ASA 5505 VPN with dhcp at endpoint

I have a new customer that I installed an ASA 5505 to replace a Linksys VPN router. They have a main office with a static IP address, 3 branch offices with static IP addresses and 2 branches that are doing DHCP from the ISP for their router address. I have no problem getting the static VPNs up and running. My problem is with the VPN connections that are doing DHCP. I can go in and determine what IP they are currently using and setup a connection and it works fine. The problem is of course when their IP address from the ISP changes, which seems to happen at least daily. What is the proper way to setup a connection that is using DHCP? Also, can you setup multiple connections this way? Currently the 2 locations have different passwords setup in their routers.
I need help ASAP as this customer is getting frustrated quickly. I do not want to lose a customer that I just got over this.
Thanks in advance,
Steve

Go to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA, you can use the links example depicting your scenario requirements, where one end is dynamic and other static for Ipsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obiosly is having static IP addressing, make that clear with your client , but these exmaples are very good solution for your problem.
Keep in mind that the DHCP dynamic side will always be the initiator to bring up the tunnel , not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards

Similar Messages

ASA 5505 VPN with backup route

We are looking to set up a site-to-site VPN with a backup over a T1. We have a remote site with a 1841 router. This router has a PTP T1 back to a secondary location with a 2811. Due to location, the only option we had to get additional bandwidth was to have a cable modem installed. We want to set a site-to-site up to our primary location, with a backup route over the T1 in the event the cable modem goes down. We have an ASA 5505 at the remote location, and an ASA 5540 at the primary. In addition, we want to split the traffic across the two connections. Since the wireless controllers are anchored back to the secondary location, we want to send that traffic over the PTP T1 and the rest of the traffic over the VPN. We also need to have a backup route for the wireless traffic to send across the VPN in the event the T1 goes down.

Go to this link and scroll down to Site to Site VPN (L2L) with IOS and Site to Site VPN (L2L) with ASA, you can use the links example depicting your scenario requirements, where one end is dynamic and other static for Ipsec L2L IOS-to-ASA or ASA-to-IOS.
The best solution obiosly is having static IP addressing, make that clear with your client , but these exmaples are very good solution for your problem.
Keep in mind that the DHCP dynamic side will always be the initiator to bring up the tunnel , not the static side.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Regards

Cisco ASA 5505 VPN with iPhone

Hello Everyone. I am a newbie to the Cisco appliances, so please bear with me. I am trying to configure this unit to allow iPhone VPN access to our network to sync LOTUS DOMINO (Not Exchange) user's Email, Contacts, and Calendar. We have a Sonicwall NSA 2400 that is our main router, so the ASA will only be used for VPN access, not routing. It will be in the DMZ providing VPN access for the iPhones. With the VPN connected, we need to limit access to only those services required by the iphone to sync information. The Software version on the Cisco is 7.2(4). If there is anyone that could help me out, I would greatly appreciate it. Please remember I am new to this, so please be patient. Where do I begin? I hope to hear from anyone soon.

Hi,
I cannot help you with the Cisco side of the equation, but do you know about Lotus Traveler? It's free from IBM and essentially adds ActiveSync support to your Domino email environment. The iPhone is configured with an Exchange ActiveSync account and pointed to the Lotus Traveler server (which sits in your DMZ and only needs port 80/443 access). It gives you full push email/contacts/calendar (Blackberry-like) functionality.
Like I said, it's a free add-on from IBM Lotus for all licensed Domino users.

ASA 5505 VPN with NEM

Hi!
Im having trouble setting up two ASA5505 with EzVPN. One is head and one is client. Without NEM everything works fine. With NEM it connects but cant ping anything or use the split tunnel to access Internet. See attached configs.
With NEM enabled the Head gives the following error:
No translation group found for icmp src outside:192.168.10.2 dst inside:192.168.1.201 (type 8, code 0)
Any ideas ?
The Public IP addressesa and gateway are changed to 9's in the first three parsts of the address.
Thanks! /Bjorn

HEllo,
Add this command to the head end side.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
This should fix your issue.
Rate this post if it helps.
Cheers,
Gilbert

ASA 5505 & VPN Cellular connection

We have a ASA 5505 setup with VPN and using Cisco client 5.0. The VPN works without a problem if we use normal internet access (from home, motel, etc). However if we use a cellular wi-fi hotspot or tether a phone it will connect to the vpn but will not allow us to get on the office network. Anyone have this problem or know a solution

