Remote access VPN on PIX525 issues.

Hi I was wondering if anybody had any ideas about my remote access VPN. Its configured on a Cisco PIX525 running ver 6.3(5) (old I know!) and I am running Cisco VPN client ver 5.06.0160 on the client end. Ok so here's the thing. The client connects ok, and it gets an IP address no problem. But I cannot ping anything on the remote LAN. So the client is coming across the internet, the VPN adapter has a 192.168.1.1 address assigned by the PIX and I am trying to ping the 192.168.0.4 address assigned to a switch on the inside of the firewall but with no joy. I've attached the config, any help is gratefully appreciated!
Many thanks
Richard.
show run
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Coeliac-firewall
domain-name sungard.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 213.212.66.36 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool MYPOOL 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
router ospf 1
  network 192.168.0.0 255.255.255.0 area 0
  network 192.168.1.0 255.255.255.0 area 0
  log-adj-changes
route outside 0.0.0.0 0.0.0.0 213.212.66.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local MYPOOL outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup coeliacvpn address-pool MYPOOL
vpngroup coeliacvpn dns-server 62.73.136.246
vpngroup coeliacvpn wins-server 62.73.136.246
vpngroup coeliacvpn default-domain password
vpngroup coeliacvpn split-tunnel 101
vpngroup coeliacvpn idle-time 1800
vpngroup coeliacvpn password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local MYPOOL
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username user password *********
vpdn enable outside
terminal width 80
Cryptochecksum:b18e9c6df0917108ff35f720f0230073
: end

Managed to solve the issue. Needed a isakmp nat-traversal 20 to get it to work.

Similar Messages

  • Remote access Vpn issue

    Dear All,
    I have configured remote access vpn without using split tunnel.Everything is working fine.I can access all the inside network which is allowed in acl.
    I am facing strange issue now. I have created a pool for remote access vpn with a range 192.168.5.8/29.I can access my internal subnets 10.10.0.0/16.
    I have below acess-list for acl-in.
    access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
    object-group network vpnclients
    network-object host 10.110.100.26
    network-object host 10.106.100.15
    network-object host 10.10.10.6
    network-object host 10.10.20.82
    network-object host 10.110.100.48
    network-object host 10.10.20.53
    network-object host 10.10.20.54
    network-object host 10.60.100.1
    network-object host 10.10.10.75
    network-object host 10.10.20.100
    network-object host 10.10.130.136
    network-object host 10.106.100.16
    network-object host 10.106.100.9
    network-object host 10.170.100.1
    network-object host 10.170.100.2
    network-object host 10.170.100.21
    network-object host 10.101.100.20
    network-object host 10.170.100.25
    So whichever IPs i have called in vpnclient group is able to access via RA vpn.Issue is when i try to access internal network of 192.168.198.0/24, i am able to access it without adding in vpnclient group. Even for 192.168.197.0/24,192.168.197.0/24 the same. But for 10.10.0.0/16 we can access only after adding in vpnclient group. Any one has face this issue before. Is this because of same network i mean 192.168.0.0 something like that.There is no other staement in acl-in for 192.168.0.0
    Regards
    -Danesh Ahammad

    Hi,
    If i read correctly you made the RA vpn "without"  split tunnel, correct? if that is the case, all of the traffic will traverse the vpn connection (tunnel all) , the access-list "acl-in" is of no use to it.
    try converting it to use split tunnel, i am sure that way you can not access resources that are not mentioned in the list.
    ~Harry

  • Remote access vpn issues

    Hi all, I have been having issues with my remote access vpn, I can connect but cannot ping anywhere, I have enabled ipsec over nat-t, but still does not work, I noticed that when I did an ipconfig on my machine, I get the ip address assigned by my asa, 10.120.50.2 /32
    but the default gateway is showing as 10.112.50.3, is this correct, I thought it should be the same as the interface address ?

    Hi Carl,
    Can you make sure you have the following in your config:
    isakmp nat-traversal
    Can you also ensure your internal network has routing in place to cover your VPN client pool.

