songs onto their iPod. For mine, it keeps saying "Do Not Disconnect." I waited for 5 hours last time I got it and it still isn't working.
    I also updated my iPod software today and the iPod icon isn't appearing on the bar to the left in iTunes. I'd really appreciate any help on this! As well as if I really need to do something about the ports or if it could function like this normally.

    Quote from: Svet on 08-December-10, 00:48:07
    Install chipset drivers from MSI web:
    http://eu.msi.com/index.php?func=driverfile&dno=2427&i=0
    +
    NEC USB 3.0 Drivers:
    http://eu.msi.com/index.php?func=driverfile&dno=11189&i=0
    are these the same driver provided with the disc driver? as i already installed both of these..

  • If you're having problems with USB ports, read on...

    i'm reading that alot of people on here are having problems with their front (or top) usb on their cases not working with their k7n2 boards.  i have come across the correct solution to this problem in one of the posts (after having solved the problem on my own), however noone has posted the solution by itself on this forum so everyone can easily see it.
    The trick is to make sure that pin 10 (at least on a K7n2 delta-L), the pin labeled USBOC (USB Open Connection), is wired to NOTHING.  If the connector to your front usb ports is fused into one giant connector and it HAS a wire that will connect to this pin (labeled GND2 or Shield or something), CUT THAT WIRE.  Pin 10 on JUSB2 (at least on a K7n2 delta-L) must be OPEN.  If this pin IS connected to something (even if it is only GND), the motherboard will think something is connected to this usb port and you will get many unknown devices listed in your windows device manager and the rest of your usb ports may or may not work.
    As a general rule of thumb, if a pin on a motherboard is labeled OC for "Open Connection" and you wire something to it, you're asking for trouble.
    If you cannot understand this you should not be attempting to wire a motherboard in the first place. 
    Here is a picture to go along with this discussion.  If you cannot see this picture, I am sorry for it has probably been removed from the place I posted it online as I cannot attach pictures physically to this post.  If someone here has a way to permanently host this picture and post it to this thread permanently, that would be wonderful.
    In summary: all usb ports/headers have only four pins associated with it (VCC, USB+, USB-, GND).  If the connector (whether it's one big connector or individual sockets) to your front/top usb port has 5 sockets, don't connect the 5th socket to anything.  That goes for any case/motherboard combination.  This is what i'm talking about above.  I have no idea why motherboard and case manufacturers have a 5th pin involved in any way on either the pin or socket side.  It is not used for usb.
    EDIT:  I just noticed this has already been discussed in the trouble shooting guide in the above sticky post.  oh well, now we have a pretty picture to go along with it (i hope).

    :-D)Hello guys,
    as promised I come back here to give the results of my tests... and I have to say that you saved my day (even if I had to open back 60 secured cases).
    So the solution was the right one, when I unplugged the "ground" end of the front USB connector cable from the USBOC pin, those connectors finally worked as expected with USB 2.0 compliant devices.
    So thank you really much for this very usefull information !
    And even if maybe it's not only MSI's fault, I still believe that more information on those connectors in the user's manual would be really usefull (who knows what USBOC means except a few people and who could imagine that pluggin on it a "ground" cable would make it unserviceable ??). And who ever saw a user's manual bundled with a case ?? it's pretty unusual  
    Hope that someone at MSI will read that and take it into consideration, not for me (because now I'm aware) but for the thousands other consumers that will feel a little bit "annoyed" with that issue. I don't think that adding one line about it in user's manuals would be so much expensive  
    But I'm quite lucky myself... being able to understand and write english (even if I still have some progress to do  ) gave me the possibility to find the solution... but a lot of my french fellows can't do that... and there's no french forum here... How can they do ? They rely on user's manual
    Best regards,
    Nicolas

Maybe you are looking for

  • Cannot see my external hard drive on the desktop

    Hi, I am at the tail end of a large documentary project on FCP. Suddenly, this evening my external hard drive (Maxtor One Touch III, Turbo Edition, 1.5TB) becomes sluggish. I shut down (all properly) and restart and the external hard drive is no long

  • Photoshop CS4 Install Failure

    CS4 just won't install. I get the fatal exception blue screen once it begins installing the Adobe Media Player. The error, once Windows (Vista 32-bit), reboots says the following: Problem signature: Problem Event Name: BlueScreen OS Version: 6.0.6001

  • Itunes 10.1.0.56! "itunes has stopped working" windows 7

    im having a problem with my itunes every time i try to sync my iphone it says itunes stopped working! its getting really irritating that i spent so much on my phone and i can't have music on it things ive done to try to fix it: uninstall everything t

  • THE REPORT SERVER INSTALLATION IS NOT INITIALIZED (rsReportServer NOT ACTIVATED)

    HI ,i had my report server on SQL SERVER 2005,and for reporting service i am using the sql server reporting services 2008R2,i created a report which i am supposed to display in Website ,i created the rdl using the BIDS 2008 and , its throwing me an e

  • Adobe Elements 11 Failure, Help?!

    My Adobe Premiere Elements 11 will not open, when I click on the program there is no error message and nothing pops up, I have already uninstalled and reinstalled the program 3 times and I'm out of ideas...Need help!