Hello greentw1972,
I have ran in to this issue several times. This is mainly caused by Cisco VPN client's compatibility issues with the 3G-Dongle/Tethering-device. I have seen several workarounds for this but the best one I have found is to use a Open source vpn client.
I have used Shrewsoft VPN client and it has worked nicely without any issues so far
Find the links below for further information.
The 3rd link will show you how exactly you need to transfer information from Cisco VPN client to Shrewsoft client.
Shrewsoft latest VPN client download link : www.shrew.net/download/vpn/vpn-client-2.2.0-rc-2.exe
Shrewsoft Web site : www.shrew.net
Installation instruction as Cisco VPN alternative : http://superuser.com/questions/312947/how-to-configure-shrewsoft-vpn-to-connect-to-cisco-vpn-server
Plese rate this post if helpful

ASA 5505-VPN- Can't use AD services

New install:5505 VPN with MS Active Directory services on LAN.
I can VPN into the network but cannot e.g. join my laptop to the Domain. Message says "cannot find "domain" I can: ping the PDC, RDP onto the PDC or any system on the LAN. Also applications that are on the remote laptop and rely on LAN resources fail.
Any help would be welcome

Sorry, just realized I did not attach config!

Problem with ASA 5505 VPN config

Hi to all,
I have a problem with ASA 5505 remote access vpn. I have site-to-site VPN and I need that my VPN clients can access IP subnets that I have behind site-to-site VPN. All that I have tried I get and error to my log “Flow is a loopback”.
So what I need : for example I need that vpn client with ip 10.0.0.1 can go to 192.168.1.2
My config:
access-list Test_splitTunnelAcl standard permit host 10.0.2.3
access-list Test_splitTunnelAcl standard permit host 10.0.2.4
access-list Test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list nonat_outside extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool VPN_Client_Pool2 10.0.0.1-10.0.0.200 mask 255.255.255.0
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_splitTunnelAcl
Site-to-Site:
crypto map outside_map 3 set peer 195.233.x.x
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_2
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.2.70
network-object host 192.168.3.55
network-object 192.168.1.0 255.255.255.0
I hope that someone can post an answer and solve my problem

A few things are required:
1) You don't need the following 2 lines, so it can be removed:
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
2) On the ASA, you need to configure:
same-security-traffic permit intra-interface
3) Object group: DM_INLINE_NETWORK_2 needs to include 10.0.0.0/24
4) On the remote lan-to-lan end, the crypto ACL also needs to include 10.0.0.0/24 as the destination subnet.
5) The NAT exemption (NONAT) on the remote lan-to-lan end also needs to include 10.0.0.0/24 as the destination subnet.
Hope that will resolve your problem.

ASA 5505 VPN Ping Problems

Hello everyone,
First off, I apologize if this is something that I can google. My knowledge of network administration is all self-taught so if there is a guide to follow that I've missed please point me in the right direction, its often hard to Google terms for troubleshooting when your jargon isn't up to snuff.
The chief issue is that when pinging internal devices while connected to the results are very inconsistent.
Pinging 192.168.15.102 with 32 bytes of data:
Reply from 192.168.15.102: bytes=32 time=112ms TTL=128
Request timed out.
Request timed out.
Request timed out.
We've set up a IPSec VPN connection to a remote Cisco ASA 5505. There are no issues connecting, connection seems constant, packets good etc. At this point I can only assume I have configuration issues but I've been looking at this for so long, and coupled with my inexperience configuring these settings I have no clue where to start. My initial thoughts are that the LAN devices I am pinging are not sending their response back or the ASA doesn't know how to route packets back?
Here's a dump of the configuration:
Result of the command: "show config"
: Saved
: Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013
ASA Version 8.2(5)
hostname VPN_Test
enable password D37rIydCZ/bnf1uj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.15.0 internal-network
ddns update method DDNS_Update
ddns both
interval maximum 0 4 0 0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description VLAN to inside hosts
nameif inside
security-level 100
ddns update hostname 0.0.0.0
ddns update DDNS_Update
dhcp client update dns server both
ip address 192.168.15.1 255.255.255.0
interface Vlan2
description External VLAN to internet
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
name-server 216.221.96.37
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny icmp interface outside interface inside
access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192
access-list inside_access_in remark Block Internet Traffic
access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
access-list inside_access_in remark Block Internet Traffic
access-list inside_access_in extended permit ip interface inside interface inside
access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_access_in remark Block Internet Traffic
access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.15.192 255.255.255.192
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http internal-network 255.255.255.0 inside
http yy.yy.yy.yy 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.15.200-192.168.15.250 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.15.101 source inside
ntp server 192.168.15.100 source inside prefer
webvpn
group-policy Remote internal
group-policy Remote attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_splitTunnelAcl
username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0
username StockUser attributes
vpn-group-policy Remote
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool VPN_IP_Pool
default-group-policy Remote
tunnel-group Remote ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