  • Remote access VPN issues using Pix 501

    We have taken over a network where there was little to no documentation. I have a remote access VPN terminated on a Pix 501 that is having a connectivity issue. I can connect using Cisco VPN Client. There is a server on the inside network that is used for mail etc. It has an IP of 192.168.0.4. I cannot ping it from my VPN session but from the Pix itself, I can ping it. There are different source IP's as the IP pool for the VPN session is 172.16.x.x and the inside network is 192.168.x.x. I can ping other hosts on the same inside network that are in the ARP table of the Pix. I have attached the configuration of the Pix 501. After researching, I cannot figure out what the issue is. I was assuming it was the route inside 172.16.x.x was set incorrectly but I can ping some hosts on the 192.168.x.x network. Thanks

    Aru,
    Hi. Thanks for responding. I did try and remove that route inside command and I still could not ping the server. I also tried removing those static translations and did a clear xlate but still no luck. This one has me puzzled. Especially since I can ping other hosts on that network and also ping the server but only from the Pix. The source on the Pix would be different 192.168.0.x than when I am connected using the VPN 172.16.1.x. That is the biggest difference. If it was routing, I would assume I could not ping any host on the 192.168.0.x network from the VPN session. I did remove that route inside as all of the other config examples did not have a specific route statement for the local pool even though it is not on the inside network. I have limited knowledge of their network as we just were told to manage it. Thanks again.

  • Remote access VPN on ASA5520 Ping Issues.

    Hi I hope someone might be able to help me. I have setup a remote access VPN on an ASA 5520. The VPN client connects ok, accepts my username and password and then I am in. I get an allocated IP address of 172.16.1.1 from the local pool. The problem is that I cannot then ping the inside LAN which is 192.168.1.1. I've got isakmp nat traversal set to default which is 20. I've been looking at this all day and I think I've gone crossed eyed, a fresh pair of eyes are definitley required, so any help would be gratefully received. My config is
    Saved
    ASA Version 7.0(8)
    hostname Hospira-firewall
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface GigabitEthernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 213.212.66.52 255.255.255.248
    interface GigabitEthernet0/1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown    
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list Split standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip local pool mypool 172.16.1.1-172.16.1.253 mask 255.255.255.0
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 192.168.1.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 213.212.66.49 1
    route outside 172.16.1.0 255.255.255.0 213.212.66.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy hospira internal
    group-policy hospira attributes
    vpn-simultaneous-logins 400
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split
    webvpn
    username user password 08S9WUsiSMr3RauN encrypted
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set hospira esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dmap 1 set transform-set hospira
    crypto dynamic-map dmap 1 set security-association lifetime seconds 28800
    crypto dynamic-map dmap 1 set security-association lifetime kilobytes 4608000
    crypto dynamic-map dmap 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dmap
    crypto map mymap 2 match address NONAT
    crypto map mymap 2 set security-association lifetime seconds 28800
    crypto map mymap 2 set security-association lifetime kilobytes 4608000
    crypto map mymap interface outside
    isakmp identity address
    isakmp enable outside
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    isakmp nat-traversal  20
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group hospira type ipsec-ra
    tunnel-group hospira general-attributes
    address-pool mypool
    default-group-policy hospira
    tunnel-group hospira ipsec-attributes
    pre-shared-key *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
    inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    Cryptochecksum:98f85c39a5cbffe66b0f6585d5083c7c
    : end
    Many thanks

    Hi Richard ,
    - we don't need access-list with RA connection , we have the dynamic map that acts as a template , so your crypto config :
    crypto map mymap 1 ipsec-isakmp dynamic dmap
    crypto map mymap 2 match address NONAT
    crypto map mymap 2 set security-association lifetime seconds 28800
    crypto map mymap 2 set security-association lifetime kilobytes 4608000
    crypto map mymap interface outside
    map with seq 1 is being binded to the dynamic map , now map 2 you are using the nonat access list as the encryption trigger for this map , so this should not be there as it encrypt traffic from the inside subnet to the pool .
    please remove the second entry, then test if not working please provide a capture from the inside interface .
    HTH
    Mohammad.