Hi Graham,
My first question is do you have a site to site VPN or Remote access client VPN.
After checking your configuration i see that you do not have any Site to SIte VPN configuration so i am assuming that you ara facing issue with the VPN client.
And if i understood correctly you are able to connect the VPN client but you not able to access the internal resources properly.
I would recommend you to tey and make teh following changes.
Remove the following configuration first:
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.15.192 255.255.255.192
You do not need the 1st one and i do not understand the reason of the second one
Second one is your pool IP subnet (192.168.15.200-192.168.15.250) and i am not sure why you have added this NAT.
If possible change your Pool subnet all together because we do not recommend to use th POOL ip which is simlar to your local LAN.
Try the above changes and let me know in case if you have any issue.
Thanks
Jeet Kumar

ASA 5505 VPN can't access inside host

I have setup remote VPN access on a ASA 5505 but cannot access the host or ASA when I login using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct Ip address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can login but not go anywhere I feel certian I missed something.
part of config below
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
service-policy global_policy global
group-policy xxxxxxx internal
group-policy xxxxxxx attributes
banner value xxxxx Disaster Recovery Site
wins-server none
dns-server value 24.xxx.xxx.xx
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
default-domain none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value xxxxxx
smartcard-removal-disconnect enable
client-firewall none
webvpn
functions url-entry
vpn-nac-exempt none
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
address-pool xxxx
default-group-policy xxxx
tunnel-group blountdr ipsec-attributes
pre-shared-key *

I get the banner and IP adress info...
This is what the client log provides...
1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 172.20.255.255
Netmask 255.255.255.255
Gateway 10.1.2.1
Interface 10.1.2.5
2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

ASA 5505 VPN can't access connected network

I have an ASA 5505 with ipsec VPN configured on it. I am able to connect to the ASA but I can't ping a connected network. I get a dhcp assigned address in the network I am trying to reach but can't access that network on Vlan5. Please help.
I attached the config.

I think final questions, can you have two nat statements that point to the same acl ie.
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.9.0 255.255.255.0
nat (fw-civic) 0 access-list no_nat
nat (fw-civic) 1 192.168.5.0 255.255.255.0
Or do I need to create a new acl for the fw-civic interface?
Thanks

ASA 5505 VPN NEM

Hi! First of all I appologize for posting a similar question in another forum. I think this one is the right place.
Im trying to connect to a PIX 501 with easy vpn in nem mode with a ASA 5505. Currently running 7.2.2-22 (had to download a interim release due to dhcp problems with the ISP in 7.2.2) and ASDM 5.2.
The problem is that when using nem mode i cannot ping the other side at all. When using client mode this works fine but i need the two way traffic.
Our Head unit is 192.168.1.1 and the connecting ASA 5505 is 192.168.10.1. When I try to ping a machine (192.168.1.201) from the remote site I get this in the ASA log:
With network extension mode
302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.10.2/512 laddr 192.168.10.2/512
With only client mode
302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.1.9/1 laddr 192.168.10.2/512
It seemes to me that the ASA sets an incorrect gateway address in nem mode ?
The PIX 501 has been working fine for some years with software clients connecting.
Any ideas ?
Thanks!

When configured in Easy VPN Network Extension Mode, the ASA 5505 does not hide the IP addresses of local hosts by substituting a public IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.
Try this link:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html

ASA 5505 VPN HELP!!!