  • Remote Access VPN - Unable to Access LAN / Inside Network

    Hi,
    I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.
    I have attached running configuration for your reference. Please let me know I miss any configuartion.
    FW : ASA5510
    Version : 8.0
    Note : Site to Site VPN is working without any issues
    Thanks
    Jamal

    Hi,
    Very nice network diagram
    Are you saying that originally the VPN Client user is behind the Jeddah ASA?
    If this is true wouldnt it be wiser to just use the already existing L2L VPN between these sites?
    In real situation I think the VPN Client would only be needed when you are outside either Head Quarter or Jeddah Network. And since you tested it infront of the ASA and it worked there shouldnt be any problem.
    Now to the reason why the VPN Client isnt working from behind the Jeddah ASA.
    Can you check that the following configuration is found on the Jeddah ASA (Depending on the software level of the ASA the format of the command might change. I'm not 100% sure)
    isakmp nat-traversal To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
    isakmp nat-traversal natkeepalive
    no isakmp nat-traversal natkeepalive
    Syntax Description
    natkeepalive
    Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
    Defaults
    By default, NAT traversal (isakmp nat-traversal) is disabled.
    Command Modes
    The following table shows the modes in which you can enter the command:
    Command Mode
    Firewall Mode
    Security Context
    Routed
    Transparent
    Single
    Multiple
    Context
    System
    Global configuration
    Command History
    Release
    Modification
    Preexisting
    This command was preexisting.
    7.2(1)
    This command was deprecated. The crypto isakmp nat-traversal command replaces it.
    Usage Guidelines Network Address Translation (NAT), including Port Address Translation  (PAT), is used in many networks where IPSec is also used, but there are a  number of incompatibilities that prevent IPSec packets from  successfully traversing NAT devices. NAT traversal enables ESP packets  to pass through one or more NAT devices.
    The security appliance supports NAT traversal as described by Version 2  and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft,  available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
    This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
    Examples
    The following example, entered in global configuration mode, enables  ISAKMP and then enables NAT traversal with an interval of 30 seconds:
    hostname(config)# isakmp enable
    hostname(config)# isakmp nat-traversal 30
    - Jouni

  • Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

    I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface.   The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ.   Without the client connected, they access the web servers via the external public IP.  Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address. 
    Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.  
    I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.

    Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
    Share the configuration if you want help with the NAT exemption part.

  • ASA Remote Access VPN Clients - Multiple DNS Suffixes?

    Hi community!
    I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
    We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
    I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
    Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
    Full marks for helpful posts!
    Kind regards, Ash.

    Hi
    I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
    I have a remote access requirement for users from separate AD's to authenticate through an ASA.
    I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
    Regards

  • Remote access VPN-unable to connect inside-URGENT

    Hi,
    I have configured Remote access VPN in cisco ASA 5520.Whenever I am trying to connect from outside it's connecting fine.It aslo getting IP from pool but prob is i am unable to connect/ping inside nw.
    Pls help me...how to resolve this issue.

    I had the same problem on an IOS router (871). My solution was one of two things. I downloaded the most up-to-date version of the VPN client (5.0.02.90) as opposed to the version I had or it was a software firewall (Norton 360). I have two different computers. One works just fine...the other connects but no traffic passes through. Here is what I have:
    Computer 1 (working)- VPN Client v5.0.02.0090 and Network Associates Enterprise VirusScan.
    Computer 2 (not working) - VPN Client v5.0.00.0340 and Norton 360.
    I highly doubt it is the VPN Client, but sometimes you never know. Check your software firewall and try disabling it. Let me know how this works.