I have two ASA 5505's. One is currently setup as my firewall connected to the Cox Cable modem and wireless AP. I have another ASA that I would like to use, I have an idea that I could set that one up as a VPN unit, but not sure how I could do that. If that is not an option, can you provide the command line instructions on how to setup the VPN via the console cable. I am kinda new and I am slowing trying to become more knowledgeable about this. Any help would be greatly appreciated.
Thanks,
Jon
My current Config:
ASA Version 8.2(3)wn coldstart' comm
!d
hostname Wood-ASA1-if
%ASA-5-111008:
domain-name lv.cox.net the 'inspect ip-optio
enable password 8Ry2YjIyt7RRXU24 encrypted8cb69fe 20cfb60adisk0:/asa823.bin
passwd 2KFQnbNIdI.2KYOU encrypteded the 'service-policy global_pol
namesobal'
!a
interface Ethernet0/0in        ^
switchport access vlan 2%ASA-5-
command.ser 'Con
!S
interface Ethernet0/1ig' executed the 'pro
!t
interface Ethernet0/2mand.tics access-lirv
interface Ethernet0/3 securi
rd DfltAccess
!l
interface Etherne
interface Vlan1ecuted the 'pro
nameif inside' command.omma
security-level 100
%ASA-5-111008: Use
ip address 192.168.1.1 255.255.255.01008: User 'Config' executed the 'no
!t
interface Vlan2 the '
%ASA-5-1
nameif outsidefig' executed t
security-level 0-5-111008: User '
ip address dhcp setrouteination address http http
boot system disk0:/asa823-k8.bing' executed the 'class-map inspe
boot config disk0:/asa823.binom/its/service/oddce/services
ftp mode passivemand. User 'Conf
dns server-group DefaultDNS User 'Config' execut
%ASA-
domain-name lv.cox.netexecuted the 'destinati
object-group icmp-type ICMP-INBOUNDation linkup linkdown coldstart' co
description Permit necessary inbound ICMP trafficand.'policy-map type
%ASA-5-111008: User 'Config'
icmp-object echo-replyon transport-method htt
icmp-object unreachable
s_map' command.t
icmp-object t
%ASA-
logging buffered warningsecuted the 'subscribe-to-
logging asdm notificationsxecuted t
%ASA-5-111008: U
mtu inside 1500cuted the 'poli
mtu outside 1500ct
riodic month
icmp unreachable rate-limit 1 burst-size 1-111008: User 'Config' executed the 'subsc
asdm image disk0:/asdm-625.bino5-111008: User 'Config' execu
no asdm history enablemmand.outside' command
arp timeout 14400monthly' command.
nat-control
%ASA-5-111
global (outside) 1 interfacenfig' executed the 'subscrib
nat (inside) 1 0.0.0.0 0.0.0.0andasa# threat-detec
d.n
%ASA
access-group INBOUND in interface outside08: Us
riodic daily' command.e
timeout xlate 3:
aaa authentication ssh console LOCALe Ethernet0/5, changed state to admi
http server enableas
%ASA-5-111008:
http 192.168.1.0 255.255.255.0 inside' executed the
%ASA-4-411003: Interfa
no snmp-server locationstate to administra con
no snmp-server contact
telnet timeout 5# nat-contr
%ASA
ssh 0.0.0.0 0.0.0.0 insideec
%ASA-4-411001: Line pro
ssh 0.0.0.0 0.0.0.0 outside/3, changed state to upomma
ssh timeout 5SA-5-111
%ASA
console timeout 0onfig' executed t
dhcpd dns 8.8.8.8 8.8.4.4ne protocol on Interface
dhcpd auto_config outside to ups_map' com
%ASA-5-1
!0
dhcpd address 192.168.1.2-192.168.1.33 insideommand
enableR: % I
Password:SA-5-1110
Wood-A
dhcpd dns 8.8.8.8 8.8.4.4 interface inside: Uname: enable_15 From: 1 To:pect netbios
dhcpd enable insidescoas
%ASA-5-111008
!U
threat-detection basic-threat%ASA-5-111008: User 'enable_1
threat-detection statistics acce
.0.0.0 0.0.0.
parametersprompt host
message-length maximum client auto1008: User 'enable_15' executed the
message-length maximum 512A-5-111008: User 'Config' ex
policy-map type inspect dns prsent_dns_map 0/0' command. executed the 'inspe
no shut
parametersA-5
Wood-AS
message-length maximum 512 Interface Ethernet0/0, chan
policy-map global_policyg' executed the 'inspect
class inspection_defaultA-5-111008: User 'Con
ini
inspect dns preset_dns_map
%ASA-5-111008: User 'enable
inspect ftpthe 'no shutd
inspect h323 h225111008: User 'Confi
inspect h323 rasstination address
inspect rsh1001: Line pr
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c3a35118ab34143a5e73e414ead343c1

for sure you can do this with the ASA , see the following configuration example :
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080950890.shtml
cheers.