  • Problem with Remote Access VPN on ASA 5505

    I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
    The VPN client logs are as follows:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    2      15:09:21.240  12/11/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    3      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    4      15:09:21.287  12/11/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "**.**.***.***"
    5      15:09:21.287  12/11/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with **.**.***.***.
    6      15:09:21.287  12/11/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    7      15:09:21.303  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
    8      15:09:21.365  12/11/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    9      15:09:21.334  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    10     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
    11     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    12     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    13     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    14     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    15     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    16     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    17     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
    18     15:09:21.334  12/11/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    19     15:09:21.334  12/11/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xFBCE, Remote Port = 0x1194
    20     15:09:21.334  12/11/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    21     15:09:21.334  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    22     15:09:21.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    23     15:09:21.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    24     15:09:21.365  12/11/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    25     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    26     15:09:21.474  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    27     15:09:27.319  12/11/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    28     15:09:27.319  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    29     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    30     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    31     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    32     15:09:27.365  12/11/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    33     15:09:27.365  12/11/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    34     15:09:27.365  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
    35     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    36     15:09:27.397  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
    37     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    38     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    39     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    40     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    41     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    42     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
    43     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    44     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
    45     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    46     15:09:27.397  12/11/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    47     15:09:27.397  12/11/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    48     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
    49     15:09:27.412  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
    50     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    51     15:09:27.444  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
    52     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    53     15:09:27.444  12/11/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
    54     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    55     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
    56     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
    57     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000049
    Discarding IPsec SA negotiation, MsgID=CE99A8A8
    58     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    59     15:09:27.459  12/11/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = **.**.***.***
    60     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000058
    Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
    61     15:09:27.459  12/11/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
    62     15:09:27.490  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    63     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
    64     15:09:30.475  12/11/12  Sev=Info/4    CM/0x63100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    65     15:09:30.475  12/11/12  Sev=Info/5    CM/0x63100025
    Initializing CVPNDrv
    66     15:09:30.475  12/11/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 0.
    67     15:09:30.475  12/11/12  Sev=Info/4    IKE/0x63000001
    IKE received signal to terminate VPN connection
    68     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    69     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    70     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    71     15:09:30.475  12/11/12  Sev=Info/4    IPSEC/0x6370000A
    IPSec driver successfully stopped
    The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
    : Saved
    ASA Version 8.2(5)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address **.**.***.*** 255.255.255.248
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit NCHCO 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http **.**.***.*** 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set l2tp-transform mode transport
    crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHVPN internal
    group-policy NCHVPN attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value NCHCO
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    pre-shared-key *****
    tunnel-group NCHVPN type remote-access
    tunnel-group NCHVPN general-attributes
    address-pool VPN_Pool
    default-group-policy NCHVPN
    tunnel-group NCHVPN ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:15852745977ff159ba808c4a4feb61fa
    : end
    asdm image disk0:/asdm-645.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    Anyone have any idea why this is happening?
    Thanks!

    Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
    VPN Client Log:
    Cisco Systems VPN Client Version 5.0.07.0440
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.2.9200
    331    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    332    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    333    13:11:41.362  12/17/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "69.61.228.178"
    334    13:11:41.362  12/17/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with 69.61.228.178.
    335    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    336    13:11:41.424  12/17/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    337    13:11:41.362  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
    338    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    339    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
    340    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    341    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    342    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    343    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    344    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000001
    Peer supports IKE fragmentation payloads
    345    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    346    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
    347    13:11:41.393  12/17/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    348    13:11:41.393  12/17/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0xD271, Remote Port = 0x1194
    349    13:11:41.393  12/17/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    350    13:11:41.393  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    351    13:11:41.424  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    352    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    353    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    354    13:11:41.424  12/17/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    355    13:11:41.424  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    356    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    357    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    358    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    359    13:11:41.456  12/17/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    360    13:11:41.456  12/17/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    361    13:11:41.456  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
    362    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    363    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
    364    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
    365    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
    366    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
    367    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
    368    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
    369    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
    370    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000F
    SPLIT_NET #1
        subnet = 192.168.2.0
        mask = 255.255.255.0
        protocol = 0
        src port = 0
        dest port=0
    371    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
    372    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    373    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
    374    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
    375    13:11:41.502  12/17/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    376    13:11:41.502  12/17/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    377    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
    378    13:11:41.502  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
    379    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    380    13:11:41.534  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    381    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    382    13:11:41.534  12/17/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
    383    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    384    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
    385    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 28800 seconds
    386    13:11:41.549  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
    387    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000059
    Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
    388    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000025
    Loaded OUTBOUND ESP SPI: 0xD2DBADEA
    389    13:11:41.549  12/17/12  Sev=Info/5    IKE/0x63000026
    Loaded INBOUND ESP SPI: 0x14762837
    390    13:11:41.549  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    391    13:11:41.877  12/17/12  Sev=Info/6    CVPND/0x63400001
    Launch VAInst64 to control IPSec Virtual Adapter
    392    13:11:43.455  12/17/12  Sev=Info/4    CM/0x63100034
    The Virtual Adapter was enabled:
        IP=192.168.2.70/255.255.255.0
        DNS=192.168.2.1,8.8.8.8
        WINS=0.0.0.0,0.0.0.0
        Domain=NCHCO.local
        Split DNS Names=
    393    13:11:43.455  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      266
    394    13:11:47.517  12/17/12  Sev=Info/4    CM/0x63100038
    Successfully saved route changes to file.
    395    13:11:47.517  12/17/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.162       10
      69.61.228.178   255.255.255.255       192.168.1.1     192.168.1.162      100
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
          127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
    127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
        192.168.1.0     255.255.255.0     192.168.1.162     192.168.1.162      266
        192.168.1.2   255.255.255.255     192.168.1.162     192.168.1.162      100
      192.168.1.162   255.255.255.255     192.168.1.162     192.168.1.162      266
      192.168.1.255   255.255.255.255     192.168.1.162     192.168.1.162      266
        192.168.2.0     255.255.255.0      192.168.2.70      192.168.2.70      266
        192.168.2.0     255.255.255.0       192.168.2.1      192.168.2.70      100
       192.168.2.70   255.255.255.255      192.168.2.70      192.168.2.70      266
      192.168.2.255   255.255.255.255      192.168.2.70      192.168.2.70      266
          224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
          224.0.0.0         240.0.0.0     192.168.1.162     192.168.1.162      266
          224.0.0.0         240.0.0.0      192.168.2.70      192.168.2.70      266
    255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
    255.255.255.255   255.255.255.255     192.168.1.162     192.168.1.162      266
    255.255.255.255   255.255.255.255      192.168.2.70      192.168.2.70      266
    396    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100036
    The routing table was updated for the Virtual Adapter
    397    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310001A
    One secure connection established
    398    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.1.162.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    399    13:11:47.517  12/17/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 192.168.2.70.  Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
    400    13:11:47.517  12/17/12  Sev=Info/5    CM/0x63100001
    Did not find the Smartcard to watch for removal
    401    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    402    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    403    13:11:47.517  12/17/12  Sev=Info/6    IPSEC/0x6370002C
    Sent 109 packets, 0 were fragmented.
    404    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    405    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    406    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0xeaaddbd2 into key list
    407    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    408    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0x37287614 into key list
    409    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x6370002F
    Assigned VA private interface addr 192.168.2.70
    410    13:11:47.517  12/17/12  Sev=Info/4    IPSEC/0x63700037
    Configure public interface: 192.168.1.162. SG: 69.61.228.178
    411    13:11:47.517  12/17/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 1.
    412    13:11:52.688  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    413    13:11:52.688  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476009
    414    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    415    13:11:52.704  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    416    13:11:52.704  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
    417    13:12:03.187  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    418    13:12:03.187  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476010
    419    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    420    13:12:03.202  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    421    13:12:03.202  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
    422    13:12:14.185  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    423    13:12:14.185  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476011
    424    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    425    13:12:14.201  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    426    13:12:14.201  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
    427    13:12:24.762  12/17/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
    428    13:12:24.762  12/17/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to 69.61.228.178, our seq# = 2722476012
    429    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = 69.61.228.178
    430    13:12:24.778  12/17/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
    431    13:12:24.778  12/17/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
    New running configuration:
    : Saved
    ASA Version 8.4(1)
    hostname NCHCO
    enable password hTjwXz/V8EuTw9p9 encrypted
    passwd hTjwXz/V8EuTw9p9 encrypted
    names
    name 192.168.2.0 NCHCO description City Offices
    name 192.168.2.80 VPN_End
    name 192.168.2.70 VPN_Start
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 69.61.228.178 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    speed 100
    duplex full
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    object network NCHCO
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.64
    subnet 192.168.2.64 255.255.255.224
    object network obj-0.0.0.0
    subnet 0.0.0.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
    access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
    access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
    access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
    access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
    nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
    nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    network-acl outside_nat0_outbound
    webvpn
      svc ask enable default svc
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 69.61.228.178 255.255.255.255 outside
    http 74.218.158.238 255.255.255.255 outside
    http NCHCO 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set l2tp-transform mode transport
    crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dyn-map 10 set pfs group1
    crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 74.219.208.50
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map vpn-map 1 match address outside_1_cryptomap_1
    crypto map vpn-map 1 set pfs group1
    crypto map vpn-map 1 set peer 74.219.208.50
    crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto isakmp identity address
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 15
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 35
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet NCHCO 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh NCHCO 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.150-192.168.2.225 inside
    dhcpd dns 216.68.4.10 216.68.5.10 interface inside
    dhcpd lease 64000 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    default-domain value nchco.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
    password-storage enable
    ipsec-udp enable
    intercept-dhcp 255.255.255.0 enable
    address-pools value VPN_Pool
    group-policy NCHCO internal
    group-policy NCHCO attributes
    dns-server value 192.168.2.1 8.8.8.8
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value NCHCO_splitTunnelAcl_1
    default-domain value NCHCO.local
    username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
    username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
    username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) VPN_Pool
    address-pool VPN_Pool
    authentication-server-group (inside) LOCAL
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    authorization-server-group (inside) LOCAL
    authorization-server-group (outside) LOCAL
    default-group-policy DefaultRAGroup
    strip-realm
    strip-group
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    tunnel-group 74.219.208.50 type ipsec-l2l
    tunnel-group 74.219.208.50 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group NCHCO type remote-access
    tunnel-group NCHCO general-attributes
    address-pool VPN_Pool
    default-group-policy NCHCO
    tunnel-group NCHCO ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
    : end
    asdm image disk0:/asdm-649.bin
    asdm location VPN_Start 255.255.255.255 inside
    asdm location VPN_End 255.255.255.255 inside
    no asdm history enable
    I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
    Thanks so much!
    Matthew