ASA 5505 VPN configuration question

I have a asa 5505 v7.2(3) asdm 5.2(3) th I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My asa now has a non routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have natted my servers, but I cannot get my vpn clients connected. I am not sure how to get one of my statics assigned to the asa to use for the VPN tunnel. Used to be I just tunneled to the static "outside" address with my Cisco VPN clients (remote pc's). I tried assigning one of my statics to the outside, but then I had no connectivity at all since there is a router now before me, where it was just a modem before. I am used to working on larger pix's with my own IP address range, and not used to dealing with DHCP assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated, this is for a small charity animal shelter, that has been down since the cable company made their "transparent change" when the bought another one out.
The ISP router has an interface with one of my static on the outside facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP hinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. also the ethernet interfaces cannot have address assigned, only vlans, which there can only be two, and both are used (inside, outside) so I am out of ideas.
Thanks for any help
Thanks much

Hi Kevin
Your current design causes administrative overhead. You either need one-to-one mapping with outside int or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause troubles in GRE)
Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead 10.x.x.x
Regards

ASA 5505 VPN One Way Traffic

I am currently having an issue with two ASA 5505s. One would be representing a Central office for a small business operating a L2L IPsec VPN using a dynamic map for a remote site that does not have a static IP address.
I stripped the configuration down to the minimal possible for testing to get this working but ran into an issue where although I have my ISAKMP SA and my IPsec SA the tunnel is only passing traffic from my remote site with the dynamic address to the Central site with a static IP address. The Central site with the static IP address will not pass traffic to the remote site.
During my troubleshooting I came across two different issues. I could at some points get traffic coming from the Central site to hit my ACL as interesting traffic to the remote site, but it would then not hit the ACL for no NAT. I just could not figure out why the no NAT ACL wasn't working. My configuration matched a few configurations I found online, but no joy on getting it to actually bypass NAT to the remote site.
I have had the same type of set-up working on ISRs with no issue, but I do not have the same amount of experience with ASAs so any help would be appriciated. The Configurations I am using for the basic testing are below with the Hub being the Static IP site and the Spoke being a dynamic IP address site.
ASA Version 8.0(2)
hostname ASAHUB
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 12.15.44.176 255.255.255.192
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
shutdown
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list NONAT_INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT_INSIDE
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.15.44.129 1
route outside 192.168.20.0 255.255.255.0 12.15.44.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto dynamic-map TEST 20 match address VPN
crypto dynamic-map TEST 20 set transform-set TEST
crypto map TEST 30 ipsec-isakmp dynamic TEST
crypto map TEST interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
ASA Version 8.2(1)
hostname ASASPOKE
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
shutdown
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
ftp mode passive
access-list NONAT_INSIDE extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_INSIDE
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer 12.15.44.176
crypto map VPN 10 set transform-set TEST
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 12.xx.xx.xx type ipsec-l2l
tunnel-group 12.xx.xx.xx ipsec-attributes
pre-shared-key *

Well I had pretty much given up on this, but today had a few extra minutes so I grabbed some ASAs that I had wiped for a different project, copied my configs back on them and actually ended up with a functional VPN passing traffic in both directions. The only change that was made from the above configurations was with NAT traversal.
On the Configurations above the NAT traversal was configured only on the HUB ASA. When I got the configuration to work correctly it was with the NAT traversal configured only on the Spoke/Remote ASA. Does anyone know why that made the difference?
The final configs for both of the devices I used for testing are below.
ASA Version 8.0(2)
hostname HUB
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 12.xx.xxx.xx 255.255.255.192
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
shutdown
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list NONAT_INSIDE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_INSIDE
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.15.44.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto dynamic-map TEST 20 match address VPN
crypto dynamic-map TEST 20 set transform-set TEST
crypto map TEST 30 ipsec-isakmp dynamic TEST
crypto map TEST interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key cisco
prompt hostname context
Cryptochecksum:ac4003df5144c618b70555bf31b56e03
: end
ASA Version 8.2(1)
hostname ASASPOKE
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
shutdown
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
ftp mode passive
access-list NONAT_INSIDE extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_INSIDE
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer 12.xx.xxx.xx
crypto map VPN 10 set transform-set TEST
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
track 10 rtr 10 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.xx.xxx.xx type ipsec-l2l
tunnel-group 12.xx.xxx.xx ipsec-attributes
pre-shared-key cisco
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:50a9d87c794db95b0f4cac127ee3c0fe
: end

Cisco ASA 5505 VPN connection issue ("Unable to add route")

I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?

Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

ASA 5505 VPN with dhcp at endpoint

Similar Messages

Maybe you are looking for