  • Remote Access VPN authentication through RADIUS

    Hi,
    I have configured remote access VPN (IPsec) in my Cisco ASA . Before there was only single username & password to for VPN client. Now I am planning to give access through RADIUS server. I have configured RADIUS server in WIN 2003 server.
    Server configuration:
    1) Administrative Tools > Internet Authentication Service and right-click on RADIUS Client to add a new RADIUS client with ip address of CISCO ASA (inside interface).
    2) Remote Access Policies, right-click on Connections to Other Access Servers, and select Properties.
    3) check Grant Remote Access Permissions is selected.Click Edit Profile and check these settings:On the Authentication tab, check Unencrypted authentication (PAP, SPAP), MS-CHAP,and MS-CHAP-v2.On the Encryption tab, ensure that the option for No Encryption is selected.Click OK when you are finished.
    4.Select Administrative Tools > Computer Management > System Tools > Local Users and Groups, right-click on Users and select New Users to add a user into the local computer account.Add a user and check this profile information:On the General tab, ensure that the option for Password Never Expired is selected instead ofthe option for User Must Change Password.
    On the Dial-in tab, select the option for Allow access
    ASA configuration:
    aaa-server vpn protocol radius
    aaa-server vpn host 10.155.20.25 (RADIUS server IP )
    key cisco321
    tunnel-group vpnacc type ipsec-ra
    tunnel-group vpnacc general-attributes
    authentication-server-group vpn
    but it is not working. Please guide to resolve this issue.
    Regards,
    som

    Also, take a look at your logs on the windows server, and try debugging the asa. Try running wireshark or network monitor on the windows server to see if the requests are coming in. You should be able to figure out pretty quickly what is going on by debugging aaa on the asa and/or checking the logs on the server. Make sure the service is running on the windows box. Make sure that something stupid like windows firewall isnt blocking the connection. You can turn on debugging by typing "debug aaa" and type "logging console debugging" and "term mon". You can test aaa by typing "test aaa-server authentication vpn host x.x.x.x username someusername password somepassword"
    Hopefully this will lead you in the right direction. Oh, one more thing, when you are done, don't forget to turn off the debug by typing "undebug all". Another word of warning, running debugs on a production firewall should be done at your own risk, it is very easy to overwhelm a device to the point it stops responding by running debugs.

  • Remote Access VPN users unable to communicate with each other

    Hi,
    We have configured Remote Access VPN on Cisco IOS router. Users are able to access the inside resources but cant communicate to each other. Any suggestions on the issue?
    Regards
    Saif

    Have you excluded the VPN traffic from being NATed when traffic is going between clients?
    Please post a full sanitised configuration of the router so we can check it for configuration issues.
    Please remember to select a correct answer and rate helpful posts

  • Remote Access VPN Users with CX Active Authentication.

    I have ASA 5515 with CX for webfiltering , also have enabled remote access vpn . All my inside users are able to get active and passive authentication correctly . But for remote access VPN users , they are redirected to ASA external ip and CX authentication port 9000 but a blank page comes in and there is no prompt for authentication. I wasnt doing split tunneling , but now i have excluded ASA WAN ip from the tunnel and still have the same issue.
    The CX version we have is 9.3.1.1

    Have you excluded the VPN traffic from being NATed when traffic is going between clients?
    Please post a full sanitised configuration of the router so we can check it for configuration issues.
    Please remember to select a correct answer and rate helpful posts

  • Remote access VPN with Cisco Router - Can not get the Internal Lan .

    Dear Sir ,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
    I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
    Below is the IP address of the device.
    Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
    IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
    IP address:10.10.10.1
    Mask:255.255.255.0 F0/0
    IP Address :20.20.20.1
    Mask :255.255.255.0
    F0/1
    IP address :192.168.1.3
    Mask:255.255.255.0
    F0/0
    IP address :20.20.20.2
    Mask :255.255.255.0
    F0/1
    IP address :192.168.1.1
    Mask:255.255.255.0
    I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
    Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
    Need your help to fix the problem.
    Router R2 Configuration :!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip tcp synwait-time 5
    interface FastEthernet0/0
    ip address 20.20.20.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 10.10.10.1 255.255.255.0
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    end
    Router R1 Configuration :
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login USERAUTH local
    aaa authorization network NETAUTHORIZE local
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    username vpnuser password 0 strongpassword
    ip tcp synwait-time 5
    crypto keyring vpnclientskey
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group remotevpn
    key cisco123
    dns 192.168.1.2
    wins 192.168.1.2
    domain mycompany.com
    pool vpnpool
    acl VPN-ACL
    crypto isakmp profile remoteclients
    description remote access vpn clients
    keyring vpnclientskey
    match identity group remotevpn
    client authentication list USERAUTH
    isakmp authorization list NETAUTHORIZE
    client configuration address respond
    crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
    crypto dynamic-map DYNMAP 10
    set transform-set TRSET
    set isakmp-profile remoteclients
    crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
    interface FastEthernet0/0
    ip address 20.20.20.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPNMAP
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpnpool 192.168.50.1 192.168.50.10
    ip forward-protocol nd
    ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
    ip access-list extended NAT-ACL
    deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended VPN-ACL
    permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    end

    Dear All,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
    Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
    Waiting for your responce .
    --Milon

  • Remote access VPN client gets connected fails on hosts in LAN

    Hi,
    VPN client gets connected fine, I have a inter VLAN routing happening on the switch in the LAN so all the LAN hosts have gateway IP on the switch, I have the defult route pointing to ASA inside interface on the switch, the switch I can reach after Remote Access VPN is connected how ever I cannot ping/connect to other hosts in the LAN and if I make the gateway point to the ASA then that host is accessible, any suggestions? I really want to have gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing)

    Hi Mashal,
    Thanks for your time,
    VPN Pool(Client) 192.168.100.0/24
    Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
    =============
    On the Switch
    =============
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.2.5 to network 0.0.0.0
         172.32.0.0/24 is subnetted, 1 subnets
    C       172.32.0.0 is directly connected, Vlan101
    C    192.168.200.0/24 is directly connected, Vlan2000
    C    192.9.200.0/24 is directly connected, Vlan4000
    S    192.168.250.0/24 [1/0] via 192.9.200.125
    S    192.168.1.0/24 [1/0] via 192.9.200.125
    C    192.168.2.0/24 is directly connected, Vlan1000
    S    192.168.252.0/24 [1/0] via 192.9.200.125
    S*   0.0.0.0/0 [1/0] via 192.168.2.5
    ===============
    On ASA
    ===============
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is 172.32.0.2 to network 0.0.0.0
    C    172.32.0.0 255.255.255.0 is directly connected, outside
    C    192.9.200.0 255.255.255.0 is directly connected, inside
    C    192.168.168.0 255.255.255.0 is directly connected, failover
    C    192.168.2.0 255.255.255.0 is directly connected, MGMT
    S    192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
    S    192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
    We don't need route print on the PC for now as I can explain what is happening I can get complete access to the 192.168.2.0/24 (VLAN 1000) but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IP's on the switches/pair but cannot have any tcp connections, which explains the default route being pointed on the switch is on VLAN 1000, now my issue is How do I get access to VLAN 4000 as you can see these two are on different Interfaces/zones on the ASA and please note with default gateway pointing to ASA I will have access to both the VLAN's it is only when I move the gateway pointing to Switch I loose tcp connections to one VLAN depending on the default route  on the being pointing to on the switch.
    So we are left to do with how to on the switch with default route.

Maybe you are looking for